As businesses develop and extend their online presence, many quickly find themselves collecting personal information from their website's visitors, including as a result of enquiries, signing up to an email newsletter, or online ordering and payment processing.
Long-anticipated changes to privacy law in Australia were made late last year and these changes will come into effect on 12 March 2014. The changes introduce a new set of 13 privacy rules called the Australian Privacy Principles (APPs) that replace the current credit reporting provisions, and strengthen the powers of the Australian Information Commissioner.
If the APPs apply to your business, you will need to review, and potentially change, your information handling practices to make sure that you comply with the new privacy requirements before they come into effect.
The APPs will apply broadly to many types of organisations and businesses. However, small businesses (those with an annual turnover of $3 million or less) are generally not required to comply with the APPs, unless an exception applies.
Changes to the Collection and Handling of Personal Information
The new APPs replace the existing National Privacy Principles and govern the collection, use, disclosure and maintenance of personal information. Among the important changes for businesses that currently have to comply with the Privacy Act are:
- Open management of personal information
- Dealing with unsolicited information
It is important to realise that the APPs apply even if you are given unsolicited personal information, ie personal information you did not ask for. Businesses that receive unsolicited personal information must determine whether this information could have been lawfully collected by the business itself. If the business could not have lawfully collected the information itself, it will generally need to destroy or de-identify the information.
- Direct marketing obligations
There are new requirements around direct marketing to individuals, for example through telephone calls, SMS, mail, email and online advertising.
If businesses use personal information such as contact details for direct marketing purposes, they must ensure (amongst other things) that there is a straightforward and free mechanism for individuals to opt-out from receiving the direct marketing communications.
These requirements do not override obligations under the Spam Act, which continue to apply to electronic communications.
- Overseas disclosure of personal information
If you send personal information overseas (including storing and processing information in the cloud with an overseas service provider), the obligations on you will become greater following the changes to the privacy law.
Under the changes, before a business discloses personal information overseas (which may happen without the business even knowing), the business must take reasonable steps to ensure that the overseas recipient of the information does not breach the APPs. If it does, the business may still be held liable for any breach by the overseas recipient.
Increased powers of the Commissioner
Under the changes, the Commissioner will be given the power to seek penalties of up to A$1.7 million for serious or repeated interferences with an individual's privacy. The Commissioner will also be given the power to accept court enforceable, written undertakings from businesses to comply with agreed privacy obligations. The Commissioner's powers of investigation have also been strengthened, with the Commissioner now able to conduct investigations into potential breaches of the privacy law even if a complaint has not been made.
The new privacy laws come into effect on 12 March 2014. Even if the new privacy laws don't apply to your business, you should consider these issues and how you might address them – your business may benefit from a better relationship with its customers as a result.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.