The New Rules

The new regimes for privacy of personal information and credit information in the Privacy Act have been in force since 14 March 2014.  The Office of the Australian Information Commissioner (“OAIC”) has indicated that it will actively enforce the new laws and, where appropriate, use new powers and apply substantial penalties applicable for breaches.

Statements from the OAIC make it clear that it is not just enough for an organisation to update its policies – it must have systems and procedures to back these up.

What Should You Do?

The following 10 steps are likely to be essential for organisations affected by the new laws (there may be more):

  1. Work out whether your organisation is affected as an APP entity or a credit provider.
  2. Audit and collect for review all your current policies, protocols and procedures.
  3. Establish or review an APP privacy policy.
  4. Establish or review your credit reporting policy (including a statement of notifiable matters).
  5. Review, update or establish internal policies and procedures for:
    1. data management;
    2. personal information;
    3. credit information.
  6. Review, update or establish robust management and security systems for:
    1. electronic data;
    2. hard copy information.
  7. Ensure the awareness and compliance of employees, contractors and others by:
    1. publishing and making available policies;
    2. providing training and information sessions;
    3. reviewing or obtaining contract conditions to require compliance with policies.
  8. Appoint a Privacy Officer and/or a Credit Information Officer.
  9. Obtain qualified external advice and assistance, where necessary.
  10. Keep a record of all of the above.

Some comments on each of these steps follow.

1. Is your organisation affected?

This will depend on whether your organisation is either or both:

  • an APP entity; or
  • a credit provider (different rules apply to credit reporting bodies and affected information recipients, but these notes do not relate to them).

Whether your organisation is an APP entity usually depends on whether it carries on any business that is not a small business (that is, a business with an annual turnover of less than $3 million). If an entity (a natural person, company, partnership or other entity) is not a small business operator, it will be an organisation that is an APP entity.

However, some types of organisation are expressly excluded from being a small business operator and are caught by the laws, regardless of turnover.  These include organisations that:

  • provide a health service to an individual and hold any health information (except employee records) – this will include all practices providing any form of health service, not just medical practices;
  • provide contract services to the Commonwealth (whether or not a direct party to a contract);
  • disclose or collect personal information for a benefit or advantage.

Your organisation will be a credit provider regardless of turnover or other matters if you allow time for payment of the debt due for the sale of goods or the supply of services for 7 days or more.

The allowance of time to pay a debt due for goods or services is credit and even if your organisation does not make loans, issue credit cards or do other things that would normally be considered to be providing credit, the deferral of payment for at least 7 days will mean the organisation is a credit provider.

2. Audit of Policies and Systems

If your organisation is an APP entity and/or a credit provider, you should conduct an audit, or a process to collect for review (and amendment, if necessary), all of your existing policies, procedures and systems, as listed below, including of course your existing:

  • privacy policy; and
  • credit information policy;

(if these do exist).

You should also establish a checklist for each of the policies, procedures and systems that will be required to determine whether these are to be updated, or to be put in place if they do not exist.

3. APP Privacy Policy

The organisation should review its existing Privacy Policy to ensure that it is adequate as an APP privacy policy, or establish an APP privacy policy, if one does not exist.  The APP privacy policy must comply with the requirements of the Australian Privacy Principles (“APPs”).

As with other policies and procedures, it would be wise to have the APP policy reviewed by a legal practitioner for compliance.

The appropriate and effective ways of publishing the APP Privacy Policy of the organisation should be determined.  Usually this will be published on the Website of the organisation, and made available in hard copy or by email, where required.

Consideration should also be given to whether a shorter form of Privacy Notice may be appropriate for use in some situations (with a link or reference to the full APP Privacy Policy).

4. Credit Reporting Policy

If the organisation is a credit provider then it must have a credit information policy (a clearly expressed and up-to-date policy about the management of credit information and credit eligibility information by the provider).

A Credit Information Policy must contain the matters required by the Privacy Act, and “notifiable matters” that are specified in the Credit Reporting Privacy Code (“CR Code”).

As with the APP Privacy Policy for the organisation, the appropriate means for publication and dissemination of the Credit Information Policy should be determined.  This may be on the Website, or in documentation relating to the provision of credit.

