Privacy Act changes – deadline looms

Businesses need to prepare now for changes to the Privacy Act that take effect from 12 March 2014.  Businesses that fail to update their privacy policies and practices will very likely find themselves in breach of the Privacy Act, potentially resulting in fines and orders to pay compensation, and possibly adverse publicity.

All businesses with an annual turnover of more than $3 million must comply with the requirements of the Privacy Act when handling personal information, which include having a compliant written privacy policy.  From 12 March 2014, those requirements will change as a new set of Australian Privacy Principles (APPs) will take the place of the current National Privacy Principles (NPPs).

For most businesses, this will mean that their current privacy policies will no longer be compliant with the Privacy Act.  In addition to having to comply with the substance of the new APPs, businesses need to be aware that a failure to have an up-to-date and compliant privacy policy will constitute a breach of the APPs, which can lead to the business being fined or ordered to pay compensation.

Some of the changes introduced by the new APPs include:

  • A prescriptive approach to what the content of privacy policies must include.
  • Restrictions on the use or disclosure of personal information for direct marketing purposes unless certain exceptions apply.
  • The need to advise individuals whether their personal information is likely to be disclosed to overseas recipients and, if so, in what countries those recipients are located.

In addition to these changes to the APPs, the amending legislation has also handed sweeping new powers to the Australian Information Commissioner and introduced greatly increased penalties for breaches of the APPs.

Amongst the Commissioner’s new powers are the ability to obtain undertakings from businesses which are enforceable by a Court and, in serious cases, to take businesses directly to Court to have fines imposed.

The maximum fine that can now be imposed on businesses for serious breaches of the APPs will be increased to $1.7 million.  The Commissioner has also recently flagged a ‘get tough’ approach, meaning that he is unlikely to be as forgiving of transgressions as previously.  Whilst most penalties imposed on businesses for breaches will not approach the maximum penalty of $1.7 million, the fact that the penalty has been increased significantly, coupled with the Commissioner’s tough new approach, indicates that businesses face a far greater exposure under the new regime.

It is worth noting again that in almost all cases, businesses’ existing privacy policies will cease to be compliant on 12 March 2014 unless they have been updated.  In most cases, the changes that would need to be made can be made quite readily without the need to completely overhaul the existing privacy policy.

Paul Hesse and Craig Healy of our office would be happy to discuss with you what might be involved in updating your policy.