On 12 March 2014, the federal Privacy Act 1988 (Privacy Act) changed. This law regulates how your personal information is handled by Australian Government agencies (not state and territory government agencies) and the private sector, including large businesses, credit bodies (like banks), not-for-profits and private health service providers.
The new Privacy Act includes changes in three main areas.
• A new set of privacy principles. These are called the Australian Privacy Principles (APPs) and they govern how your personal information must be handled. There are a number of important changes, including in the areas of privacy policies, direct marketing and overseas disclosure of personal information.
• Comprehensive credit reporting. Changes to credit reporting affect everyone — anyone who has a credit card or store card, or uses a telecommunications service provider, has a credit report, and the information that goes onto it now can have an impact on your ability to get credit in the future.
• Enhanced powers for the Office of the Australian Information Commissioner (OAIC). The OAIC now has greater powers to resolve investigations and promote privacy compliance.
You can’t exercise or enforce your rights if you don’t know what they are — visit the OAIC website to find out about changes to the law.
Privacy policies can be long and complex, and most of us don’t read them, but a good policy will tell you what you need to know before you provide your personal information:
• what personal information is collected
• if sensitive information is likely to be collected
• if your personal information is likely to be shared with a third party
• if personal information will be disclosed overseas
• how your personal information will be used and disclosed
• how personal information is stored and managed
• how you can access and correct your personal information
• how you can make a privacy complaint.
Australian Government agencies and private sector organisations are only allowed to use your personal information for direct marketing in certain circumstances.
If they do, they have to give you a simple way to opt out, and they have to action your opt-out request within a reasonable period of time. They also have to tell you where they got your information if you ask.
Cross border disclosure
Many of the services we use on a daily basis have overseas components to their business.
If your personal information is held by a business or agency that is covered by the Privacy Act, and they disclose it to an overseas organisation or agency, they need to make sure that it will be handled in accordance with Australian privacy law.
If your personal information is mishandled by the overseas recipient, the business or agency that disclosed your information may be legally responsible for this.
These obligations don’t apply in some circumstances, such as where you specifically agree to your information being disclosed to an overseas organisation or agency. So get informed, and make sure you know what you are agreeing to!
Access and correction
You now have greater rights to access your personal information, and to correct it if it’s wrong. Government agencies and organisations must respond to a request for access or correction within a reasonable period of time (this is 30 days for agencies, and the OAIC considers that 30 days is reasonable for businesses too), and they have to give you reasons in writing if they refuse to give you access.