This article was produced by CIE Legal, who provide legal reviews for eComplianceTraining.

March 2014

The changes to the Privacy Act 1988 (Cth) (the Act) place new requirements on organisations for the collection, use and disclosure of “personal information” and “sensitive information” about individuals.

The changes also introduced 13 Australian Privacy Principles (APPs) that replaced the existing National Privacy Principles (NPPs).  The APPs set out minimum standards for the collection and storage, use and disclosure of information, and require organisations to establish procedures to ensure that they comply with the Act.

• Personal information is defined under the Act as – information or opinion (whether true or not) about an individual who is identified or could reasonably be identified.
• Sensitive information is defined under the Act as – personal information about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record, or health information.  The APPs expanded the definition of sensitive information to include biometric information; used for biometric verification or identification (i.e. fingerprints and DNA).
• Careful consideration needs to be given when dealing with sensitive information and legal advice should be sought if such information is being dealt with.

The changes to the Act also greatly expand the powers of the Office of the Australian Information Commissioner (OAIC).  The civil penalties for non-compliance have drastically increased. Companies now face a $1.7 million penalty for serious repeated interference with privacy, and individuals may be liable for a penalty of $340,000 for similar breaches.  The OAIC has also been given broader powers to:

• Conduct performance assessments to ensure compliance with the APPs;
• Accept enforceable undertakings from entities;
• Make an enforceable determination after an own motion investigation; and
• Develop and register binding privacy codes.

Tips for dealing with these changes:

1. Update your privacy policy and collection statement to comply with the APPs.
2. Prepare policies and guidelines for the use of personal and sensitive information via contact lists, supplier contracts and data security.  Also consider a policy that deals with the removal of data that is no longer required to be stored by your organisation.
3. Conduct a privacy review of your organisation and consider how you collect, use and disclose personal and sensitive information.
4. Appoint a staff member to act as your Privacy Officer.  This person should implement and oversee a privacy compliance strategy and respond to privacy enquiries and complaints.
5. Provide training to your staff to ensure they are familiar with the APPs and understand how they impact your business practices.
6. Conduct a privacy impact assessment in respect of any new project to be undertaken by your organisation.  The assessment should consider whether personal or sensitive information will be collected, used, or disclosed.

CIE Legal is also available to assist with updating your privacy policy and collection statement.

eCompliance Training offers a Workplace Privacy Essential Obligations online training program.  This online training program helps employees to understand the importance of the role they play in protecting privacy. The program also explores the consequences that may be imposed on individuals and organisations, should a privacy breach occur. Custom and tailored versions are available, in addition to face-to-face delivery options. Click here to learn more.