Privacy Act changes

Who does this affect? Businesses and Commonwealth and ACT government agencies and bodies that collect, use, store or disclose personal information, including names, e-mail addresses and other information about customers and clients.

What do you need to do? Make sure you have an up-to-date privacy policy that contains all the information required under the amendments to the Privacy Act. We can help.

Significant changes to the Privacy Act

Recent changes to the Privacy Act 1988 (Privacy Act) will have a significant impact on how private sector organisations and Commonwealth government agencies and bodies may collect, use, store and disclose personal information.

Personal information is information or an opinion about an identified individual or an individual who is reasonably identifiable. It can include things like names, e-mail addresses, photos, phone numbers, medical records, bank account details, information and opinions about what customers like and details about where individuals live and work.

Up to now, it has not been mandatory for many businesses to have a privacy policy. The changes to the Privacy Act will require all businesses operating in Australia, as well as Commonwealth agencies and bodies, to have a clear and up-to-date privacy policy. As part of this requirement, the changes to the Privacy Act list a number of things that must be included in a privacy policy.

Even if you already have a privacy policy, it’s likely that it is now out of date. Existing privacy policies need to be updated so they are clearly expressed and include all the things required under the amended legislation.

You need to start thinking about the changes now

The changes to the Privacy Act do not come into effect until 12 March 2014. However, depending on how you collect, use, store and disclose personal information, it may take some time to update your privacy policy and related business systems.

You should start thinking about these issues now to ensure they are factored into future decisions and so employees can be trained in the new or amended privacy policy.

Other changes to the Privacy Act

Other changes to the Privacy Act that will come into effect in March 2014 include:

  • a new consolidated set of Australian Privacy Principles (APPs) that will cover both private sector organisations and Commonwealth agencies and bodies
  • a requirement to develop and implement a privacy ‘compliance program’ to ensure compliance with the APPs and proper handling of privacy complaints
  • new, more restrictive requirements for direct marketing
  • tighter restrictions around disclosing personal information to overseas entities, including to IT storage and cloud computing providers
  • significantly increased investigation and enforcement powers for the Privacy Commissioner. Amongst other new powers, the Commissioner will be able to audit both private sector organisations and Commonwealth agencies to check they are handling and storing personal information in accordance with the new APPs. The Privacy Commissioner recently said that he won’t be taking a ‘softly-softly approach’ to privacy investigations. All entities subject to the Privacy Act should take steps now to ensure compliance.

Meyer Vandenberg assistance

We can help draft or update a privacy policy for your business, Commonwealth agency or body. We can also advise on privacy laws and compliance, and conduct in-house training for your staff.

For more information, contact:

Geoff Adams — Partner
(02) 6279 4377
geoff.adams@mvlawyers.com.au

Athol Opas — Special Counsel
(02) 6279 4468
athol.opas@mvlawyers.com.au