Executive Summary

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) became law in December 2012. This introduces a new statutory regime with mandatory privacy principles with which all relevant businesses must comply. These principles, known as the Australian Privacy Principles (or APPs), combine and replace the National Privacy Principles and the Information Privacy Principles contained in the Privacy Act 1988 (Cth).

The new APPs apply to all direct selling organisations with a minimum annual turnover of $3 million which must, by 12 March 2014:

  1. have a privacy policy tailored to meet the requirements of the APPs;
  2. not use or disclose any information they may hold about an individual for direct marketing, subject to specific exceptions;
  3. before providing an overseas organisation (including related companies) with personal information, take reasonable steps to ensure that the overseas recipient complies with the APPs;
  4. have in place an adequate scheme allowing access to complaints; and
  5. comply with requirements regarding unsolicited information.

Moreover, the amendments to the Privacy Act grant greater enforcement powers to the Australian Privacy Commissioner. The Commissioner will be able to obtain enforceable undertakings from an organisation and apply to a court for a civil penalty order against organisations in breach of the Privacy Act. These penalties can range from $110,000 up to $1.1 million.

Accordingly, direct selling organisations should become familiar with their obligations under the Privacy Act and take steps to become compliant. One of the key steps which needs to be taken is to ensure that their Privacy Policies comply with the new requirements of the Privacy Act.

Australian Privacy Principles

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the Act) introduces the Australian Privacy Principles (APPs), which combine and replace the National Privacy Principles and the Information Privacy Principles contained in the Privacy Act 1988 (Cth). The APPs set out obligations with which direct selling organisations (DSOs), with a minimum annual turnover of $3 million, must comply relating to the collection, storage, security, use, disclosure, access and correction of personal information acquired by an "organisation".1 Broadly speaking, personal information is any information which can identify a person.

DSOs with an annual turnover of less than $3 million will also be required to comply with the APPs if they trade in personal information (for example through buying or selling mailing lists) or are related to a larger company. In any event, they should consider complying with the APPs, if not already, because of the strong message to consumers that the organisation, regardless of its size, recognises the importance of treating personal information in an appropriate and secure manner.

Changes to Privacy Regulation

So how will the changes impact upon the way in which your DSO handles personal information?

Privacy Policies - You must have a privacy policy. Your privacy policy must state:

  1. details of the kind of personal information collected;
  2. how it is collected and held;
  3. the purposes of collection;
  4. how individuals can seek access to and/or correct personal information;
  5. how a complaint may be made; and
  6. whether the personal information will be disclosed to overseas recipients and, if so, the countries where the recipients are located (if practicable).2

These requirements are considerably more prescriptive as to privacy policy content than the previous requirements. Accordingly, privacy policies need to be updated to meet the new requirements. For example, it used to be sufficient for a privacy policy to state that a company "collects personal information from its customers for the purpose of providing services to those customers". It is now necessary for the privacy policy to stipulate what kind of personal information is being collected, and the purpose of collection. Moreover, multinational DSOs need to take special care to meet the new obligations. This will be relevant for many DSOs operating in Australia which are part of a global group.

Direct Marketing - The use of personal information in the promotion and sale of goods and services directly to new and existing customers will now be regulated.3

This means that, if you hold personal information about an individual, you must not use or disclose the information for the purpose of direct marketing.4 However, there are various exceptions.

You will be permitted to use personal information for direct marketing if:

  1. your business collected the information from the individual;
  2. the individual would reasonably expect your business to use or disclose the information for the purpose of direct marketing;
  3. you provide a simple means for the individual to request to opt out of receiving direct marketing communications; and
  4. the individual has not requested to opt out.5

This exception does not apply to sensitive information (i.e. health information, genetic information, political opinions, and information about racial or ethnic origins). Care will need to be taken by DSOs to ensure that any marketing complies with this principle. It is particularly important in respect of online marketing targeting Australians which is often conducted from outside Australia.

