Recent amendments to the Privacy Act 1988 (Cth) (‘Privacy Act’) have introduced a new set of privacy obligations known as the Australian Privacy Principles (‘APPs’). The APPs, which came into effect on 12 March 2014, must be complied with by both Government agencies and private sector organisations that fall within the definition of an APP entity.
The APPs replace both the Information Privacy Principles (IPPs), which previously applied to Government agencies, and the National Privacy Principles (NPPs), which previously applied to private sector organisations. The new obligations differ significantly from the old ones and provide wider protection for personal information.
What is an APP entity?
Under the Privacy Act, an APP entity means an Australian or Norfolk Island Government agency, or any organisation that:
• Has an annual turnover of more than $3,000,000.00; or
• Provides a health service and holds any health information; or
• Trades in personal information, that is, collects or discloses personal information about an individual for a benefit, service or advantage; or
• Is a contracted service provider for a Commonwealth contract.
An organisation with an annual turnover of $3,000,000.00 or less is generally exempt as a small business operator unless it falls within one of the other categories above.
What are the APPs?
The obligations placed on an APP entity are summarised as follows:
1. The APP entity must manage personal information in an open and transparent way, including by maintaining a clearly expressed and up-to-date privacy policy;
2. The APP entity must, where practicable, give individuals the option of dealing with it anonymously or under a pseudonym;
3. Personal information may only be collected where it is reasonably necessary for the entity's functions or activities, and sensitive information may only be collected with the individual's consent unless an exception in the Privacy Act applies;
4. Where the APP entity receives unsolicited personal information, it must determine whether it could have collected that information under the Privacy Act and, if not, destroy or de-identify it;
5. When personal information is collected about an individual, the APP entity must notify that individual of certain matters, including the purposes of collection and how the information may be disclosed;
6. An APP entity may only use or disclose personal information for the purpose for which it was collected, except where the Privacy Act permits a secondary purpose;
7. Personal information collected by the APP entity must not be used or disclosed for direct marketing unless the Privacy Act permits it;
8. Before disclosing personal information to an overseas recipient, the APP entity must take reasonable steps to ensure the recipient does not breach the APPs, and the entity generally remains accountable for the recipient's handling of that information;
9. Government related identifiers (such as a tax file number or Medicare number) must not be adopted, used or disclosed by the APP entity except where permitted;
10. The APP entity must take reasonable steps to ensure that any personal information it collects, uses or discloses is accurate, up-to-date and complete;
11. Personal information held by the APP entity must be protected by reasonable security measures against misuse, interference, loss, and unauthorised access, modification or disclosure, and must be destroyed or de-identified once it is no longer needed;
12. An APP entity must give an individual access to their personal information upon request, subject to the exceptions set out in the Privacy Act; and
13. Any personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading must be corrected in accordance with the Privacy Act.
Penalties for Non-compliance
Given that these obligations are designed to provide better protection for personal and sensitive information, the Commissioner has enhanced powers to take enforcement action against APP entities that fail to comply with the APPs. In particular, the Commissioner may investigate an APP entity to determine whether there has been an interference with the privacy of an individual and, for a serious or repeated interference, apply to the Federal Court for a civil penalty order of up to 2,000 penalty units for an individual or 10,000 penalty units for a body corporate (at the 2014 penalty unit value of $170, up to $340,000.00 and $1,700,000.00 respectively).
Require Assistance?
Our office is able to assist with ensuring that your business complies with the new privacy obligations imposed under the Privacy Act.