Changes to the Privacy Act
Do the recent changes to the Privacy Act affect your business?
The Privacy Act changes that apply from March 12 may affect some architectural practices. The changes include more stringent information privacy requirements and stronger sanctions for non-compliance with legislation.
The Privacy Act applies to personal information handled by large businesses (and health service providers of any size). It also applies to small businesses that have an annual turnover of $3 million or less AND meet one or more of the following criteria:
- Provides services under a Commonwealth contract
- Trades in personal information
- Is related to a larger business
- Runs a residential tenancy database
- Is a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act.
The first three are most likely to apply to architectural businesses.
The changes to the Act are outlined on the Office of the Australian Information Commissioner (OAIC) website. These affect how businesses handle and process personal information, use personal information for direct marketing and disclose personal information to people overseas.
This last matter includes the storage of information on overseas servers – for example, through the use of “cloud” storage systems. Businesses must now disclose to customers or clients if personal information is transferred overseas to third-party suppliers or is stored on overseas servers.
The Act includes 13 Australian Privacy Principles relating to the handling of personal information. These cover the following topics:
- Open and transparent management of personal information
- Anonymity and pseudonymity
- Collection of solicited personal information
- Dealing with unsolicited personal information
- Notification of the collection of personal information
- Use or disclosure of personal information
- Direct marketing
- Cross-border disclosure of personal information
- Adoption, use or disclosure of government related identifiers
- Quality of personal information
- Security of personal information
- Access to personal information
- Correction of personal information
The Act also now gives the Information Commissioner the ability to investigate serious breaches and to assess the privacy performance of businesses. This includes the right to impose penalties on businesses.
Do the changes apply to your business?
If your business has a turnover of more than $3 million, the Privacy Act applies.
If your business has a turnover of less than $3 million, you need to consider whether any of the conditions listed above are relevant.
To ascertain if your business trades in personal information, consider the following:
Personal information is defined as: “information or an opinion that identifies an individual or allows their identity to be readily worked out from the information. It includes such things as a person’s name, address, financial information, marital status or billing details.”
“Trading in personal information” involves a business collecting or disclosing personal information to a third party for a “benefit, service or advantage”. This could include, for example, supplying a mailing list to a company that looks after your marketing.
The Office of the Australian Information Commissioner (OAIC) website has a 9 Step Privacy Checklist for Small Business to help small businesses determine if the Privacy Act applies to them.
What should your business do to comply?
The following will help affected businesses comply:
- Ensure that you understand all the circumstances in which your business uses personal information.
- Ensure that you have simple, clear processes and protocols in place so that any collection and use of personal information complies with the Privacy Act.
How the ACA can help
DISCLAIMER: The ACA offers the information above as a guide and general overview only. Advice regarding the applicability of the Privacy Act to your business, and relevant Privacy Policies and processes, should be sought from your lawyer or other business advisor.