The New Australian Privacy Principles

The Australian Privacy Principles (APPs) were revised and reissued in March 2014. The APP guidelines outline:

  • the mandatory requirements in the APPs, which are set out in Schedule 1 of the Privacy Act.

  • the Information Commissioner’s interpretation of the APPs, including the matters that the Office of the Australian Information Commissioner (OAIC) may take into account when exercising functions and powers relating to the APPs.

  • examples that explain how the APPs may apply in certain circumstances.

  • good privacy practice to supplement minimum compliance with the mandatory requirements in the APPs.


Although the Privacy Act uses the words “must” and “is required to” to indicate mandatory behaviour, the APP Guidelines give suggestions by using the words “should”, “could” and “is expected to”. The Guidelines do not constitute legal advice about how you should comply with the APPs in particular circumstances, and it would be appropriate to seek legal advice when putting in place procedures for handling personal information.

The thirteen APP principles cover:

  • Consideration of personal information privacy (APPs 1 and 2)

  • Collection of personal information (APPs 3, 4 and 5)

  • Dealing with personal information (APPs 6, 7, 8 and 9)

  • Integrity of personal information (APPs 10 and 11)

  • Access to, and correction of, personal information (APPs 12 and 13)

Some of these are more relevant to certain organisations that process personal information than others. Two principles that are relevant to all organisations that handle personal information are APP 1 and APP 5.

  • APP 1 requires organisations to handle personal information in an open and transparent manner.

  • APP 5 sets out matters that an organisation has to inform individuals about at the time of, or as soon as possible after, the collection of their personal information.

In respect of APP 1, a compliant privacy policy should be specific and tailored to your business, easy to understand, cover the types of information collected, and explain how the information is held and disclosed. Other mandatory matters that should be set out in your privacy policy include:

  • the type of personal information collected and held by your business

  • how your business collects and holds personal information

  • the purposes for which personal information is collected, held, used or disclosed

  • how a person may access their personal information and get it corrected

  • how a person may complain if their privacy is breached, and

  • whether your organisation is likely to disclose personal information overseas.


If your organisation is part of a group or structure, the privacy policy must indicate whether it applies to the whole group or to individual businesses. Separate policies should be designed where there are differences in the way in which different parts of the group handle personal information.

The use of 'bundled' consent is of concern to the OAIC particularly in relation to direct marketing. Bundled consent is where consent for direct marketing is combined with other consent relating to the personal information. The individual may not be given the opportunity for voluntary consent where consent is bundled. If your organisation does intend to use bundled consent for direct marketing offers, this should be stated in the privacy policy.

Under APP 5, your business is required to take reasonable steps either to notify the person of certain matters, or to ensure that the individual is aware of those matters, either at the time of collection or as soon as practicable afterwards. The OAIC has recently indicated that "reasonable steps" is linked to the sensitivity of the personal information. Organisations in the health services industry are more likely to process information that will be considered sensitive information, and their notification procedures will need to be robust. Organisations in a group structure need to clearly explain which business is collecting the personal information. Preferably, your "contact us" methods should be fixed and should not change with the departure of individual staff members. If information is to be disclosed overseas, your policy must explain how and why the disclosure takes place.

Breach of an APP

An act or practice of an APP entity that breaches an APP in relation to personal information about an individual is an interference with the privacy of the individual. The Information Commissioner has powers to investigate possible interferences with privacy, either following a complaint by the individual concerned or on the Commissioner’s own initiative.

Where an individual makes a complaint, the Commissioner will generally investigate with the aim to resolve non-compliance issues by agreement to ensure the agency both understands and meets its privacy obligations. However, the Commissioner does have a range of enforcement powers and other remedies available. It is important to remember that an act done by an employee (or person in the service of your organisation), in performing their employment duties, will be your responsibility.

Compliance

The APPs may well be principles-based, but the OAIC considers that businesses are obliged to comply with certain mandatory matters. Implementing privacy practices that follow the OAIC guidelines will go a long way to being compliant with the privacy requirements. However, reliance on the guidelines alone may not ensure total compliance. Your organisation may need to apply the guidelines to its particular circumstances in order to remain on the right side of privacy compliance.

What should I do next?

Contact us to review your privacy practices and see how they measure up to the new system. We can offer legal advice on any documents, pamphlets, brochures or online privacy resources available on your website. Our lawyers at You Legal will be happy to assist you in whatever way we can.

* This blog is for general guidance only. Legal advice should be sought before taking action in relation to any specific issues.

Privacy | Sarah Bartholomeusz