Federal Government’s Privacy Law Reform 2014 – Questions and Answers

February 18, 2014

On 12th March 2014, amendments to the Privacy Act of 1988 that were previously passed by the Federal Parliament came into effect. This means that businesses and not-for-profit organisations (including churches) may need to conduct a review of their privacy policies and, where required, update them as soon as possible to comply with the new regulations.

Why do we need the amendments?

The changes to the Privacy Act were recommended by the Australian Law Reform Commission in 2008, with a view towards strengthening and enhancing people’s rights to privacy. The privacy amendments place a higher degree of obligation onto organisations that collect people’s personal information with regard to how they process, use, and handle such information. They also provide the Information Commissioner with greater power to enforce actions and to apply penalties for non-compliance.

What are the main changes?

One of the key changes is that the NPPs (National Privacy Principles) and IPPs (Information Privacy Principles) contained in the Privacy Act will be replaced by a new set of 13 Australian Privacy Principles (APPs). The APPs will be broader in scope than the former privacy principles and will apply to both the private and public sectors.

Under the APPs, organisations that collect personal information will need to be more transparent about how they intend to use the information they are provided with. They will also be required to be more proactive in the steps and procedures they take to protect people’s personal information.

How is this likely to affect CofC churches?

Many of our churches may collect personal information such as names and addresses, phone numbers, email addresses, details of family members / next of kin, payment or credit card details, and sensitive information pertaining to gender, race, beliefs and health or medical history. Churches that collect these types of information may need to comply with the Privacy Act depending on certain criteria (see below). If so, they will need to follow the APPs and guidelines provided by the OAIC (Office of the Australian Information Commissioner) with regard to both transparency and the protection of people’s privacy and information.

This includes the following:

  • Only collecting information for a clear and specific purpose.
  • Keeping the information in secure storage and taking active steps to ensure its protection from being lost or interfered with.
  • Destroying personal information that is no longer needed or that was unsolicited (that is, not deliberately collected). This may involve shredding documents and / or clearing or destroying storage devices.
  • Clearly providing and communicating an ‘opt out’ mechanism to people when conducting any ‘direct marketing’ (when sending e-newsletters for example).
  • Informing individuals where their information was obtained from if asked.
  • Disclosing details of any intention to provide personal information to other recipients, and seeking consent before doing so.
  • Providing details of how complaints can be made and how alleged breaches will be handled.
  • Obtaining the consent of individuals when seeking to collect sensitive information.
  • Providing people with access to the personal information that is held on them if requested.
  • Keeping all personal information current / up-to-date.

What about employee information?

Information held on employees is exempt as long as it is held only for the purpose of their employment.

What is the next step?

Complete the ‘small business checklist’ (also see * below) provided by the OAIC to see if you need to take any action at this stage, and if so:

  • Review and revise your privacy policy and procedures to comply with the new APPs. Note that all references to NPPs will need to be removed.
  • Ensure that you make the changes required by the amendments, including clearly communicating to people the ways you intend to use and safeguard their personal information before collecting it.

(* Note that the answer to Step 6 with regard to Conference of CofC Vic/Tas being a ‘larger body corporate’ would be ‘no’).

If the checklist indicates you don’t need to comply with the Privacy Act, you have the option to comply anyway in order to protect people’s personal and sensitive information that you collect.

If you are unsure about any issue regarding the Privacy Act it’s recommended that you contact the OAIC or obtain advice from your legal representative.

Written by Tess Oliver