With heightened public and regulator scrutiny of the Property & Construction sectors, it’s more important than ever to ensure that you understand what the risks are and have the right measures in place to protect data.
1: Managing the personal information of employees, contractors and visitors
Whether you’re building or managing a residential or commercial space, you have legal obligations in respect of the personal information you collect and use. You likely collect data about employees, contractors, tenants and visitors. Failure to handle this data in accordance with the requirements of the Australian Privacy Principles (APPs) under the Privacy Act could see you facing fines of up to $2.1m (soon to be the greater of $10m, 3 times the benefit and 4% of the annual domestic group revenue), damages of around $10,000 per complainant and irreparable damage to your reputation.
Ensure you are aware of all data you collect, hold and/or share that could constitute personal information. That is, information that could reasonably identify an individual, including when combined with other generally available information.
Also, contrary to the prevailing wisdom, the collection of employee personal information is not exempt from the APPs.
Where you collect sensitive information (e.g. a webcam photo of employees or a visitor’s face or health information) you must obtain consent to such collection and the proposed uses of that information.
The APPs include requirements relating to the storage, use and sharing of personal information, notification of all ‘eligible data breaches’ and a requirement that you delete or de-identify personal information when it is no longer required by law to be kept and no longer needed for the purpose(s) for which it was collected. How long are you keeping visitor registration information?
We recommend that you conduct an audit/review of your information holdings and processes to ensure that you are collecting, using and disclosing personal information in an open, transparent and compliant manner, that any consents you require are actually being obtained and your data breach response plan is appropriate.
2: Public Wi-Fi and e-marketing
If you offer public Wi-Fi for visitors to your property (even if provided by a third party on your behalf), you are likely to be collecting personal information through a ‘captive portal’.
3: Are your contractors privacy and information security compliant?
You might have a number of contractors involved in providing services at your site or property (including, for example, provision of Wi-Fi). If just one lets you down on privacy or information security compliance, you may be left picking up the pieces (and be liable for it).
The best line of defence against this is to ensure that all of your contractual arrangements have privacy and information security requirements built in. We can conduct a gap analysis of current contractual terms and help you to negotiate terms that sensibly and fairly allocate privacy and information security obligations across the supply chain. We can also help you propose contract terms that put you in good stead in relation to privacy and information security in new contracts.
Key terms to consider in all services agreements include business continuity, data breaches and incident response, and catch-all privacy and information security compliance obligations.
4: Tracking, surveillance, fleet management and data analytics
There are numerous privacy issues to consider in relation to tracking, surveillance, fleet management and data analytics, particularly where such information is collected in tandem with technologies offered by social media platforms and/or where such data is used as part of a data analytics program. Also, surveillance footage is personal information and can only be held for as long as required for the notified purposes of collection. Once these purposes are fulfilled (and if it is not otherwise required to be kept by law) it must be deleted or de-identified. While surveillance (of all sorts) can be done in a privacy-compliant way, we have rarely seen it done well in practice without assistance. We recommend undertaking a privacy review (starting with data flow mapping) of all tracking, surveillance and analytics activities.
5: Do you need to comply with GDPR?
The EU General Data Protection Regulation (GDPR) introduced major new privacy, security and marketing obligations and individuals’ rights from 25 May 2018. It also applies far more widely outside the EU, and to non-EU companies, than the previous EU privacy laws did. Generally, the GDPR applies:
- where you have an ‘establishment’ (whether physically or online) in the EU;
- where you offer goods or services in the EU; and/or
- where you monitor/track individuals in the EU.
In practice, this means that if you (as an Australian company) have a branch or sales office in the EU, or otherwise target potential investors, buyers or tenants in the EU and collect information about individuals located in the EU (e.g. for these purposes or for enhancing your digital marketing strategy), the GDPR will likely apply to you. Failure to comply with the provisions of the GDPR, where applicable, may result in fines of up to the greater of €20m or 4% of annual global group turnover. However, before undertaking an expensive GDPR compliance uplift, we recommend first obtaining legal advice to ascertain whether you are caught by the GDPR and, if so, whether changes to any of your activities would reduce or eliminate its impact.
6: FIRB sharpens its focus on acquisitions of/investment in data-rich Australian assets
The Foreign Investment Review Board (FIRB) is directing greater regulatory scrutiny to proposals that involve foreign investors gaining access to the personal information of and data about Australian residents (e.g. visitors to shopping centres). This reflects heightened awareness that data protection is of critical importance to Australia’s national interest. This may adversely affect capital availability or potential buyers. However, this is likely to be less of an issue for those Australian businesses with a greater emphasis on robust data protection and better-practice privacy management controls in place.
2019 saw the introduction of a significantly expanded whistleblower protection regime covering the majority of larger businesses (all public companies and all private businesses with 50+ staff, $12.5m+ in group assets or group revenue of $25m+). Staff who report on a broad range of conduct (including ‘misconduct’ and an ‘improper state of affairs’, whether or not the whistleblower reveals their identity and whether or not they act in ‘good faith’) must now be protected.
A compliant whistleblowing policy must be implemented by all larger businesses by 1 January 2020. This policy must include certain mandatory content. Failure to do so by 1 January 2020 is a criminal offence. You must also be prepared to respond to ‘emergency disclosures’ and ‘public interest disclosures’ (disclosures which can be forwarded to the media in certain circumstances) and ensure your processes are robust enough to comply with this significantly expanded regime. As time is running out to prepare and implement your whistleblowing policy, we are happy to discuss this with you now.