We now live in a world that is awash with data and how organisations handle data is key to their business success.
That data is also likely to include personal information about individuals.
With the digital age, the amount of personal information held by businesses has risen. This also means there is an increased risk that the personal information may fall into the wrong hands – through inadvertent or deliberate actions of employees, phishing or hacking to name a few methods.
When the Privacy Act 1988 (Cth) (Privacy Act) first came into force in 1988, there was no internet, and the use of computers to store data had only just begun.
In 2014, amendments were made to the Privacy Act to bring it into the digital world. Further amendments were made, which came into force on 22 February 2018, which introduced mandatory reporting of data breaches by organisations covered by the Privacy Act.
What does this mean for you?
Is your business covered by the Privacy Act?
Generally, all organisations which carry on business in Australia, and have an annual turnover of more than $3 million must comply with the Privacy Act. Some types of businesses, for example those in the health services, have their own legislation. Before the recent amendments, your business was required, subject to exceptions:
- to provide an option for an individual to deal with your business anonymously or by pseudonym (for example when making enquiries about a product or service)
- to only solicit and collect personal information reasonably necessary or directly related to your business
- to destroy or “de-identify” certain types of unsolicited personal information
- to only use the personal information for the purpose for which it was collected, unless consent has been provided, or it is required or authorised by law
- not to use or disclose personal information for the purpose of direct marketing
- to ensure that an overseas recipient of personal information also complies with the relevant privacy principles
- not to use or disclose a government related identifier
- to take reasonable steps to ensure the personal information collected is accurate, up-to-date and complete
- to take reasonable steps to protect the personal information that it holds, and to destroy or de-identify that information when no longer needed
- to give an individual access to the personal information of that person; and
- to take reasonable steps to correct incorrect personal information.
From 22 February 2018, businesses covered by the Privacy Act are also required to:
- have a data breach response plan; and
- disclose significant data breaches both to the individuals who are the subject of the breach and the Office of the Australian Information Commissioner.
If your business fails to comply with these requirements, you may be at risk of receiving penalties as well as disruption to your business.
We suggest that compliance may in fact be good business practice in any event. Consider the potential reputational damage a cyber-attack may have on your business, particularly if it results in the release of your customers’ personal information. Some of that damage may be mitigated if you have a data breach response plan in place, and can act quickly and effectively.
You may want to also, at the time you are reviewing your Privacy Policies, check with your insurance broker that you are covered if there is a breach. The damage that may be caused by a breach of personal information will vary from business to business. Such damage may include public relation expenses, loss of income and expenses to mitigate losses caused by the public reporting of a data breach. Insurers are now offering products that cover a wide range of businesses and risks. You may also, at the same time, like to discuss with your insurance broker cover for other forms of cyber-risk, such as fraud, hacking, ransom, and denial of service attacks.
The future of data collection
The storage and management of personal information is likely to become more onerous and expensive with the increase in the amount of data that businesses generate and use.
There may be relief with the development of new applications of blockchain technology. There may soon be a time where individuals will hold all their own personal data, however acquired or generated, in their individual wallet: from medical records to shopping habits. Access to this data may be granted from time to time by the individuals to organisations, so that there is no need for businesses and organisations to store personal information. We wait this development with anticipation.
To discuss the changes to the Privacy Act further, please contact Lavan’s special counsel Amanda Kailis on 9266 6623 or Amanda.firstname.lastname@example.org.
You can also contact Lavan’s partner Cinzia Donald on 9288 6755 or Cinzia.email@example.com or Quadrant Advisory’s Managing Partner Paul O’Farrell on 9288 6607 or Paul.firstname.lastname@example.org to discuss litigation or banking matters.