Groom Kennedy Lawyers & Advisors

Groom Kennedy Blog

    Increasing Responsibilities for Personal Information

    The Commonwealth government’s Privacy Act 1988 (Act) is familiar to most organisations. It hasn’t really changed since becoming applicable to much of the private sector in 2000.

    However, following the most significant reform of the Act in over a decade, our familiarity and comfort with the present regime is about to end.

    The potential stakes for failing to respond are high: a breach could cost an individual up to $340,000 and an organisation up to $1.7 million in civil penalties (before any consideration of collateral damage, for example the effect on a business’s reputation and its clients’ trust in it). The reforms also see the Privacy Commissioner being given some teeth, and he intends to use them. In his own words, there will be no ‘softly softly’ approach.

    The changes

    The requirement to have a privacy policy remains the same; however, the new Australian Privacy Principles (APPs) are more prescriptive about required content, and clearer and more definitive about the collection and treatment of personal information.

    Although there are a number of changes, for example in relation to the use of personal information for direct marketing, the change that is going to trigger the most widespread need for a review of current privacy policies and practices concerns when personal information is sent overseas.

    And personal information is increasingly finding its way offshore, with businesses embracing the use of cloud technologies and outsourcing services to offshore providers.

    With fraud and identity theft on the increase, it is no surprise that the changes aim to ensure that those who send personal information offshore are held more accountable. Indeed, where the APPs are not complied with, a party will be held liable for any breach, even where the breach is committed by the offshore entity.

    What to do

    The substantive effect of the new laws may require a significant internal review of privacy policies, practices and procedures. In some situations, this will extend to a review of agreements and relationships with third party providers.

    It is appropriate to begin the process now in order to have sufficient time prior to the laws coming into operation in March 2014.

    If you have any questions, or wish to discuss your particular circumstances, please contact Kerry Sarten or Jenny-Ellen Kennedy.