You’re a General Counsel responsible for overseeing legal compliance. You know the privacy law changes commence in March 2014. You are losing sleep... what do you do?
Time is running short, budgets are tight and the changes are complex. So, how can you find a way through the legislation and get ready without spending a fortune on external assistance?
Our pointers are below. The purpose is to identify your compliance gaps under the new regime and address them efficiently to close off key risks.
The trend towards greater protection of individuals’ personal information is worldwide and Australia is no exception.
Privacy requirements will continue to grow in coming years and privacy compliance will be increasingly important for private enterprise and the government sector.
The March 2014 changes give the Privacy Commissioner much stronger powers than before, including the ability to seek civil penalties of up to $1.7 million for a serious or repeated privacy breach. The Commissioner’s power to act after an “own motion” investigation will also be bolstered.
Underlining the intention behind the reforms the Commissioner said recently, “I will not be taking a softly softly approach.”
Businesses and Commonwealth government agencies will need to meet substantially higher privacy requirements. Changes must be made to current business practices, including:
- What you say to individuals when you collect personal information about them.
- How you use direct marketing.
- How you ensure privacy education and compliance within your organisation.
- The contractual terms under which you disclose personal information outside Australia, e.g. to an IT services provider.
What to do
Conducting a privacy audit within your organisation is the starting point. The audit should identify gaps between current practice and the new privacy requirements. It should also cover the Spam Act since it’s closely related to privacy law.
Apart from your legal team, the audit project should involve senior management from IT, Marketing and HR, to identify the types of personal information collected, how it’s collected and used, to whom it’s disclosed and how it’s stored.
Key documents relating to the collection and handling of personal information should be compiled, e.g. web forms where consumers can join your mailing list and contracts with overseas IT services providers.
The aim is to identify key areas where current practice doesn’t meet the standards mandated under the legislation. At the same time, you can educate internal stakeholders (IT, Marketing, HR, Legal) about the new requirements.
The outcome of the privacy audit will be a list of action items that need addressing before March 2014. This list can be worked through to close the compliance gaps.
Whether or not the privacy audit is handled internally or with assistance from an external legal firm depends on the privacy and spam law expertise of your in-house legal team.
When to act
Privacy audits should be under way now. If your audit identifies compliance gaps – which is likely – sufficient time will be needed to close them by March 2014. Leaving it until next year carries the real risk of running out of time.
If the Privacy Commissioner chooses to make a public example of someone next year, make sure it’s not your organisation!