12 March 2014. It’s the day the new Australian Privacy Principles come into force. There are new rules and strong penalties for breaking them. Read on to find out more about how the changes impact marketers.
Schedule 3 of the current Privacy Act 1988 contains ten National Privacy Principles (NPPs), which will be replaced with the Australian Privacy Principles (APPs) from the 12th of March 2014. Although the content of the thirteen APPs is largely similar to the existing NPPs, more specific requirements in relation to privacy policies, cross-border disclosures and access to personal information, as well as a principle that deals solely with direct marketing, have been added.
With new penalties of up to $1.1 million for company breaches of the Act, and some advisors claiming that penalties could be up to $1.7 million, it’s important to be aware of the changes and adjust corporate policies and procedures to comply.
Australian Privacy Principle 7: Direct Marketing
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 includes Australian Privacy Principle 7, which focuses on direct marketing and privacy. This is in contrast to the current NPP dealing with the use and disclosure of personal information that lists direct marketing as a potentially secondary use of collected data.
The existing NPP 2.1 states that an organisation must not use or disclose personal information about an individual for a secondary purpose unless one of the listed exceptions applies. Some of these exceptions include where:
- the secondary use is directly related to the primary purpose of collection and the individual would reasonably expect the organisation to use or disclose their personal information (2.1 (a))
- the individual has consented to the use or disclosure of their personal information (2.1 (b))
- the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing (2.1 (c)).
The new, more specific, APP 7.1 states that “if an organisation holds personal information about an individual, the organisation must not use or disclose the information for the purpose of direct marketing”. However, the APP 7 subclauses also set out a number of exceptions where direct marketing uses are permissible. Organisations can use the personal information (other than sensitive information) they have collected from individuals themselves if those individuals would reasonably expect their information to be used for that purpose and there is a simple and free opt-out mechanism in place (7.2).
Under APP 7, organisations can also use personal information (other than sensitive information) obtained from a third party for direct marketing, or information that individuals would not necessarily expect to be used for that purpose, if:
- the individual has consented to the use or disclosure of the information for that purpose or it is impracticable to obtain that consent (7.2 (b)); and
- the organisation provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation (7.2 (c)); and
- in each direct marketing communication with the individual the organisation draws attention to the fact that they can opt out of the communication (7.2 (e)), and provides a clear and easy way of doing so (7.2 (d)).
Sensitive personal information, such as the individual’s race or ethnicity, their political beliefs or health data, may only be used for direct marketing if the person has agreed to the information being used for that purpose (7.4). Furthermore, if an individual requests not to receive direct marketing communications from the organisation, or requests that their personal information not be shared with other organisations for that purpose, the organisation which collected the individual’s information must “give effect to the request within a reasonable period” (7.7 (a)). Of course, APP 7 will operate alongside other privacy laws, with the Do Not Call Register 2006 and the Spam Act 2003 taking precedence (7.8).
Border protection
Another important change to the Privacy Act 1988 which could affect direct marketing practices is in regards to the sharing of personal information with overseas entities. APP 1 states that in an APP entity’s privacy policy, not only should the organisation fully disclose the kinds of personal information it collects and how it is stored, but it should also clarify whether it is likely to disclose information to overseas recipients (1.4 (f)), and if so, in which countries these recipients are likely to be located (1.4 (g)).
Also relating to the cross-border disclosure of personal information, APP 8 builds on the existing NPP 9 but increases the responsibility of organisations to ensure that the overseas entity has similar privacy principles to the APPs. APP 8 states that before an organisation transfers an individual’s personal information to an overseas recipient, it “must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information” (8.1).
There are a number of subclauses that allow for exceptions to APP 8.1, including the informed consent of the individual for their personal information to be transferred to the overseas entity (8.2 (b)), or the organisation’s reasonable belief that the overseas recipient is subject to a law or binding scheme similar to the APPs and that this law or binding scheme is enforceable (8.2 (a)).
The APPs’ more detailed and prescriptive requirements protect and enhance the rights of individuals over their personal information, as well as increasing the responsibilities of organisations. For direct marketing businesses and users, it’s important to be aware of the amendments to the Privacy Act 1988 and how they will affect your privacy practices and data collection.
For a detailed analysis of the Amendment’s changes, the Australian Government has produced a comprehensive comparative guide outlining the differences between the NPPs and the APPs.
To ensure your organisation’s data privacy policies and practices are up-to-date and address the APPs, make sure you can complete this Data Privacy Compliance Checklist.