From 23 February 2018 your business has a statutory obligation to report a data breach involving personal information to the Australian Information Commissioner. If this is not handled correctly, your business could be at serious risk.

Who is subject to the Privacy Act?

All businesses and not-for-profit organisations with an annual turnover of more than $3 million are subject to the Privacy Act 1988 (Privacy Act).

If you do not comply with the provisions of the Privacy Act regarding the collection, use, storage and disclosure of personal information, or if correct procedures are not followed, then you could be the subject of an investigation by the Commissioner and could face civil penalties of up to $360,000 for individuals and up to $1,800,000 for companies. In addition, the reputational risk to your organisation could be significant.

You need to ensure that you or your business has an up-to-date privacy policy which is visible and available at all times, including on your website; that your key documentation (contracts and notices) is in order; and that you have processes in place (including a data breach response plan) to ensure that you comply with Australia’s privacy legislation.

We urge you to assess how you and your business are handling and protecting your clients’ personal information.