Businesses across Australia have significant obligations to protect privacy by implementing appropriate policies, procedures and practices.
The privacy policy must also contain certain information, e.g. the kinds of personal information collected, how it is collected, where it is held (including overseas, if applicable), how it is used and retained, how it can be accessed and corrected, and a complaints mechanism.
Businesses must be able to demonstrate user consent (where it is in issue), how privacy inquiries and complaints are managed, their procedures, and compliance with any applicable Australian Privacy Principles (APP) industry codes of practice.
Additional rules apply to "sensitive information", and the security obligations for that information have been strengthened. Businesses must also provide individuals with access to their personal information.
The Commissioner's powers to investigate and enforce have been significantly increased. The Commissioner can seek court injunctions against people who engage in conduct that might breach the Privacy Act and seek penalties against them.
Direct marketing has also become a focus, as certain conditions will now need to be met to avoid falling foul of the new laws.
Further guidelines on APP are available on the Office of the Australian Information Commissioner website.
This is intended as a summary guide only to some of the changes; it is not exhaustive and is not legal advice. Please contact us if you want to discuss further or obtain advice.
In addition to other matters listed in APPs 1.4 and 5.2, APP 5 requires organisations to notify individuals about the access, correction and complaints processes in their APP privacy policies, and also the location of any likely overseas recipients of individuals’ information.
APP 11 (Security) requires organisations to take reasonable steps to protect personal information (PI) from misuse, interference and loss, and from unauthorised access, modification or disclosure.
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met. Broadly, direct marketing:
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
An entity has obligations to destroy or de-identify personal information in certain circumstances.
An APP entity must, on request, give an individual access to the personal information it holds about them.
Some limited, specific exceptions apply.
It is also important to note that APP 8, which deals with the cross-border disclosure of personal information from Australia to outside Australia, is not limited in its application by the nationality of the individual whose PI is the subject of the transfer. In other words, APP 8 will apply to a cross-border disclosure of personal information collected in Australia, irrespective of whether the information relates to an Australian citizen or Australian resident or not.