Privacy laws have changed, meaning that you need to review your privacy policies and procedures to comply with the law and to avoid the consequences of not complying. The Privacy Act 1988, together with the National Privacy Principles, sets out the obligations of businesses in relation to obtaining, storing and dealing with private information.
In February, the Federal Parliament passed new legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017, which regulates how businesses deal with data breaches. A data breach is defined as a situation where there has been unauthorised access or disclosure of personal information about individuals. If the unauthorised access or disclosure is likely to lead to a risk of serious harm to those individuals whose data has been breached, the business must assess that breach and notify the Commissioner as well as any affected individuals. The only exception is if the business can show that despite a breach, there is no risk of harm to an individual.
In this regard, “serious harm” includes the following: physical harm, psychological harm, financial harm, economic harm, and harm to reputation.
If a business does not comply with its obligations under the new Act, it will be deemed to have interfered with the privacy of an individual, which can have serious consequences, including civil penalties.
To reduce the risks of being in breach of the Privacy Act, together with the new legislation, you must:
- Review and amend your privacy policies to ensure that they comply with the National Privacy Principles.
- Update your internal privacy policies to include a plan for how you will deal with a data breach – including what you will do if a breach is suspected or discovered. This plan should comply with the obligations in the new legislation.
- Assess how and when you will need to notify customers.
- Determine what action you would take so that no harm arises from a breach, and so that notification to customers is NOT required.
- Review your contracts with service providers, to ensure that any other business you share information with also has policies regarding how they deal with personal information and what happens in the case of a breach.