Time to check out the new privacy APPs and use of personal information

From 12 March 2014, both public and private sector entities will be subject to a unified set of privacy principles known as the Australian Privacy Principles (APPs). The much anticipated reforms, passed by the Federal Parliament late last year, will result in considerable change to the Australian privacy landscape.

While March 2014 may seem like a long time away, public and private sector entities need to start thinking now about how the changes will affect their collection, storage, use and disclosure of personal information.

Who is affected?

The new APPs will apply to Commonwealth government agencies, as well as those private sector business organisations which are already bound by the Privacy Act 1988 – ie. any business with an annual turnover of more than $3 million, or which is a health service provider, or which trades in personal information

The types of private sector business organisations that will be most affected are:

• retailers, distributors and other service providers who conduct direct marketing activities;

• organisations which have related entities in foreign jurisdictions; and

• organisations which outsource their business process services, or their data storage, hosting or network requirements, to entities in foreign jurisdictions.

• organisations which collect credit information or who conduct credit checks on their customers.

Key Changes

Some of the key changes introduced by the reforms and the new APPs are:

1.   Privacy Policies

While most entities bound by the Privacy Act already have a written privacy policy, the APPs now prescribes specific types of information that those policies must include.  There is also a new positive obligation to implement practices, procedures and systems to comply with the APPs and any registered APP codes.

2.   Unsolicited Information

Where an entity comes into possession of unsolicited personal information, it must now consider whether the information is of a kind that it could have collected itself under the APPs. If not, and the information is not contained in a Commonwealth Record, the information must be destroyed or de-identified.

3.   Direct Marketing

Business organisations are prohibited from using personal information for the purposes of direct marketing unless one of several exemptions apply – for example, where consent has been obtained or where the individual would reasonably expect that their information will be used for direct marketing. This new direct marketing principle does not apply to government agencies.

Individuals will be entitled to ask the businesses who send them direct marketing materials where the business obtained their personal information.  As a result, businesses which engage in direct marketing will have to keep details of the source of the personal information used for direct marketing. This is a significant change.

The Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth) will still apply to direct marketing via email, SMS and phone.

4.   Overseas transfer of personal information

While many business organisations are familiar with the rules for cross-border disclosure under the existing privacy regime, the transfer of personal information into foreign jurisdictions will now be more restricted under the APPs.

When collecting information, business organisations will need to let individuals know that their information will be transferred offshore and, if it is practicable to specify, the countries in which the recipients are likely to be located. 

Further, as a general rule, before a business organisation discloses an individual’s personal information to an overseas recipient, the organisation must take reasonable steps to ensure that the overseas recipient does not breach the APPs.  In most cases, this would require the recipient to be obliged to not breach the APPs under a written contract. There are some exceptions to this general rule, but having robust contractual arrangements with the overseas recipients of personal information is the best way to manage the risk.

5.   Credit Reporting

Changes made to the credit reporting provisions mark a shift from a ‘negative’ reporting system to one which is more comprehensive and positive.  Additional ‘positive’ data about an individual will become available to the credit reporting industry, such as repayment history, credit limits and account opening/closing dates. 

The changes mainly affect credit reporting bodies and credit providers.  The definition of a ‘credit provider’ is quite broad and includes a supplier which provides credit in relation to the supply of goods or services where repayment of credit is deferred for at least 7 days. 

Credit providers will need to ensure appropriate consents are obtained from individuals if credit information about the individual is to be disclosed to credit reporting bodies and ensure they have a privacy policy which specifically deals with how personal information used in credit reporting is collected, stored, used and disclosed. Credit reporting bodies and credit providers will have to update their policies and procedures to more readily enable individuals to access, correct and resolve issues with their personal information.

The changes also include the development of a new credit reporting code (CR Code).  A draft CR Code has been prepared by the Australasian Retail Credit Association and has been released for public comment until 5 May 2013. Credit reporting bodies and credit providers will need to comply with the new CR Code.

6.   Enforcement

The Australian Information Commissioner’s powers have been expanded.  The Commissioner will have the power:

• to initiate investigations of its own accord – without a complaint having been received;

• to conduct compliance assessments of an entity’s information maintenance practices;

• to accept written undertakings that may be enforced in court; and

• to seek civil penalties of up to $1.7 million for serious or repeated breaches.

What you should do

Organisations should use the period to March 2014 to get themselves ready for the new APPs.

The first step would be to conduct a privacy audit of the organisation - to identify what personal information is collected and how it is collected, stored, used and disclosed.  Special attention should be given to what types of credit information is collected, stored, used and disclosed.

The organisation should then revise and update its privacy policies and practices, and conduct staff training.  Organisations may also need to update credit account application forms or terms of trade, to bring them in line with the new credit reporting and credit information requirements.

Organisations should also consider their outsourcing practices and other instances where personal information may be transferred to foreign jurisdictions.  New contractual arrangements may be required with any overseas recipients of personal information.

Please contact us if you need assistance with any of these steps or if you have any queries about the new APPs.

Author: Michael Cossetto