The Privacy Act 1988 is an Australian Commonwealth law that regulates the handling of personal information about individuals. Personal information is defined by the Act as information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable. Common examples of personal information include a person’s name, address, date of birth, telephone number, signature, bank account details, medical records or other commentary or opinion about a person.
Recent changes to the Privacy Act
Data breaches at online social media and other services such as Facebook and Uber have heightened concern about the privacy of personal data in the digital world. Cybercrime is estimated to cost the global economy around $500 billion each year. As a result, recent changes to the Privacy Act aim to bring the Act into line with advances in technology and the pervasiveness of internet use.
The changes, which came into effect on 22 February 2018, introduced the Notifiable Data Breaches scheme: a framework for mandatory reporting of eligible data breaches (those likely to result in serious harm to the individuals concerned) not only to the individuals who are the subject of the breach, but also to the Australian Information Commissioner. These changes mean that many businesses now need to develop and implement an effective data breach response plan so that they can comply with the new requirements of the Act.
Who do the changes affect?
These changes apply to businesses covered by Section 6 of the Act, including individuals, bodies corporate, partnerships, unincorporated associations and trusts. However, the changes do not apply to small business operators as defined in Section 6D of the Act: an individual, body corporate, partnership, unincorporated association or trust that carries on one or more small businesses only. A small business is one whose annual turnover in a financial year is $3,000,000 or less.
However, small business operators may still be directly or indirectly affected by the mandatory reporting and disclosure requirement. For example, if a small business operator is a subsidiary of a larger parent company, or is transacting with an organisation within the meaning of the Act, it may fall within the ambit of the new requirements. Businesses with an annual turnover of less than $3,000,000 that routinely handle sensitive personal information, such as psychologists and other health service providers, lawyers, accountants, brokers and insurance providers, may also be covered, because Section 6D excludes certain businesses (for example, health service providers that hold health information, and businesses that trade in personal information) from the small business exemption.
What should you do?
Review your current plans for data breaches
The first step in complying with these new changes is to review your current policies and procedures for reporting and managing data breaches. Your breach response plan should set out who is notified, how the breach is contained and assessed, and when the affected individuals and the Australian Information Commissioner are informed. It should sit alongside policies that reflect the Australian Privacy Principles and are suitable for your business, such as:
- Providing an opportunity for individuals to deal with your business anonymously when making inquiries about a product or service;
- Destroying or de-identifying unsolicited personal information that you were not entitled to collect;
- Ensuring that personal information is only used for the purpose for which it was collected, unless otherwise authorised by law;
- Prohibiting disclosure of personal information for marketing or other purposes to which the individual has not consented;
- Allowing an individual access to the personal information your business holds about them;
- Taking reasonable steps to correct stored personal information; and
- Educating staff on, and enforcing, your privacy policies.
Consider your software
Although sometimes overlooked, the software you run is part of your defence against data breaches. Regularly reviewing and updating the software you use, including the security tools that protect it, and checking who has access to systems that hold personal information, reduces the risk of a breach and makes one easier to detect if it occurs.
Seek legal advice where necessary
Failure to act in the event of a data breach is a serious matter and is punishable under the Privacy Act by civil penalties of up to $360,000 for individuals and $1.8 million for organisations, making it essential to obtain quality legal advice on your rights and responsibilities under data and privacy laws.
If you are unsure if your business is fully compliant with the requirements of the Privacy Act, seek legal advice. Go To Court Lawyers can review your policies and advise if you are compliant with the Act or if there is more you should be doing. We can also review your insurance policies to ensure that you are covered in the event of a data breach.