If your business handles customer information, you are likely to be required to update your policies, procedures and systems to comply with a number of major changes to the Privacy Act 1998 (Cth) which came into effect on March 12. Otherwise you may face costly penalties of up to $340,000 for individuals or up to $1.7 million for corporations for serious or repeated breaches of the new privacy laws.
The 13 new Australian Privacy Principles (APPs) will replace the existing National Privacy Principles (NPPs) that currently apply to businesses. The changes include a set of new, harmonised, privacy principles that will regulate the handling of personal information by both the public and private sector.
Two key reforms include:
- A stand-alone direct marketing principle (APP 7). Generally, businesses may only use or disclose personal information for direct marketing purposes where the individual has either consented to their personal information being used for direct marketing, or has a reasonable expectation that their personal information will be used for this purpose, and conditions relating to opt-out mechanisms are met.
- Cross-border disclosure of personal information (APP 8). If your business discloses personal information to an overseas recipient, you are required to “take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs in relation to the information”. In certain circumstances, you may be deemed liable for a breach of the APPs by the overseas recipient. This is particularly relevant if your business discloses or transfers information overseas for the purposes of, for example, outsourcing or cloud computing.
What does this mean for your business?
- Conduct an audit of how your business collects, stores, uses and discloses personal information.