Cross-border disclosures of personal information6

Before providing an overseas organisation (including a related body corporate) with personal information about an individual, an Australian organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs. This is because Australian organisations will remain accountable for information sent overseas and will be liable for breaches of the APPs by overseas recipients. This is a significant change to Australia's privacy regime and will impact upon Australian subsidiaries of overseas companies. Reasonable steps will not be required if the recipient is subject to a law which protects the personal information in a way which is similar to the protection provided by the APPs.

Accordingly, adequate precautions must be in place to prevent unintended and unauthorised breaches of the APPs, particularly in a global context.

Access and Complaints – You must ensure that an individual is aware of:

  1. the fact that they can access their information;
  2. their rights of complaint;
  3. the purposes for which their information is collected; and
  4. any organisations to which the information may be disclosed, including overseas recipients. Examples may include third party vendors providing order fulfilment and other administrative services such as the preparation of mail-outs and credit card processing.7

This information will need to be set out specifically.

Unsolicited Information – If you are a DSO dealing with personal information which was not solicited by your organisation, that unsolicited information will also be regulated. Unsolicited information might be received from, for example, a member of the public sending a query to the DSO about its range of products.

  1. When unsolicited information is received, you must, within a reasonable period, determine whether or not your organisation could have collected the information in accordance with the collection rules, which require that you only collect personal information that is reasonably necessary for, or directly related to, one or more of your organisation's functions or activities.8 If so, the personal information is then regulated by the Act in the same way as if it had been solicited.
  2. However, where you receive unsolicited personal information which is not reasonably necessary for, or directly related to, one or more of your DSO's functions or activities, reasonable steps must be taken as soon as reasonably practical to either destroy the information or de-identify it so that it is no longer personal information.9

Undertakings and Civil Penalties - Greater powers will be held by the Australian Privacy Commissioner. Most notably, the Commissioner will be able to:

  1. obtain enforceable undertakings from an organisation; and
  2. apply to a court for a civil penalty order against organisations. These penalties can range from $110,000 up to $1.1 million.

How might these changes impact on your business?

The Act will impact DSOs in various ways. DSOs must:

  1. revise their privacy policy to comply with the mandatory requirements set out in the Act;
  2. when engaging in direct marketing, provide a clear and simple method that allows targeted consumers to opt out;
  3. keep more detailed, accurate and current records as to how personal information is obtained as individuals will be able to request details of how their personal information was obtained by the DSO; and
  4. take steps to ensure appropriate measures are in place where personal information is likely to be sent overseas. Given your DSO will be liable for any breach, you should take steps to ensure that, if personal information is sent overseas, the recipient complies with stringent obligations in connection with the protection of privacy.

What now?

  • We would recommend that DSOs conduct a privacy audit to examine the extent to which the Act will apply and the changes required to ensure compliance with the Act.
  • Privacy training for relevant staff should be coordinated.
  • You may also wish to appoint a Privacy Officer to deal with queries and compliance issues and maintain a specific email address for privacy queries.
  • Adopting such measures will reduce your risk of breaching these requirements.

Conclusion

The Act will impact upon the way in which your DSO collects, uses and discloses personal information. Your organisation will be expected to be fully compliant with the new obligations by 12 March 2014. Accordingly, you and your DSO should be considering the changes which you need to make to comply fully with the Act before the deadline.

The assistance of Katie Kavanaugh, Clerk, of Addisons in the preparation of this article is noted and greatly appreciated.

Footnotes

1 An "organisation" is an individual, body corporate, partnership or any other unincorporated association or trust, which is not a "small business" (a business with an annual turnover of less than $3 million) - s 6 Privacy Act 1988 (Cth).
2 APP 1
3 APP 7
4 APP 7.1
5 APP 7.2
6 APP 8
7 APP 5
8 APPs 3.1 and 3.2.
9 Note this is not the case in relation to information contained in a Commonwealth record (i.e. sensitive personal information contained in a Commonwealth record that is not suitable for public release).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.