AUGUST 2013 | HIRE AND RENTAL NEWS | 15

INDUSTRY IN FOCUS

New privacy APPs - more compliance

By: Michael Cossetto

From 12 March 2014, the Australian privacy landscape will undergo significant change, including a new unified set of privacy principles known as the Australian Privacy Principles (APPs) and major changes to the credit reporting provisions.

It is important hire businesses start preparing for compliance now because: hire businesses typically collect, store, use and disclose large amounts of personal information, including credit information; and the penalties have been expanded to include fines of up to $1.1 million for serious or repeated breaches.

Some of the key changes introduced by the reforms and the new APPs are:

Privacy Policies: While most hire businesses already have a written privacy policy, the APPs now prescribe specific types of information those policies must include. There is also a new positive obligation to implement practices, procedures and systems to comply with the APPs and any registered APP codes.

Unsolicited Information: Where a hire business comes into possession of unsolicited personal information, it must now consider whether the information is of a kind it could have collected itself under the APPs. If not, and the information is not contained in a Commonwealth record, the information must be destroyed or de-identified.

Direct Marketing: Using personal information for the purposes of direct marketing is prohibited unless one of several exemptions applies – eg: where consent has been obtained or where the individual would reasonably expect their information will be used for direct marketing. Individuals will be entitled to ask a business which sends them direct marketing materials where that business obtained their personal information.

Overseas transfer of personal information: The transfer of personal information into foreign jurisdictions will be more restricted under the APPs. This may affect businesses which have offices in other countries, which outsource their data storage or which use ‘cloud’ IT solutions. When collecting information, hire businesses will need to let individuals know their information will be transferred offshore and, if it is practicable to specify, the countries in which the recipients are likely to be located.

Also, before a hire business discloses an individual’s personal information to an overseas recipient, the business must take reasonable steps to ensure the overseas recipient does not breach the APPs, in most cases, under a written contract. There are some exceptions to this general rule, but having robust contractual arrangements with the overseas recipients of personal information is best to manage the risk.

Credit Reporting: There are significant changes which affect credit providers. A ‘credit provider’ includes a hire business which provides credit in relation to the hire of goods, for example where payment is deferred for at least seven days. Appropriate consents must be obtained from individuals if credit information about the individual is to be disclosed to credit reporting bodies. Hire businesses must ensure they have a privacy policy which specifically deals with how personal information used in credit reporting is collected, stored, used and disclosed. The changes also include the development of a new credit reporting code, which credit providers will also need to comply with.

Enforcement: The Australian Information Commissioner’s powers have been expanded. The Commissioner will have the power: (i) to initiate investigations of its own accord – without a complaint having been received; (ii) to conduct compliance assessments of an entity’s information maintenance practices; (iii) to accept written undertakings that may be enforced in court; and (iv) to seek civil penalties of up to $1.1 million for serious or repeated breaches.

Hire businesses bound by the APPs should use the period to March 2014 to get ready.

Step 1: Conduct a privacy audit of the business to identify what and how personal information is collected, stored, used and disclosed, especially re: credit information.

Step 2: Review any instances where personal information may be transferred to foreign jurisdictions. New contractual arrangements may be required.

Step 3: Revise and update privacy policies and practices. Hire businesses may also need to update their hire agreements and credit account application forms.

Step 4: Train staff as appropriate, to ensure those handling personal information are aware of their obligations and any restrictions on the access, use and disclosure of personal information.

For more contact 02 8281 7892 or visit