Australian businesses could face penalties of up to $1.7 million for a privacy breach following changes to the Privacy Act. Our guest columnists Alison Baker (Partner) and Rhiannon Nixon (Lawyer) from Hall & Wilcox lawyers outline what you need to know.
Reforms to the Privacy Act 1988 (Cth), which came into force on 12 March 2014, impose more onerous obligations on most businesses when handling personal information.
The key changes to the Privacy Act include the introduction of:
- 13 Australian Privacy Principles (APPs);
- Greater powers for the Australian Information Commissioner, including the power to seek penalties for serious or repeated breaches of up to $1.7 million against corporate entities and $340,000 against non-corporate entities; and
- A comprehensive credit reporting system, under which a broader range of credit related personal information is accessible to credit providers.
What should businesses do?
While businesses should seek independent advice tailored to their specific enterprise, generally speaking, they should take the following steps to improve compliance.
- Know what personal information they collect and ensure they are only collecting personal information that is reasonably necessary for one or more of their functions or activities.
- Implement processes through which individuals can make enquiries or complaints about the handling of their personal information, or seek access or correction to their personal information.
- Implement security measures to protect personal information from misuse, interference and loss, and from unauthorised access, modification and disclosure.
- Review contracts and/or implement data transfer deeds with third-party suppliers, particularly those overseas. Under the reformed Privacy Act, a business can be held liable for privacy breaches committed by an overseas entity to which the business has disclosed personal information.
- Review direct marketing procedures and ensure consent processes are in place where required and that recipients of marketing communications can easily opt out of receiving further material.
- Train staff on privacy compliance.
- Appoint a Privacy Compliance Officer responsible for overseeing privacy compliance in the business.
Written by Alison Baker, Partner, Hall & Wilcox (Ph: (03) 9603 3568, email: firstname.lastname@example.org) and Rhiannon Nixon, Lawyer, Hall & Wilcox (Ph: (03) 9603 3477, email: email@example.com)