5. Internal Policies or Protocols

It is essential that an organisation that is an APP entity and/or a credit provider has internal policies, procedures and systems which ensure that it is able to give effect to its APP Privacy Policy and Credit Information Policy, and to the requirements of the APPs and the CR Code, if applicable.  As has been indicated, the OAIC will require that organisations take their responsibilities seriously.

What is required will depend on the nature of the organisation.  Internal policies/protocols for employees, contractors or others who may deal with personal information or credit information may be required, including:

  • privacy;
  • credit reporting;
  • data management and security;
  • personal IT devices;
  • email and Internet usage.

6. Data Management Security Systems

There are two main components of data management and security systems for an organisation:

  • electronic data; and
  • hard copy records.

Information technology (IT) and electronic data present the most complex areas for consideration.  Some of the issues to be considered, and areas in which systems and procedures will be required are:

  • Where is data stored?
  • How is personal information identified and managed?
  • Who can access data?
  • What passwords or other security is required for access to or reproduction of data?
  • What protections are in place for security against unauthorised external access?
  • Is personal information or credit information data which may be stored on transportable devices (such as laptops, tablets or phones)?
  • Is remote access to data permitted?
  • Is any personal information or credit information transmitted to the Cloud or otherwise to any overseas site (this may lead to a number of complexities)?

An organisation should obtain appropriate professional IT advice and assistance in establishing its systems and procedures.

For hard copy records the issues are not as complex as for electronic data, but must be considered.  Issues include:

  • How is information recorded and kept?
  • What are the security measures for access to or reproduction of information?
  • What levels of security are there for premises and data storage?
  • What security measures are there for access by non-employees?

7. Staff Awareness and Compliance

The most likely cause of a breach of the privacy requirements for personal information or credit information in an organisation will be some action or omission of its staff, whether employees or contractors.  It is essential for the organisation to ensure that its staff are aware of the privacy obligations for personal information and credit information, as applicable.

As well as providing appropriate policies and protocols, which should be published and made available so that staff are actually aware of these, an organisation should consider:

  • specific training seminars or sessions for staff (these can be provided by external consultants); and
  • monitoring the compliance of staff with privacy requirements.

It may also be appropriate to include specific obligations to comply with policies and directions in relation to data security in contracts of employment or other contracts.

8. External Advice and Assistance

As noted in relation to a number of points above, an organisation should, where appropriate, obtain professional advice and assistance.  This is likely to be particularly appropriate for:

  • IT and data security systems and procedures;
  • legal review of policies and procedures;
  • training and awareness of staff.

If an organisation has obtained appropriate external assistance, this should be taken into account by the OAIC if a breach of privacy in relation to personal information or credit information occurs despite the steps the organisation has taken.

9. Appoint Privacy/Credit Information Officer(s)

An organisation should make an appropriate person responsible for the oversight, management and control of:

  • personal information; and/or
  • credit information.

This may be the same person, and it may be that the person also has the role of maintaining data security generally for the organisation.

The Privacy Officer/Credit Information Officer should have an appropriate level of authority and will usually be the appropriate person to notify for contact in the event of a complaint.

10. Keep a Record

An organisation should keep a file or record of the various steps, policies, procedures etc that are taken to ensure privacy compliance for personal information and/or credit information.

This will assist the organisation if a breach does occur, and the OAIC makes enquiries.

Data Security is a Benefit

While some of the steps that may be necessary for an organisation to comply with the privacy requirements for personal information and/or credit information may seem onerous or bothersome, data security that preserves the organisation's own confidential information may be extremely important in its own right.  Ensuring privacy for the personal information and credit information of individuals can be seen as only a subset of that broader need.

In a recent publication released by the World Intellectual Property Organisation[1], examples are given of cyber theft of valuable information worth many millions of dollars, and it is said that:

"Ultimately, cyber crime is not strictly speaking a technology problem.  It is a strategy problem, a human problem and a process problem."

The time to act is now!

DW Fox Tucker can assist your organisation with:

  • advice in relation to privacy and credit reporting issues and systems for compliance;
  • review or preparation of privacy and credit information policies;
  • contracts and conditions for employees and contractors; and
  • staff training and information sessions and materials.

[1] Economic Impact of Trade Secret Theft, produced by The Centre for Responsible Enterprise and Trade and PriceWaterhouseCoopers LLP.

This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this article, or what it means for you, your business or your clients' businesses, please feel free to contact us.

For more information, please contact...

Sandy Donaldson
