If you are a business which collects and/or uses personal information of customers and clients, then recent changes to the Privacy Act 1988 mean you will need to review and update your privacy policy.

What changes have been made to the Privacy Act?

Late last year the Senate passed amendments to the Privacy Act 1988 implementing changes to Australian privacy law in a number of areas. These changes included:

  1. New information which must form part of your privacy policy;
  2. Increased liability for Australian businesses when transferring or disclosing personal information overseas; and
  3. Greater penalties and enforcement powers for the Australian Information Commissioner.

What must your Privacy Policy include?

All businesses regulated by the Privacy Act must have a privacy policy. The new Australian Privacy Principle 1 sets out the information which a privacy policy must contain. It maintains the existing obligations to clearly disclose the kind of personal information which an entity collects, how that information is collected, the purposes for which it is collected, and how it may be used or disclosed. In addition, it is now mandatory to include how an individual may complain about a privacy breach, how the entity will deal with such a complaint, whether or not personal information is likely to be transferred overseas, and, if possible, the countries to which it is likely that personal information will be transferred.

How do the changes affect outsourcing of information management and storage such as Cloud Computing?

Under existing laws, a business may only transfer personal information overseas if the individual concerned consents, or if the business has taken certain steps to ensure that the overseas recipient will hold and use the information consistently with Australian law. The amendments to the Privacy Act take this a step further: even where the Australian business has taken such steps, a privacy breach by the overseas recipient can be deemed to be a breach by the Australian business, giving rise to liability for the Australian business under local Australian law. Not only will this require businesses to scrutinise the consent provisions of their privacy policies, it also warrants careful consideration of contracts with outsourced IT service providers and cloud computing services.

What should you do now?

With increased penalties of up to $1,700,000 for corporations, and the possibility of actions for misleading and deceptive conduct under the Australian Consumer Law, businesses need to be prepared for the effective start date of these new laws in March 2014 by reviewing their privacy policies, data collection and handling policies, and third party IT and data management contracts.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.