
Changes to the Privacy Act

Following a string of high-profile cyber-attacks and data breaches affecting Australian businesses in recent months, the Federal Government has introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which increases the penalties associated with serious breaches of the Privacy Act 1988.

Overview

The Privacy Act requires organisations to notify both the individuals impacted by certain data breaches and the Office of the Australian Information Commissioner. A data breach occurs when personal information is accessed or disclosed without the individual’s expressed permission, or is mishandled.

A data breach can result in serious harm to an individual’s reputation, financial position and also their confidence in you as a business. A data breach can also be costly to your business: it can result not only in large penalties but also in a damaged reputation and customers losing trust in you and your business.

The Privacy Act contains 13 Australian Privacy Principles which regulate the way personal information is collected, stored, accessed, used and disclosed.

As an individual, the Privacy Act gives you greater control over the way that your personal information is handled. The Privacy Act allows you to:

  • know why your personal information is being collected, how it will be used and who it will be disclosed to
  • have the option of not identifying yourself, or of using a pseudonym in certain circumstances
  • ask for access to your personal information (including your health information)
  • stop receiving unwanted direct marketing
  • ask for your personal information that is incorrect to be corrected
  • make a complaint about an organisation or agency the Privacy Act covers, if you think they’ve mishandled your personal information.

As a business, the Privacy Act obligates you to:

  • take such steps that are reasonable to ensure your business complies with the Australian Privacy Principles
  • have an up-to-date privacy policy
  • only collect personal information by lawful and fair means
  • notify individuals why their personal information is being collected
  • take reasonable steps to protect customers' personal information from misuse, interference, loss and unauthorised access.

Who is impacted?

The Privacy Act was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies, organisations with an annual turnover of greater than $3 million, and certain other organisations handle personal information.

The Privacy Act covers some small business operators with an annual turnover of $3 million or less, including:

  • a private sector health service provider — an organisation that provides a health service includes:

    - a traditional health service provider, such as a private hospital, a day surgery, a medical practitioner, a pharmacist and an allied health professional
    - a complementary therapist, such as a naturopath and a chiropractor
    - a gym or weight loss clinic or
    - a child care centre, private school and a private tertiary educational institution
  • a business that sells or purchases personal information
  • a credit reporting body
  • a contracted service provider for an Australian Government contract
  • an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009
  • a business that holds accreditation under the Consumer Data Right System
  • a business that has opted-in to the Privacy Act
  • a business that is related to a business that is covered by the Privacy Act
  • a business prescribed by the Privacy Regulation 2013.

Penalty increases

The Bill will increase maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of:

  • $50 million
  • three times the value of any benefit obtained through the misuse of information or
  • 30 per cent of a company's adjusted turnover in the relevant period.

The Bill will also:

  • provide the Australian Information Commissioner with greater powers to resolve privacy breaches
  • strengthen the Notifiable Data Breaches scheme to ensure the Australian Information Commissioner has comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals
  • equip the Australian Information Commissioner and the Australian Communications and Media Authority with greater information sharing powers
  • lower the threshold for a foreign organisation to be covered by the Act.

What’s next?

The Federal Government has indicated that the introduction of the Bill is just one aspect of a wider review of the Privacy Act 1988.

If you’re unsure how these changes impact you and your business please make sure you talk with us to gain clear insights and guidance. Our team at BLG Business Advisers are Wollongong Accountants who service right around Australia. There is no cost or commitment involved in an initial chat with us, which leaves you free to decide if we are the right fit for you.

Whatever you decide we wish you and your business every success!

*This article is for general information purposes only and is not intended as legal advice.
This information is correct at the time of publishing and is subject to change.*