A recurring criticism of Australian privacy law has been that the Privacy Act 1988 (Cth) (the Act) lacked any real bite – the enforcement powers of the privacy watchdog, the Information Commissioner, were limited. However, recent amendments to the Act, which introduced a new set of privacy principles, have increased the Commissioner’s enforcement powers. Employers should familiarise themselves with the changes in order to ensure they are compliant with the new regime.
On 12 March 2014, significant amendments to the Act came into operation. The changes affect all private sector organisations and government agencies covered by the Act, which will include most Australian employers except for “small businesses” with less than $3 million in annual turnover.
In brief, the Act deals with how organisations are to manage “personal information”. The scheme of the Act works by subjecting organisations that it covers to a series of “privacy principles” that govern how personal information is to be collected, stored, handled and used.
The Australian Privacy Principles
Before 12 March, government agencies and private sector organisations were subject to different sets of privacy principles – the Information Privacy Principles and the National Privacy Principles respectively. Under the new regime, however, all bodies covered by the Act are required to comply with a new set of thirteen Australian Privacy Principles (APPs).
Some of the new APPs substantially reproduce existing obligations. In some cases, however, the APPs strengthen existing requirements. APP 1, for instance, is much more prescriptive than its predecessor in the matters that must be dealt with in organisations’ privacy policies. Similarly, APP 8 now imposes more detailed requirements for the procedure to be followed when personal information is sent outside of Australia.
Other elements of the APPs introduce entirely new obligations. APP 2, for example, creates a new requirement that where practical persons be allowed to deal with organisations pseudonymously (as well as anonymously), and APP 13 creates a duty for organisations to proactively monitor and ensure the quality and currency of personal information that it holds (where previously they only had to respond to concerns raised by individuals).
Increased enforcement powers
Procedurally, the main change is that the Commissioner has been given “teeth” to enforce the new requirements of the Act. The Commissioner now has the power to obtain enforceable undertakings, to seek civil penalties (of up to $1.7 million for a body corporate) where an organisation seriously or repeatedly breaches its privacy obligations, and to conduct assessments of organisations’ privacy performance. So organisations that breach their privacy requirements may well find themselves subject to harsher consequences than has been the case in the past.
Impact for employers – how to avoid being bitten
Much of the information that employers hold about their employees is not subject to the APPs, because the Act still contains an “employee records exemption”. However, employers still need to be across the changes to the Act and review their policies and procedures to ensure compliance. There are several reasons for this:
- Firstly, employers will likely hold personal information about people who are not employees, such as independent contractors and unsuccessful job applicants (or, for that matter, clients or customers), to which the APPs apply; and
- Secondly, even where information is part of an employee record, the exception does not apply in circumstances that are not related to the employment relationship, for example certain disclosures of personal information to third parties.
In future blogs, we will consider the key APPs in more detail and the steps that employers can take in order to comply.