As a business owner, you must be aware of the responsibilities that come with collecting, possessing and disclosing information about individuals (“personal information”). This applies even if you unintentionally collect the information or have no plans to use or deal with it in any way. This article explores how you can proactively ensure that your business complies with the Privacy Act 1988 (Cth).
1. Ensure You Have a Privacy Policy
A privacy policy is a standard document for a business that receives or handles personal information. If your business is an APP entity, then you must have a privacy policy. However, even if it is not compulsory for your business, we recommend you have one for best practice.
An APP entity is subject to the Australian Privacy Principles. Your business may be an APP entity if it:
- generates over $3 million in annual turnover; or
- engages in specific activities, including but not limited to handling health information, trading personal information, or fulfilling a Commonwealth contract.
You should speak to a lawyer to confirm whether your business is an APP entity.
A privacy policy can address the key Australian Privacy Principles. Your privacy policy should outline to your customers what information you collect from them. Also, your privacy policy should state how you intend to use this information. Businesses commonly use this document for dealings with the public. Furthermore, it can help foster trust amongst your customer base. Your privacy policy should be available to customers through a link or pop-up on your website. If customers can create an account on your website, you should clearly indicate which personal information is optional for them to disclose.
2. Develop a Privacy Manual
While a privacy policy is a public-facing document, a privacy manual is an internal document that outlines how you will collect, use, store and handle the personal information of people in your organisation. You can introduce a privacy manual into your business through formal training processes. Sometimes businesses appoint a privacy officer who can answer employee questions or take enquiries from the public regarding privacy compliance. You will be more inclined to successfully manage privacy if you ensure your employees understand your policy.
3. Ensure Data Security
There are some practical methods you can implement to ensure your compliance with the Australian Privacy Principles. These include limiting access to personal information to authorised personnel who require it to perform their everyday tasks, collecting and storing only the personal information that is absolutely necessary and nothing more, and properly disposing of personal information you have no plans to use. By properly destroying personal information once you no longer need it, you lessen the likelihood of external third parties gaining access to it. Periodically reviewing the personal information you store helps ensure you are purging outdated or unnecessary data from your systems.
You should implement strong data protection controls, including:
- data encryption;
- access control;
- cyber security detection systems; and
- employee training.
4. Plan for Data Breaches
A data breach involves unauthorised access to or disclosure of personal information. In today’s digital landscape, it is not a question of whether your business will experience a data breach but when. Therefore, preparing for these incidents is crucial.
If your business is an APP entity, under the Notifiable Data Breaches (NDB) scheme, you must notify the Office of the Australian Information Commissioner (OAIC) and your affected customers of the breach if it is likely to lead to significant harm to the individuals involved.
You can prepare a Data Breach Response Plan that clearly outlines all roles and responsibilities in handling a data breach. This will stand your business in good stead when a data breach occurs: your business will be able to respond proactively instead of reactively, minimising brand or reputational damage and financial losses.
5. Privacy Collection Notice
Having a Privacy Collection Notice (PCN) available at the point of collecting personal information of your customers is essential if you are an APP entity, but also best practice if you are not. A PCN is like a mini Privacy Policy and will inform your customers of what personal information you are collecting from the individual in that particular situation, why you are collecting it, and how it will be used or disclosed.
Key Takeaways
As a business owner, you must ensure your business is compliant with the Privacy Act. Non-compliance with the Privacy Act can have adverse repercussions. Customers may be releasing their information to you through various means. Although you may find it quite easy or straightforward to collect personal information, you must understand and consider your obligations around privacy. Whatever your business does, you will likely have a level of access to your customers’ personal information. By keeping the above pointers in mind, you will be better equipped to address privacy issues in your organisation.
If you are unsure of your privacy obligations or what your organisation needs to do to comply with the Privacy Act, contact our experienced privacy lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.