Are you involved in a business with a turnover of more than 3 million?

Do you receive health related information?

If you answered yes to either of those questions, then the Privacy Act 1988 (Cth) applies to you and you will likely have to make some changes.

Some of the key changes are:

1. You need to have a privacy policy, and the policy needs to be available on your website. This policy must cover the following areas:

  • The kinds of personal information you collect.
  • How you collect and hold personal information.
  • The purposes for which you collect, hold, use and disclose personal information.
  • How someone may access and seek correction of the personal information you have about them.
  • How someone may complain about a breach of the Australian Privacy Principles and how you deal with complaints.
  • Whether you are likely to disclose personal information to overseas recipients.

2. This policy should actually reflect your internal processes and may require you to develop some new processes (such as a complaints procedure).
3. Where you collect personal information (such as in the case of marketing events or website queries), it needs to be obvious why you are collecting it, it should be collected from the person themselves and, where possible, with their consent. Mostly, this will already be the case. However, where third parties collect the information and provide it to you, it should also be only the information necessary for the purpose (i.e. to provide a prize). When hiring a third-party marketer, it is worthwhile specifying criteria they must meet, including having a privacy policy that complies with the law.
4. You can only use or disclose personal information for direct marketing where the individual would expect it to be so used and where a simple opt-out is provided. Individuals now have a right to request the source of the personal information and to request that their information not be used to facilitate direct marketing by others.
   There are risks if you disclose information overseas. While you may believe that you do not, if you use cloud storage providers it is sometimes difficult to know exactly where that information goes, and this can be quite a risk.
5. You must take steps to ensure that information you hold on individuals is accurate, up-to-date and complete. It needs to be kept secure against misuse, interference and loss, and should be destroyed when no longer needed (as you do with credit card information).
6. The Privacy Commissioner has new powers of investigation under the amendments and there are much bigger sanctions for serious or repeated interferences with privacy.

Please contact Peter North if you would like assistance dealing with privacy issues.