Privacy Act changes: What your start-up must know
Start-ups are being warned to consider changes to the Privacy Act to avoid unwittingly exposing themselves to massive fines in the crucial set-up phase.
You could be forgiven for thinking “What changes?” in response to this. So, what does your business need to know when it comes to privacy?
The Federal Government says changes to the Privacy Act will better protect people’s personal information, simplify credit reporting arrangements and give new enforcement powers to the Privacy Commissioner.
The bill was introduced in May and if enacted, the changes will represent the most significant developments in privacy reform since the Privacy Act was introduced in 1988.
Attorney-General Nicola Roxon says the new privacy laws give power back to consumers over how organisations use their personal information.
“In an online world, we are sharing our personal information more than ever before – whether that be paying our bills online, buying some footy tickets for the weekend, or connecting with friends and family through social media.”
“Both consumers and governments have a role to play to protect privacy. In introducing these changes, the Gillard government is doing its bit to protect the privacy of Australian families,” Roxon says.
Telstra avoids a fine
Luckily for Telstra, fines aren’t yet being imposed on businesses that breach the Privacy Act. In June this year, the telco was slapped on the wrist for exposing 734,000 customers’ details online in December 2011.
The Australian Privacy Commissioner, Timothy Pilgrim, says a database containing the details of customers with a range of Telstra services was made accessible via a link on the internet.
The database contained information such as customer names, phone numbers, order numbers and, in a very limited number of cases, dates of birth, driver’s licence and credit card numbers.
Had the Privacy Act reforms been in force at the time, Telstra could have incurred massive fines for this breach.
Pilgrim says the Privacy Act could soon give him the power to impose penalties or seek enforceable undertakings from organisations he has investigated under his own initiative.
In fact, the amendments could see fines as high as $1.1 million imposed on businesses.
“Privacy law reforms that are currently before Parliament will provide me with additional powers and remedies when conducting such investigations,” Pilgrim says.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 is currently before Federal Parliament and is subject to review by the House Standing Committee on Social Policy and Legal Affairs, and the Senate Legal and Constitutional Affairs Legislation Committee.
Reports on the bill from these committees are due to be released in August and September this year.
A legal perspective
Legal experts agree that the changes to the Privacy Act would have major ramifications for Australian businesses.
Firstly, it would grant the Australian Information Commissioner new powers to pursue large fines for companies found to have engaged in serious or repeated breaches of an individual’s privacy, according to James Deady, senior associate in intellectual property and technology for Melbourne law firm Hall & Wilcox.
Direct marketers and firms that rely on offshore data storage, including cloud storage, should be especially conscious of the changes, Deady says.
“Companies that engage in direct marketing should be particularly cautious, as the bill contains significant restrictions on the use of personal information for direct marketing purposes.”
“As well as increasing penalties and investigative powers, the amendments will place a greater onus on companies to secure customer information, particularly if that information is transferred overseas.”
“For instance, if an Australian company sends customer data offshore to a third-party storage provider, and that provider on-sells the information, or it is hacked, under the new law, the Australian company could be liable for the privacy breach,” he says.
There are also some major concerns about the proposed privacy law reforms.
The Australian Privacy Foundation has voiced significant concerns about the bill and recommends it be defeated or withdrawn. In its current form, it is a backward step in Australia’s privacy protection, it says.
The Australian Direct Marketing Association (ADMA) also has concerns about proposed changes.
ADMA CEO Jodie Sangster says the changes will restrict the way businesses can communicate with their customers through traditional marketing channels as well as digital channels such as online and social media.
“We will be the only country in the world with such a restriction, which will place Australian businesses and consumers at a distinct advantage,” Sangster says.
ADMA is also concerned that the bill includes a provision stating that direct marketing is prohibited, which it says is misleading given that direct marketing remains permitted under the new law, within certain confines.
“The statement that direct marketing is prohibited is going to lead to consumer confusion given that consumers are going to continue to receive direct marketing from companies. This will lead to an increase in complaints,” Sangster says.
Sangster says a better solution would be to require companies to include opt-out mechanisms in their privacy policies, accessible via the company website.
“This would ensure the consumer always knows where to go to express their preferences. It would also set a clear industry standard that all companies can adhere to,” she says.
How to remain protected
Direct marketers and any companies that hold large amounts of customer data should conduct a thorough audit of their privacy policies and processes, Deady says.
While the bill is being considered, businesses should conduct an evaluation of their data security and privacy practices, he says.
“Businesses are often caught out breaching privacy despite their best intentions. If a company is unlucky enough to breach privacy in the near future, it could have substantial financial consequences,” Deady says.
Pilgrim also highlights the importance of conducting a Privacy Impact Assessment (PIA) when commencing new projects.
“Build your privacy in at the beginning; don’t bolt it on as an afterthought,” he says.
“All businesses should conduct a PIA to make sure that potential privacy risks are considered at the start of any project and that risk mitigation strategies are put in place.”
What is a Privacy Impact Assessment?
A PIA is an assessment tool to help businesses manage privacy impacts. It can help identify when personal information collection may be unnecessary, or when a project has poor accountability or oversight processes.
While the Privacy Act does not refer to PIAs or require organisations to complete one, it is in an organisation’s best interests to complete one for any projects that handle personal information.
Analysing privacy impacts during a project’s design phase enables a business to manage negative privacy impacts and avoid costly or embarrassing privacy mistakes.
Six key areas of the privacy reforms:
- Clearer and tighter regulation of the use of personal information for direct marketing.
- Extending privacy protections to unsolicited information.
- Making it easier for consumers to access and correct information held about them.
- Tightening the rules on sending personal information outside Australia.
- A higher standard of protection over sensitive information, including health related data, DNA and biometric data.
- Greater power to the Privacy Commissioner to resolve complaints, conduct investigations and promote privacy compliance.
Source: Federal Government