Australian Data Privacy has teeth

If you’re thinking that Australians are fun-loving, easygoing types, and that direct marketing to Australians is probably just as easygoing, think again. The data privacy regime in Australia has recently made the process of getting truly compliant direct marketing data for your Aussie campaigns a whole lot tougher, and has instituted some penalties for non-compliance that have more teeth than a crocodile.

Any entity even remotely connected to collecting or using any kind of marketing data in Australia should take pains to thoroughly understand the numerous new interpretations, definitions, requirements and penalties that were enacted as of March 12, 2014. A lot of very smart people have written extensively about this subject, and one of the most thorough reviews can be read here: http://bit.ly/1jaiAuY. If you’re a skimmer and prefer a summary, here are some of the highlights of the so-called “New Act”:

>> Significantly strengthened powers have been conferred upon the Office of the Australian Information Commissioner, including the ability to develop binding Privacy Codes.

>> Changes to credit reporting laws that call for specific dispute resolution schemes.

>> The adoption of 13 new Australian Privacy Principles (“APPs”), which consolidate and replace the two separate acts (one for the private sector and one for government agencies) that had been in place until March of this year when the “New Act” became law. Most notably:

  • An enhanced interpretation of “Personal Data” which now means information or an opinion about an individual.
  • Greater precision about the definition of Sensitive Personal Data and the circumstances under which it can be collected. The new definition includes things like racial or ethnic origins, sexual preferences, philosophical or religious beliefs, political opinions, memberships in groups like trade associations or unions, health or genetic information, and biometric data about an individual.
  • An organization is prohibited from collecting personal information unless the information is “reasonably necessary” to perform one of its functions or activities. Upon its collection, the organization must take reasonable steps to let the individual know the identity of the information collector, how to contact them, why the information is being collected and how the information will be used, and to whom the information might be transferred. The individual must also be notified how they can complain about a breach, and how their complaint will be handled, and whether the organization is likely to disclose their information to overseas recipients and if so, the countries in which the recipients of the information may be located.
  • An organization must not disclose personal information collected unless the information collected is necessary to perform its activities; the individual consents; it is required by law; a serious threat to an individual’s health or safety exists and the release of the information would lessen the threat; or it is for research or statistics that serve public health or safety.
  • Under APP 7, an organization using data for Direct Marketing must also ensure that the individual can easily opt out in an obvious manner, and that the individual has not previously requested to opt out of direct marketing communications. The collecting organization can use the information collected if the individual can reasonably expect that their information would be used for direct marketing.
  • Where Sensitive Information is collected, new requirements are now in place that limit the circumstances of such collection. Permissible circumstances include those where the individual has consented, the collection is required by law, the information is required in some sort of legal action, the individual has been unable to consent and the collection is required due to a serious or imminent threat to the individual’s life or health.
  • Offshore Transfer is now only allowed when the organization believes the transfer will be handled within a set of laws that offer no less protection than Australia’s Privacy Act; the individual consents; consent collection is impractical and would likely be approved by the individual if practicable; the organization has taken reasonable steps to ensure that the information will be handled in a manner consistent with Australia’s Privacy Act.

Australia is quite serious about its Data Protection Policy. We strongly urge anyone using data collected on Australian citizens to carefully review the practices of the data collector and any related agency entities to ensure compliance. For help with International Data Compliance Review Services, please contact us.