The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (“the Privacy Amendments”) came into effect on 12 March 2014 and introduced the new Australian Privacy Principles (“the APPs”), which apply to both the private sector and government agencies.
The APPs regulate the handling of personal information and require entities to manage personal information in an open and transparent way, including the following requirements:
- To only collect personal information that is reasonably necessary for the functions and activities of the business;
- To destroy or de-identify unsolicited personal information;
- To notify individuals about the collection of personal information, including the purposes for which you collect information and the consequences if it is not collected;
- To not use or disclose information other than for the purpose for which it was collected, without the consent of the individual;
- To not use or disclose personal information for the purpose of direct marketing (subject to exceptions);
- To not disclose personal information to anyone outside Australia without first taking reasonable steps to ensure that the overseas recipient does not breach the APPs;
- To ensure that personal information is accurate, up to date and complete and to correct information to ensure it is complete, up to date and not misleading;
- To protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure;
- To give individuals access to personal information held on the individual on request.
- The types of credit information you collect and the method by which you collect that information;
- The purpose for disclosing credit information;
- How individuals can seek access to, and correction of, their information;
- How credit eligibility information about an individual will be used;
- How individuals can complain about the information collected and how these complaints will be handled.
Training manuals, direct marketing practices and any contracts with subcontractors and service providers, including any arrangements for data storage or processing which may involve the transfer of personal information offshore, will also need to be reviewed.
The consequences of non-compliance include penalties of up to $1.7 million for bodies corporate, and the Office of the Australian Information Commissioner now has expanded powers to investigate and monitor privacy compliance, so it is imperative that your business has the correct policies and procedures in place.
For more information, contact Natalie Ledlin, Lawyer & Practice Director
Direct Line: 02-8488-3383