Privacy Law Reform

Amendments passed by the Australian Government to the Privacy Act in November 2012 are due to come into force from 12 March 2014. These amendments will affect the way in which privacy is regulated by Government Agencies and businesses alike.

The changes include a set of new, harmonised, privacy principles that will regulate the handling of personal information by Government Agencies and businesses. These new principles are called the Australian Privacy Principles (APPs). All businesses which collect any personal information from their customers must ensure they are aware of the new APPs and put processes in place to ensure that they comply with the new requirements.

There are 13 new APPs which government agencies and businesses must adhere to when collecting personal information:

  1. An organisation must have an APP privacy policy that contains specified information, including the kinds of personal information it collects, how an individual may complain about a breach of the APPs, and whether the organisation is likely to disclose information to overseas recipients.
  2. An organisation must provide individuals with the option of dealing with it using a pseudonym.
  3. An organisation must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the organisation’s functions or activities.
  4. Where an organisation receives unsolicited personal information, it must determine whether it would have been permitted to collect the information under the APPs.
  5. An organisation must advise an individual about certain matters when the organisation collects their personal information, including access, correction and complaints processes in their APP privacy policies.
  6. An organisation may use or disclose the personal information that it holds about an individual in certain specified circumstances.
  7. Organisations may only use or disclose personal information for direct marketing purposes where the individual has either consented to the use, or has a reasonable expectation that their personal information will be used for this purpose, and conditions relating to opt-out mechanisms are met.
  8. Before an organisation discloses personal information to an overseas recipient, the organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information.
  9. An organisation is prohibited from adopting, using or disclosing a government related identifier unless an exception applies.
  10. An organisation must take reasonable steps to ensure the personal information it collects is accurate, up-to-date and complete.
  11. An organisation must take reasonable steps to protect the personal information it holds from interference, in addition to misuse and loss, and unauthorised access, modification and disclosure.
  12. An organisation must give an individual access to the personal information that it holds about that individual, unless an exception applies.
  13. An organisation must take reasonable steps to correct personal information to ensure that, having regard to a purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading, if either:

      a. the organisation is satisfied that it needs to be corrected, or
      b. an individual requests that their personal information be corrected.

Businesses should review their policies on the collection of personal information of their customers and ensure any necessary changes are made to bring said policies in line with the new APPs.

If you require assistance with the new changes to the Privacy Act, please contact McLaughlins Lawyers.