Mertons Update – Australian Privacy Principles

From 12 March 2014 the Australian Privacy Principles (APPs) will apply to most organisations.


Executive Summary

12 March 2014 marked the replacement of the National Privacy Principles and Information Privacy Principles with the Australian Privacy Principles (APPs) from Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 [1]. The thirteen APPs are detailed in the notes section below.

Who is covered by the APPs?

Any Australian organisation with an annual turnover of over $3 million will be considered an ‘APP Entity’. Small business operators (organisations with a turnover of $3 million or less) may also be caught if one of the exceptions applies (see notes section).

For those organisations caught by the annual turnover threshold, it would be prudent for the Board to allocate sufficient resources to ascertain the level of impact and the appropriate response which should be summarised in a Privacy Policy. Privacy Policies should be reviewed on a regular basis by the Board or Risk Committee or when an organisation acquires or moves into new business areas. Risks of not doing so include financial penalties (up to $340,000 for individuals and $1.7 million for corporations), legal costs of any prosecution and reputational damage.

Next Steps

Implement, or amend, a privacy policy

  • Review what information the organisation collects or holds (including information captured via apps, big data and cloud) and whether it is ‘personal’ or ‘sensitive’
  • Review direct marketing processes including consent and opt-out policies
  • Consider appointing a Privacy Compliance Officer and ensure that staff handling data are appropriately trained
  • Add to Risk Committee agenda
  • Review security of, and access to, personal information (cyber attacks)
  • Examine contracts with overseas suppliers (see APP 8 – cross-border disclosure of personal information)

Mertons can assist you in preparing and implementing your Privacy Policy.

Notes

A Small Business Operator is an individual (including a sole trader), body corporate, partnership, unincorporated association or trust that has an annual turnover of $3 million or less for a financial year, unless an exception applies (s 6D). If an exception (as noted below) applies to a small business operator it may be deemed an APP Entity. The exceptions include businesses that:

• provide a health service and hold health information other than in an employee record

• disclose personal information about another individual for a benefit, service or advantage, or provide a benefit, service or advantage to collect personal information about another individual from anyone else, unless they do so with the consent of the individual or are required or authorised by or under legislation to do so

• are contracted service providers for a Commonwealth contract.

APP Principles

1. open and transparent management of personal information
must have a clearly expressed and up to date policy regarding the management of personal information ie. a Privacy Policy
2. anonymity and pseudonymity
must offer individuals the option of not identifying themselves or of using a pseudonym
3. collection of solicited personal information
must not collect personal information unless the information is reasonably necessary for one or more of the entity’s functions or activities
4. dealing with unsolicited personal information
is required to consider the content of information and if necessary destroy or de-identify the information
5. notification of the collection of personal information
must take such steps as reasonable to notify the individual as to a range of matters including identity and contact details of the APP entity
6. use or disclosure of personal information
must obtain consent when disclosing personal information
7. direct marketing
must provide the ability for the individual to ‘opt-out’ of marketing and/or provide source of information
8. cross-border disclosure of personal information
must recognise that in certain circumstances, an act done, or a practice engaged in by the overseas recipient is taken to have been done, or engaged in by the APP entity
9. adoption, use or disclosure of government related identifiers
10. quality of personal information
must take reasonable steps to ensure personal information collected is accurate, up-to-date and complete
11. security of personal information
must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification and disclosure
12. access to personal information
must have procedures for giving an individual access to their personal information
13. correction of personal information
must have procedures for giving an individual ability to correct their personal information

Personal information is defined as any ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not’ (s 6(1)).

Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, employment details and commentary or opinion about a person.

Sensitive information is a subset of personal information and is defined as:

  • information or an opinion (that is also personal information) about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, or membership of a professional or trade association.

Disclaimer: The content in this Mertons Bulletin is intended only to provide a summary and general overview on matters of interest. It is not intended to be comprehensive nor does it constitute legal advice. We attempt to ensure that the content is current but we do not guarantee its currency. You should seek legal or other professional advice before acting or relying on any of the content.

[1] Source: Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012