One year ago today the amendments to the Privacy Act 1988(Cth) came into effect. The Privacy Act, which incorporates the Australian Privacy Principles, regulates how personal information should be handled.
Personal information is information or an opinion about a person, or a reasonably identifiable person, no matter whether that information or opinion is true or not. A person’s name, email address, phone number and credit card details will be personal information. Some personal information will be ‘sensitive information’, for example, information or an opinion about a person’s ethnic origin, religious beliefs or their health.
Your business will need to comply with the Privacy Act if:
- it is an APP entity – an ‘organisation’ with an annual turnover of more than $3 million or an ‘agency’;
- it is a health service provider and holds health information about people;
- it discloses personal information about a person to anyone else for a benefit, service or advantage;
- it provides services under a contract with the Commonwealth; or
- it is a credit reporting body.
If you are doing business outside of Australia, but your business has an ‘Australian link’, then the Privacy Act will also apply to any acts your business does outside of Australia even if your business has an annual turnover of $3 million or less.
Some compliance tips
Only collect what you need to: It’s tempting to collect a lot of information about your customers as it might be useful one day. But your business should only collect personal information that is reasonably necessary to carry out its functions and activities. Put simply, if you don’t need it, don’t collect it. The more personal information you collect and hold, the more you will need to do to comply with the Privacy Act.
Protect personal information: Businesses like publicity, but not when that publicity comes as a result of an inadvertent leak or disclosure of customers’ personal information. Your business needs to take steps that are reasonable in the circumstances to protect personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
The guide recently published by the Office of the Australian Information Commissioner suggests that what ‘reasonable’ steps are for a business will depend on factors such as the nature of the business, the type of personal information the business holds and the practical implications of implementing security measures for the business1.
Train your staff: You need to train your staff so that they are aware of obligations under the Privacy Act. Nominate someone senior within your business as the Privacy Officer and make it the task of the Privacy Officer to monitor compliance with the Privacy Act. The Privacy Officer should also be available to help staff members with any questions they may have about privacy and to respond to customer complaints or queries about privacy.