Know your privacy obligations - or penalties may apply
People are becoming increasingly aware and concerned about the protection of their personal information. Given the latest cybercrime attacks on Optus and Medibank, the Federal Government has increased penalties under privacy laws. Do you know your privacy obligations and do you need help in complying with those obligations?
The Privacy Act - Overview
The Privacy Act 1998 (Cth) ('Act') regulates the way an individual's personal information is handled. Organisations with an annual turnover of more than $3 million must comply with the Act. In addition, certain businesses are covered by the Act regardless of turnover, including health service providers and businesses engaged in certain other activities.
Some of the obligations under the Act include:
having a clearly expressed and up-to-date privacy policy;
taking reasonable steps to implement practices, procedures and systems to ensure compliance with privacy laws;
notifying individuals as to why their personal information is being collected; and
taking reasonable steps to protect personal information from misuse, interference, loss and unauthorised access.
Data Breaches
Under the Act, certain data breaches require an organisation covered by the Act to notify the individuals concerned and the Office of the Australian Information Commissioner of the breach.
A data breach occurs when personal information is accessed or disclosed without authorisation or is lost. An example of a data breach is a cybercrime attack. According to the Australian Cyber Security Centre, in Australia a cybercrime is reported every 7 minutes.
A data breach can result in serious harm to individuals, can be extremely costly to your business and may result in heavy penalties. Customers may also lose trust and confidence in your business.
Penalty Increases
The Federal Government has passed a Bill to amend the Act. For companies, maximum penalties for serious or repeated acts that interfere with the privacy of an individual will increase from the current $2.22 million penalty to whichever is the greater of:
$50 million;
3 times the value of any benefit obtained through the misuse of information; or
30% of a company's adjusted turnover in the relevant period.
The amendments also:
provide the Australian Information Commissioner with greater powers to resolve privacy breaches;
strengthen the Notifiable Data Breaches scheme to ensure the Australian Information Commissioner has comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals;
equip the Australian Information Commissioner and the Australian Communications and Media Authority with greater information sharing powers; and
lower the threshold for a foreign organisation to be covered by the Act.
What can businesses do?
Businesses should know their obligations under privacy laws and ensure compliance. Contact us if you would like help with privacy-related matters such as:
Preparing a privacy policy;
Putting in place a plan to deal with data breaches; and
Better understanding your obligations.
The material in this article was correct at the time of publication and has been prepared for information purposes only. It should not be taken to be specific advice or be used in decision-making. All readers are advised to undertake their own research or to seek professional advice to keep abreast of any reforms and developments in the law. Brown Wright Stein Lawyers excludes all liability relating to relying on the information and ideas contained in this article.