Know Your Obligations: New Privacy Laws

Early this month, new privacy laws came into effect which affect all Australian business.

Apart from introducing 13 new Australian Privacy Principles (APPs), the definition of “personal information” was also extended to include non identifying information such as cookies.

Businesses with a turnover of less than $3 million are exempted from the new principles unless they are dealing with personal information (in which case the Australian Privacy Principles may still apply).

So just because you have a turnover of less than $3m, it does not mean you are automatically exempt. Many smaller businesses trade in personal information without realising it. The key is to understand what constitutes personal information.

Additionally businesses with an annual turnover of less than $3m that provide health services, advertising and marketing services, or who contract to the Commonwealth government are not exempt.

Confused? So are we! It’s obviously hard to provide blanket advice unless you know more about a business and how it uses information.  So if you are still a small business and have a turnover of $3m or less, you should consult this checklist.

Serious fines of up to $1.7 million may be applicable so it’s important to take a little bit of time to make sure to get your privacy policies in order.

So what is personal information?

Personal information includes any information that could identify, or could reasonably identify, an individual.

This includes names, addresses, dates of birth and bank account details. So it may just apply to you if you are an e-commerce store or have an email list where you send newsletters to your customer base.

So what are these principles?

The privacy principles, which came into force on March 12 this year, are related to:

  • How you communicate and / or
  • Request, collect and hold people’s personal information within your organisation (this includes databases from 3rd parties overseas).

Importantly the definition of personal information has also been extended to potentially include anonymous personal information.

The changes affect how businesses can:

  • Handle and process personal information (for example, collecting personal data via forms).
  • Use personal information for direct marketing
  • Disclose personal information to people overseas

Does this impact me?

If you’ve been collecting personal data for the purposes of sending electronic direct mail, then yes it will impact you.

You may already be compliant, however it is worth reviewing your processes to make sure that definitely are.

  • Get familiar with the new Privacy Principles 

Find out if there is anything that might require changes or new procedures within your business.

  • Review your privacy policy & ensure you have documentation and processes in place

Review the list in the first APP to make sure you meet the requirements for your privacy policy.

Make sure you have a documented privacy policy.

Ensure it contains details around things like how you collect information, what you are collecting it for and how someone can make a complaint.

Make sure you have systems in place to manage compliance issues and complaints, and the relevant people are trained in using them.

  • Review your forms for unnecessary data collection

Check all your data collection forms and make sure you’re only asking for what you need. If you don’t have a clear reason for collecting it, you could be in breach of the Act.

  • Ensure that your Direct Marketing policies and procedures are compliant.

Review principle number seven which relates specifically to direct marketing.

There needs to be a simple way that people can request not to receive direct marketing.

You now need to include a “prominent statement that the individual may make such a request”.

  • Ensure security & secure disposal of personal information 

Include statements regarding the security, storage and disposal of personal information.

Make sure you use shred any personal information. Use a document destruction service if shredding and disposal in house is impractical.

Have a discussion with your IT team about data security. It’s important to be aware that privacy breaches most often happen through human error.

  • Cover off use of Cookies and Web Beacons 

Cover off how your website uses cookies and / or web beacons in your privacy policy. If you are using Google analytics to track visitors and / or conversions or using re-marketing, you will need to have this covered in your policy.

You should ensure you download and read the principles and seek advice if  you have any questions.

Where do I get more information?

This article is just a general overview of some of the things you should cover.  It should not constitute or replace any legal advice.

For further information, the Office of the Australian Information Commissioner (OAIC) has a fact sheet that you can download and determine if you need to comply.

The Australian Direct Marketing Association (ADMA), also has a nifty summary and a checklist which you can obtain for free (ironically in exchange for your contact details).

You can also contact the OAIC or seek independent legal advice.