Privacy Updates – Are You Ready to Get Private?
From Wednesday 12 March, the Privacy Amendment (Enhancing Privacy Protection) Act comes into force. This Act causes significant change to the information collection and storage landscapes, as well as imposing large fines on individuals and companies who breach the Act.
The Act sets out the “Australian Privacy Principles”, which impose new obligations in terms for information collection and storage. There are 17 principles, which are to be used as a guideline for information collection and storage. Highlights are set out below:
- The matter of information collected;
- The manner in which information is collected;
- How and where that information will be stored; and
- How that information should be used.
- An individual or entity providing information must be given an option to not identify themselves.
- Information may only be collected if it is reasonably necessary for the performance of an organisation’s functions or duties. Any information that is not reasonably necessary is not permitted to be used.
- Any person or entity providing information must be notified as and when their information is being collected.
- Information may not be used for direct marketing without a person’s express consent or the person’s reasonable expectation that they will receive marketing.
- Generally, information may only be disclosed to a foreign entity if that foreign entity complies with the principles.
- If an entity wishes to use and disclose information collected, the information must be relevant, accurate, up-to-date and complete.
- An entity must ensure that information must be reasonably stored so as to avoid interference, misuse, modification and disclosure. Any information that is no longer needed or current must be destroyed in a similar manner.
- An individual or entity providing information is entitled to access the collected information on demand. If access is not permitted, the refusal must be written and include the reasons why the information cannot be provided.
- An individual or entity providing information is entitled to have the information rectified or corrected if either the individual or entity requests the information be updated or the organisation that collected the information is satisfied that the information needs to be corrected.
In essence, there is now a much higher obligation that applies to an entity collecting and storing personal information.
Such is the nature and scope of information collection and storage, there changes also affect and modify other laws, such as employment obligations and credit reporting requirements.
Finally, while these changes affect information collected in Australia or by Australian entities, it should be remembered that there are other relevant laws that apply in other jurisdictions.