This month the Australian government introduced new privacy rules for all businesses and government organisations. The penalties for not following these new laws include not only hefty fines but also bad media publicity for organisations that don't take care. Below are six key points your business should follow under the new privacy laws.
The new amendments to the Privacy Act will enforce tougher security and privacy requirements on all organisations with an annual turnover of more than $3 million, along with government agencies.
This should be of interest if you are a business that collects data about customers, suppliers, staff or anyone else you deal with.
The 13 new Australian Privacy Principles (APPs) will replace the National Privacy Principles and Information Privacy Principles and will apply to organisations and Australian Government agencies.
There's a comprehensive fact sheet about the 13 principles made available by the government. But what does a business that is subject to these principles need to do?
Here's our quick summary of some of the high-level things your business might need to do. Remember – this isn’t specific legal advice. If you believe that your business will be affected by these changes you need to get assistance from your own legal adviser.
1. HAVE A PRIVACY POLICY
The fact sheet tells you what sorts of things your privacy policy needs to contain and that it needs to be easily accessible at no charge.
2. ANONYMITY AND WHAT DATA YOU COLLECT
Only collect data you reasonably need and remember that individuals must have the option of not identifying themselves, or of using a pseudonym.
Also, you can’t use government identifiers like Tax File Numbers or Medicare Card numbers as identifiers within your systems.
3. YOU CAN’T KEEP DATA INDEFINITELY
Here's where it gets tricky. If you receive personal data that you didn't solicit, and that you would not have received under normal circumstances, you need to destroy the data and ensure that it is de-identified.
4. BE TRANSPARENT WHEN YOU COLLECT DATA
If you collect data about someone you need to let them know you're collecting and storing it. And, if you collect data about someone for a specific purpose, you can't re-use or share that data for direct marketing.
5. THE RULES CROSS BORDERS
There may be completely legitimate instances where you need to send data offshore and share it. If that happens, you must ensure that the overseas recipient does not breach the Australian Privacy Principles.
6. QUALITY, SECURITY AND ACCESS
The principles explicitly state that you need to take reasonable steps to ensure that the data you hold is correct, up to date and complete, and that it is secured against unauthorised access.
Personal information about individuals needs to be made available to those individuals if they request it.
Here are some links for further reading: