Australian Privacy laws are changing

How will the new privacy laws affect your business?

As the digital age continues to evolve, so do the regulations surrounding data privacy. This can have a significant impact on businesses of all sizes, from multinational corporations to small startups. It’s important for businesses to stay up-to-date with the latest privacy laws to ensure compliance and protect their customers’ data.

For example, Australian privacy laws are undergoing a major overhaul with the introduction of the Notifiable Data Breaches (NDB) scheme. This requires businesses to notify customers and the Office of the Australian Information Commissioner (OAIC) if they experience a data breach. Businesses must also have processes in place to securely collect, store, and handle customer data.

In February 2023, Australia’s Attorney-General released the Privacy Act Review Report. It proposed significant reforms to the Privacy Act, aiming to strengthen Australia’s privacy framework and align it with global standards of privacy protection.

The changes to the Australian Privacy Laws include:

  • A requirement to notify customers when a data breach occurs.
  • Higher penalties for failure to comply with privacy laws.
  • An obligation to take reasonable steps to secure customer data.
  • A duty of transparency when handling customer data, including informing them of any risks that may arise from the collection of their data.
  • Broadening the Privacy Act’s definition of “personal information”.

What is personal information under the new privacy act?

The definition of personal information under the new privacy act has been broadened to include any information that can be used to directly or indirectly identify an individual. This includes but is not limited to names, addresses, phone numbers, email addresses, financial information, medical records, and even IP addresses. The definition also applies to certain types of data generated by computers such as cookies and tracking data.

The report also provided guidance on the use of facial recognition and biometric data, as well as other emerging technologies such as artificial intelligence (AI). It proposed the introduction of a new “right to be forgotten” which would give individuals the right to request their data be deleted from a company’s systems. Businesses will also need to gain consent from customers before they collect, use, or disclose their personal information.

Basic steps to consider for your business

In order to ensure continued compliance with these new privacy laws, businesses should consider the following steps:

  • Appoint a designated data protection officer to oversee and enforce data security measures.
  • Review existing processes and systems for collecting, storing, and managing customer data to identify any potential gaps in security.
  • Develop a comprehensive privacy policy that clearly outlines how customer data is collected, stored, and handled.
  • Ensure customers are informed about how their data is being used and provide them with the option to opt out.

By taking these steps, businesses can help ensure compliance with Australia’s new privacy laws and protect their customers’ data from potential breaches.

Stay up-to-date with privacy laws

It’s essential for businesses to stay abreast of the latest privacy laws and have processes in place to protect customer data. Doing so will help maintain compliance with the law and ensure customers feel their data is secure.

In addition to complying with the legal requirements, businesses should also consider introducing a privacy policy that outlines how they manage and use customer data. This will ensure customers know their data is secure and that their privacy is respected.

I’m a small business – does it apply to me?

The Privacy Act currently only applies to private sector entities if they either have an annual turnover of AU$3 million or above or if they undertake certain activities, such as providing a health service.

The Review Report proposes removing the exception for small businesses whose annual turnover is below AU$3 million, based on community expectations that entities should protect personal information regardless of their annual turnover and the risk posed by serious data breaches.

However, the Review Report also proposes that before the exception is removed, an impact assessment should be conducted. Other measures should be undertaken as well to ensure small businesses are in a position to comply with the Privacy Act’s requirements.

With the introduction of Australia’s new privacy laws, businesses have an opportunity to show their customers that they take their data security seriously. By investing in robust data protection systems and developing a comprehensive privacy policy, businesses can help ensure customer trust and loyalty in the long term.

It’s also important to remember that privacy laws vary from country to country, so businesses must consider the specific regulations in each region where they operate. It’s a good idea for businesses to consult a professional if they’re unsure of how to comply with the laws in their area.

Who should I talk to about having the right policies and systems in place to manage the requirements of the new privacy act?

Businesses should consider consulting professionals to ensure they have the right policies and systems in place to comply with the new privacy act.

This could include working with a lawyer who has expertise in data protection laws, as well as an IT specialist who can help review existing systems and put measures in place for secure data storage.

Additionally, organisations should take steps to educate staff on data protection measures, such as providing training sessions or implementing a security policy. This will help ensure customer data is handled securely and properly managed at all times. Furthermore, you may need to update your employment agreements to include information on privacy policies. Talk to your HR department/consultant about this.

Take steps now

Katherine Hawes from Digital Age Lawyers suggests that, before it becomes mandatory, you can take action now by undertaking a review of the following:

  1. What data do you collect? Analyse what personal information you collect from customers or clients.
  2. Why do you collect it? If it’s not a legal requirement to collect and store it, then determine the risk if that data was breached.
  3. How is the data stored and who has access? Is it possible to limit access to archived data?
  4. What permissions do you have from the person to use that data?
  5. Delete unnecessary data along with data that you are no longer required to keep.

These steps are designed to minimise the risk to your customers/clients if you suffer a data breach.

The key is to create a culture of privacy, where information is protected. This includes work-from-home policies and procedures, along with instilling the requirement to keep information confidential when working out of the office. For example, don’t take calls in the car or at coffee shops. Don’t use the home computer for work when others can access that data.

Digital Age Lawyers currently has an offer for small businesses to help them prepare:

Small Business Offer

  1. Update Existing Privacy Policy + Website Terms & Conditions: $375 + GST
  2. Develop Privacy Policy + Website Terms & Conditions with a tailored Privacy Statement: $750 + GST
  3. Staff Training Sessions on Data and Privacy Protection (1 hour, up to 20 staff, via Zoom): $500 + GST

Find out more about Digital Age Lawyers here. https://www.digitalagelawyers.com

Author: Kerrie Sheaves

