Creative Little Soul Guest Blog Take Over – Changes to Australian Privacy Principles

Are you across all the recent changes to the Australian Privacy Principles? If not, you could be exposing your business to various legal risks. I’m Ursula Hogben, Managing Director of LegalVision, and I’m going to outline the privacy law essentials for businesses in Australia.

Summary: The Australian Privacy Principles have been amended. Some key changes relate to the obligations of Australian businesses that provide personal information to offshore businesses, and to clarifying what reasonable steps are needed to ensure that personal information is secure.

Background: There were extensive changes to the privacy laws in March last year, including the introduction of the Australian Privacy Principles. We’ve discussed the changes in detail, including here. On 1 April 2015, the Office of the Australian Information Commissioner (OAIC) amended the Australian Privacy Principle (APP) guidelines in response to feedback.

These changes are aimed at clarifying the APPs to make them easier to follow.

What changes have been made?

Chapter A
The APP guidelines now provide legislative guidance to public sector agencies operating in the Australian Capital Territory under the Information Privacy Act 2014 (ACT).

Chapter B
Amendments as follows:

1. Organisation: the changes clarify when small business operators are treated as organisations, and are therefore treated as an APP entity that needs to comply with the Australian Privacy Principles. A small business operator may be an APP entity if it carries out certain activities, including activities relating to anti-money laundering or to a residential tenancy database.

2. Carries on business in Australia: One limb of the test to determine whether an entity has an ‘Australian link’, and so whether the APPs apply to the business, is whether the entity carries on business in Australia. The amended guidelines assist with this assessment by taking into account all of the relevant circumstances, including what type of work the entity carries out. This helps to determine whether it is carrying on a business. The changes suggest that entities that carry on business outside of Australia, but have decision-makers inside Australia, including agents in Australia, may be caught by the now-broadened definition of an APP entity.

Please contact us if you would like to check if the APPs apply to your business. We can assist you to analyse this, and to comply with the APPs, including with a Privacy Policy and internal Privacy Manual.

Chapter 8 – Disclosing personal information to an overseas recipient

Under Chapter 8, the circumstances under which an APP entity will be in breach of the APPs have been reconsidered and broadened. If an Australian business that is an APP entity provides customers’ personal information to an overseas contractor, then the Australian business is responsible for making sure that the overseas contractor protects and uses the personal information in accordance with the APPs. The agreement should deal with (i) adequate protection of the personal information provided to the overseas contractor, following the same standards as the APPs, and (ii) the procedure to be followed, to ensure that obligations or undertakings imposed by the agreement are met. If not, the Australian business can be held liable.

Do you provide customers’ personal information, including for example names and email addresses, to overseas entities? One common example is using an offshore company for marketing and promotion. We can assist you with the required contract, including the required privacy clauses.

Chapter 11 – Taking reasonable steps

What are reasonable steps for an APP entity to take to ensure the security of personal information? Reasonable steps take into consideration the nature of your business, size, complexity, the amount of personal information your business holds, how sensitive it is, and the time and cost of the security measures.

APP entities need to take reasonable steps, including internal training in handling personal information, online and physical security, and the provision of personal information to third parties, including offshore servers (cloud storage).

The discussion regarding the relevant considerations in taking ‘reasonable steps’ has been consolidated so that it is consistent with the OAIC Guide To Secure Personal Information (2015).

The Chapter 11 amendments take into account that an organisation is not always able to physically destroy personal information that is held in an electronic format. They provide two further means to satisfy the ‘reasonable steps’ threshold. The first is putting the personal information ‘beyond use’ by completely destroying or deleting the information. In a physical sense, ‘beyond use’ could mean burning, pulping, pulverising, disintegrating or shredding. Alternatively, if the organisation considered it to be sufficient, it could take steps to de-identify the data. For example, if a third party, such as a cloud-storage entity, held personal information that an APP entity had the responsibility to destroy, ‘reasonable steps’ might include verifying that this third party has destroyed or de-identified the data.

Next steps:
Please contact LegalVision if you would like assistance with privacy law. We can assess whether the APPs apply to your business, create or check your contracts with offshore providers, and help you assess or implement reasonable steps in relation to keeping personal information secure. Call us on 1300 544 755 and get a fixed-fee quote today!

Ursula

* The Boss Lady’s buy-in:
A big thank you from the team at LegalVision for putting together our own Privacy Policy at Creative Little Soul. It’s most appreciated, and all of the team are exceptional to liaise with. Like Ursula explained, knowing the law, how it affects you and being prepared can make the world of difference with your business and brand. Chrissy.