Continuous advances in technology and in how organisations run their businesses led to significant changes to the Privacy Act 1988 (Privacy Act) in March 2014, when the Privacy Amendment (Enhancing Privacy Protection) Act 2012 took effect. The new Australian Privacy Policy Principles (APP’s) within the amended Act focus on adapting to social and technological change, and affect how organisations collect, use, disclose and store personal information, engage in cross-border transactions, and use cloud technologies and direct marketing tools. The APP’s apply to Australian and Norfolk Island government agencies and to private sector organisations with an annual turnover of $3 million or more.
Since the introduction of the APP’s, a number of the insolvency appointments SV Partners has received have come from companies that had not yet reviewed and updated their privacy policies and procedures, and were therefore not compliant with the new reforms. This is particularly evident among retailers and recruitment companies, which handle sensitive personal data, including bank account details. Many of these businesses are unaware of the requirements they must meet for data collection and storage, or of the need to keep their privacy policy accurate and easily accessible for their customers to review.
Tips for ensuring compliance
An organisation can review the following areas to assist with compliance:
- Conduct a privacy audit of your firm to determine which APP’s you must comply with
- Prepare an internal compliance guide, and train staff on how to comply with the relevant APP’s
- Review information holdings to determine whether ‘personal information’ or ‘sensitive information’ is handled
- Review practices, procedures and systems to ensure compliance with the new APP’s and any registered APP Codes
- Review your privacy policy and make this readily available in an appropriate format
- Review practices, procedures and systems for the use and disclosure of personal information and sensitive information
- Review practices, procedures and systems for sending personal information overseas (this may include reviewing outsourcing agreements)
- Review direct marketing practices, procedures and systems (including whether individuals are provided with an easy way to opt out of receiving direct marketing)
- Review practices, procedures and systems for ensuring personal information is protected from misuse, interference, loss and from unauthorised access, modification or disclosure
Non-compliance can result in prosecution, with monetary penalties of up to $1.1 million for corporate entities and $220,000 for non-corporate entities. If you are unsure whether your clients’ business is compliant with privacy laws, we suggest undertaking a privacy audit or visiting the Office of the Australian Information Commissioner website at www.oaic.gov.au for more information.