Today (12/03/2014) is the day that massive changes to the Privacy Act come into effect. These include the new Australian Privacy Principles (“APPs”) and the new “positive” credit reporting system.
There has been plenty of warning as the legislation amending the Privacy Act was enacted on 29 November 2012, but many businesses have not taken steps to comply. The Australian Financial Review on 10 March 2004 under the heading “Firms lax on changes to Privacy Law” warns that the Privacy Commissioner Mr Timothy Pilgrim has said that “the days of ‘softly, softly’ privacy enforcement are over”.
A summary of the APPs appears in the DW Report for Summer 2014.
One of the primary obligations of a business that is required to comply with the APPs is to have a compliant APP Privacy Policy.
However, it is not enough merely to have a Privacy Policy. A business must comply with the APPs and ensure that it has all the necessary internal policies, procedures and data security measures necessary to comply with the APPs. In relation to data security, the Office of the Australian Information Commissioner recently issued a statement on 6 March 2014 headed:
Cyber attacks do not mean businesses are ‘off the hook’.
The statement goes on to say:
APP11 requires an organisation that holds personal information to take reasonable steps to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Failure to take reasonable steps to prevent unauthorised access such as a cyber-intrusion may be a breach of APP11. The OAIC has previously found, after investigation, that organisations were in breach of the Privacy Act by not taking reasonable steps to prevent a data breach involving a cyber-attack.
Businesses may assume that they are not required to comply with the APPs if they are under the $3 million threshold for a small business, but there are exceptions, particularly in the health services area. Any business that provides any form of health service will be caught, regardless of size, if health information is held by the business.
A business that is affected by the changes, if it has not already done so, should urgently get advice and conduct an audit and review of internal policies and procedures and data security measures, and the terms of the Privacy Policy of the business.
