Australian Privacy Principles (APPs)

On 12 March 2014 significant changes were made to the Commonwealth Privacy Act, including the introduction of the Australian Privacy Principles (APPs). The amendments change the way businesses are required to deal with personal information.

The Act applies to individuals, companies, partnerships, unincorporated associations and trusts that are:

  • Government agencies
  • health service providers
  • businesses and corporations that have an annual turnover of more than $3 million
  • businesses and corporations that have an annual turnover of less than $3 million and that:
    • trade in personal information
    • provide services under a Commonwealth contract
    • operate a residential tenancy database
    • are related to a larger business
    • are a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act

The changes also allow the Australian Information Commissioner not only to resolve complaints and investigate serious breaches of privacy, but also to seek civil penalties of up to $1.7 million against non-compliant corporations, and up to $340,000 against individuals (including company directors and employees).

The minimum steps that should be taken by businesses to ensure compliance with the APPs include:

  • Reviewing and updating privacy policies, practices, procedures and systems. Policies must be readily available and address issues such as:
    • what personal information is collected and how
    • why personal information is collected
    • processes to correct personal information
    • how personal information is destroyed
    • how complaints about breaches of the APPs are handled
    • access to personal information
    • disclosure of personal information, particularly to overseas recipients
  • Consideration should be given to:
    • whether individuals can be given the option to remain anonymous or if a business could use pseudonyms when dealing with personal information
    • the treatment of unsolicited personal information
    • whether the personal information held by a business is accurate, up to date and complete
    • direct marketing
    • how personal information is protected
  • Systems to notify individuals about the collection of their personal information

Businesses that were compliant under the old National Privacy Principles should not assume that they are automatically APP compliant, but should take the opportunity to review their privacy policies, and their structure and application.