Privacy Act Changes Will Affect Dealers

Changes to the Privacy Act that come into effect on 12 March 2014 mean that most Dealers will need to amend their current privacy compliance documentation such as privacy statements, notices, privacy policies (usually posted on a website) and direct marketing processes.

What is the Privacy Act?

The Privacy Act protects personal information, that is, information about identifiable individuals. The Privacy Amendment (Enhancing Privacy Protection) Act 2012 represents the largest set of reforms to the Privacy Act 1998 in over a decade.

Key Changes

A key reform applicable to Dealers is a set of 13 new Australian Privacy Principles (APPs) which replace the National Privacy Principles (NPPs) that currently apply to Dealers.

Direct marketing is now prohibited unless the exceptions listed in APP 7 apply. Direct marketing is an activity that many Dealers engage in and so their processes will need to be reviewed.

Dealers who disclose personal information to an overseas distributor face new obligations and risks. If a Dealer discloses information to an overseas distributor and the overseas distributor breaches the APPs, then the Dealer may be found liable and so it is important that this risk is mitigated.

Dealer Responsibility

Under the new APPs, Dealers must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to their dealership functions and activities that will ensure that their dealership complies with the APPs. This obligation relates to the dealership’s interaction not only with customers, but also with its staff. In this regard, management and staff should be well informed about the Privacy Act and its requirements. Compliance by management and staff can be facilitated through a combination of training and, for example, a staff handbook or policy.


The Privacy Commissioner now has powers to impose penalties for a breach and so it is important that all Dealers comply with the new legislation. Up until now, the Privacy Commissioner has been seen as a ‘toothless tiger’ amongst regulators, because it could not impose penalties for breaches (except for credit reporting breaches). Now, serious or repeated privacy breaches can attract civil penalties for a maximum of $1.7 million against corporations and $340,000 against individuals.

The Five Categories

The 13 APPs are grouped into five sets of principles, as follows:

Principles that require dealerships to consider the privacy of personal information, including ensuring that dealerships manage personal information in an open and transparent way. The APPs in this group are:

(i) APP 1 – open and transparent management of personal information; and

(ii) APP 2 – anonymity and pseudonymity;

Principles that deal with the collection of personal information, including unsolicited personal information. The APPs in this group are:

(iii) APP 3 – collection of solicited personal information;

(iv) APP 4 – dealing with unsolicited personal information; and

(v) APP 5 – notification of the collection of personal information;

Principles about how dealerships deal with personal information and government related identifiers, including principles about the use and disclosure (including cross-border disclosure) of personal information and identifiers. The APPs in this group are:

(vi) APP 6 – use or disclosure of personal information;

(vii) APP 7 – direct marketing;

(viii) APP 8 – cross-border disclosure of personal information; and

(ix) APP 9 – adoption, use or disclosure of government related identifiers;

Principles about the integrity, quality and security of personal information. The APPs in this group are:

(x) APP 10 – quality of personal information; and

(xi) APP 11 – security of personal information; and

Principles that deal with requests for access to, and correction of, personal information. The APPs in this group are:

(xii) APP 12 – access to personal information; and

(xiii) APP 13 – correction of personal information.


Vinesh George
Commercial Lawyer
