One of the more overlooked reforms to the Privacy Act 1988 (Cth) (the Act) is the new set of civil penalty provisions. The reforms introduce ‘low level’ penalty provisions which empower the Office of the Australian Information Commissioner (OAIC) to issue infringement notices or compliance notices where an entity fails to comply with the Australian Privacy Principles (APPs) or where it issues a non-compliant eligible data breach statement.
This Insight sets out these provisions relating to the APPs and outlines what businesses can do to ensure compliance.
Australian Privacy Principles
The new civil penalties relating to the APPs are contained in section 13K(1) of the Act. Section 13K(1) provides:
An entity contravenes this subsection if:
- the entity does an act, or engages in a practice; and
- the act or practice breaches any of the following Australian Privacy Principles:
  - Australian Privacy Principle 1.3 (requirement to have APP privacy policy);
  - Australian Privacy Principle 1.4 (contents of APP privacy policy);
  - Australian Privacy Principle 2.1 (individuals may choose not to identify themselves in dealing with entities);
  - Australian Privacy Principle 6.5 (written notice of certain uses or disclosures);
  - Australian Privacy Principle 7.2(c) or 7.3(c) (simple means for individuals to opt out of direct marketing communications);
  - Australian Privacy Principle 7.3(d) (requirement to draw attention to ability to opt out of direct marketing communications);
  - Australian Privacy Principle 7.7(a) (giving effect to request in reasonable period);
  - Australian Privacy Principle 7.7(b) (notification of source of information);
  - Australian Privacy Principle 13.5 (dealing with requests);
  - any other Australian Privacy Principle prescribed by the regulations.
The maximum pecuniary penalty that may be issued for a breach of section 13K(1) is 200 penalty units for an individual (currently equivalent to $66,000) or 1,000 penalty units for a corporation (currently equivalent to $330,000).
Action you should take
The introduction of these provisions, and the penalties they attract, serves as a timely reminder for businesses to review their privacy frameworks to ensure they are compliant with the Act. It is important to keep in mind that each breach of the APPs is a separate contravention of the Act. For example, failing to have an APP privacy policy at all (APP 1.3) will also necessarily breach the requirement about the contents of an APP privacy policy (APP 1.4), and will therefore attract penalties for two separate contraventions.
For that reason, understanding your obligations is the most important first step in ensuring you are APP compliant. Here are some steps that businesses can take to kickstart their compliance efforts.
Ensure you have a compliant privacy policy
All entities should have a privacy policy that is clearly expressed and up-to-date. Under APP 1.4, the privacy policy must include information about:
- the kinds of personal information that the entity collects and holds;
- how the entity collects and holds that information;
- the purposes for which the entity collects, holds, uses and discloses that information;
- how individuals may access personal information that the entity holds about them, and seek its correction;
- how individuals may complain about a breach of the APPs and how the entity will deal with such a complaint;
- whether the entity is likely to disclose personal information to overseas recipients; and
- if the entity is likely to disclose personal information to overseas recipients, the countries in which those recipients are likely to be located.
Having a compliant privacy policy is crucial as it serves as the foundation upon which a more robust privacy framework is built. Not only is failing to have one a contravention of the Act in its own right, but many of the other APP obligations will be fulfilled through their inclusion in the privacy policy. Moreover, individuals should also be able to rely on it to understand how their information is being dealt with, and what avenues of recourse are available to them should their rights be breached. For that reason, the clarity of the privacy policy should also be front of mind.
Review direct marketing practices to ensure they are compliant
In all direct marketing communications, individuals must be given a simple means to opt out (APP 7.2(c) and 7.3(c)), and entities must draw their attention to the fact that they may opt out (APP 7.3(d)). If an individual makes an opt-out request, APP 7.7(a) requires the entity to give effect to it within a reasonable period; as a practical benchmark, action it within five working days.
Review privacy practices to identify any areas of non-compliance
The list of potential contraventions in section 13K(1) is extensive. Accordingly, a general review of privacy practices is well-advised to identify any potential areas of concern. For example, does your business make a written note of each use or disclosure of personal information for enforcement related activities conducted by, or on behalf of, an enforcement body (as required by APP 6.5)? If an individual asks how your business obtained the personal information it has used for direct marketing purposes, are you able to notify them of the source within a reasonable period (as required by APP 7.7(b))?
The section 13K(1) list can also be extended, because it includes “any other Australian Privacy Principle prescribed by the regulations”. To date, no additional APPs have been prescribed by the regulations, but that may change. Thus, apart from ensuring compliance with the APPs already enumerated in section 13K(1), entities should remain vigilant and prepared for any additional APPs which may be prescribed. The most effective way to do that is to ensure compliance with all of the APPs, to the greatest extent possible.
Conclusion
The OAIC now has a broader range of enforcement powers, particularly with respect to low level privacy breaches, which increases the privacy risk for businesses.
More privacy reforms are on the horizon, with Tranche 2 changes expected to be progressed in the coming months after being temporarily delayed pending the outcome of the 3 May federal election. The recent and forthcoming reforms are designed to overhaul Australia’s privacy landscape and help bring Australia in line with other jurisdictions, such as the EU and UK, in terms of privacy protection.
To find out more about the recent reforms to the Privacy Act, read our Insight here. For more information about your privacy responsibilities and obligations, or if you would like to undertake a review of your privacy frameworks, please contact Donna Short or Cate Sendall.