Is Your Privacy Policy Up To Date?

You are probably aware, although it is worth a reminder, that some important changes to Australian privacy laws came into effect on 12 March 2014.

From that date, businesses stand to be liable for increased penalties of up to $1.7 million for breaches of the Privacy Act in relation to how they collect and use personal information.

In addition to new information, which must form part of your privacy policy, there will now be an increased risk of liability for Australian businesses when transferring personal data overseas. That means a lot of businesses need to look at their data storage and IT outsourcing arrangements, including cloud computing services, to make sure they have minimised their risk.

There are also changes to how you can use personal information for direct marketing.

“While these changes have been coming for some time, we are finding that clients are only now becoming alert to the potential impact of these changes on their business, and we are currently advising numerous clients on privacy compliance ahead of these changes,” said Mr. Peter Karcher, Media Partner at ClarkeKann Lawyers and Privacy Law specialist.

Peter outlined, in an interview last year, the changes that had been made to the Privacy Act and offered some advice as to what your Privacy Policy must include. Please find a transcript of that interview below.

Because publishers invariably collect and use personal information of readers and subscribers, recent changes to the Privacy Act 1988 mean you should be reviewing and updating your privacy policy.

What changes have been made to the Privacy Act?
Towards the end of 2012 the Senate passed amendments to the Privacy Act 1988 implementing changes to Australian privacy law in a number of areas. These changes included:
1. New information which must form part of your privacy policy;
2. Increased liability for Australian businesses when transferring or disclosing personal information overseas; and
3. Greater penalties and enforcement powers for the Australian Information Commissioner.

What must your Privacy Policy include?
All businesses regulated by the Privacy Act must have a privacy policy. The new Australian Privacy Principle 1 sets out the information which a privacy policy must contain. It maintains the existing obligations to clearly disclose the kind of personal information which an entity collects, how that information is collected, the purposes for which it is collected, and how it may be used or disclosed. In addition it is now mandatory to include how an individual may complain about a privacy breach, how the entity will deal with such a complaint, whether or not personal information is likely to be transferred overseas, and if possible the countries to which it is likely that personal information will be transferred.

How do the changes affect outsourcing of information management and storage such as Cloud Computing?
Under existing laws, a business may only transfer personal information overseas if the individual concerned consents, or if the business has taken certain steps to ensure that the overseas recipient will hold and use the information consistently with Australian law. The amendments to the Privacy Act take this a step further, so that even in circumstances where the Australian business has taken such steps, a privacy breach by the overseas recipient can be deemed to be a breach by the Australian business, giving rise to liability for the Australian business under local Australian law. Not only will this require businesses to scrutinise the consent provisions of their privacy policies, it also warrants careful consideration of contracts with outsourced IT service providers and cloud computing services.

What should you do now?
With increased penalties of up to $1,100,000 for corporations, and the possibility of actions for misleading and deceptive conduct under the Australian Consumer Law, businesses need to be prepared for the effective start date of these new laws in March 2014 by reviewing their privacy policies, data collection and handling policies, and third party IT and data management contracts.

Want more information?

Peter Karcher may be contacted as follows:
P: (02) 8235 1218