Privacy issues are being reviewed globally and Australia is no exception. New privacy legislation and the Australian Privacy Principles (APPs) came into effect on 12 March 2014 to regulate how organisations handle personal information.
The APPs replaced the Information Privacy Principles (IPPs) that previously applied to Australian and Norfolk Island Government agencies and the National Privacy Principles (NPPs) that previously applied to private sector organisations. The IPPs continue to apply to ACT Government agencies.
One of the changes to consider is the new definition of ‘personal information’:
‘Information or an opinion about an identifiable individual, or an individual who is reasonably identifiable:
- Whether the information or opinion is true or not; and
- Whether the information or opinion is recorded in a material form or not.’
The new definition of ‘personal information’ potentially captures more data than the previous definition. It includes data that can be used to identify an individual by name. It also potentially includes data where you can identify a single person even though you may not necessarily know the person’s name. This would include, for example, cookie information that identifies a single user.
Furthermore, information that you collect which is anonymous may also be considered personal if you intend to combine the anonymous information with other information that will identify an individual. Similarly, if you collect anonymous information that is likely to be combined with personal information, you will need to treat that information as personal information from the beginning, even if you have no intention of combining it.
If you want to avoid anonymous information becoming personal information, you will also need to build controls into your sites that prevent that combination from happening.
Your privacy policy will also need to be adjusted to prevent the anonymous information from being identified, by enforcing the use of encryption or passwords to protect data. Your processes will need to be adjusted to reduce the risk of re-identification. If you can’t (or choose not to) make a determination on re-identification, you should treat that information as personal information.
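The two points above (a cookie identifier that singles out one visitor, and anonymous data that becomes personal the moment it can be joined to identifying data) are easiest to see in code. The following is an added example written for this post, not code from the author or from any product mentioned here. It uses constructed sample data: an analytics store keyed by a raw cookie id, and an account table that recorded the same cookie id at login. With the raw id in both places, a simple join re-identifies the "anonymous" browsing history. Replacing the stored id with a keyed pseudonym (HMAC-SHA256 under a secret key, one practical reading of the "encryption or passwords" the post mentions) keeps visitor counting working but makes the join impossible for anyone who holds the data but not the key.

```python
import hashlib
import hmac

# Constructed sample data for illustration only; no real users or cookies.
# Analytics events keyed by the raw cookie identifier the site set.
ANALYTICS_EVENTS = [
    {"id": "c1f3a9", "page": "/pricing"},
    {"id": "c1f3a9", "page": "/checkout"},
    {"id": "9b2e44", "page": "/blog"},
]

# Account records that captured the same cookie identifier at login time.
ACCOUNT_TABLE = {"c1f3a9": "alice@example.com"}

# Constructed demo key. In practice this lives in a secrets store that is
# separate from both the analytics database and the account table.
DEMO_KEY = b"constructed-secret-key-keep-out-of-analytics-db"


def join_on_identifier(events, accounts):
    """Events that can be tied to a named account by matching identifiers.

    Each match is a re-identification: an 'anonymous' browsing record
    becomes personal information the moment it joins to a name.
    """
    return [(accounts[e["id"]], e["page"]) for e in events if e["id"] in accounts]


def pseudonym(identifier, key):
    """Keyed pseudonym (HMAC-SHA256) for an identifier.

    The same identifier always maps to the same pseudonym under one key,
    so analytics can still count distinct visitors, but without the key
    nobody can compute the pseudonym from a cookie id or reverse it.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_events(events, key):
    """Rewrite the analytics store so it carries pseudonyms, not cookie ids."""
    return [{"id": pseudonym(e["id"], key), "page": e["page"]} for e in events]


def join_with_key(pseudo_events, accounts, key):
    """What the key holder can still do: recompute pseudonyms and join.

    This is why the key must be stored and access-controlled separately
    from both the analytics data and the account table.
    """
    keyed_accounts = {pseudonym(cookie, key): who for cookie, who in accounts.items()}
    return join_on_identifier(pseudo_events, keyed_accounts)


if __name__ == "__main__":
    print("raw ids, joinable:    ", join_on_identifier(ANALYTICS_EVENTS, ACCOUNT_TABLE))
    pseudo = pseudonymise_events(ANALYTICS_EVENTS, DEMO_KEY)
    print("pseudonyms, no key:   ", join_on_identifier(pseudo, ACCOUNT_TABLE))
    print("pseudonyms, with key: ", join_with_key(pseudo, ACCOUNT_TABLE, DEMO_KEY))
```

The design point is the last function: pseudonymisation only separates the data from the identity while the key is held apart from both datasets. Whoever can reach the key and the account table can re-identify the events, so the key's storage, access control and rotation are part of the "processes" the post says must be adjusted, and the determination of whether the remaining risk is acceptable is still the organisation's to make.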
You must have open and transparent management of personal information. Organisations must have a clear and up-to-date privacy policy that is reviewed regularly. Staff should understand what the privacy policy means in practice, and be trained to implement it.
If you receive personal information that you did not request, then you are required to destroy or delete it unless you can show that you could have collected it under the rules for APP 3, Collecting Personal Information.
There are many other factors to consider, and it’s not just limited to your websites. It includes social media such as Twitter, Facebook and Google+.
Lastly, the Privacy Commissioner has new enforcement powers. The Privacy Commissioner can request that you demonstrate your compliance with the new privacy laws even if no complaint has been lodged against you.
Under the new legislation, the Privacy Commissioner can seek civil penalties of up to $340,000 for individuals and up to $1.7 million for companies and organisations.
The APPs regulate the handling of personal information across your entire business, including but not limited to your websites and social media accounts. In many cases you may not even be aware that your website is collecting personal information.
In terms of your website, getting a ‘Website Assessment’ by a reputable company that understands compliance is a good start.