Australian businesses have less than six months to prepare for far stricter federal privacy requirements, and need to start preparing now, experts tell SmartCompany.
The 250 pages of amendments to the Privacy Act, passed in November 2012 with the majority taking effect from March 2014, will affect all Australian companies turning over more than $3 million a year.
A carve-out of the laws has been retained for businesses smaller than that. It wonโt affect your corner deli.
But for businesses who do meet the threshold, the changes are quite significant, says David Smith, a partner at Corrs Chambers Westgarth. โItโs a far higher bar than what existed previously.โ
From March, businesses that fall under the act will have to publish a freely available privacy policy, which must contain:
The Spam Act will continue to apply to marketing materials, which means you have to give people easily accessible ways to unsubscribe from mailing lists. However, the Privacy Act changes will also place new restrictions on direct marketing materials sent in the mail, requiring you to maintain a simple mechanism by which people can opt out of further marketing, and including a statement on your marketing saying how they can do so.
Two exceptions to the act continue to apply: employees will not have the same rights to access their data, nor will corporate bodies have a right to access information you might keep about their company.
Businesses who fail to comply with the new standards face fines of up to $1.7 million for repeated or serious breaches of the act. It’s a significant increase to the powers of the Privacy Commissioner, says Justin Cudmore, a partner at Marque Lawyers.
“Under the current act, the Commissioner has little ability to do anything to enforce the privacy laws,” he tells SmartCompany.
“As a result of the changes, the Commissioner will be able to seek civil penalties for privacy breaches (ie. make you pay up to $340,000 for individuals and $1.7 million for companies), and accept enforceable undertakings (meaning you promise to do something regarding privacy, and if you break that promise you could be required to pay compensation).
“The Commissioner will also have much broader powers to investigate suspected privacy breaches. To date he has generally only investigated where there has been a serious complaint or a lot of media attention.”
The most onerous obligation on businesses, Cudmore says, is that they have to ensure the overseas entities they supply data to comply with Australian privacy laws. This can be tricky with cloud storage, although, he notes, often cloud storage providers do not actually access or use the information kept on their services.
Smith says the biggest change is likely to be cultural.
โOne of the new requirements is that you have to have a formal privacy compliance program,โ he says. โMost businesses have some sort of program, but this really ups the ante. Now, it has to be formal, and apart from anything else, that means it has to be documented.
โBusinesses really need to do a review before March, if they havenโt already, that looks at their privacy compliance. If necessary, they need to formalise it and make it more thorough.โ
Part of this formalisation of privacy procedures extends to things like having a privacy officer, and having internal policies to deal with breaches of privacy and privacy complaints.
โItโs also about training your staff who deal with personal information,โ Smith adds.
Myriam Robin is a reporter for SmartCompany and its sister site LeadingCompany. She has degrees in economics, international studies and journalism. She likes writing about businesses taking risks and doing new things.
Comments