Are you ready for the new privacy rules?

Directors need to ensure their organisations are prepared for sweeping new privacy rules that take effect next week to avoid copping tough new penalties from a regulator with wider powers.

On 12 March, the Australian Privacy Principles (APPs) come into force, replacing the existing Information Privacy Principles and National Privacy Principles. The 13 APPs significantly raise the bar on how businesses and federal government agencies collect, store and handle individuals’ personal information. Organisations will also need to comply with increased legal obligations regarding overseas disclosure of personal information and direct marketing.

The new rules also beef up the privacy regulator’s enforcement powers with the Office of the Australian Information Commissioner now able to levy penalties of up to $1.7 million and impose enforceable undertakings on non-compliant organisations.

But according to Alison Baker, a partner at Hall & Wilcox Lawyers, and Aaron Greenman, director of IT security and privacy at consulting firm Protiviti, many companies are still unprepared for the changes.

Greenman notes: “Organisations will be saddled with a raft of new responsibilities including ensuring they have processes to deal with privacy complaints, making sure they are accountable for personal information disclosed to overseas parties, establishing security measures to prevent information breaches, and many more.

“These wide-ranging changes will have a big impact on organisations that collect a lot of personal information such as online businesses, retailers, utilities, healthcare providers, communications companies and most businesses in the finance and insurance sectors. Yet, while government departments are generally well-prepared, regrettably, our experience has shown that the majority of corporates are not.”

Baker says: “Failure to comply with the new Privacy Act principles puts business at serious reputational, legal and financial risk. It’s a big change from the previous regime, which was much softer on privacy breaches.”

She says every business needs a privacy policy to satisfy compliance with the new principles; those with an existing policy will need it amended.

To avoid potential problem areas, she advises directors to ensure third-party supplier contracts address the new principles and place contractual obligations for privacy compliance on third-party suppliers.

“Businesses engaging with overseas suppliers need to ensure they have good contracts in place. If they already have a relationship agreement, they should look to enter into data transfer deeds with their overseas suppliers,” she says.

“All processes around collecting and storing personal information, as well as access, correction and complaint handling processes, need to be reviewed. This includes destroying or de-identifying personal information when it is no longer needed.”

Greenman warns that companies that have not already done so need to take immediate steps to become APP-compliant.

He says the steps your organisation should take to become APP-ready include:
  • Identifying the classes of personal information collected and held. Examples include contact details, employment history, educational qualifications, racial or ethnic origin, tax file numbers and health information.
  • Identifying how such information is collected, held, used and disclosed, and the purposes for which it is collected and used.
  • Identifying the scope of any cross-border disclosures, including where possible, the countries where recipients are likely to be located.
  • Reviewing and updating procedures and policies for managing the privacy risks at each stage of the lifecycle of this information, including at the time of collection, use, disclosure, storage and destruction.
  • Implementing security systems for protecting the information from misuse, interference, loss and unauthorised disclosure, such as IT systems, internal access controls and audit trails.
  • Implementing procedures for identifying and reporting privacy breaches and for receiving and addressing complaints.
  • Implementing access and correction procedures.
  • Introducing procedures to give individuals the option of not identifying themselves or of using pseudonyms.
  • Establishing a process to conduct a privacy impact assessment for any new projects where personal information will be handled.
  • Establishing governance mechanisms to ensure ongoing compliance with the APPs, such as appointing designated privacy officers and regular reporting to the board and management.

“With the rise of online technologies and social media, community concerns about how organisations use or misuse private information are at an all-time high,” says Greenman. “Today, privacy is an issue that if done well, builds deep bonds of community trust and customer loyalty. But on the flipside, when things go horribly wrong, such as when a major security breach occurs, the public backlash and negative publicity can inflict long-lasting damage to corporate reputations and see customers deserting a company for a very long time.”

Company directors’ new Q&A video with former Australian Privacy Commissioner Malcolm Crompton will help directors better understand the amendments to the Privacy Act that come into force on 12 March.

The video is a companion to its new book, also written by Malcolm Crompton, Privacy Governance: A Guide to Privacy Risk and Opportunity for Directors and Officers.
