Agencies and organisations were given significant notice that, come 12 March 2014, they would need to comply with the amended Privacy Act and the 13 Australian Privacy Principles (“APPs”) set out in it.
Does your business need to comply?
If you answer “YES” to the following questions, your organisation must comply with the APPs:
Is your organisation an APP Entity?
APP Entities are organisations or Government agencies that satisfy any of the criteria below:
- businesses and non-government organisations with an annual turnover greater than $3 million
- private sector health service providers (regardless of turnover)
- private schools, if they have an annual turnover greater than $3 million, or provide a health service
- private and ACT universities
- small businesses that have opted-in to the Privacy Act
- businesses covered by an approved privacy code
- businesses that sell or purchase personal information without the consent of the individual or where the disclosure or collection is not authorised or required by law
- credit providers and credit reporting agencies that handle personal credit file information, regardless of their annual turnover
- Federal Government agencies
Does your organisation collect Personal Information?
Does your organisation handle and collect information, or form opinions, about identified individuals, or individuals who are reasonably identifiable from the information? It doesn’t matter:
(a) if the information or opinion is true or not; nor
(b) whether the information is recorded in a material form or not.
Does your organisation carry on business in Australia or collect personal information in Australia?
What types of information are covered by the APPs?
The APPs cover Personal Information, which can be collected through a range of activities and includes:
- name, address, signature, date of birth, bank account details, employment details, commentary and opinion about the person
- information about an individual’s health or disability or personal information collected in providing health services (including by complementary therapists, dentists, gyms, weight loss clinics, pharmacies, child care centres, private schools and tertiary institutions)
- genetic information
- information about race or ethnicity, political opinions or memberships, religious beliefs, union and professional association memberships, sexual preference or practices, criminal records
- information and opinions relating to prospective employees and employees
Compliance program and complaints processes
APP Entities should know what information they are handling and collecting, how the APPs apply to their business and ensure that pre-existing policies and procedures are reviewed and modified accordingly.
If your organisation is an APP Entity you need to understand the obligations and requirements of the 13 APPs.
APP 1 requires the APP Entity to manage personal information in an open and transparent way. To comply with this APP the APP Entity must take reasonable steps to implement a compliance program which:
- sets out practices, procedures and systems to ensure compliance with the APPs and any applicable binding registered APP code;
- includes a complaints handling process to deal with inquiries and complaints relating to a person’s personal information;
- has, keeps current and makes freely available, an APP Privacy Policy clearly stating how the organisation handles personal information.
The privacy policies, procedures and systems must address the matters regulated in the other 12 APPs including:
- individuals’ anonymity and ability to use pseudonyms
- collection of solicited personal information and dealing with unsolicited personal information
- requirements to notify individuals of the collection and use of personal information
- the purpose of the collection of personal information
- use and disclosure of personal information
- direct marketing
- sending personal information overseas
- adoption, use or disclosure of government related identifiers
- the accuracy, completeness and correction of personal information
- maintaining security of personal information
- giving individuals access to their personal information
Penalties for failing to comply with the APPs:
The Office of the Australian Information Commissioner will have wider powers than it previously had. These will include the ability to accept enforceable undertakings, seek civil penalties and conduct assessments of the privacy performance of government agencies and businesses. The pecuniary penalties will increase to up to $1.1 million for breaches of the Privacy Act by companies.
It is important to make sure that compliance programs are developed and can work effectively to ensure protection of individuals’ personal information and compliance with the organisations’ legal obligations.
If you need advice or help with understanding your organisation’s obligations and developing and implementing an effective compliance program, we are here to help.
More information can be found on the OAIC website.
