2014-02-17

Changes to the Privacy Act 1988 (Privacy Act) are due to start on 12 March 2014. If you are a business that is covered by the Privacy Act it is important to understand your responsibilities and how they may change.

Generally the Privacy Act covers:

businesses and organisations with an annual turnover of more than $3 million

private sector health service providers

businesses that sell or purchase personal information

contractors providing services under a contract with the Australian Government

credit providers and credit reporting bodies, and

other small businesses that have opted into coverage.

Most small businesses will find that they do not need to comply with the Privacy Act.

What are the changes?

The changes introduce a single set of rules – the Australian Privacy Principles (APPs) – that businesses covered by the Privacy Act will need to comply with. The APPs will replace the National Privacy Principles that currently apply to businesses and other organisations and the Information Privacy Principles that currently apply to Australian Government agencies.

There are 13 APPs covering the collection, use, disclosure and holding of personal information.

The changes also give enhanced powers to the Australian Information Commissioner to investigate and take action for breaches of the Privacy Act. This includes the power to agree enforceable undertakings or to impose penalties on businesses for serious privacy breaches.

How are the APPs different?

There have been a number of changes made to the APPs. Some of the main changes include:

Compliance – businesses must implement practices, procedures and systems to ensure compliance with the APPs and to handle complaints.

Privacy policy – businesses must make available an up-to-date and clear privacy policy, setting out certain information on how personal information will be managed.

Direct marketing – businesses must not use or disclose personal information for direct marketing, except in limited circumstances.

Unsolicited information – businesses must delete or de-identify unsolicited personal information that is not necessary for a function or activity of the business.

Cross-border disclosure – businesses can only disclose personal information to a person or organisation outside Australia where they have taken reasonable steps to ensure the overseas recipient does not breach the APPs, or in other limited circumstances. A business that discloses personal information to an overseas recipient will generally be responsible for a breach committed by the recipient.

The Office of the Australian Information Commissioner (OAIC) has released a summary of the APPs.

Where can I get more information?

The OAIC has responsibility for investigating complaints about the handling of personal information under the Privacy Act. The OAIC also provides a range of resources about the changes to the Privacy Act and general information, such as how to tell if your business is covered by the Privacy Act.

Even if your business is not covered by the Privacy Act, it is important to handle your customers’ personal information appropriately, as mishandling it can negatively impact your business’ reputation.

The material in this blog post is not intended to nor should it be relied on as a substitute for legal advice. Readers should seek independent legal advice relevant to their business’ particular circumstances.

Erinn, CommsAu
