The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 was passed by the Australian parliament on 29 November 2012 (Bill). The Bill effected major changes to the Privacy Act 1988 (Cth) (Act), and replaced the “National Privacy Principles” with the “Australian Privacy Principles” (APPs). The changes took effect on 12 March 2014. This article sets out a (non-exhaustive) list of the things affected entities need to do to comply with the changes to the Act.
Entities Affected by the Changes
The Act applies to APP entities, which include governmental entities and “organisations”. The term “organisation” does not include entities captured by the definition of “small business”.
Under the Act, an entity is a “small business” only if it turns over $3,000,000 or less per year and does not:
- provide a health service;
- disclose personal information about an individual to a third party for “benefit, service or advantage”; or
- provide a “benefit, service or advantage” to collect personal information about an individual from a third party.
In other words, if an entity turns over more than $3,000,000 per year or engages in any of the activities in the bullet points above, it is captured by the Act.
Privacy Compliance Program
Under the changes, entities need to implement a “Privacy Compliance Program”, the aim of which is to ensure that the entity complies with the APPs, and has a structured procedure in place to handle complaints about the entity’s compliance with the APPs. The Privacy Compliance Program must be set out in a written document with specific types of information included.
All references to “National Privacy Principles” should be changed to “Australian Privacy Principles”.
Entities also need to add to their Privacy Policies:
- whether they are likely to disclose personal information to recipients overseas and, if so, the countries where those recipients are located; and
- a description of how an individual can complain about a breach of the APPs, and how the entity will deal with such privacy complaints.
Notices When Collecting Personal Information
Under the old regime, when an entity collected information from an individual, it was necessary to notify the individual of:
- the collecting entity’s identity;
- the purpose for which the information was collected; and
- the individual’s right to see the information that an entity collects about them.
Under the revised Act, an entity needs to inform an individual:
- if it is likely to disclose the personal information to recipients overseas (and where those recipients are located);
New Liabilities for Disclosing Data Offshore
Every entity subject to the revised Act should review its arrangements for offshore data storage and processing.
Under the Act, if an entity discloses personal information to an overseas recipient, it must take “reasonable steps” to ensure that the overseas recipient does not breach the APPs. If the overseas recipient does breach the APPs, the entity that disclosed the information will be responsible for the breach as if the entity had itself committed the breach.
An exemption applies, however. If an entity reasonably believes that the overseas recipient is subject to a law that provides for privacy protections substantially similar to the APPs, the entity will not be responsible for the breach.