The most significant suite of changes to privacy law in over twenty years takes effect on 12 March 2014.

In order to comply, trustees must have a privacy complaints process and a new type of privacy policy. Most importantly, they must control how the personal information they collect is stored, accessed and used, or risk fines of up to $1.7 million.

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Act) introduced the Australian Privacy Principles (APPs), which are far more demanding than the old National Privacy Principles.

The Act also brought in a much stricter compliance and penalty regime directed at limiting how organisations hold, collect, transport, access and use personal information.

The first step towards compliance is to understand what personal information you hold and work out how to control it, which is more difficult than it might first appear.

The term “personal information” is broadly defined: it covers information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether it is recorded in a material form or not.

It’s a given that information on administration and contact management systems will be personal information, and putting controls around these ought to be relatively easy because they’re discrete and easily identifiable, but:

  • Do you know how much personal information is sitting around unprotected on email servers, USB drives and laptops?
  • Are you sure what happens to the information given to your mail house to post annual statements after the letters are gone?
  • Are you sure your administrator isn’t storing or sending personal information offshore, even if administration is done in Australia?
  • Who prepares extracts from the administration and contact management systems, are they encrypted and who can request them?
  • How are insurance files stored, accessed and secured?

Let’s also not forget that scathing email you might have written about whoever was bothering you on the wrong day. It probably contains opinions that are personal information too.

The reality is that unless you’ve systematically identified the types of personal information collected, put rules around use and controlled how it’s disclosed, you can’t show the existence of reasonable privacy protections, and that’s the fast track to an infringement notice.

Another vital step towards compliance is making sure that the rules around collection, use and control of personal information match what’s written in your collection statement.

You do have a collection statement don’t you? And you are certain it’s given to all new members and beneficiary applicants aren’t you?

If not, you had better check, because all individuals must be notified of the personal information collected, including the specific reasons for collection, the uses permitted and the intended disclosure.

It’s arguable that trustees should have one collection statement for members and a different one for every other type of beneficiary applicant (such as death claimants), but most trustees should be able to use just one collection statement providing it’s carefully worded.

Another issue requiring particular care is how you deal with sundry third parties, and three general circumstances stand out as potentially problematic.

Because the Act prohibits use or disclosure of personal information for direct marketing (with some exceptions), trustees that partner with additional benefit providers (such as health insurers) should consider whether they’re inadvertently breaching the new privacy rules.

There’s also the issue of ensuring that occasional but important service providers, such as market researchers and mailing houses, are able to access the information they need (but only the information they need) to do their job. This is where a catch-all purpose, such as use of personal information for the good management of the fund, can come in handy. But be careful not to rely too heavily on a catch-all purpose, because the Act requires specific disclosure.

Finally, there’s the problem of unsolicited information received from employers for new members and from doctors for disability benefit applicants. Use and management of this should be clearly defined, or you may end up having to collect the same information from the member again.

The new Act isn’t easy, but taking time to get it right is much easier than explaining a fine for getting it wrong.

David Galloway is a superannuation fund executive and lawyer