So, you’ve scrambled to update your privacy policy now that the changes to the Privacy Act have come in with the accompanying risk of big fines.

But you should do so much more to make sure you don’t get done by the Privacy Commissioner.

Along with having a privacy policy, organisations must take reasonable steps to implement practices, procedures and systems that will ensure compliance with the new Australian Privacy Principles. What you should do to comply depends on a number of issues like your size, the type of business you operate, the nature of the personal information you hold (e.g. do you deal with sensitive information like health records?), and the practicality of the measures you might take.

Some of the things to consider when determining what reasonable steps look like for you:

  • Do you have a procedure for identifying and managing privacy risks?
  • Are your security systems strong enough to ensure information is not misused, disclosed, lost, hacked, etc.?
  • Do you have a procedure for identifying and dealing with privacy breaches and for dealing with complaints?
  • Is someone in your organisation charged with overseeing privacy issues?
  • Have staff who deal with personal information received training on privacy compliance?

It’s basically all about policies and being reasonable. One of the regulator’s recommendations is a password policy. Seriously.

While these obligations are not that new, they are much more important now that the Commissioner has power to impose penalties of up to $1.7 million.