If you own a business which collects personal information, you may need to conduct a privacy audit of your business. Australia is regulated by privacy laws and the Australian Privacy Principles (APPs) which outline your business’ privacy obligations. Similarly, the introduction of the EU General Data Protection Regulation (GDPR) in May 2018 has placed privacy at the forefront of internal compliance agendas for businesses around the world. Therefore, if you collect personal information, you may need to comply with the APPs and the GDPR. This article will set out whether the APPs and GDPR apply to your business and what steps you should take to meet your privacy obligations.

What is a Privacy Audit?

A privacy audit compares your business’ privacy protections to the relevant laws and regulatory requirements. This process should highlight gaps in your privacy compliance measures and allow you to adjust your business practices before any issues arise. You should conduct a privacy audit to know precisely:

  • what personal information your business is collecting;
  • how you are collecting, processing and storing information; and
  • which privacy laws apply to you.

Do the APPs Apply to You?

The first object of your privacy audit should be determining whether APPs apply to your business. The APPs will apply if you are considered an APP entity. An APP entity is classified as any sole trader, partnership, trust, company or unincorporated association that:

  • has an annual turnover of over $3 million;
  • has less than $3 million turnover but is classified under an exception. These include health service providers and businesses which disclose personal information for a benefit; or
  • businesses that are not classified as APP entities, but still choose to voluntarily comply with the APPs.

Complying with the APPs

If you are an APP entity, you will need to comply with the APPs. Key questions you should ask as part of your privacy audit include:

  • what personal information are you collecting? It is common for most businesses to collect personal information such as such names, addresses and emails. However, you should be especially aware of collecting sensitive information. Sensitive information includes information about race, religion, political affiliation, health and sexual orientation. This information attracts stronger protections under the APPs.
  • whether you have a readily available, clearly expressed and up to date Privacy Policy? This policy should tell your clients how and why you collect and manage personal information.
  • Are you using personal information for purposes other than what was disclosed to your customers?
  • Are you disclosing personal information to an overseas recipient? For example, using offshore service providers. If so, you may be required to ensure the overseas recipient handles the personal information in accordance with the APPs. You may also be liable should the overseas recipient breach the APPs in relation to personal information you provide. Therefore you will need to vet third party providers as part of your privacy audit.
  • How are you processing and storing personal information? You should consider whether you have adequate processes in place to protect your client’s personal information.

Notifiable Data Breaches

If you are an APP entity, then you will also need to comply with the Notifiable Data Breach (NDB) scheme which came into effect on 22 February 2018. The NDB scheme places an obligation upon APP entities to report eligible privacy breaches to the Officer of the Australian Information Commissioner and inform anyone affected by the breach, such as the person whose data is exposed.  

An eligible privacy breach refers to breaches which are likely to result in serious harm to any of the individuals the information relates to. An eligible data breach arises when the following three criteria are met:

  • unauthorised access to or disclosure of personal information occurs, or an entity loses personal information;
  • that information may cause serious harm, whether physical, psychological, emotional, financial or reputational; and
  • the entity was unable to take positive steps to prevent the likely risk of serious harm or provide remedial action.  

Remedial action example: An employee loses a company phone that has access to a client’s personal information. Immediately upon realising this, the employee informs IT support to wipe the phone clean. IT support is confident the time was too short for anyone to have accessed the phone.

If an eligible privacy breach occurs then you must recommend safety measures to affected people. For example, cancelling credit cards or changing online passwords. You should also be aware that your obligation may extend to third party providers you may use, such as online software as a service platforms. Therefore, you should ensure your third party providers notify you of any breaches in their data which compromise people’s personal information.

Does the EU GDPR apply to you?

As part of your privacy audit, you should consider whether the EU GDPR applies to your business. Unlike the APPs, the GDPR casts a broader net and does not have a minimum turnover or class of service to require compliance. Your business may need to comply with the GDPR if it collects data and:

  • is established in the EU;
  • supplies goods or services to individuals in the EU; or
  • monitors the behaviour of individuals in the EU.

If your business checks any of the above, you should consider completing a GDPR Compliance Checklist and seeking legal assistance as to what you need to do to comply. For many established businesses, compliance has meant changing systems, processes, policies and contracts. If you are a new or pre-launch business, you should determine whether the GDPR applies so that you can implement the requirements now as opposed to later.

Key Takeaways

Most businesses that provide goods or services to the public will collect personal information. You should conduct a privacy audit if you have not conducted one since the NDB scheme and GDPR came into effect. Primarily, your privacy audit should address:

  • what personal information your business collects;
  • how you are you collecting, processing and storing information; and
  • what privacy laws apply to you.

With so many aspects to consider, navigating privacy law and regulation can be difficult. If you need assistance determining your privacy requirements, get in touch with one of LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

Justin Ocsan
If you would like further information on any of the topics mentioned in this article, please get in touch using the form on this page.
If you would like to receive a free fixed-fee quote for a legal matter, please get in touch using the form on this page.