Many employers may not be aware that amendments were passed to Australia’s current privacy laws back in November 2012. The amendments, which form part of a larger reform process, will become effective from 12 March 2014. For those employers and businesses who will need to comply with the changes, there are less than four months to get ready.
Even if you are not a business owner or employer, the obligations are important ones which protect us all as individuals. Privacy laws protect our personal information to ensure that it is correct, that it is handled appropriately and that we can amend it.
Without these laws, your personal information could be made available to anyone, the information may not even be correct and you may not have any redress.
Which businesses are affected?
In general, only businesses with an annual turnover of more than $3 million are obliged to comply with privacy laws.
Small businesses with an annual turnover of less than $3 million must also comply if they are:
- A health service provider;
- Trading in personal information;
- Related to a business that is not a small business;
- A contractor providing services under a Commonwealth contract;
- A reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006; or
- An operator of a residential tenancy database.
Current privacy laws
Currently the National Privacy Principles (NPPs) apply to private business; separate Information Privacy Principles (IPPs) apply to government agencies.
From March 2014 the amendments will create one set of Australian Privacy Principles (APPs). There will be 13 new APPs. Importantly the new principles are, at least in some respects, different to the current NPPs. In line with the current NPPs, the new principles create obligations for how information is gathered, stored and amended. The main differences include the rules around the use of personal information for direct marketing, and cross-border disclosure.
Direct marketing is now covered in APP 7: organisations – including businesses – may only use personal information for direct marketing purposes where consent has been obtained, or there is a reasonable expectation that the information will be used for this purpose.
There are also specific requirements around opt-out mechanisms. APP 8 now requires a greater level of accountability where personal information is being transferred overseas. Businesses will need to take steps to find out whether the overseas recipient of the information meets Australian standards.
What does this mean for employers?
The changes to the privacy laws and the creation of the new Australian Privacy Principles will impact many businesses. The principles create concrete obligations that those businesses must understand and implement.
Furthermore, recent public statements from the Information Commissioner indicate that a firm approach will be taken by his office and penalties will be applied to businesses which are not compliant from March 2014.
Sarah Waterhouse, Solicitor, BlandsLaw
 http://www.oaic.gov.au/privacy/privacy-topics/business-and-small-business/small-business (last accessed 8/11/13).