Retailers and suppliers that collect personal information, such as on a warranty card, a competition entry form or simply for a call back when a product comes in, should take note: new privacy laws came into effect during March covering the collection, use, disclosure and storage of personal information.
The new laws apply to government agencies, businesses with an annual turnover of $3 million or more and businesses that buy or sell personal information. Retailers must be wary of how they handle customer information or risk fines of up to $1.7 million for a privacy breach by a company and $340,000 for individuals.
Privacy Commissioner Timothy Pilgrim called the new rules the “most significant change to privacy laws in 25 years”.
The 13 new Australian Privacy Principles (APPs) that have been introduced require more transparency around how personal information is handled. Businesses must have a clear and up-to-date privacy policy and procedures to deal with inquiries or complaints from individuals concerning private information. The APPs allow individuals to access and correct their personal information.
Privacy law specialist Peter Karcher, a partner at ClarkeKann Lawyers, said the days of creating a privacy policy and forgetting about it are over. Businesses are now more accountable for the information they collect.
“Companies need to update their privacy policy and review their whole process around privacy and notification,” he said.
Karcher recommends businesses audit their processes for collecting and storing information, review current practices to ensure compliance and notify customers of their privacy policy.
Another major change relates to the disclosure of personal information overseas. Steps must be taken before information is disclosed overseas to ensure that the recipient does not breach Australian Privacy Principles in relation to the information.
Karcher says businesses must be aware of where their data is stored and who it is being disclosed to, as they are now liable for the actions of a third party.
Under the APPs, businesses must take reasonable steps to ensure the personal information they collect is accurate, up-to-date and complete. Reasonable steps must also be taken to protect personal information from misuse, interference and loss. Under certain circumstances a business may be required to destroy sensitive information.
Individuals must also have the option of not identifying themselves or of using a pseudonym.
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met, such as providing an easy opt-out option. A business must also notify an individual when it collects personal information about them.
Aaron Greenman from IT consultancy Protiviti and Nalini Kara from Salmat have offered their tips for complying with the new laws.