The article that says it all: Are you prepared for the March 2014 Privacy Act changes?

January 8, 2014 |

On 5 December 2013 the Age ran a piece titled Are you prepared for the March 2014 Privacy Act changes?  It is a piece, with helpful links to business.gov.au and the Privacy Commissioner’s site, that sets out directly and pithily the key issues that every organisation and agency needs to address now rather than in March 2014.

It provides:
From 12 March 2014, there will be many changes to the Privacy Act.
Although this seems a while away, if the Privacy Act applies to your business, it’s a good idea to start preparing for the changes now.

Does the Act apply to my business?

The Privacy Act protects personal information handled by large businesses and health service providers of any size.
The Act may also apply to a small business if it has an annual turnover of more than $3 million and either:
  • trades in personal information
  • provides services under a Commonwealth contract
  • runs a residential tenancy database
  • is related to a larger business
  • is a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act.
If you’re not sure whether the Privacy Act applies to your business, try the 9 Step Privacy Checklist for Small Business External link on the Office of the Australian Information Commissioner (OAIC) website.
If you’re still not sure, you may need to seek advice from your lawyer or other business advisors.

What is changing?

A new set of privacy principles that covers the handling of personal information by businesses will be introduced.
The changes will affect how businesses can:
  • handle and process personal information
  • use personal information for direct marketing
  • disclose personal information to people overseas.
The Privacy Act changes will also give the Information Commissioner the ability to:
  • investigate serious breaches (including the right to impose penalties on businesses)
  • assess the privacy performance of businesses.
To comply with the Privacy Act from 12 March 2014, businesses will need to have a clear and up to date privacy policy that is easily available.
For details of all changes to the Privacy Act, visit the Privacy law reform External link page on the OAIC website.
For an introduction to privacy legislation, try the snapshot of the Privacy Act for small business External link or the guide to privacy for small business External link.

Connect with business.gov.au

  • Don’t get off to a shaky start. Watch our countdown of the Top 10 Bad Business Handshakes and find out how we can help businesses of all ‘shakes’ and sizes.
  • Join business.gov.au on Facebook External link to get the latest business news delivered straight to your news feed.
  • On Twitter? Follow us External link @business_gov_au.
  • Watch our suite of useful business videos on our business.gov.au YouTube External link channel.
  • Visit our News and Features page to stay up to date with the latest business news this month.
And the flip side to the above story is the piece in the Australian later in the month, Companies not ready for privacy laws.
It provides:
AT least half of corporate Australia will not be compliant with new privacy laws when they come into effect in March next year, according to a legal expert.

DLA Piper intellectual property and technology partner Alec Christie said there was little understanding of what businesses had to change in order to be compliant.

“My feel is 50 to 60 per cent of corporate Australia will not be compliant by March 12 and either it is a hangover from not taking the previous law that seriously, because there weren’t penalties and fines, or it is just not on their to-do list,” he said.

The new privacy laws apply to all businesses that turnover more than $3 million a year and which collect personal data. This includes many online retailers and tech start-ups as well as large corporations and all federal government departments and agencies.

From March 12, the same set of rules, the Australian Privacy Principles (APPs), will apply to both businesses and federal government.

“It is certainly of most import online because we do so much online, but it is applicable to everything so good old-fashioned businesses that collect forms in hard copy it applies to them as well,” Mr Christie said.

Under the new laws, agencies and companies can be fined $1.7 million and individuals $340,000 for serious or repeated invasions of privacy.

“I think a lot of corporate Australia is just missing the point that this is not just a change to the wording but it is a complete change in the attitude.”

Currently, if company X collected personal information from a consumer and wanted to share it with company Y the only obligation on company X was to state in its privacy policy that it would share the information with a third party.

The new laws mean the obligation also falls on company Y to contact the consumer and let them know how they plan to use their data.

“That is a consequence which has possibly catastrophic knock-on circumstances,” Mr Christie said.

Organisations must have an up to date privacy policy and train their staff on it and privacy compliance.

Mr Christie said organisations needed to undertake a “mini privacy audit”.

“They need to look at what they collect, how they collect it, what purposes they use it for, how long they keep it and then map that against the APPs,” he said. “I think most of them will find at least one of those scenarios is contrary to what their obligations are.”

He said the privacy law changes would reinvigorate consumer interest in privacy.

Leave a Reply