book a virtual meeting Search Search
brisbane

one eagle – waterfront brisbane
level 30, 1 eagle street
brisbane qld 4000
+61 7 3235 0400

dandenong

40-42 scott st,
dandenong vic 3175
+61 3 9794 2600

melbourne

level 7, 600 bourke st,
melbourne vic 3000
+61 3 8615 9900

sydney

grosvenor place
level 11, 225 george st,
sydney nsw 2000
+61 2 8298 9533

hello. we’re glad you’re
getting in touch.

Fill in form below, or simply call us on 1800 888 966

Privacy Awareness Week: Back-to-basics

01 May 2023
Ashley Hunt Kelly Dickson
Read Time 5 mins reading time

It’s Privacy Awareness Week and the theme this year is ‘back-to-basics’. This year, the Privacy team at Macpherson Kelley has sat down to answer some frequently asked Privacy questions and with all the buzz surrounding Aussie businesses and their cybersecurity and data retention practices – this handy guide could not come soon enough!

If any of the below, raises questions for you and your business, contact our friendly Privacy team, who would be more than happy to lend their expert ear.

Is my business subjected to the Privacy Act?

If your business has an annual turnover of $3 million or more it is an Australian Privacy Principles or APP entity and you must comply with the Privacy Act. And, if your business is a ‘Health Service Provider’ you must also comply with Privacy Act, regardless of how much your business’ annual turnover is.

Changes to the legislative regime have taken effect and could mean your business is liable up to $50 million in penalties for a ‘serious or repeated interference with privacy’. Penalties handed out for the same breach prior to December 2022 were capped at $2.2 million.

Government proposals to change the Privacy Act include a removal of the small business exemption. This means that if the proposals take effect, your business could be subjected to the Privacy Act even if the business has an annual turnover of less than $3 million.

What are my obligations when collecting personal information?

If your business collects the personal information of your customers there are strict obligations on how that information must be collected, held, used and disclosed.

Personal information is defined as – “information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not”

Included in the definition of Personal Information is;

  • sensitive Information;
  • health Information; and
  • credit Information.

When collecting personal information, your business must have a clearly expressed and up-to-date policy outlining, among other things, the purposes for which it collects, holds, uses and discloses personal information.

The information a privacy organisation holds about an employee that forms an ‘employee record’ is exempt from the obligations of the Privacy Act

However, the employee must be a current or former employee! The exemption does not apply to unsuccessful job candidates, or volunteers, for example.

What happens if my organisation is exposed to a data breach?

A data breach is when personal information is lost or has been accessed or disclosed without authorisation.

An organisation must report an eligible data breach. This occurs when:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds; and
  • this is likely to result in serious harm to one or more of the individuals; and
  • the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.

If an organisation has fallen victim to an eligible data breach, they must notify the affected individuals and the Officer of Australian Information Commissioner (OAIC) as soon as practicable.

Optus, Medibank and Latitude have all recently suffered an eligible data breach. The companies notified eligible customers and informed the OAIC, leading to ongoing investigations.

What are recommended data retention practices?

A business must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities.

The OAIC has provided a recommendation that organisations who collect personal information should delete or de-identify that information when it is no longer needed.

With the advancement in the digital world, the principles of collecting only what is necessary and destroying what is not is even more important! Organisations that collect large volumes of customer data files digitally and fail to destroy them appropriately become prime targets for sophisticated cyber criminals.

How do I avoid the risk of human error?

Whilst cyber criminals are a significant threat to all organisations (especially those APP entities), the leading cause for data breaches is undoubtedly human error.

Accidents and mistakes are part of running a business! Long-standing executives or a newly employed staff member, and anyone in between, is capable of accidentally sending an email to the wrong person, opening a phishing email, or leaving a notebook at a café.

To minimise the possibility of costly mistakes affecting your organisation, it is important that your employees are trained and able to identify a possible security threat.

Even where your employees are well trained and highly diligent, sophisticated cyber criminals remain an ongoing threat. Data breaches are a matter of when not if. Policies are quick, cheap, and highly effective in preventing against, and managing, a data breach when a cyber threat occurs.

The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.

stay up to date with our news & insights

Privacy Awareness Week: Back-to-basics

01 May 2023
Ashley Hunt Kelly Dickson

It’s Privacy Awareness Week and the theme this year is ‘back-to-basics’. This year, the Privacy team at Macpherson Kelley has sat down to answer some frequently asked Privacy questions and with all the buzz surrounding Aussie businesses and their cybersecurity and data retention practices – this handy guide could not come soon enough!

If any of the below, raises questions for you and your business, contact our friendly Privacy team, who would be more than happy to lend their expert ear.

Is my business subjected to the Privacy Act?

If your business has an annual turnover of $3 million or more it is an Australian Privacy Principles or APP entity and you must comply with the Privacy Act. And, if your business is a ‘Health Service Provider’ you must also comply with Privacy Act, regardless of how much your business’ annual turnover is.

Changes to the legislative regime have taken effect and could mean your business is liable up to $50 million in penalties for a ‘serious or repeated interference with privacy’. Penalties handed out for the same breach prior to December 2022 were capped at $2.2 million.

Government proposals to change the Privacy Act include a removal of the small business exemption. This means that if the proposals take effect, your business could be subjected to the Privacy Act even if the business has an annual turnover of less than $3 million.

What are my obligations when collecting personal information?

If your business collects the personal information of your customers there are strict obligations on how that information must be collected, held, used and disclosed.

Personal information is defined as – “information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not”

Included in the definition of Personal Information is;

  • sensitive Information;
  • health Information; and
  • credit Information.

When collecting personal information, your business must have a clearly expressed and up-to-date policy outlining, among other things, the purposes for which it collects, holds, uses and discloses personal information.

The information a privacy organisation holds about an employee that forms an ‘employee record’ is exempt from the obligations of the Privacy Act

However, the employee must be a current or former employee! The exemption does not apply to unsuccessful job candidates, or volunteers, for example.

What happens if my organisation is exposed to a data breach?

A data breach is when personal information is lost or has been accessed or disclosed without authorisation.

An organisation must report an eligible data breach. This occurs when:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds; and
  • this is likely to result in serious harm to one or more of the individuals; and
  • the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.

If an organisation has fallen victim to an eligible data breach, they must notify the affected individuals and the Officer of Australian Information Commissioner (OAIC) as soon as practicable.

Optus, Medibank and Latitude have all recently suffered an eligible data breach. The companies notified eligible customers and informed the OAIC, leading to ongoing investigations.

What are recommended data retention practices?

A business must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities.

The OAIC has provided a recommendation that organisations who collect personal information should delete or de-identify that information when it is no longer needed.

With the advancement in the digital world, the principles of collecting only what is necessary and destroying what is not is even more important! Organisations that collect large volumes of customer data files digitally and fail to destroy them appropriately become prime targets for sophisticated cyber criminals.

How do I avoid the risk of human error?

Whilst cyber criminals are a significant threat to all organisations (especially those APP entities), the leading cause for data breaches is undoubtedly human error.

Accidents and mistakes are part of running a business! Long-standing executives or a newly employed staff member, and anyone in between, is capable of accidentally sending an email to the wrong person, opening a phishing email, or leaving a notebook at a café.

To minimise the possibility of costly mistakes affecting your organisation, it is important that your employees are trained and able to identify a possible security threat.

Even where your employees are well trained and highly diligent, sophisticated cyber criminals remain an ongoing threat. Data breaches are a matter of when not if. Policies are quick, cheap, and highly effective in preventing against, and managing, a data breach when a cyber threat occurs.