Proposed amendments to the Privacy Act 1988 could mean the introduction of a mandatory reporting scheme for serious data breaches.
The complete article appeared in the February 2016 edition of Not-for-Profit Law Notes.
Changes to the Privacy Act
On 12 March 2014, a series of amendments to the Privacy Act 1988 took effect. The Privacy Act is one of many Acts which govern privacy in Australia. One of the key components of the Privacy Act is that it requires certain entities to comply with privacy principles.
The Privacy Act currently contains the National Privacy Principles (NPPs) and the Information Privacy Principles (IPPs). The NPPs apply to organisations. An organisation is:
(a) an individual; or
(b) a body corporate; or
(c) a partnership; or
(d) any other unincorporated association; or
(e) a trust;
that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory. If a not for profit organisation is an organisation under the Privacy Act, it must comply with the NPPs.
There are three key parts of the amendments that apply to not for profit organisations:
(a) the amended definition of personal information;
(b) the Australian Privacy Principles (APPs); and
(c) the updated enforcement options.
Please do not hesitate to contact us if you would like advice in relation to the amendments.
You might also like to read Nathan Croot's paper on the changes. This paper was written specifically for schools but has general application to all not-for-profits.