The Australian Privacy Commissioner’s latest decision against AAPT is a timely warning to your business to review its privacy obligations in light of the substantial changes to the Privacy Act, that came into effect on 12 March 2014. The Privacy Law changes reflect that Australians are more concerned about their privacy than ever before, and may be willing to abandon companies they believe misuse their information. AAPT was found to have breached the Privacy Act by not taking reasonable steps to secure its customer’s personal information (including sensitive information such as web history and identity verification details). AAPT was found to be using old versions of software and applications on its server managed and operated by a third party. The hacker group ‘Anonymous’ was able to exploit this failure by hacking and publishing AAPT customer personal information online. The negative publicity and loss of reputation AAPT suffered ought to have been avoided. Fortunately for AAPT, the existing law does not permit the Commissioner to impose any penalties or seek enforceable undertakings. However, the new privacy law gives the Commissioner such powers, including new civil penalties of up to $1.7 million for corporations and $340,000 for individuals. The Privacy Act governs the collection, use and disclosure of “personal information”, being data that can be used to identify an individual. Under the new Australian Privacy Principles (APPs), which in effect hold entities to higher standards, businesses will need to do the following:
- Have an up to date privacy policy.
- Only collect information from the customer that is reasonably necessary for your business to function.
- Ensure that reasonable steps are taken to ensure personal information is held securely and that your software and applications are up to date.
- Consider any contracts with service providers, especially those involving storage of data in the cloud that may have privacy law implications.
- Consider what personal information is no longer needed and should be de-identified or destroyed (AAPT also breached this obligation).
- Consider whether your business is likely to disclose personal information to overseas recipients.
- Ensure your privacy policy is available on request and that customers may update or access their details.
- Ensure that your business has a representative or “Privacy Officer” responsible for privacy compliance and policy procedures.
- Ensure that your business provides an opt-out function for any personal information collected for direct marketing purposes.
We can assist your business to:
- Conduct a privacy audit to identify the gaps between your current policy and procedures, and what is required under the new law. Such an audit should involve the identification of all types of information collected, the ways in which it is collected, and how it is used, stored and disclosed; and
- Following the privacy audit, update your privacy policy.
The consequences of non-compliance are significant and the beefed up Privacy Laws come into effect in less than four months.
