Although the amendments to the Australian Privacy Act 1988 will not take effect until March 2014, we are taking a quick look at what these changes will bring and what they mean for compliance going forward. One thing is clear: being compliant with the new Australian Privacy Principles (APPs) will be a little more complicated and, at the same time, much more important than before.
Today, the Privacy Act 1988 regulates the handling of personal information, including the collection, use, storage and disclosure of personal information. The Privacy Act includes, among other things:
- 11 Information Privacy Principles that apply to the handling of personal information by most Australian, ACT and Norfolk Island public sector agencies
- ten National Privacy Principles that apply to the handling of personal information by large businesses, all health service providers and some small businesses and non-government organisations
- credit reporting provisions that apply to the handling of credit reports and other credit worthiness information about individuals by credit reporting agencies, credit providers and some third parties.
From 12 March 2014 those principles will be replaced by a single set of Australian Privacy Principles (APPs) which will apply to both businesses and government agencies (here’s a summary of those Principles).
Let's look at some of the significant changes the Privacy Act law reform brings for you. Under the new APPs, an entity's privacy policy must contain information about:
- (a) the kinds of personal information that the entity collects and holds;
- (b) how the entity collects and holds personal information;
- (c) the purposes for which the entity collects, holds, uses and discloses personal information;
- (d) how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
- (e) how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
- (f) whether the entity is likely to disclose personal information to overseas recipients;
- (g) if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.
Subsection (e) is especially interesting: you now need to state how an individual may complain about a breach of the Australian Privacy Principles and how you will deal with such a complaint.
Importance of compliance with the Privacy Act 1988
The act brings a significant increase in liability for Australian companies: an Australian business can be held liable for a breach of the Australian Privacy Principles by an overseas recipient or data processor as if it were its own breach. As Peter Karcher puts it, “not only will this require businesses to scrutinise the consent provisions of their privacy policies, it also warrants careful consideration of contracts with out-sourced IT service providers and cloud computing services”.
Additionally, penalties for violations are increased, which should drive home the need for greater attention by companies.
What will be important for websites and privacy policies?
Since this is a new law, we can only guess what will be important for websites and how exactly website privacy policies should be crafted. Luckily, a quote from the Australian Privacy Commissioner, Timothy Pilgrim, about a recent sweep of Australian websites and their privacy policies may help us understand what will matter going forward:
Australian Privacy Commissioner, Timothy Pilgrim, said the results of the sweep were mixed with 83% of the sites having one or more issues in the following areas: ‘easy to find’, ‘easy to read’, ‘contacts for further information’, relevance and length.
‘It is a concern that nearly 50% of website privacy policies were difficult to read. On average, policies were over 2,600 words long. In my view, this is just too long for people to read through. Many policies were also complex, making it difficult for most people to understand what they are signing up to,’ Mr Pilgrim said.
‘We did see some instances where organisations provided both a simplified and full policy to assist their customers to understand what will happen to their personal information. This attempt to use ‘layered’ privacy policies is encouraging.’
The most interesting part is the layered approach that the Information Commissioner wants to see on websites. This is one thing we have implemented in our policies from the very start.
Who is covered by the new Privacy Act?
The Privacy Act covers:
- any business that meets the turnover or personal-information criteria described below
- credit providers and credit reporting agencies
- most Australian, ACT and Norfolk Island Government agencies (Government agencies).
You are likely to be covered by the Privacy Act if you use personal information to sell advertising, including through an app (information from the OAIC regarding mobile apps).
The act applies only to companies that have a turnover of more than 3 million or that trade in personal information (e.g. sell personal information to third parties). Many website owners may therefore be exempt from the provisions of the Privacy Act.
iubenda and the Privacy Act 1988
Further helpful resources for Australia
This post is meant as a general update on privacy developments in Australia. More information can be found on the website of the Office of the Australian Information Commissioner (OAIC).