Changes to privacy laws

19 March 2014
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) introduces changes to the Privacy Act 1988 (Cth), which commence on 12 March 2014.

A key change is the introduction of 13 Australian Privacy Principles (APP), which replace the Information Privacy Principles and the National Privacy Principles.

Application of the APP to unions

The APP apply to APP entities, which means both agencies and organisations. Under the Privacy Act, a union will be treated as an organisation if:

  • total annual turnover exceeds $3 million; or
  • it is registered or recognised under the Fair Work (Registered Organisations) Act 2009 (Cth).

The most important change for trade unions will be the need for a privacy policy that is communicated to all members. This is explained in more detail below.

What are the APP?

The APP are designed to regulate information-handling processes, including the collection, holding, use and disclosure of specific information by an APP entity. The APP regulate two types of information, being:

  • personal information, which means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not; and
  • sensitive information, which is information of a more sensitive nature and includes, for example, information or an opinion about an individual's race, political opinions and relevantly, membership of a trade union.

Key changes under the APP include:

  • open and transparent management of personal information - APP 1 imposes a requirement to manage personal information in an open and transparent way, including by taking reasonable steps to implement practices and procedures that will ensure compliance with the APP. Importantly, APP 1 requires APP entities to have a clearly expressed and up-to-date policy, and it introduces specific minimum requirements that must be contained in such a policy.
  • anonymity and pseudonymity - APP 2 introduces the concept of pseudonymity, and requires individuals to be given the option of dealing with the APP entity either anonymously, or by using a pseudonym, except where it is impracticable to do so, or the APP entity is required or authorised by law to deal with individuals who have identified themselves.
  • dealing with unsolicited information - APP 4 is a new principle which deals with situations where an APP entity receives personal information that is not solicited. In these circumstances, APP entities are required to destroy or de-identify unsolicited information if the APP entity determines that it could not have collected such information in accordance with the APP.
  • notification of the collection of personal information - APP 5 lists the specific matters which an individual must be made aware of when information is collected from them. These matters have been expanded to include notification that the privacy policy contains information about access to personal information, correction of personal information and complaint mechanisms, and notification of whether the APP entity is likely to disclose an individual's personal information to overseas recipients.
  • direct marketing - APP 7 is a new principle which prohibits the use or disclosure of personal information that an APP entity holds for the purpose of direct marketing, unless an exception applies. Where the direct marketing involves the use or disclosure of sensitive information, an individual's consent is required.
  • security of personal information - APP 11 expands on an APP entity's obligation to maintain the security of personal information, and requires reasonable steps to be taken to protect the personal information it holds from interference, which is broader than the previous standard and is intended to mean protection from electronic intrusions on computer systems.
  • cross-border disclosure - APP 8 introduces a new accountability approach in relation to the disclosure of personal information to overseas recipients. Before an APP entity discloses personal information about an individual to an overseas recipient, it must take reasonable steps to ensure that the overseas recipient does not breach the APP in relation to the information.

Be compliant - the steps you should be taking

As the APP have now come into effect, now is the time to take active steps to ensure compliance, including:

  • reviewing and updating your privacy policy in accordance with the specific requirements in the APP;
  • drafting and implementing a privacy policy if you do not have an existing one;
  • auditing processes relating to information collection, and the manner in which collected information is used and disclosed;
  • reviewing processes in relation to the storage of information;
  • reviewing the security measures in place to protect information, and the adequacy of those measures;
  • considering whether unsolicited information is received, and implementing processes on how to deal with such information in accordance with the APP;
  • implementing procedures for the handling of complaints, as well as dealing with requests from individuals for access to, and the correction of, their personal information; and
  • training staff in relation to APP requirements.
