The Private Practice
Summer 2013/14
MEDICO LEGAL
· APP 13 - correction of personal information
APP 13 introduces new obligations with respect to the correction of personal information. This principle now requires an organisation to take reasonable steps to correct personal information to ensure that, having regard to the purpose for which it is held, it is accurate, current, complete, relevant and not misleading.
An organisation must also respond to a correction request within a reasonable period after the request is made, and must not charge the individual for making the request. When refusing an individual's correction request, an organisation must generally provide the individual with written reasons for the refusal and notify them of available complaint mechanisms.
POWER SHIFT
The Australian Information Commissioner has been provided with significantly increased powers, which will generally be exercised by the Privacy Commissioner, to encourage and enforce compliance with the new regime.
The Information Commissioner will soon be able to assess the privacy performance of businesses and agencies, which includes being able to conduct investigations and audits. The Information Commissioner will also be able to make determinations, accept enforceable undertakings, commence legal proceedings and, in cases of serious or repeated breaches, seek civil penalties of up to $340,000 against individuals and $1.7 million against bodies corporate.
Note: The content of this article is intended to provide a general overview and guide to the subject matter. Specialist advice should be sought about specific circumstances.
YOUR CHECKLIST
Conduct an audit of the current policies, procedures and practices on privacy issues and the handling of personal information.
Carefully review those materials and practices, and identify any gaps with respect to the new requirements.
Update those privacy materials and practices accordingly. APP 1 contains the base requirements and should be used as a starting point.
Create procedures for dealing with both unsolicited information and unauthorised access to information, including notifying of any breach.
Conduct an overall review and update of all procedures to promote compliance, including any collection statements, direct-marketing procedures, information-technology policies and confidentiality agreements.
Test all new policies, procedures and practices, and set timeframes for their review.
Provide the policies and procedures to staff in both electronic and hard-copy format.
Educate and train staff about the new requirements, and test those staff members.
Identify whether any offshore data storage or processing provider is used, and conduct careful due diligence on any such provider. The due diligence should include a review of any statutory framework, complaint or legal process which applies to that provider with respect to privacy.
(Note: If this relationship is to continue, then the practice or organisation could consider seeking, but only as an additional measure, an undertaking or indemnity from the provider with respect to any future privacy breach.)
For more information contact Natasha Leedman, Senior Associate, or Enore Panetta, Director, Panetta McGrath Lawyers, Perth on 08 9321 0522 or visit