Privacy law in Australia is governed by the Privacy Act 1988 (Cth) (the ‘Act’) and the Australian Privacy Principles which affect the handling of personal information.
The principles were introduced in 2014 to bring Australia’s privacy laws (first introduced in 2001) in line with advancing technology trends and to provide more transparency around the capture and use of personal information.
The principles make it difficult for businesses to collect information about consumers without their knowledge and prescribe how businesses handle, use and store personal information and engage in direct marketing.
These principles have been further strengthened by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) which imposes mandatory reporting requirements on entities subject to existing obligations under the Act, for an ‘eligible data breach’.
If your business is affected, you may need to update your privacy policies and your procedures and systems to comply with the law.
Which businesses are affected by the privacy laws?
The Act applies to Australian Government agencies, businesses with an annual turnover of $3 million or greater, credit reporting bodies, and smaller entities ‘trading in personal information’.
What does ‘trading in personal information’ mean?
Personal information is information that identifies, or could reasonably identify, an individual. This includes names, addresses, dates of birth and bank account details, as well as opinions about an individual who is reasonably identifiable.
Trading in personal information includes collecting or providing personal information to a third party for a benefit, service or advantage. If you collect personal information and then provide it to a business to manage your direct marketing, you may be trading in personal information.
What are the key obligations?
Businesses subject to the Act must:
- have procedures and systems in place to ensure they comply with the Act and the privacy principles;
- understand what an ‘eligible data breach’ is and implement policies to deal with such breaches.
Entities affected by the Act may face significant fines for serious or repeated breaches.
How do I ensure my business complies?
Businesses affected by the Act should review and identify how they deal with personal information. The following elements need to be addressed:
When you collect personal information, inform individuals of your organisation’s name, contact details, the purpose of collection and to whom it will be disclosed.
- What personal information you collect.
- How you collect the personal information.
- The purposes for which you use and disclose it.
- If you provide personal information to parties overseas you need to disclose that and, if practicable, specify the countries where those parties are located.
- Setting out how you secure and store personal information.
Establish a system to ensure that:
- Staff who handle personal information comply with all privacy laws.
- Individuals can access their personal information and correct out of date or incorrect information.
- You have a process to deal with complaints about your compliance with the laws.
- Enables recipients of direct marketing material to unsubscribe.
Understanding eligible data breaches
An eligible data breach happens if:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
An entity must give notification of an eligible data breach:
- if it has reasonable grounds to believe that a breach has occurred; or
- if information has been lost and unauthorised access or disclosure of that information is likely to occur;
and, in either case, the breach would likely result in serious harm to the individuals to whom the information relates.
Dealing with eligible data breaches
If a breach occurs, an entity must notify any affected individual and the Office of the Australian Information Commissioner (OAIC).
If an entity suspects a breach has occurred, it must investigate the circumstances of the possible breach within 30 days of becoming aware of it, to determine whether it is an eligible data breach.
Notification must include:
- the entity’s identity;
- details of the data breach – i.e. how the breach occurred;
- the information that is the subject of the breach;
- the recommended actions that individuals should take in response to the breach.
Notification is not required if an entity is able to quickly remedy a data breach so that it is unlikely to result in serious harm.
Entities that fail to carry out the investigation and notification processes prescribed by the reforms will breach their obligations under the Act and may face civil penalties.
Business entities that handle personal information must understand and comply with privacy laws. Staff should be trained, and policies implemented on how to collect, store and manage personal information. Policies should identify systemic problems when collecting and handling information and set out appropriate solutions.
Staying one step ahead of your privacy obligations, and minimising the potential for data breaches to occur, is essential to safeguard against fines and loss of reputation.
This information is for general purposes only. If you or someone you know wants more information or needs help or advice, please contact us on (03) 9600 2768 or email [email protected].