In brief – Deadline approaching for businesses to ensure their compliance with the new privacy legislation
Breaches of the new privacy laws can attract significant fines and regulators may publicise any breaches, so if your privacy and data management and protection policies have not been updated for compliance, time is running out.
Civil penalties of up to $1.7 million for corporations
New laws taking effect from 12 March 2014 impose new requirements on businesses and most government bodies that collect and transfer personal information in Australia. These laws also impact personal information that is collected outside Australia if that data is brought to Australia.
Non-compliance with the new legislation risks civil penalties of up to $1.7 million for corporations and $340,000 for individuals. In addition, there are new government powers to investigate privacy and data loss events and to obtain enforceable undertakings in the event of a breach of the laws.
New privacy and data management obligations
The new privacy laws create new Australian Privacy Principles (APPs) that revise prior obligations on how and when any personal information can be collected and how that information can be transferred to third parties. These revised requirements impact:
• When personal information may be collected and when consent to collect certain types of personal information is required
• Rights of individuals to access, correct or delete personal information that has been collected
• How individuals may complain about interferences with their privacy
Updating your policies and educating your managers and directors
Most businesses must comply with the APPs. Your first steps should include updating privacy and data management policies, in particular:
• Collection statements and consent to transfer to third parties
• Procedures for handling unsolicited information
• Ability of individuals to review and revise collected information
• Direct marketing procedures
A key compliance tool will be the education of senior managers, executives and directors about these changes in the privacy regime and the steps your business is taking to review and maintain compliance.
The new legislation allows for investigation of breaches of data security (privacy) regimes and for the regulators to publicise any privacy breaches that occur.
Audit of compliance with privacy and data collection laws
For a fixed fee, we will review your privacy and data collection policies and processes and advise whether they are compliant with the new privacy laws and, if not, how you can become compliant as quickly as possible.
Our review will focus on how your business manages and shares the information it collects from business users and service providers, with particular attention to personal information, including customer records, website cookies and customer information databases. If your business engages in direct marketing and credit reporting, these processes will be included.
We can also review how your business transfers the collected data - between group or subsidiary companies, and to and from third parties such as your customers and service providers, including your IT service providers. Your use of cloud computing and other remote services will also be reviewed.
This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. © Colin Biggers & Paisley, Australia 2019.