Enhancement to Privacy Protection
The Federal Parliament has passed legislation which significantly reforms the Privacy Act 1988 (Cth). Whilst these reforms do not take effect until March 2014, businesses should consider their implications for current policies and processes to ensure that they are compliant by the commencement date. Personal information includes any information that could reasonably identify a person, such as residential addresses, email addresses and phone numbers.
The changes mean a set of 13 Australian Privacy Principles (APPs) will apply to both Commonwealth agencies and private sector organisations (APP entities). Currently there are 10 National Privacy Principles that apply to the private sector. Many of the APPs simply reflect and build on the existing principles, but there are a few significant inclusions or differences. For business the most significant changes include:
1. Greater obligations to ensure comprehensive privacy policies and processes are in place.
2. New obligations to assess whether the collection of unsolicited personal information is reasonably necessary and, if not, to destroy or de-identify it.
3. More restrictive rules on how organisations can use personal information for direct marketing purposes.
4. More onerous responsibilities when disclosing personal information to overseas entities (including a cloud service provider) by:
- Requiring an APP entity, which discloses personal information to an overseas entity, to take reasonable steps to ensure the overseas recipient does not breach the APPs; and
- Rendering the APP entity, that discloses the personal information, liable for any act or omission by the overseas entity that is not in accordance with the APPs.
In addition, a new credit reporting system is being introduced. The current system is considered a ‘negative’ system in that its information reflects predominantly negative credit behaviours. The new system will allow the collection of additional information such as:
- The date a credit account was opened
- Type of credit account opened
- Date credit account closed
- Current limit of each open credit account
- Repayment performance history.
The purpose of this new information is to allow credit providers to make a more robust assessment of individual credit risk. The new system also includes enhanced obligations on credit providers with regard to data quality, access and correction, as well as complaints.
To prepare for the new reforms, businesses should:
- Consider their current privacy policies and processes to identify gaps in compliance
- Review and update current privacy policies to ensure they comply with the APPs
- Educate and train staff on the new privacy obligations
- Put in place all business processes and practices needed to ensure compliance.
A good place to start is to ask the following questions:
- What information does my business collect that could be regarded as ‘personal information’?
- For what purpose did we collect this information? Is it still being used for just that purpose?
- How do we ensure that the information remains accurate and secure?
- Do we use the information for direct marketing? If so, do we comply with the requirements to enable us to use the information for this purpose?
- Do we disclose the information to another Australian entity? What about an overseas recipient?
To obtain the full exposure draft follow the link: http://www.smos.gov.au/media/2010/docs/Privacy-reform-exp-draft-part-1.pdf