Australian businesses have less than six months to prepare for far stricter federal privacy requirements and need to start now, experts tell SmartCompany.
The 250 pages of amendments to the Privacy Act, passed in November 2012 with the majority taking effect from March 2014, will affect all Australian companies turning over more than $3 million a year.
A carve-out of the laws has been retained for businesses smaller than that. It won’t affect your corner deli.
But for businesses that do meet the threshold, the changes are quite significant, says David Smith, a partner at Corrs Chambers Westgarth. “It’s a far higher bar than what existed previously.”
- The kinds of personal information your business collects
- How you collect that information
- The purposes for which you collect, hold, use and disclose that information
- How individuals can access the personal information you hold on them and seek to correct that information
- How individuals can complain to you about a breach of the Australian Privacy Principles, and how you will deal with complaints
- Whether you are likely to disclose information to overseas recipients, and if so, in which countries those recipients are likely to be based
The Spam Act will continue to apply to marketing materials, which means you have to give people easily accessible ways to unsubscribe from mailing lists. However, the Privacy Act changes will also place new restrictions on direct marketing materials sent in the mail, requiring you to maintain a simple mechanism by which people can opt out of further marketing, and including a statement on your marketing saying how they can do so.
Two exceptions to the act continue to apply: employees will not have the same rights to access their data, nor will corporate bodies have a right to access information you might keep about their company.
Businesses that fail to comply with the new standards face fines of up to $1.7 million for repeated or serious breaches of the act.
Smith says the biggest change is likely to be cultural.
“One of the new requirements is that you have to have a formal privacy compliance program,” he says. “Most businesses have some sort of program, but this really ups the ante. Now, it has to be formal, and apart from anything else, that means it has to be documented.
“Businesses really need to do a review before March, if they haven’t already, that looks at their privacy compliance. If necessary, they need to formalise it and make it more thorough.”
Part of this formalisation of privacy procedures extends to things like having a privacy officer, and having internal policies to deal with breaches of privacy and privacy complaints.
“It’s also about training your staff who deal with personal information,” Smith adds.