Strateg-Eyes
Privacy: Are you Compliant with the New Laws?
Recent changes to the privacy legislation means it has become more consistent with Australia’s trading partners, and it enhances protection for individuals, but is your organisation ready?
On 12 March 2014 the Privacy Act 1988 (Cth) (the “Act”) was amended so that Australia’s privacy laws will be consistent with its major trading partners. The new laws aim to enhance the protection of personal information in this age of rapid social and technological advances.
In this article we will address the changes and what steps can be taken to comply with the laws from an employment perspective. The new laws can have profound impacts on the business processes of an organisation – so having systems, a policy and training staff on their obligations will be key to ensuring their compliance with the amendments.
The most notable change to the Act is the introduction of the 13 Australian Privacy Principles (“APPs”) which govern the use, collection and disclosure of personal information by an “APP entity”. The APPs consolidate and replace the Information Privacy Principles (“IPPs”) that formerly applied to government agencies and the National Privacy Principles (“NPPs”) that regulated private organisations. Both IPP and NPP entities are now referred to as “APP entities”.
The Australian Privacy Principles
The APPs have expanded on the content of the IPPs and NPPs. The 13 APPs have been spilt amongst 5 parts that highlight the objectives of the amendments to the Act.
What are the employee records exemption?
In spite of the new changes, employers can be reassured that the “employee records exemption” will remain in force so that the personal information of current or former employees relating directly to the employment relationship will be exempt from complying with the APPs.
It is crucial to realise that this exemption does not cover prospective employees, contractors or employees of other companies. That means APP entities must be mindful of the notes and records made and kept about unsuccessful job candidates, labour hire employees or employees of a subsidiary.
APP entities should also be aware of associated legislation that operates in their state (e.g. employee health records are not exempted from the Privacy Act in Victoria or the Australian Capital Territory where as they are in New South Wales).
What needs to be in an updated privacy review?
It is important that an updated privacy policy is widely circulated amongst all stakeholders that an APP entity impacts upon. A privacy policy should:
- be made freely available via an APP entity’s website;
- be a working document that is regularly updated;
- clearly state what information will be collected and how it will be obtained;
- specify how individuals can access their records and amend them;
- set out processes for handling complaints and an individual’s ability to report breaches;
- make methods of data collection known to individuals where it is not solicited directly from them; and
- if applicable, inform individuals that their personal information may be shared overseas and where reasonable, the locations it will be disclosed to.
| Overview There have been major updates to Australian privacy laws including:
Who does it impact?
What information is covered? “Personal information” has been updated to mean “information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual”. This differs to the old definition which referred to “an individual whose identity is apparent, or can reasonably be ascertained”. The new definition is aimed at bringing the definition in line with international standards, as well as ensuring that the definition remains sufficiently exible and technology-neutral. It does not significantly change the scope of what was already considered to be personal information. “Sensitive information” is considered a subset of personal information and its definition has also been amended to include genetic information, biometric information and biometric templates. This would include information like finger prints or facial recognition data. Actions for employers Review:
Ensure:
What if I don’t take action? Failure to observe the new laws may find an employer facing penalties of up to $1.7 million for serious or repeated breaches of privacy. |
Training for employees
It is crucial that employees are given the appropriate training to help them understand the context of the updated privacy policy. Training should be specific to their roles as different positions, teams and departments in an organisation will use, collect and disclose the personal information of individuals in different ways. Consider updating induction materials that are given to new employees and arrange privacy training for them at the outset of their employment.
Additional measures that can be employed to demonstrate a commitment to compliance include:
- appointing a staff member to the role of “Privacy Officer” and training them accordingly. This will allow enquiries and complaints in relation to personal information to be handled centrally and in a consistent manner;
- consider the creation of a generic email address such as privacyofficer@yourorganisation. com. This way the contact will not be disturbed if the privacy officer role is taken on by someone new; and
- develop a script for the members of staff that handle business enquiries. For example, the script might inform individuals that they will be sent a copy of the privacy policy with their quote.
Updating standard contracts
As the new privacy laws require APP entities to take reasonable steps to safeguard against the misuse of personal information, particular care should be taken where outsourcing arrangements are used or cross border disclosure of information is likely.
It is wise to include a binding clause in contracts with suppliers that compel them to abide by privacy standards.
The employee records exemption will apply to payroll information that is likely to be disclosed to your external payroll manager, however, personal information of employees that is disclosed to an external service provider obligates that external service provider to handle the employee’s information in accordance with the APPs.
Employers are encouraged to use best practice when managing the personal information of employees. This means they are encouraged, where possible, to abide by the APPs despite there being no legal obligation to so.
Section 6(1) of the Privacy Act 1988 (Cth) defines ‘personal information’ as:
“information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual”
For example, it would be best practice for employers to:
- inform employees that an external payroll manager is engaged by your organisation;
- obtain the consent of employees before collecting and disclosing information that will be handled by an external service provider; and
- act as a conduit for any enquiries that an employee might have about their records with the external payroll manager.
Methods of surveillance
Despite employee records being exempt from the APPs, engaging in email surveillance of employees could amount to collection of personal information. If an organisation obtains email conversations that discuss the personal information of individuals outside the organisation, the APPs will apply. The relevant APPs would be those regulating use and disclosure, openness and access to information.
It may be possible to defend surveillance activities as “being necessary for the employer’s activities” which might include the protection of computer systems or disciplining employees that are in breach of a company policy.
