Privacy laws are something that affect all of us. We often hear and read about the privacy of information we are providing to businesses.
Amendments to the Australian privacy law are now in place, and the implications for those who are affected have changed significantly.
The amendments seek to rebalance the competing objectives between protecting the privacy of individuals and protecting the interests of businesses and their legitimate functions or activities. Previously, the scale may have been in the favour of business interests. Not now.
Firstly, the new law applies to businesses with a turnover of $3m or more. If your turnover is under $3m, your business is not affected.
Perhaps the most significant change is to reporting. Previously, reporting breaches of the law to the Privacy Commissioner was optional. Not now. Reporting of breaches is compulsory.
And there is a whack – penalties of up to $420,000 for individuals and $2,100,000 for companies may apply if breaches are not reported.
Reporting is required to the individual(s) affected and the Privacy Commissioner. A business will need to include a description of the breach, the kind of information concerned, and recommendations to affected individuals about the steps they should take in response to a breach. If a business doesn’t report, the financial penalties may be applied.
So, what might be a breach that needs to be reported? There’s no definitive list, but some to consider are the theft of customer details, theft of credit card details, paper records stolen from insecure bins and the loss or theft of paper, computers or USB devices containing personal information.
In the event of a breach, a business must be able to show it took reasonable steps to protect the personal information it holds against unauthorised access, change and loss. What counts as ‘reasonable steps’ will depend on the business, but could include use of security software, having a data breach policy and response plan, secure disposal of hard-copy records, visitor entry controls, scanning, passwords, two-factor authentication (2FA), firewalls and backing up.
We have prepared a discussion paper which provides more details of the changes. Please email or call if you would like a copy. We would be happy to answer your questions. In the meantime, businesses should be aware of the new amendments; privacy policies and standard practices may need to be updated to comply with them.