The reforms to the Privacy Act 1988 (Cth) have been well publicised. Australian businesses were required to comply by 12 March 2014, with the most recent updates to the Australian Privacy Principles (APPs) in April 2015.

What do you need to do?
This guide sets out 5 key steps to help your business comply with the new laws, including the new Australian Privacy Principles.

Why do you need to comply?
The Privacy Commissioner now has stronger powers. There are now civil penalties for serious or repeated breaches of the Privacy Act of up to $1.7 million for companies, or $340,000 for sole traders and individuals.
1. Conduct a Privacy Audit
Audit your business to understand how you deal with personal information, including on the following key points:
- what personal information your business collects;
- how your organisation uses, discloses and stores personal information; and
- how you address complaints.
Some areas of increased risk under the new laws are:
- when you conduct direct marketing, you must provide a simple opt-out mechanism. This is similar to what the Spam Act already requires for email and SMS marketing; and
- if your organisation discloses personal information to a recipient overseas, your organisation may be held responsible for any breach of the APPs by that overseas recipient.
2. Update your Privacy Policy
Update your privacy policy so that it reflects the new laws. In particular:
- Refer to the Australian Privacy Principles, not the superseded National Privacy Principles.
- State whether your business uses personal information provided by third parties. For example, do your customers book through a third party booking agency?
- State whether your business provides personal information to third parties. For example, do you provide personal information to a third party marketing agency?
- State whether you’re likely to disclose personal information overseas and, if so, the countries in which the recipients are likely to be located.
- Explain how an individual can correct their information.
- Explain how an individual can complain about a breach of the APPs and how you’ll deal with a complaint.
3. Provide a Privacy Notification when you collect personal information
4. Internal Privacy Manual – Compliance program part 1
The APPs require organisations to take reasonable steps to put procedures and systems in place to comply with the APPs. A compliance program has 2 key parts: an internal privacy manual, and staff training. An internal Privacy Manual includes, among other things:
- An overview of privacy law requirements and why privacy compliance is important.
- How your organisation collects, stores, uses and discloses personal information.
- How your organisation will deal with a privacy complaint, a request by an individual for access to their data, or a privacy breach.
- Guidance on receiving personal information from third parties.
- Guidance on providing personal information to third parties, including disclosing personal information overseas.
- Who is responsible for privacy compliance within your organisation.
5. Appoint Privacy Officer and train key staff – Compliance program part 2
An important part of your compliance program is training the staff who handle personal information in how to comply with privacy law, including your Privacy Manual. There are basic training materials on the Privacy Commissioner’s website, or we can assist you to prepare tailored, practical training for your organisation. It is prudent to appoint a Privacy Officer, so that someone in your organisation is responsible for privacy compliance.

We can assist you with these 5 steps, to help your organisation comply with the privacy law reforms. Contact us today for a free initial assessment and a fixed fee price, for your peace of mind.