How privacy law changes will impact businesses


More stringent information privacy requirements will apply to both private and public sector businesses from 12 March 2014, as will stronger sanctions for non-compliance with legislation.

 
On that day, the Privacy Act 1998 will be amended by the Privacy Amendment (Enhancing Privacy Protection) Act.

The two main changes are:
    1. All businesses that collect or handle personal information are required to comply with a new set of principles, the Australian Privacy Principles (APPs), which will replace both the Information Privacy Principles (IPPs) that applied to federal public sector organisations and the National Privacy Principles (NPPs) that applied to private sector businesses. An exception is ACT Government agencies, which will remain covered by the IPPs.
    2. The Office of the Australian Information Commissioner (OAIC) will have stronger enforcement powers than before, and media releases have indicated that these powers will eventually be exercised more proactively than previously.
Employee records exemption retained
 
Despite some speculation that the exemption from coverage for employee records might be abolished, it will be retained under the new regime. In organisations without a separate legal compliance section, it appears to have been common practice to give HR administrative functions the role of complying with the NPPs and IPPs, and this is likely to continue with the APPs.

Although the exemption remains, it is strongly recommended that organisations comply with the APPs in respect of employment records, both because they represent best practice in information privacy, and because the exemption may be removed at some future time.
 
Differences between old and new principles
 
The changes introduced by the APPs are explained in detail in a previous article.

When does information become “personal information”?
 
It has been suggested by some legal commentators that the distinction between an “employee record” and “personal information about employees” can become blurred in some cases. For example, information about employees might be included in marketing information about the business that is used for advertising or sent to clients.
 
In such cases, the APPs would apply to both the information about employees and the information about the clients, because it is now “personal information” about them. Clear consent from both groups would be required, and they must be made aware of why the information is collected and what it is used for.

See also the comments below about being compelled to supply information to outside organisations, eg government regulators.

Enforcement powers increased
 
The Australian Information Commissioner will have enhanced powers, which will generally be exercised by the Privacy Commissioner, including the ability to:
    • Seek enforceable undertakings from organisations in respect of taking steps to comply or rectify breaches;
    • Pursue civil penalties in the case of serious or repeated breaches of privacy; and
    • Conduct assessments of organisations’ performance in relation to protecting privacy.

However, a media release issued by the OAIC indicated it would attempt to resolve matters by conciliation initially and would only consider using these extra powers in cases of repeated non-cooperation or non-compliance (eg refusal to update and comply with information collection policies).
 
During the first year of operation of the new provisions, it intends to focus on working with organisations to ensure that they understand the new arrangements and their obligations, and have systems in place to comply with them.

What HR needs to do

Employers will need to review their privacy and information collection, storage and access policies and procedures to ensure compliance with the APPs as from 12 March 2014.

For example, they need to ensure they have clear consent from employees to cover situations where the employer may be legally compelled to provide information to government regulators, agencies, courts or tribunals. Common examples include Centrelink and state workers compensation authorities.

Guidelines released

Last month the OAIC released guidelines for organisations to assist them to comply with the APPs. These guidelines both outline minimum compliance requirements and provide examples of best practice.

Other information is available here. This link includes the APPs in full, comparisons between the new APPs and current principles, checklists for organisations, draft guidelines and frequently asked questions.
 