Australian businesses have less than six months to prepare for far stricter federal privacy requirements, and need to start preparing now, experts tell SmartCompany.
The 250 pages of amendments to the Privacy Act, passed in November 2012 with the majority taking effect from March 2014, will affect all Australian companies turning over more than $3 million a year.
A carve-out of the laws has been retained for businesses smaller than that. It won’t affect your corner deli.
But for businesses that do meet the threshold, the changes are quite significant, says David Smith, a partner at Corrs Chambers Westgarth. “It’s a far higher bar than what existed previously.”
Among other things, the new Australian Privacy Principles require a clearly expressed, up-to-date privacy policy that sets out:
- The kinds of personal information your business collects
- How you collect that information
- The purposes for which you collect, hold, use and disclose that information
- How individuals can access the personal information you hold on them and seek to correct that information
- How individuals can complain to you about a breach of the Australian Privacy Principles, and how you will deal with complaints
- Whether you are likely to disclose information to overseas recipients, and if so, in which countries are those recipients likely to be based
The Spam Act will continue to apply to electronic marketing messages such as email and SMS, which means you have to give people an easily accessible way to unsubscribe from mailing lists. The Privacy Act changes go further, placing new restrictions on direct marketing sent by post as well: you must maintain a simple mechanism by which people can opt out of further marketing, and each piece of marketing must carry a statement telling them how to do so.
Two exemptions continue to apply: employees will not have the same right to access the records their employer holds about them, and corporate bodies have no right to access information you hold about their company, since the act protects personal information about individuals only.
Businesses that fail to comply with the new standards face fines of up to $1.7 million for serious or repeated breaches of the act. It is a significant increase in the powers of the Privacy Commissioner, says Justin Cudmore, a partner at Marque Lawyers.
“Under the current act, the Commissioner has little ability to do anything to enforce the privacy laws,” he tells SmartCompany.
“As a result of the changes, the Commissioner will be able to seek civil penalties for privacy breaches (i.e. make you pay up to $340,000 for individuals and $1.7 million for companies), and accept enforceable undertakings (meaning you promise to do something regarding privacy, and if you break that promise you could be required to pay compensation).
“The Commissioner will also have much broader powers to investigate suspected privacy breaches. To date he has generally only investigated where there has been a serious complaint or a lot of media attention.”
The most onerous obligation on businesses, Cudmore says, is that they have to ensure that the overseas entities to which they supply data comply with Australian privacy laws. This can be tricky with cloud storage, although, he notes, cloud storage providers often do not actually access or use the information kept on their services.
Smith says the biggest change is likely to be cultural.
“One of the new requirements is that you have to have a formal privacy compliance program,” he says. “Most businesses have some sort of program, but this really ups the ante. Now, it has to be formal, and apart from anything else, that means it has to be documented.
“Businesses really need to do a review before March, if they haven’t already, that looks at their privacy compliance. If necessary, they need to formalise it and make it more thorough.”
Part of this formalisation of privacy procedures extends to things like having a privacy officer, and having internal policies to deal with breaches of privacy and privacy complaints.
“It’s also about training your staff who deal with personal information,” Smith adds.