A client recently asked us about the new changes to the privacy laws (that came into effect in March this year): “I just need to update our privacy policy and privacy statements, don’t I. That’s it isn’t it?” This sums up the view amongst many businesses that we’ve come across recently. However, the raft of changes to the privacy laws is about more than just updating business documentation; the changes are an attempt to shape the cultural attitude towards personal information and privacy.
The businesses that recognise this shift and quickly adopt business practices that reflect this will be the businesses that will really leverage the commercial potential of the privacy laws. This is why we tell all our clients that the Privacy Laws matter to all businesses – not only those that are “technically” caught by the laws.
The Commissioner’s new powers
Broadly speaking, the Privacy Laws apply to Australian government agencies and certain private sector entities – namely, those with an annual turnover of more than $3 million, or which provide health services (for example: dentists, doctors, gyms etc) or trade in personal information (for example: recruitment companies engaged in head hunting, real estate agencies with a tenancy database, database providers etc).
But this round of amendments to the privacy laws has triggered more concern amongst businesses because it gives the Office of the Australian Information Commissioner increased powers – including the power to undertake privacy performance assessments, accept enforceable undertakings, and (the real jaw dropper) seek civil penalties of up to $1.7 million. At last, the Commissioner has your attention!
We will no doubt be seeing more headlines like these as the Commissioner is finally able to sink some teeth into those organisations that breach privacy. But it’s not the size of the fine that will be most damaging to a business. It’s the PR disaster – the damage to your brand – that could cause immeasurable costs to your business. Then there may also be the increased cost of insurance (query whether your insurance policy will even cover such incidents where it is questionable whether your management has made adequate efforts to comply with the law); lost time and productivity; lost revenue; and the potential loss of partnerships and important business contracts. In the USA, data breaches have even cost executives their jobs.
Make it Your Competitive Advantage
But it’s not all doom and gloom. By using the new Privacy Laws as an opportunity to design your information handling practices in a way that respects personal information, you are branding your business as customer-centric and secure. Create trust where your competitors are not doing so, or are not doing so adequately.
For smaller businesses that would otherwise fall within the small business exemption under the Privacy Laws, we are seeing more and more (particularly those in professional services and in industries that collect “sensitive” information) choose to adopt Privacy Law compliant practices. This will certainly motivate others to change their practices too.
For start-ups and businesses with exit strategies tied to asset (read: data) sales or acquisitions by entities that are caught by the Privacy Laws, it is important to consider adopting information handling practices that are consistent with the Privacy Laws, to avoid potential issues arising when you come to exit your business.
And for businesses that operate internationally, it could be important to take extra steps with data security, such as ensuring encryption of personal data. This is especially so as experts are suggesting that Australian privacy laws are moving towards the data protection regimes that exist in the UK and Germany, both of which set quite high standards for how an organisation holds personal information, including an expectation that such data is encrypted.
Tips For Your Business
So, the amendments to the Privacy Laws are more than just a compliance obligation. Sure, you do need to update your privacy policy to refer to the “Australian Privacy Principles or APPs” rather than the “National Privacy Principles or NPPs”. You also need to state whether you disclose personal information overseas and the countries to which you make those disclosures, and you need to ensure that when you collect personal information you provide a collection statement that meets the requirements of APP 5.2. But beyond these, you also need to ensure that the culture within your business is one that takes a conservative approach to the collection of personal information, and one that in practice respects individual privacy.
So our top 5 tips for businesses looking to leverage the Privacy Laws are:
- Start today. Audit your personal information handling practices by asking: who is collecting personal information; why; how do you secure it; who do you disclose it to, and do you still need the personal information?
- Train your staff and contractors in your information handling practices. A well-written privacy policy and collection statement are not worth much if they are not followed in practice.
- Assess your data storage and security systems. Firewalls and password protection alone will not always be enough. Simple things, such as whether your software is patched and running the latest updates, can be critical.
- Don’t collect personal information that is unnecessary for your business or “just in case” it becomes necessary.
- Review your supplier contracts – including security and cloud computing agreements. Is it clear which party is responsible for monitoring security and dealing with security breaches? Do you have rights under your agreements to ensure your contractors are meeting their privacy obligations?
Aspect Legal has put together a privacy pack that will help you get your business compliant with the new privacy laws.
If you have any questions about how the privacy laws apply to your practice, or to any of your clients’ businesses, email us here or call us on our priority accountants line: 02 8006 0830.
We have a number of privacy services available (including a simple Privacy Pack to help get businesses compliant), but are also happy to just talk through any individual situation.
Disclaimer: The material contained on this website is provided for general information purposes only and does not constitute legal advice. You should not depend upon any information appearing on this website without seeking legal advice. We do not guarantee that the contents of this website will be accurate, complete or up-to-date.