What is your legal obligation?
Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act)
The reforms were introduced on March 12, 2014, requiring organisations to better safeguard people's personal information. They also give the Australian Information Commissioner greater powers to seek civil penalties in the case of serious or repeated privacy breaches, and to conduct assessments of privacy performance.
As a result of the reforms, many small businesses have been forced to write or create new Privacy Policies in order to continue doing business with APP (Australian Privacy Principles) Entities.
There are 13 New Reforms under the Amendment. To simplify the requirements of the New Reforms, we have provided extracts and links that give you a quick overview of the definitions. This information is readily available from the Office of the Australian Information Commissioner: www.oaic.gov.au
Chapter 11: APP 11 – Security of Personal Information
APP 11 … requires an APP entity to take active measures to ensure the security of personal information it holds, and actively consider whether it is permitted to retain personal information.
- This link will provide the Key points to the New Reforms
Destroying or de-identifying personal information
11.22 An APP entity must take reasonable steps to destroy personal information or ensure it is de-identified if it no longer needs the information for any purpose for which it may be used or disclosed under the APPs (APP 11.2).
Destroying personal information — irretrievable destruction
11.36 Personal information is destroyed when it can no longer be retrieved. The steps that are reasonable for an organisation to take to destroy personal information will depend on whether the personal information is held in hard copy or electronic form.
11.37 For example, for personal information held:
- in hard copy, disposal through garbage or recycling collection would not ordinarily constitute taking reasonable steps to destroy the personal information, unless the personal information had already been destroyed through a process such as pulping, burning, pulverising, disintegrating or shredding.