Is your business ready for the new Privacy Act changes?

Is your business ready? The New Privacy Act Changes (2014) June, 2014 By Jacqueline Walker, Senior Lawyer

Upload: turnbull-hill-lawyers

Post on 08-May-2015

Category:

Business


DESCRIPTION

This presentation provides Australian business owners with an overview of the recent amendments to the Privacy Act. These new changes will greatly impact all businesses so it's important to be prepared and ready.

TRANSCRIPT

Page 1: Is your business ready for the new Privacy Act changes?

Is your business ready?

The New Privacy Act Changes (2014)

June, 2014

By Jacqueline Walker, Senior Lawyer

Legal Disclaimer

This presentation is offered for general information purposes only. It does not constitute specific legal advice or opinion. You should not act or rely upon any of the information contained within this seminar without seeking the advice of a qualified solicitor who specialises in the particular area of expertise and jurisdiction that you require.

Introduction

If your business:

is engaged in direct marketing;

is thinking about a move to cloud-based IT services; or

collects, stores and discloses personal information to third parties,

you need to be aware of recent amendments to the Privacy Act 1988.

Introduction

Effective 12th March 2014, the changes came into force as a result of the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

These changes apply to:

all Government agencies;

most private organisations, including partnerships, trusts, individuals, bodies corporate; and

unincorporated associations.

Introduction

If your business has an annual turnover of more than $3 million or is a health service provider, the Privacy Act applies. Many small businesses also have to comply, particularly those that collect personal information (other than their own employees' information).

Introduction

Applicable organisations and Government agencies will now need to ensure they have a compliant privacy policy that is in line with these new changes, including any related operational policies, procedures and collection statements.

What are the major changes to the Privacy Act?

1. Privacy Commissioner Powers

The Privacy Commissioner now has increased powers that include the ability to seek a penalty of up to $1.7 million for a repeated or serious breach of privacy laws.

Timothy Pilgrim, Federal Privacy Commissioner

2. Data Management Obligations

New Australian Privacy Principles (APPs) are now in place that affect how/when personal information can be collected and how that information can be passed on to third parties. This includes:

when consent to collect personal data is required;

the rights of individuals to access, correct and delete their own personal information once it has been collected; and

how these individuals can lodge complaints about any interferences with their privacy and resolve these issues.

3. Stricter Penalty Scheme

The Privacy Act now has a much stricter compliance and penalty regime that specifically impacts how organisations collect and retain personal information, engage in direct marketing practices, utilise cloud-based services and disclose personal information to entities outside of Australia.

4. Complete Transparency

The new APPs have been put in place to ensure organisations and agencies are completely open and transparent about the way they collect, retain and use personal information.

5. Credit Reporting Obligations

The Office of the Australian Commissioner (Privacy Commissioner) has introduced a new credit-reporting code with a move towards more comprehensive credit reporting accompanied by enhanced privacy protections relating to notification, data quality, access and correction, and complaints.

To maintain compliance, your privacy policy should deal specifically with how personal information used in credit reporting is collected, stored, used and disclosed.

What should businesses do to reduce risk?

1. Clarification of Personal Information

Organisations and agencies will need to determine which of the information they collect and hold is actually “personal information”. Personal information is defined as being:

"Information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not".

2. Update All Relevant Documentation

Businesses will need to update their policies, procedures and statements to reflect the changes. The privacy policy should be updated first as it is usually public and available online.

2. Update All Relevant Documentation

All documentation should now refer directly to the new APPs, not the old National Privacy Principles.

It should also state the ways in which an individual can complain about privacy breaches and how those complaints will be dealt with and resolved.

Finally, it should disclose, transparently, if and how the individual’s personal information is going to be disclosed to any third parties and/or overseas recipients (including any intended countries).

2. Update All Relevant Documentation

As most privacy policies are considered to be too long and difficult to read, we recommend that all external documentation be clear, concise, readable and presented in plain English.

2. Update All Relevant Documentation

In fact, in the last review by the Privacy Commissioner, it was found that none of the privacy policies reviewed met the Commissioner’s preferred reading age level of 14.

This is why we recommend avoiding legal terms, jargon and in-house/industry terms.

3. Prepare Internal Privacy Compliance Guide

This guide is an internal document that details:

a) An introduction and summary about privacy laws and why those laws are applicable and important to the business;

b) Rules for collecting, storing, using and disclosing personal information;

c) Procedures for handling complaints from individuals and resolving those complaints;

3. Prepare Internal Privacy Compliance Guide

This guide is an internal document that details:

d) Steps to take when faced with a decision that relates to collection, storage, use and disclosure of personal information, for example, when faced with entering into an agreement with an overseas partner; and

e) Details about who is responsible for privacy compliance, including contact details for external providers or recipients.

4. Training Compliance Program

Preparing a compliance guide is the first step to initiating a compliance program.

A privacy compliance program involves educating and training the staff responsible for collecting, storing, using and/or disclosing personal information.

It also involves ensuring security systems are in place to protect the integrity of personal information.

5. Testing & Audits

Once the documentation is up-to-date and the compliance program has been established, organisations and agencies should test out their procedures by conducting an audit.

The procedures used to collect, store, use, disclose and protect personal information all need to be tested properly to ensure they are fully compliant.

The goal of such an audit is to identify problem areas that will later need to be rectified.

5. Testing & Audits

Online business transactions, internet banking and global data dissemination are all on the rise - make sure your business is ready to keep pace with the new privacy laws.

You can visit the Office of the Australian Information Commissioner for more information (www.oaic.gov.au).

Turnbull Hill Lawyers – Contact Us

If you have any further questions about privacy or you'd like to discuss a related matter, please call:

Jacqui Walker on 1800 994 279 or email her.

We will endeavour to respond to your enquiry within 24 hours.