New amendments to the Commonwealth Privacy Act come into effect today, Wednesday 12 March 2014. According to the Office of the Australian Information Commissioner (OAIC) this is the biggest change in privacy law for Australia in 25 years.

For the most part the big change is that there is now a mandatory requirement for businesses to be “open and transparent” about how they use and manage personal information. So if your business collects information from customers, potential customers or people who visit your website, this affects you.

If you’re a new business or you’re not sure how this change will impact you, I’ve covered some important things to consider in this blog post.

Understanding what is considered personal information

The Privacy Act deals with “personal information”, that is, information which can be used to identify a person, not just you and/or your clients. This can include name, address, date of birth, tax file number, driver’s licence number or anything else that identifies a person.

Before you update your privacy policy you should first establish:

  • What personal information does your business collect?
  • Is the personal information reasonably necessary for one or more of your business activities or functions?
  • Why is the information collected?
  • How does your business collect, handle and store information?
  • To whom is this information disclosed? Internally and/or externally?
  • Do you disclose any information to people or entities overseas? And if so, in which country are they located?
  • Do you have a procedure in place for complaints?

New guidelines for business

The new Commonwealth Privacy Act now refers to the Australian Privacy Principles, also referred to as the APP guidelines. OAIC has also released guidelines for entities to help them implement the APPs; you’ll find the guidelines here.

Something to be aware of is that businesses collecting personal information need to have what is called a “collection notice” available, which should contain certain information as set out in the APPs. This notice will need to be, where reasonably practicable, supplied before, at the time or as soon as possible after personal information is collected by you.

If you don’t currently have a collection notice or privacy policy that includes this information you must act immediately to avoid penalties. The OAIC Commissioner has made a point of emphasising that from today he has broader powers to ensure the new privacy laws are enforced, including conducting audits of businesses, and that he intends to use them.

You’ll find a helpful checklist for knowing if your business meets new requirements here.