Should you adopt new privacy requirements as best practice?


Although employment records are currently exempted from federal privacy legislation, employers should consider adopting the new, more stringent requirements that will apply from March next year. There have been some calls for the current exemption to be lifted, and while no decision has yet been made on this, it may be prudent to start implementation as part of a ‘best practice’ strategy.
 
What is happening next year?
 
Stricter information privacy requirements will apply to both private and public sector organisations from 12 March 2014, as will stronger sanctions for non-compliance with the legislation. On that day, the Privacy Act 1988 will be amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012.
 
It is important to note that it is yet to be decided whether the current exemption of employment records from coverage by the requirements will be retained — see further discussion below.
 
New Privacy Principles
 
The main change is that all businesses that collect or handle personal information will be required to comply with a new set of Principles, the Australian Privacy Principles (APPs), which will replace both the Information Privacy Principles that currently apply to federal public sector organisations and the National Privacy Principles that currently apply to private sector businesses.
 
The APPs cover the following topics:
  1. Open and transparent management of personal information
  2. Anonymity and pseudonymity
  3. Collection of solicited personal information
  4. Dealing with unsolicited personal information
  5. Notification of the collection of personal information
  6. Use and disclosure of personal information 
  7. Direct marketing 
  8. Cross-border disclosures
  9. Adoption, use or disclosure of government-related identifiers
  10. Quality of personal information
  11. Security of personal information
  12. Access to personal information
  13. Correction of personal information

What employers will need to do
 
Employers will need to review their privacy and information collection, storage and access policies and procedures to ensure compliance with the APPs as from 12 March 2014. In particular, they will need to note the changes summarised below.
 
A checklist on the website of the Office of the Australian Information Commissioner provides a step-by-step approach to this review.
 
Extra powers for Australian Information Commissioner
 
The Australian Information Commissioner will have enhanced powers, which will generally be exercised by the Privacy Commissioner, including the ability to:
    • accept enforceable undertakings from organisations in respect of taking steps to comply or rectify breaches
    • seek civil penalties in the case of serious or repeated breaches of privacy
    • conduct assessments of organisations’ performance in relation to protecting privacy.

Employment records exemption may continue — but comply anyway
 
Despite reviews of the legislation and some public comments that have recommended removing the current exemption of employment records from compliance with the Principles, the Office of the Australian Information Commissioner (OAIC) advised WorkplaceInfo on 3 October 2013 that a decision has not yet been made about whether the exemption will continue despite the other changes. The new provisions are ‘still being interpreted’ and a decision is apparently several months away. However, it is strongly recommended that organisations comply with the APPs in respect of employment records — both because they represent best practice in information privacy, and because the exemption may be removed either on 12 March 2014 or at some future time.
 
Extra requirements for compliance
 
The following is a summary of the main changes between the two current sets of Principles (private and public sector) and the new APPs.

Private sector: APPs versus National Privacy Principles

APP 1 states that an organisation must have an APP privacy policy that contains specified information, including the kinds of personal information it collects, how an individual may complain about a breach of the APPs, and whether the organisation is likely to disclose information to overseas recipients.
 
The organisation needs to take reasonable steps to make its APP privacy policy available free of charge and in an appropriate form. APP 1 also introduces a positive obligation for organisations to implement practices, procedures and systems that will ensure compliance with the APPs and any registered APP Codes.
 
APP 3 clarifies that, unless an exception applies, sensitive information must only be collected with an individual’s consent if the collection is also reasonably necessary for one or more of the organisation’s functions or activities.
 
APP 4 creates new obligations in relation to the receipt of personal information that is not solicited. If the information could not have been collected under APP 3, and it is not contained in a Commonwealth record, the organisation must destroy or de-identify that information as soon as practicable, but only if it is lawful and reasonable to do so.
 
APP 5 will now require organisations to notify individuals about the access, correction and complaints processes in their APP privacy policies, and also the location of any likely overseas recipients of individuals’ information.
 
APP 6 will introduce some new exceptions to the general requirement that an organisation only uses or discloses personal information for the purpose for which the information was collected. These exceptions include where the use or disclosure is reasonably necessary to assist in locating a missing person; to establish, exercise or defend a legal or equitable claim; or for the purposes of a confidential alternative dispute resolution.
 
Under APP 8, before an organisation discloses personal information to an overseas recipient, it will have to take reasonable steps to ensure the overseas recipient does not breach the APPs (other than APP 1) in relation to that information. In some circumstances, an act done or a practice engaged in by the overseas recipient that would breach the APPs will become a breach of the APPs by the organisation.
 
APP 10 will upgrade the requirements for quality of information. For uses and disclosures, the personal information must be relevant, as well as accurate, up-to-date and complete, having regard to the purpose of the use or disclosure.
 
APP 11 adds two exceptions to the requirement of organisations to take reasonable steps to destroy or de-identify personal information if the organisation no longer needs it for any authorised purpose:
  • if the personal information is contained in a Commonwealth record; or
  • if the organisation is required by or under an Australian law or a court/tribunal order to retain the information.

APP 12 will provide a new requirement for organisations to respond to requests for access within a reasonable time period. In addition, they must give access in the manner requested by the individual if it is reasonable to do so. If an organisation decides not to give an individual access, it must generally provide written reasons for the refusal and the mechanisms available to complain about the refusal.
 
APP 13 will introduce some new obligations in relation to correcting personal information. Organisations will need to take reasonable steps to correct personal information to ensure that, having regard to a purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading, if either:
  • the organisation is satisfied that it needs to be corrected, or
  • an individual requests that their personal information be corrected.

They will also generally need to notify other organisations that were provided with the personal information of any correction, if the individual requests it. The organisation must also respond to a correction request, or a request to associate a statement by the individual with the information, within a reasonable period after the request is made, and must not charge the individual for making the request, for correcting the personal information, or for associating the statement with the personal information. If refusing a correction request, it must generally provide written reasons for the refusal and notify available complaint mechanisms.
 
Public sector: APPs versus Information Privacy Principles
 
Because the APPs will replace both the National Privacy Principles and Information Privacy Principles, all the requirements in the above comparison of the APPs and National Privacy Principles will also apply to public sector agencies. This section sets out specific changes from the public sector Information Privacy Principles.
 
Public sector agencies will be required to issue a policy in compliance with APP 1, meeting the requirements described above.
 
APP 3 will impose new obligations on agencies regarding sensitive personal information, as described above.
 
Similarly, APP 4 will introduce new obligations in relation to unsolicited personal information.
 
APP 5 is more prescriptive than the Information Privacy Principles in terms of the information that an agency must provide to an individual.
 
The disclosure exceptions introduced by APP 6 (see above) will also be a new provision for public sector agencies. Similarly, the cross-border disclosure requirements introduced by APP 8 (see above) did not previously apply to them.
 
The exceptions added by APP 11 (see above) to the requirement of organisations to take reasonable steps to destroy or de-identify personal information if the organisation no longer needs it for any authorised purpose are also a new provision for public sector agencies.
 
Where individuals are given access to personal information under the Privacy Act, APP 12 will now require agencies to respond to requests for access within 30 days. They must give access in the manner requested by the individual if it is reasonable and practicable to do so, and must not charge for it.

Further information
 
See: Privacy Reform. (This link includes the APPs in full, comparisons between the new APPs and current Principles, checklists for organisations, draft guidelines and Frequently Asked Questions.)
 