Privacy, Prevention and Penalties: A new regime

September, 2013

Late last year significant changes to privacy law were enacted by the Commonwealth parliament. They are to come into effect in March 2014. This gives all holders of the private information of others time to adjust and take appropriate steps to ensure compliance with the new standards.

Most entities which handle personal information about individuals, including most Australian companies, charities and many aspects of government, will need to comply with the new regime.

Charities and not-for-profit organisations need to take a tailored and targeted approach to when and how they bring their systems into compliance with the new privacy regime.

Charities deal with legally protected information in many aspects of their activities: a charity will in all likelihood hold both the identity and details of its donors and beneficiaries.

The new changes incorporate a set of 13 Australian Privacy Principles, which replace the prior foundational concepts set out in earlier versions of the Act. Those most relevant to those in charge of charities are likely to be:

1. The open and transparent management of personal information;
2. Allowing individuals to deal with you anonymously or pseudonymously (subject to practicality);
3. The collection of solicited or sought personal information;
4. The collection of unsolicited personal information;
5. Use and disclosure of personal information;
6. The adoption, use or disclosure of government related identifiers (i.e. Medicare number/driver’s licence number);
7. The quality of personal information;
8. Security of personal information;
9. Access to personal information; and
10. Correction of personal information.

All are directed to the protection and privacy of information held about others.

Compliance with the legislation is neither discretionary nor flexible. Whilst there is obviously a commercial need to balance the cost of compliance and training of staff with prudent management, the implications of not observing the law could be significant.

There is a much greater sting in the tail for breaches of the Act. The Privacy Commissioner has much wider powers to take enforcement steps in relation to breaches. Civil penalties can be up to $1.1 million for corporate entities and $220,000 for individuals. Penalties can apply to any person or individual who aids, abets or knowingly assists in a breach of the Act.

The terms of your Privacy Policy must be made available to all whose information you do, or will, hold. It must be transparent, clear and easily understood.

Aligned with the drafting of the Policy will be its observance. It is necessary for you to do what you say you will in the Policy.

Importantly, your obligations in relation to information you receive but did not intend to collect are also enhanced under the new law, and information must be destroyed if it is no longer needed for a lawful purpose.

Close consideration needs to be given to:

1. Creating or amending a privacy policy;
2. Training staff who will deal with the personal and confidential information of individuals; and
3. Setting up a complaint or dispute resolution mechanism for when someone alleges their rights under the Act are being infringed.

These steps will assist not only in complying in general terms with the obligations of the Act, but will also set up safeguards against breaches of the Act through the misuse of personal information, which could have serious implications for you and your organisation.

Contact Mills Oakley

Damian Ward | Partner
T: +61 2 8289 5862