Payrollers! Are You Prepared for the New Australian Privacy Principles in force on March 12, 2014?


The new Australian Privacy Principles came into effect on March 12, 2014. They replace the National Privacy Principles and apply to all organisations (with some exceptions), as well as Australian government agencies.

The objective of the Principles is to ensure that organisations manage personal information in “an open and transparent way” and some of the key areas that relate to payroll functions include:

  • All organisations must take reasonable steps to implement practices, procedures and systems to ensure the organisation complies with the Australian Privacy Principles and to provide a system for dealing with enquiries and/or complaints
  • All organisations must have a clearly expressed and up to date policy about the management of personal information, including:
    1. The kinds of information the organisation collects and holds
    2. How the organisation collects and holds the personal information
    3. The purpose of the collection, holding, use and disclosure of the information
    4. How an individual may access personal information and correct any information
    5. How an individual may complain about a breach of the Principles
    6. Whether the organisation is likely to disclose the personal information to an overseas entity
    7. If the organisation is likely to disclose personal information to an overseas entity, the countries in which that may occur
  • Organisations must not collect personal information unless the information is reasonably necessary for one or more of the organisation’s functions or activities
  • Organisations must not collect “sensitive” information about an individual unless the individual consents to the collection and the information is reasonably necessary for one or more of the organisation’s functions or activities, or unless the “sensitive” information is collected as a requirement by law or a “permitted general situation exists in relation to the collection of the information”
  • Where an organisation holds personal information that was collected for a particular purpose (the primary purpose), the organisation must not use or disclose the information for another purpose (a secondary purpose) unless the individual has consented, or the individual would reasonably expect the organisation to use or disclose the personal information for the secondary purpose, or the use or disclosure of the personal information is required or authorised under an Australian law
  • Before an organisation discloses personal information about an individual to an overseas recipient, the organisation must take all reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles
  • An organisation must take reasonable steps to ensure the integrity of all personal information, so that the information is accurate, up to date and complete
  • An organisation must take reasonable steps to ensure the personal information is protected from misuse, interference and loss, and from unauthorised access, modification or disclosure

If an organisation refuses to correct the personal information as requested by the individual, the entity must give the individual a written notice that sets out the reasons for the refusal, the mechanisms available to the individual to complain about the refusal, and any other matter prescribed by the regulations.

If you are a Payroll Manager or hold a position of responsibility for the management, security, disclosure and use of personal information, you can be fined under the Act for non-compliance, apparently up to $340,000. I’ve not studied the Act yet to understand whether this is per offence, which could be a devastating blow for an individual who is responsible for the disclosure of a substantial number of employees’ information where there is a security breach or a non-compliant business practice.

If your organisation hasn’t made a big deal out of the new Australian Privacy Principles as far as payroll is concerned, especially if you outsource any part of your payroll function, you have a couple of days to establish how your payroll function will ensure compliance.

According to this Smart Company article of 5th March 2014: “The laws will apply to businesses that turn over more than $3 million a year and collect personal data.

However, there are some small businesses which turn over less than $3 million that will still need to abide by the new legislation. For example, the laws apply if the business is a health services provider, related to a larger business, trades in personal information, or is a contractor which provides services under a Commonwealth contract.”

For more information on the changes to the Privacy Act, visit the Office of the Australian Information Commissioner (OAIC) website.

If you are unsure whether the Privacy Act applies to your business, check out the Privacy Checklist for Small Business from the OAIC.

More articles on the Australian Privacy Principles from Australian Law Firms:

Australia: Are you compliant with new privacy laws coming into effect 12 March 2014? By Dan Brush of CBP Lawyers on mondaq.com

Australia: Major changes to Australia’s Privacy Act: Why they matter for foreign IT suppliers doing business in Australia by David Smith of Corrs Chambers Westgarth on mondaq.com

Australia: Timely Guidance from the Privacy Commissioner – APP Guidelines Released by Sophie Bradshaw of Corrs Chambers Westgarth on mondaq.com

If you have any questions you would like to raise personally, please email Louise Vidler at The Professional Payroll Manager.

© 2014 Louise Vidler T/As The Professional Payroll Manager. All rights reserved.