I had my lawyer, Andrew Nicholson, send me a copy of this article he wrote on the new privacy laws. I hope it is helpful.
Changes to Privacy Laws: Amendments to the Privacy Act 1988
The amendments to the Privacy Act are focused on ensuring that privacy laws keep up with our ever-changing technological and social environment, and on reflecting the community's expectation that organisations will keep an individual's personal information secure and use it correctly.
SUMMARY OF THE CHANGES
The changes bring both businesses and government agencies under the same umbrella, whereas previously different rules applied to each. There are four central themes to the changes:
1. COLLECTION
You will only be able to collect personal information (from an individual or from another entity) if it is reasonably necessary for your organisation's functions or activities. If you receive personal information that you did not solicit, you will generally need to destroy or de-identify it.
When collecting personal information, you must make individuals aware of a number of matters, including the purpose for which the information is collected, who will use it, and how the individual can access and correct the personal information you hold about them. You should provide collection notices to individuals. If your organisation outsources work to offshore entities and personal information is shared with them, or there is a risk that it may be, you will need to alert individuals to this and tell them which agents or entities will have access to their information. In a number of instances you may need to obtain an individual's consent before disclosing their personal information.
2. STORAGE AND MAINTENANCE
You will need to ensure that adequate security measures are taken to store personal information securely. If you provide personal information to any offshore entity (such as a web host), you must take reasonable steps to ensure that it handles the information appropriately.
3. DIRECT MARKETING
You will not be able to use personal information for direct marketing unless you fall within an exception in the Privacy Act. The exceptions include where an individual would reasonably expect their personal information to be used for direct marketing, or where they have consented to their personal information being used for this purpose. Even if an individual consents, you must also comply with the Spam Act 2003, and the marketing material must contain a prominent opt-out statement.
4. ACCESS AND CORRECTION
Individuals will have greater access to their personal information, including the right to require organisations to maintain their records and keep them current. Individuals may also require businesses to disclose the source of their information, which means many businesses will need to review and update their collection practices.
WHAT YOU NEED TO DO
To ensure your organisation complies with the legislative changes, you should:
Review your practices and make changes
You should consider how you collect personal information, what you do with it, and how privacy is managed within your business. For example, if you use personal information to help compile marketing lists, store personal information in your company records, or give any other entity or individual material that contains personal information, it is likely you will need to amend your practices to comply with the Privacy Act. This includes being able to identify the source of the information and whether the individual consented to its use for other purposes (including marketing).
Educate staff about the changes
All staff members who come into contact with personal information will need to be briefed on the legislative changes and on the procedures your business intends to put in place to comply with the amended Privacy Act.
FAILURE TO TAKE ACTION
Organisations that fail to comply with the amended Act may be investigated by the Australian Information Commissioner, whose powers have been expanded by the legislative changes. The Commissioner may investigate organisations on its own initiative, without having received a complaint. Serious or repeated breaches of personal privacy may attract prosecution, with penalties of up to $1.7 million for corporations and $340,000 for non-corporate entities.