New privacy laws + compliance checklist

On 12 March 2014, the Privacy Amendment Act comes into full effect, introducing 13 new Australian Privacy Principles (APPs). With new fines of up to $1.7 million per breach, have you taken time to understand what these changes mean and what action you may have to take?

1. To whom do these new laws apply?

Those subject to the new laws are 'APP entities' consisting of government agencies, businesses with over $3 million annual revenue, as well as some with revenue under that amount, such as those trading in personal information.

2. What are the significant changes?

The new privacy laws affect how businesses collect, use, and store personal data, and they significantly increase the powers of the Privacy Commissioner. That office now has the power to conduct investigations even without an official complaint, as well as the ability to enforce harsh new penalties.

3. Analyse how data flows through your firm

An important first step is to have a look at why, when, and where your organisation collects data, and how it stores the data it collects. Do you have a defined retention policy to ensure that old or obsolete data is destroyed or anonymised after a certain period? Who may have access to this data throughout the process? It is important to identify potential risks and ensure that data is protected from disclosure or misuse.

Another issue of particular concern is the use of cloud computing, and organisations are encouraged to take a practical and targeted approach where such systems are being used. Additionally, firms transferring data offshore are encouraged to review their contracts in light of the new cross-border accountability principles.

The changes mean you could be held vicariously liable for breaches by offshore third parties to whom the information has been disclosed, as well as for breaches by the provider of the cloud computing system.

Conduct a privacy audit and assess your current practices and policies to determine which steps need to be taken. Consider engaging a consulting or legal service to help confirm that you are heading in the right direction.

4. Make sure your privacy policy is in order

The first APP requires a clearly expressed privacy policy to be made publicly available and free of charge. It must outline how personal information is stored and managed and it also imposes an obligation to have practices, procedures, and systems in place for dealing with enquiries and complaints.

Your privacy policy can be improved by ensuring that it answers the following questions:

  • When will data be collected?
  • What type of data will be collected? This includes internet specific data collection such as number of visits, date/time of visits etc.
  • What will data be used for? Provide a reasonable amount of detail and cover the usage of cookies, explaining how and why they are used.
  • Who may the data be disclosed to? This must include recipients in foreign countries and should outline in which countries the data is likely to be disclosed.
  • How is data quality managed, and how can individuals access and correct the data that is held about them?
  • What is your policy regarding data storage and security? Outline the measures in place to ensure that obsolete data is destroyed.
  • How can an individual contact you to make a complaint? Describe the complaints process and advise how and when you will respond.

Review your existing privacy policy or have something drafted if you don't already have one in place. You may also find it practical to put a process in place to ensure that it is regularly updated, and designate one person as the Data Privacy Officer to make sure that it gets done.

5. Ensure your staff are up-to-date

Take the time to inform your team of the changes and ensure that they feel comfortable with the procedures for handling client enquiries and complaints. All employees should also be aware of their obligations around confidentiality and non-disclosure of information.

As noted by Jodie Sangster, CEO of the Association for Data-driven Marketing and Advertising, "so many departments within a company will touch data and everyone in the company needs to know what part they play in the process."

6. The consequences of failing to comply

In addition to the penalties that may be imposed by the Privacy Commissioner, the detriment to a business arising from a privacy breach could be widespread, including market devaluation, damage to reputation, and customer mistrust.

If your company does meet the definition of an APP entity, the Office of the Australian Information Commissioner has provided a checklist outlining the main changes. Another checklist has been provided to assist smaller businesses that are unsure if the new laws will apply.

A full overview of the 13 APPs is right here (PDF).
