Six important points your business should be following under the new privacy rules introduced in Australia this week.
Today, new amendments to the Privacy Act come into effect that will enforce tougher security and privacy requirements on all organisations with an annual turnover of more than $3 million, along with government agencies.
This should be of interest if you are a business that collects data about customers, suppliers, staff or anyone else you deal with.
The 13 new Australian Privacy Principles (APPs) replace the National Privacy Principles and Information Privacy Principles and will apply to organisations and Australian Government agencies.
There's a comprehensive fact sheet about the 13 principles made available by the government. But what does a business that is subject to these principles need to do?
Here's our quick summary of some of the high-level things your business might need to do. Remember – this isn’t specific legal advice. If you believe that your business will be affected by these changes you need to get your own counsel.
1. You need a privacy policy
The fact sheet tells you what sorts of things the policy needs to contain and that it needs to be easily accessible at no charge.
2. Anonymity and what data you collect
Only collect data you reasonably need and remember that individuals must have the option of not identifying themselves, or of using a pseudonym.
Also, you can’t use government identifiers like Tax File Numbers or Medicare Card numbers as identifiers within your systems.
3. You can’t keep data indefinitely
Here's where it gets tricky. If you receive personal data that you didn't solicit and would not have received under normal circumstances, you need to destroy it and ensure that it is de-identified.
4. Be transparent when you collect data
If you collect data about someone you need to let them know you're collecting and storing it. And, if you collect data about someone for a specific purpose, you can't re-use or share that data for direct marketing.
5. The rules cross borders
There may be entirely legitimate instances where you need to send data offshore and share it. If that happens, you must ensure that the overseas recipient does not breach the Australian Privacy Principles.
6. Quality, security and access
The principles explicitly state that you need to take reasonable steps to ensure that the data you hold is correct, up to date and complete. It needs to be secured against unauthorised access.
Personal information about individuals needs to be made available to those individuals if they request it.
Here are some links for further reading:
- Privacy Fact Sheet
- Privacy Law Reform
- Smaller companies could get leeway in security breaches
- Understanding Australia's new Privacy Act