What you need to know
The changes will affect how businesses can:
- Handle and process personal information (such as collecting personal data via forms).
- Use that personal information for direct marketing.
- Disclose personal information to people overseas.
Do the Australian Privacy Principles apply to me?
The Act has been extended to include a select group of small businesses that have an annual turnover of less than $3 million. If your business has an annual turnover of more than $3 million, then the Act has applied since December 2001 – and the APPs will of course apply.
The Office of the Australian Information Commissioner (OAIC) has a great fact sheet here that will help you determine if you need to comply. If you’re still not sure, you can contact the OAIC or alternatively seek some independent legal advice.
What do I need to do?
If you’ve been collecting personal data for the purposes of sending electronic direct mail, then it’s likely that you’re already applying the APPs to some extent. But it doesn’t hurt to review your processes and make sure that you comply.
- Get familiar with the APPs. Read them carefully to see if there is anything that might require changes or new procedures within your organisation.
- Review your privacy policy. The first APP covers off the requirements around your privacy policy. There’s a list of things you need to make sure you’re doing, including making sure you have a privacy policy and that it contains details around things like how you collect information, what you are collecting it for and how someone can make a complaint. Cross-check your policy against the list.
- Assess your forms for unnecessary data collection. If you’re collecting data from people but don’t have a clear reason for collecting it, you could be in breach of the Act. Check all your forms to make sure you’re only asking for what you need.
- Ensure that your Electronic Direct Marketing (EDM) and SMS/MMS policies and procedures comply with the new requirements. Principle number seven gets pretty specific around direct marketing and what people should expect to see in regards to (amongst other things) unsubscribing from electronic direct mail. You now need to include a “prominent statement that the individual may make such a request”.
As mentioned, there are 13 Privacy Principles and the above is really just a snapshot of some of the things that they cover. This blog should be considered a general overview and doesn’t constitute or replace any legal advice. You should make sure you download and read the principles prior to them taking effect on March 12 and seek assistance should you have any questions. Chances are that you already have a very robust process around data privacy, but it never hurts to conduct a review once in a while!