Businesses are being urged to review their cloud computing arrangements and their internal processes ahead of new privacy laws which will come into effect a week from today.
From March 12 businesses could be fined up to $1.7 million per breach of the new regulations, which aim to bring Australia’s privacy laws up-to-date with current technology trends.
The new laws will make it more difficult for businesses to collect information about consumers without their knowledge.
Association for Data-driven Marketing and Advertising chief executive Jodie Sangster told SmartCompany there are four main changes to the legislation which impact businesses.
“Number one, the definition of personal information has been extended to also account for certain information which is collected anonymously. This information when used with other information has the capacity to identify someone,” she says.
“There are also new requirements around transparency. Businesses must now notify individuals when information has been collected, how it’s used and where it’s stored.”
Sangster says businesses will also need to give consumers more control over their ability to opt-out of marketing communications.
“The big change with the opt-out function is that businesses will not only have to include one, but they should guide consumers to a preference centre where they can choose if they want to receive emails but not telephone calls, for example,” she says.
“There are also new requirements around data going overseas. The Australian company will now be responsible if something goes wrong and there is a privacy breach.”
The new Australian Privacy Principles will replace the current National Privacy Principles and Information Privacy Principles.
The laws will apply to businesses that turn over more than $3 million a year and collect personal data.
However, there are some small businesses which turn over less than $3 million that will still need to abide by the new legislation. For example, the laws apply if the business is a health services provider, related to a larger business, trades in personal information, or is a contractor which provides services under a Commonwealth contract.
The new legislation will see the Privacy Commissioner have greater powers to enforce the legislation.
The Privacy Commissioner, on behalf of the Information Commissioner, will be able to accept enforceable undertakings, seek civil penalties in the case of serious breaches, and conduct assessments of privacy performance for both Australian government agencies and businesses.
Sangster says businesses could face multimillion dollar penalties, although there is likely to be a transition phase.
“It’s not like from March 12 everybody will be fined, but I expect we will see fines issued under this legislation,” she says.
“I think it will be similar to consumer protection laws, particularly those regarding misleading advertising. There aren’t court cases every day, but they are frequent enough for businesses to know they have to be very careful.”
Sangster says for consumers the new laws guarantee more transparency around data and more opportunities to say what you’ll allow your data to be used for.
“Thirdly businesses will also have to be more responsible, and fourthly if enough complaints are made against a company consumers will know there is a chance for very serious penalties.”
Sangster says the privacy law amendments came about as the original laws weren’t applicable to the current technology-driven environment.
“When the privacy laws were first launched in 2001, we weren’t in a world of data and we weren’t attached to our mobiles. The legislation wasn’t made for our time and we had to update it, although that’s only been half achieved, I don’t think they did a great job.”
“Another push behind it was social media. There was a lot of concern at the time about information provided on social media and the availability of data.”
Sangster says businesses are going to need to ensure they have the appropriate safeguards in place.
“They’re going to have to change all their internal processes and procedures. They’ll also have to make sure data sets are kept totally separate because of this new consideration of the idea that two sets of information can lead to an individual being identified,” she says.
“In terms of the storage of data, businesses will also need to ensure they have water tight agreements in place with external companies to ensure there’s no chance of privacy breaches.”