Additional rules apply to “sensitive information”. The security obligations that apply to businesses handling that information have also been strengthened. You must also provide individuals with access to their personal information.
The Commissioner’s powers to investigate and enforce have been significantly increased. The Commissioner can seek Court injunctions against people who engage in conduct that might breach the Privacy Act, and can seek penalties against them.
Direct marketing has also become a focus, as certain conditions will now need to be met to avoid falling foul of the new laws.
Further guidelines on APP are available on the Office of the Australian Information Commissioner website.
This is intended as a summary guide only to some of the changes; it is not exhaustive and is not provided as legal advice. Please contact us if you want to discuss further or obtain advice.
Collection, use and retention of personal information should be minimised to that reasonably required as notified in a privacy policy or otherwise with a user’s consent.
In addition to other matters listed in APPs 1.4 and 5.2, APP 5 requires organisations to notify individuals about the access, correction and complaints processes in their APP privacy policies, and also the location of any likely overseas recipients of individuals’ information.
APP 11 (Security) requires organisations to take reasonable steps to protect PI from misuse, interference and loss and unauthorised access, modification or disclosure.
A privacy policy will need to include details as to:
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met. Broadly, direct marketing:
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
An entity has obligations to destroy or de-identify personal information in certain circumstances.
An APP entity must provide access when an individual requests to be given access to personal information held about them by the entity.
Some limited, specific exceptions apply.
It is also important to note that APP 8, which deals with the cross-border disclosure of personal information from Australia to outside Australia, is not limited in its application by the nationality of the individual whose PI is the subject of the transfer. In other words, APP 8 will apply to a cross-border disclosure of personal information collected in Australia, irrespective of whether or not the information relates to an Australian citizen or Australian resident.