Australia: Amendments to Privacy Act Now in Effect

Change has arrived.

Under amendments passed in December 2012, new privacy reforms (and stiff penalties) went into effect on March 12, 2014. Australia’s Privacy Act now includes a set of 13 new harmonized privacy principles that regulate the handling of personal information by Australian and Norfolk Island Government agencies and some private sector organizations. These principles are called the Australian Privacy Principles (APPs). They replace both the Information Privacy Principles (IPPs) that applied to Australian Government agencies and the National Privacy Principles (NPPs) that applied to some private sector organizations.

The APPs cover the collection, use, disclosure and storage of personal information. They allow individuals to access their personal information and have it corrected if it is not accurate. There are also separate APPs that deal with the use and disclosure of personal information for the purpose of direct marketing (APP 7), cross-border disclosure of personal information (APP 8) and the adoption, use and disclosure of government related identifiers (APP 9).

The APPs generally apply to government agencies and to private sector organizations with an annual turnover of $3 million or more. These entities are known as ‘APP entities’. In addition, the APPs will apply to some private sector organizations with an annual turnover of less than $3 million, such as health service providers.

A number of the APPs are significantly different from the existing principles, including APP 7 on the use and disclosure of personal information for the purpose of direct marketing, and APP 8 on cross-border disclosure of personal information. In addition to some new requirements, the APPs also introduce stronger sanctions for non-compliance. The previous exemption from coverage applicable to employee records and the current small business exemption (generally, businesses with a turnover of $3m or less) continue to apply. However, these exemptions may be repealed in the future.

One area of particular interest to HSP customers regards the new obligations imposed on an offshore parent or related entity that collects or deals with personal information from Australian resident employees in connection with managing employee equity incentive plans. These changes mean that compliance is of utmost importance.

Employers should review their privacy and information collection, storage and access of information policies and procedures to ensure compliance with the APPs. It is likely that many organizations will need to review and amend any systems, policies and procedures that they have in place with respect to the handling of personal information. Even though the employee records and small business exemption will continue, employers should comply with the new principles as good practice. In particular, organizations will need to ensure that they have a Privacy Policy and Collection Notice that accords with the Privacy Principles.

HSP customers should also be aware of their obligations regarding data breaches. A bill read before the Australian Parliament in March 2014 will amend the Privacy Act 1988 to establish a framework for the mandatory notification by regulated entities of serious data breaches to the Office of the Australian Information Commissioner (OAIC) and to affected individuals.

Under the changes to the privacy laws, the Office of the Australian Information Commissioner has power to assess and monitor the compliance of organizations with the privacy laws and seek enforceable undertakings or civil penalties of up to $1.7 million for serious or repeated breaches of privacy laws. For this reason, it is important that you are aware of the privacy principles and take steps to implement legally compliant practices within your organizations with respect to personal information.

We have included helpful background information and additional resources in the section below. Please contact Paul Sutton with queries related to your obligations under the new requirements.

About Privacy Law in Australia

In Australia, privacy law generally relates to the protection of an individual’s personal information. Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. The Privacy Act 1988 (Privacy Act) regulates the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information, and access to and correction of that information. As mentioned above, significant amendments to the Privacy Act 1988 to strengthen privacy protection were passed by Parliament on November 29, 2012 as part of a reform process that began in 2004. The Bill received the Royal Assent on December 12, 2012 and went into effect on March 12, 2014. (See HSP December 2012 update on the Privacy Amendment (Enhancing Privacy Protection) Act 2012 .) The Privacy Regulation 2013, made under the Privacy Act, also commenced on March 12, 2014.

The Privacy Act, as amended, includes:

• 13 Australian Privacy Principles that apply to the handling of personal information by most Australian and Norfolk Island Government agencies and some private sector organisations
• credit reporting provisions that apply to the handling of credit-related personal information that credit providers are permitted to disclose to credit reporting bodies for inclusion on individuals’ credit reports.

The Privacy Act also:

• regulates the collection, storage, use, disclosure, security and disposal of individuals' tax file numbers
• permits the handling of health information for health and medical research purposes in certain circumstances, where researchers are unable to seek individuals' consent
• allows the Information Commissioner to approve and register enforceable APP codes that have been developed by an APP code developer, or developed by the Information Commissioner directly
• permits a small business operator, who would otherwise not be subject to the Australian Privacy Principles (APPs) and any relevant privacy code, to opt-in to being covered by the APPs and any relevant APP code
• allows for privacy regulations to be made.

As of March 12, 2014, the new privacy laws mean that Australians can more easily:

• ask an organization where they collected their personal information from (in response to receiving direct marketing)
• opt out of receiving direct marketing communications from organizations
• find out if their personal information will be sent overseas
• request access to their personal information held by an organization or agency
• request a correction to their personal information held by an organization or agency

The Office of the Australian Information Commissioner (OAIC) will focus on public education during the upcoming Privacy Awareness Week campaign (May 4–10, 2014), the primary privacy awareness and education event in the Asia Pacific region.

Resources

• Regarding Australian Privacy Principles (APPs): See the 13 APPs in schedule 1 of the Privacy Act 1988 (the Privacy Act). For a summary of the APPs, see the APP quick reference tool. Additional information on complying with the APPs can be found in the APP guidelines.
• Regarding coverage: See Who is covered by privacy and the Privacy Topics — Business pages.
• Regarding data breaches: See the Privacy Amendment (Privacy Alerts) Bill 2014 and the Explanatory Memorandum for additional information.
• Office of the Australian Information Commissioner
• Parliament of Australia