Private Business: The five step guide to the all-new Privacy Act
Businesses that collect information about customers have a new set of legislation to study up on; ignoring recent changes to the Privacy Act could lead to catastrophe.
The changes bring the law up-to-date with the online age and are likely to affect a huge number of businesses. Those that are not fully across the new legislation run the risk of unforgiving auditors and hefty fines.
The Privacy Commissioner has been given increased power, including new investigative and enforcement powers and the ability to issue fines of up to $1.7 million to companies found to be in breach of the Privacy Act.
The amendments, which came into effect on March 12, deal with the development of the internet and online storage solutions. Businesses that engage with overseas suppliers, use personal information for direct marketing, or store information in the ‘Cloud’ are the most at risk of breaching the new laws if they do not take immediate action to ensure their compliance.
There are five key changes to the Privacy Act to be aware of:
1. Government level responsibility
The privacy principles that apply to government agencies and those applicable to private sector companies have been merged to create the Australian Privacy Principles. This means additional obligations for private sector companies.
2. Overseas alarm bells
The amendments place greater significance on cross-border disclosure. Companies now must disclose to the customer/client if personal information is transferred overseas to third party suppliers or if personal information is stored on overseas servers.
3. Under lock and key
Companies may now be at fault for third party breaches of a customer’s personal information.
It’s critical that businesses understand exactly what information they collect, and how it’s disclosed, stored, and most importantly how it’s protected. Online shysters have long targeted personal information but now the company can be held accountable for customer data that’s been stolen from them.
4. Revenue review
Small businesses with a turnover of less than $3 million are exempt from the Privacy Act. By no means does this make it safe for small companies to be complacent with their customers’ information, but they can rest easy knowing they won’t be slapped with a $1.7 million fine.
5. Transparency increase
Direct marketing provisions have been amended and now require further disclosure. This means all businesses must amend their privacy policy and communicate those changes to their database.
This may seem like a pain, and many businesses have the valid concern that doing this will cause their mailing list to shrink considerably, but the key is to give an incentive and turn it into a positive.
Some organisations have been offering prizes for customers who opt in to direct marketing arrangements by accepting their new privacy policy.
A good approach is to send an email bulletin to your mailing lists to let them know about the changes in your privacy policy. You can hyperlink to the policy on your website, where customers can accept the new policy electronically.
What to do next
It’s time to do a full review of how your company handles customer information. This means looking into existing contracts with service and storage providers and considering whether they need to be amended with new indemnity provisions.
It’s critical that all staff members are aware of the new rules -- all it takes is one person in the business to misuse customer information and you could be pinched.
Seek advice on compliance procedures and discuss whether your privacy policy is compliant with the new amendments. Make sure that your policy is tailored to reflect how your business actually collects, stores and handles information. Using a ‘boilerplate’ policy can expose you to unnecessary risk.
Think outside the square to get your customers familiar with your new or updated policy to avoid being caught out by the new laws.
There’s no need to panic. With some research and effort these laws are easily adopted into any organisation.
Fotini Kypraios (accredited FBA Adviser) & Sean Greenland, Meerkin & Apel Lawyers