In an increasingly digital world, it has become obvious that rapid advances in technology, together with vastly expanding global markets, have permanently affected the way in which personal information is collected and disseminated. By virtue of the way that they and their employees are engaging in these markets, employers are now necessarily on the frontline of those affected by the changing environment in which we now operate.
In May this year, the Federal Government responded to calls to amend the current privacy legislation (first drafted in 1988) to accommodate some of these changes by introducing the Privacy Amendment (Enhancing Privacy Protection) Bill 2012. These reforms are aimed specifically at the protection of personal information and are also designed to simplify the reporting of credit information in relation to a person’s credit rating. Broadly, the changes are aimed at:
- enhanced regulation of personal information used in direct marketing
- improved access to personal information and the ability to make corrections
- increased restrictions on the international sharing of personal information, and
- more vigilant protection of ‘sensitive information’ (e.g. health records).
While these changes will no doubt be beneficial for individuals, it is important to understand how the changes may affect the day-to-day operation of your organisation, particularly from an employment perspective.
The Australian Privacy Principles
One of the most significant general changes is the introduction of the Australian Privacy Principles (APPs) to replace the ‘National Privacy Principles’ and ‘Information Privacy Principles’. With this change, for the first time, the regulation of the private sector will come together with the regulation of the handling of personal information by Commonwealth agencies. Overall the reformed legislation will still apply to the same entities and operate with a similar structure to its predecessors, but this change is expected to vastly decrease the confusion about the regime’s coverage.
The APPs still cover the management principles, quality, collection, disclosure, security, access and correction of personal information. For all intents and purposes, the definition of ‘personal information’ under the Act will remain unchanged.
Having said this, there are some amendments that may require action from organisations. For example, the APPs will:
- explicitly require up-to-date privacy policies and procedures that ensure your organisation is compliant with any relevant APP Code
- further restrict the use of unsolicited personal information by organisations by imposing positive duties to de-identify or destroy such information
- introduce specific regulations for using personal information held for direct marketing, and
- impose increased restrictions on cross-border disclosure of personal information.
One key principle that has been introduced into the legislation is the concept of reasonable necessity. This test will effectively narrow the scope of many exemptions by implying a more objective test for the exemption to apply. For example, when the amendments become effective, employers should consider whether the unauthorised disclosure of personal information was necessary to conduct their business in the eyes of an ordinary reasonable person, not from the perspective of an organisation in their individual circumstances.
Impact on employers – what should you do?
While there are no amendments explicitly referring to the employment industry, these changes are a timely reminder of the way in which employers (necessarily) collect personal information from their employees on a daily basis. Employers and organisations should be conscious of how the reforms are effectively placing additional duties and greater restrictions on the way in which personal information may be dealt with.
Importantly, employers will be required to take positive steps to assess the relevance and accuracy of all personal information that they collect about their employees (and other individuals) and deal with it according to up-to-date and code-compliant privacy policies. The APPs will specifically apply to the way in which personal information is held about employees, such as its security and the possibility that it may be held outside Australia, and employers may therefore need to implement certain procedures to ensure that any protected information is held in compliance with the revised restrictions.
In preparation for the commencement of the amendments, organisations should:
- review their current privacy policies, which should include information to be provided to employees or other individuals at the time that personal information is collected from them
- train staff in, and communicate information about, the new policies and practices
- establish clear procedures to deal with inquiries and complaints about privacy issues
- establish clear policies to manage the relevant risks and ensure compliance for your organisation, including procedures for the collection and maintenance of personal information, and
- consider the manner in which any personal information is held, secured and transferred and whether changes in procedure will need to be adopted to ensure compliance.
McCullough Robertson can advise clients on adopting, drafting and implementing privacy policies and procedures.
This Alert covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. This Alert is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.