
Are You Ready

07 February 2014

On March 12, 2014 Australia introduces amendments to its privacy laws. Are your data collection practices compliant? How does this impact your direct marketing? Is personal information stored in the Cloud covered by Australia’s privacy laws?

Under the amended Privacy Act, Australian businesses will need to comply with 13 new Australian Privacy Principles (APPs) that regulate the collection, holding, use and disclosure of "personal information". Personal information includes the name and address, email address, bank account details, credit card information, photos, videos and information about opinions of your customers. It does not include information that has been de-identified or rendered anonymous.

The Privacy Act does not apply to small businesses (with an annual turnover of less than $3m). However, a small business may choose to “opt in” to the Privacy Act to increase consumer confidence and trust.

So, what do you need to do under the new Australian privacy laws?

  1. Have a clear and up-to-date privacy policy in place.

  2. Your privacy policy must be available free of charge and in an appropriate form. This is usually on your website and able to be downloaded and printed. Further, you need to be ready and able to respond to individuals who request details about what information you hold, how you use it and whether you have shared it with others.

  3. Your privacy policy must:

    • Include details about the kind of personal information you collect, how you collect that information and how you hold that information;

    • Explain how the personal information is used;

    • Advise how an individual may access the information, make corrections to any personal information and complain about a breach of the APPs; and

    • Indicate whether the information is likely to be disclosed to overseas recipients.

  4. Except in limited circumstances, you must not collect sensitive information unless you have obtained consent from the individual for the collection of such information and the information is reasonably necessary for, or related to, your business’s activities. Sensitive information includes information or an opinion about an individual’s racial or ethnic origin, health or medical information, political opinions or associations, professional or trade associations or trade unions, religious beliefs or affiliations, philosophical beliefs, sexual preferences or practices, criminal record and genetic information.

  5. If you hold personal information about an individual, you must not use or disclose the information for the purpose of direct marketing, unless:

    • you collected the information;

    • the individual would reasonably expect you to use the information for direct marketing;

    • you provide a simple way of opting out of direct marketing; and

    • the individual has not already opted out of direct marketing from your business.

  6. Do you disclose any personal information to a business overseas? An offshore parent company? A cloud-based data management service located overseas? If so, you must take reasonable steps to ensure that the overseas business does not breach the APPs; otherwise, you may be liable for any breach of the APPs by the overseas business. What can you do to fulfil this obligation?

    • Include commensurate privacy protection provisions in your contracts with overseas businesses.

    • Have all personal information returned to you when the agreement ends.

    • Have disaster recovery measures in place.

    • Advise your customers and obtain their consent before sending personal information overseas.

  7. You must take such steps as are reasonable in the circumstances to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure.

The new laws mean that Australian businesses that collect personal information have an obligation to contact consumers and let them know how they plan to use their information. Individuals will have more power to access their information and opt out of its use. Companies will be more accountable for protecting consumer information, and there are heavy penalties for failure to do so. Under the new laws, a company can be fined $1.7 million (and an individual $340,000) for serious or repeated invasions of privacy.

It's time to review your data privacy practices and your IT security across all channels: hard copy, web, email and mobile.

This article is intended to outline some of the issues that you may need to address with your legal counsel when the new Australian privacy laws come into effect. It does not go into great depth with the subject matter, but offers useful insights into the basics. It is not legal advice and it is not exhaustive of all laws and issues that may apply to your particular business. There are many other laws and regulations that relate to the protection of personal information. Qualified legal counsel should review the details of your compliance with Australian privacy laws.


© 2014 Natasha Burns

Principal Lawyer | Burns IP & Commercial

T: 0439 035974
