50 million reasons to be privacy compliant in Australia
This holiday season has seen major changes to the trade and compliance space that require immediate action from businesses. So, the team at Macpherson Kelley is making sure you’ve made a list and you’re checking it twice!
We’ll be releasing a series of accessible guides and articles on what your business needs to do to stay on Santa’s nice list this year – with the help and guidance of our trade and compliance team.
The Privacy Act 1988 (Cth) (Privacy Act) and its 13 Australian Privacy Principles (APPs) were introduced to promote and protect the privacy of individuals and to regulate organisations with turnover of more than $3 million (with some exceptions), as to how they collect, hold, use, store, disclose and destroy personal information collected from individuals.
“Personal information” is defined by the Privacy Act as information, or an opinion, that could identify or reasonably identify an individual (an individual’s name, address, phone number, photograph etc).
The APPs provide the framework for privacy protection – including standards and rights and obligations around personal information, data protection, accountability, correction, and the individual’s right to access the personal information held about them by a business.
Privacy compliance
Generally, an organisation with annual turnover of over $3 million is required to comply with Australia’s privacy laws and to have a privacy compliance program in place.
A privacy compliance program involves quite a few components; however, as an initial starting point, the organisation must have a clearly expressed and up-to-date privacy policy describing what personal information it collects and how it is managed, stored, disclosed and secured.
The next step is to look at the organisation’s overall privacy compliance, which needs to be tailored, relevant and useful for it to actually be used and effective. The Privacy Act and APPs indicate that, as a minimum, a business’ full privacy compliance program should include the following 8 elements.
- Audit of the business’ existing privacy practices to identify gaps in compliance.
- Draft, implement and maintain an up-to-date privacy policy.
- Update or implement data collection forms (notification statements) and consent forms.
- Update or implement complaints handling procedures.
- Update or implement access and correction request procedures.
- Draft, implement and maintain a data breach response plan.
- Train your staff.
- Audit your compliance measures from time to time.
Key focus for businesses
With the current media focus on Medibank and Optus, consumers expect businesses to be more accountable for data breach incidents, and are sometimes hesitant to provide their personal information.
Businesses need to remember that although only these large-scale businesses have recently been heavily publicised, data breach incidents occur every day to businesses of all sizes. It is not just large businesses being targeted by cyber criminals. It is important for businesses to remember that data breach incidents extend beyond targeted cyber attacks and can be as simple as a company laptop (containing personal data) being stolen from a car, or an unauthorised individual viewing the computer screen of an employee working in a public space.
With the rapid advances in technology, and the heavy reliance on email and other IT systems, data breach incidents are almost certain to occur at some stage in the business’ lifecycle, even if only as simple as a staff member leaving a memory stick in an Uber. Businesses need to prepare themselves well in advance for how to handle data breaches and train staff accordingly.
Recent changes to the Australian privacy legislation
Recent changes to the Australian privacy legislation have also been passed by the Government, which significantly increase penalties for breaches and non-compliance.
These changes include:
- an increase in the maximum penalty for individuals to $2.5 million; and
- an increase in the maximum penalty for companies to the greater of:
  - $50 million;
  - 3 times the value of any benefit obtained from the conduct constituting the serious or repeated interference with privacy; or
  - 30% of the entity’s adjusted turnover in the relevant period.
For further information check out our recent alert.
Proposed future changes to Australian privacy legislation
The Government considers some of the Privacy Act to be “outdated” and lagging behind current business practices and threats. As such, the Privacy Act has undergone a review which is likely to bring even further future changes to Australian privacy and data protection legislation.
It is likely that a lot of the future changes to the Privacy Act will be around digital platforms, as a result of the digital platforms inquiry. The digital platforms inquiry highlighted that there is a clear intersection of privacy, competition, and consumer protection considerations.
Indeed, Australia’s competition and consumer protection regulator (the ACCC) has taken greater interest in “privacy”-related matters, but through a “consumer protection” and “misleading and deceptive conduct” lens. For further information, see an ACCC success story against Google and a very recent defeat in the Courts.
Macpherson Kelley is here to help
If you are a business with turnover greater than $3m, there are a few things you should be asking yourself.
- Do you have a Privacy Policy that complies with the Australian Privacy Principles?
- Do you have a Privacy Compliance Program?
- Do you understand your obligations and key timeframes if your business experiences a data breach incident?
If you answered “No” to any of the above questions, you should contact our experts to avoid the risk of breaching the Privacy Act and avoid substantial penalties for non-compliance.
The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.