Why you need a Privacy Policy NOW

Every business that turns over more than $3 million is regulated by the Privacy Act 1988 (Cth).  The Act and the Australian Privacy Principles set out rules for how you collect, use and store personal information.

A business lawyer can reduce your risk of a breach.

The Principles require most businesses to consider the privacy of personal information, including ensuring that they manage personal information in an open and transparent way. The most important, and least complied with, Principle that we encounter is the requirement to have a Privacy Policy. If you do not have a Privacy Policy, you are at risk of breaching the Privacy Act.

The Privacy Policy must contain:

  • the kind of personal information the business collects;
  • how personal information is collected and held;
  • the purposes for which the personal information is collected, held, used and disclosed;
  • how an individual may access personal information about themselves and seek the correction of such information;
  • how an individual may complain about a breach of the Principles, or a registered Australian Privacy Principle code (if any) that the business is bound by, and how the business will deal with such a complaint;
  • whether the personal information is likely to be disclosed to overseas recipients; and
  • if the business is likely to disclose personal information to overseas recipients – the countries in which such recipients are likely to be located (if it is practicable to specify those countries in the policy).

New Amendments to the Act

It’s not all that simple.

While you may be looking at creating a Privacy Policy or reviewing your existing policy, you should also be aware of the amendments to the Act which took effect on 22 February 2018.

Prior to February 2018, the law did not require you to notify an individual who may be affected by a failure to take reasonable steps to protect personal information. The amendments now provide that you must report a data breach to the Commissioner and the harmed individual if either:

(i) there is unauthorised access to, or unauthorised disclosure of, information held by an entity; or

(ii) information is lost in circumstances where there is likely to be unauthorised access to or unauthorised disclosure of information; and

a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.

The amendments to the Act place further obligations on business owners and their staff to maintain security and report data breaches of personal information. As a starting point, we recommend that your internal privacy procedures be reviewed, and your Privacy Policy be amended. Should you not have a Privacy Policy, we strongly recommend contacting us to prepare one, even if you are not required to do so under the Act.

This article is written by Alex Martin and was first published on the Taurus Legal Management website.


This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to a practising lawyer in your jurisdiction. No individual who is a member, partner, shareholder or consultant of, in or to any constituent part of Legally Yours Pty Ltd accepts or assumes responsibility, or has any liability, to any person in respect of this article.
