Australian organisations have a lot to do to prepare for the reforms to the Privacy Act, which take effect from March 2014 and which include empowering the Australian Information Commissioner to enforce hefty penalties for breaches, according to Hall & Wilcox partner Alison Baker.
Ms Baker said the reforms will affect Australian organisations and demand stricter protocols and policies when dealing with someone’s personal information, which is why she is alarmed to find so few organisations have started taking the requisite action now, in anticipation of the reforms.
“The purpose of the reforms is to enhance privacy protection, so organisations need to start taking steps now, or it may be too late and they could be potentially exposed to hefty legal penalties of up to $1.7M for corporations.
“I urge Australian organisations to start the process now, while there’s still time,” she said.
Ms Baker said the key features of the amended Privacy Act are:
- The Australian Information Commissioner will be given increased powers to enforce privacy laws (so that it’s no longer seen as a ‘toothless tiger’);
- The 10 National Privacy Principles applicable to the private sector will be replaced with 13 Australian Privacy Principles (which will also apply to the Commonwealth public sector), imposing additional obligations on organisations;
- Organisations will need to comply with increased legal obligations regarding overseas disclosure of personal information and direct marketing; and
- A new and significant penalty scheme will apply to organisations for breaches of the Act (up to $1.7M for corporations).
“They also need to review their internal protocols that cover how staff (and third parties) collect and deal with people’s personal information, to ensure they are handling personal information in accordance with the APPs.
“Staff compliance training is also very important to ensure employees understand and adopt the new obligations. So too is reviewing and amending third-party supplier contracts to ensure they place adequate contractual obligations on the third-party suppliers to comply with the new Australian Privacy Principles when handling personal information.”
Ms Baker said organisations that store personal information will be required to protect the personal information they hold from loss, misuse, unauthorised access and interference, and to destroy or permanently de-identify personal information when it’s no longer needed.
“Organisations are required to take what’s deemed ‘reasonable steps’ to ensure any personal information they’ve collected is protected, but also to delete any personal information that is no longer required for the primary purpose for which it was collected.”
Ms Baker said Australian organisations need to start preparing for these reforms now, given the work required to comply and the potentially serious ramifications if they are found to be in breach.