Privacy reforms: are you compliant?

Staying up to date with privacy law is not only good practice, it’s essential, with severe financial penalties for ongoing non-compliance.

Amendments to the Privacy Act 1988 came into force in March 2014 and introduced major reforms to the way Commonwealth government agencies and private businesses collect, use and deal with personal information.

Although the reforms relate to organisations with an annual turnover of more than $3 million it is strongly recommended that you apply the principle whether or not your turnover is less than $3 million. This not only accords with community expectations and is generally a commercially sound business approach, it also means that if your  turnover exceeds $3 million everything is already in place.

The new Australian Privacy Principles (APPs) largely mirror the National Privacy Principles (NPPs) they have replaced but there is a much greater onus on organisations to manage their privacy policies, systems and practices to ensure compliance and introduce more stringent controls on direct marketing and sending data offshore.

It is essential to review and update your privacy policies and undertake a review of the internal practices and procedures to ensure compliance. Under the new provisions the powers of the Privacy Commissioner have significantly increased. Organisations may face penalties of up to $1.7 million and individuals of up to $340,000 for serious non-compliance and repeated breaches.

KEY CHANGES

Open and transparent management of personal information (APP1)

The object is to ensure that the personal information is managed in an open and transparent way. An organisation must take reasonable steps to implement practices and systems that will firstly ensure compliance and secondly enable it to deal with any individual’s compliance inquiry.

Both franchisees and franchisors will need to collect personal information from individuals and must have readily available, free of charge to those individuals, a clearly expressed and up-to-date policy about the collection, use and management of their personal information. This privacy policy must relay to the individuals:

  • the kinds of personal information that is collected and held;
  • how the organisation collects and holds the information;
  • the purposes for which the personal information is collected, held, used and disclosed;
  • how an individual may access its personal information and seek the correction of same;
  • how an individual may complain about the organisation’s breach of the APPs; and
  • whether the personal information is likely to be disclosed to overseas recipients.

If you have not already reviewed and updated your privacy policy in line with the reforms, take action now. You should also undertake a risk assessment of the practices and procedures to identify any compliance and risk issues. These should be updated and managed accordingly. Privacy training should be organised for the franchisees and your employees to ensure that they are up to date with the changes and are aware of their duties.

Your privacy policy should be available on your website and you may include it as an annexure to your manuals noting that it is subject to change.

Notification of the collection of personal information (APP5)

If you are collecting personal information about an individual, wherever practicable, you must inform the individual at or before the time of the collection of the personal information of following matters:

  • the identity and contact details of the organisation collecting the information;
  • if collecting personal information from sources other than the individual (such as credit reporting agencies when undertaking due diligence on prospective franchisees), the individual must be informed of this fact and told why the collection is necessary;
  • details of any law or court order which requires collection of the personal information;
  • the purposes for which the personal information is collected;
  • the consequences (if any) for the individual if some of the information is not collected (for example, not being able to provide a service to your customers if certain information is not collected);
  • details of other entities and persons to which you usually disclose the personal information to (for example, if you are collecting customer information for purposes of marketing is that information shared with other franchisees, a marketing company and so on);
  • that your privacy policy sets out how an individual can seek access or correction of its personal information and complain about a breach of the APPs, and
  • the likelihood of offshore disclosure.

Collecting personal information from potential franchisees would be covered by the APPs, as would customer data from loyalty programs or competitions. Your first step should be to review and update your privacy policy, then undertake a review of your privacy collection statements to ensure that they address the mandatory matters. This may include a review of your franchise application form, prospective employees’ application form, loyalty program terms and conditions etc.

Unsolicited information (APP4)

If your organisation receives personal information about an individual that is not solicited (no active steps have been taken to collect the information) you are required to assess whether your organisation could have legally collected the personal information. If not, you must as soon as practicable destroy or de-identify that personal information.

For example, unsolicited data could be information obtained through job enquiries or franchise enquiries.
Your franchise system needs to have standardised policies and procedures to deal with this. There need to be procedures in place to help you identify unsolicited information and set out a step-by-step plan on how to deal with it (including securely de-identifying or destroying unsolicited information).

Direct marketing (APP7)

This prohibits the use or disclosure of personal information for the purposes of direct marketing unless:

  • there is consent from the individual to use the personal information for direct marketing purposes, or in collecting that information an individual would reasonably expect you to use or disclose the information for direct marketing; and
  • you provide a simple opt out mechanism for individuals to request not to receive the marketing information; and
  • the person is informed he or she can ask the organisation to stop using their personal information for purposes of direct marketing (and he or she has not made such a request).

The best practice is to always get an individual’s consent if you intend to use their information for direct marketing purposes. Don’t forget that it is essential to advise individuals that they can opt out getting direct marketing material at any time. The opt out mechanism needs to be clearly visible and accessible on each piece of direct marketing material that is sent.

Cross-border disclosure of personal information (APP 8)

If your franchise system is collecting and disclosing personal information to an overseas body it is important to remember that you may be directly liable for any privacy breaches. This could relate to material provided to the head franchisor who is resident outside Australia, and may also relate to cloud computer services who store data in overseas jurisdictions.

You must ensure overseas recipients do not breach the APPs.

We suggest undertaking due diligence on the overseas individual or organisation prior to disclosing the information and imposing suitable contractual obligations on them requiring the relevant compliance.

WHAT DOES THIS MEAN FOR YOUR FRANCHISE SYSTEM?

As a franchisor you should:

  • review and update your privacy policy and take care to ensure that your privacy policy is placed on your website;
  • update your internal practices and procedures ensuring that each APP is addressed;
  • undertake a risk assessment to identify any compliance and risk issues
  • regularly audit your systems to ensure their security and addressing any vulnerabilities;
  • ensure that you take reasonable steps to destroy and de-identify information that you no longer need or use (including unsolicited information);
  • appoint a privacy officer or key contact person who is well trained to deal with individual requests relating to their personal information and any complaints;
  • provide training to all staff and franchisees to ensure that they are up to date with the changes and are aware of their duties.

Your franchise system must have strategies and procedures in place that allow it to monitor compliance with the APPs. This should be a continuous process.

Remember that it is not enough to put policies and procedures in place – you must ensure that you adhere to them.

Tal Williams is a partner – corporate and commercial – and Sandra Ivanovic is senior associate at Holman Webb Lawyers: www.holmanwebb.com.au