The Privacy Act 1988 (Privacy Act) provides protection to individuals against the mishandling of personal information and applies to organisations which include individuals, partnerships, corporations and unincorporated associations. It does not apply to individuals in a non-business capacity.
Amendments were passed to the Privacy Act in November 2012 with the new privacy regime taking effect from 12 March 2014. This new regime, including the adoption of a single set of 13 Australian Privacy Principles (APPs), apply to Government agencies and private sector organisations (‘APP entities’) which include community pharmacies, pharmacist consultants and other pharmacy businesses. The APPs set out what can and cannot be done with an individual’s personal and health information. Details of each APP are available from www.oaic.gov.au
The Office of the Australian Information Commissioner (OAIC) has adopted an enforcement approach to the reforms. The OAIC compliance focus in the months following 12 March 2014 will be on working with entities to ensure that they understand the new requirements and have the systems in place to meet them. In resolving matters brought to the attention of the OAIC it will take into account the steps taken by entities to genuinely prepare for the changes and to comply with the new legal requirements.
In the case of individual complaints the OAIC would expect to see the individual try to resolve a matter with the organisation or agency first. If the respondent is a member of a recognised External Dispute Resolution scheme, the OAIC would expect the individual to have first accessed that scheme. If a matter is accepted by OAIC, the OAIC will always attempt to resolve issues through conciliation. In relation to Commissioner initiated investigations the OAIC will work with respondent organisations and agencies to resolve the matter.
Where conciliation or working with entities is not effective, the OAIC may use other tools, including determinations, enforceable undertakings or in the case of serious or repeated breaches, initiating court proceedings for civil penalties. This is consistent with OAIC current practices and the approach of the OAIC for some time.