Tips for businesses to protect consumers’ personal information

Malcolm Campbell

Co-authored by Olivia Camilleri

Appropriately handling consumers’ personal information (information or an opinion that identifies, or could reasonably identify, an individual) and keeping it safe is critical for businesses in this digital age.

With the release of the Privacy Act Review Report, data protection and privacy must be at the forefront of businesses’ minds.

Ahead of reforms to Australia’s privacy and data protection framework, it’s timely to reinforce how organisations can protect consumers’ personal information and mitigate privacy risks. This article will review the legal requirements outlined in the Privacy Act 1988 (Privacy Act). We will discuss why protecting consumers’ personal information is important and provide our top tips on how to protect personal information.

The Privacy Act

The Privacy Act protects consumers’ right to privacy by regulating how Australian organisations handle and protect personal information. Under section 20Q of the Privacy Act, a reporting organisation must protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. A reporting entity/body is an organisation with an annual turnover that exceeds $3 million. Reporting entities/bodies must comply with the Privacy Act.

Section 6D of the Privacy Act exempts small businesses with an annual turnover under $3 million from complying, provided they obtain consent from individuals to collect and disclose their personal information. However, there are exceptions. Some organisations meeting the definition of a “small business” may still have to comply with the Privacy Act under section 6D(4) if they:

  • Provide a health service to an individual;
  • Disclose or sell personal information as part of their business;
  • Are a contracted service provider for a Commonwealth contract; or
  • Are a credit reporting body.

The 13 Principles

Schedule 1 of the Privacy Act sets out the Australian Privacy Principles (APPs). The APPs provide a framework for businesses to comply with the Privacy Act and comprise the following:

  1. Open and transparent management of personal information
  2. Anonymity and pseudonymity
  3. Collection of solicited personal information
  4. Dealing with unsolicited personal information
  5. Notification of the collection of personal information
  6. Use or disclosure of personal information
  7. Direct marketing
  8. Cross-border disclosure of personal information
  9. Adoption, use or disclosure of government related identifiers
  10. Quality of personal information
  11. Security of personal information
  12. Access to personal information
  13. Correction of personal information.

It’s crucial that businesses that meet the mandatory requirements under the Privacy Act apply these principles and guidelines.

Reporting breaches of personal data

Under section 26WK of the Privacy Act, a business must comply with the Notifiable Data Breaches scheme when it knows that a breach of personal information has occurred. This scheme ensures that all breaches of personal information are reported to the individual affected and the Office of the Australian Information Commissioner (OAIC).

Why is it important to protect personal information?

Protecting personal information is critical to ensuring consumers’ rights and confidentiality are protected, and to upholding a positive perception of your organisation’s reliability. Recent data breaches at major companies emphasise the importance of developing a robust system for protecting personal information, and the impact a loss of consumer confidence can have on a business. This impact was demonstrated by the 2022 Optus cyber attacks, which resulted in the personal information of approximately 10 million customers being compromised. Similar incidents occurred at Medibank and Woolworths, which both experienced data breaches resulting in the disclosure of customers’ personal information.

Due to the digital nature of data breaches, individuals who compromise consumers’ personal information are protected by a layer of anonymity. This makes it harder to identify and prosecute cyber criminals. In turn, it’s highly probable that cyber criminals will continue to target businesses, emphasising the need for businesses to comply with the Privacy Act and establish strong procedures to adequately protect personal information.

Top five tips to protect personal information

1. Limit the quantity of personal information your organisation accumulates

Only collect personal information that is necessary for your purposes. Where the information is necessary, seek it directly from the individual concerned. Securely delete, destroy or de-identify what you don’t need.

2. Secure your personal information

Make sure the personal information your business collects is subject to strict security. Take steps to protect it from any loss, misuse, modification, unauthorised access or disclosure.

3. Establish robust processes and procedures surrounding the protection of personal information

Establish, implement and regularly review your business’ processes, practices and policies when it comes to personal information. Don’t forget to train your team!

4. Limit access to personal information

Limit access to personal information to those who need it: access should be granted on a need-to-know basis only.

5. Create a Privacy Policy

If your business is covered by the Privacy Act, ensure you have a compliant privacy policy. A strong privacy policy demonstrates transparency in how you protect privacy and establishes trust, credibility and corporate responsibility. The OAIC outlines what an organisation’s or agency’s privacy policy must disclose to consumers, including:

  • The name and contact details of the organisation/agency
  • The type of personal information they collect and store
  • How personal information is collected and where it is stored
  • Their reasons for collecting personal information
  • How personal information will be used and disclosed
  • How consumers can access their personal information and correct/amend their information
  • How consumers can lodge a complaint if they feel their information has been mishandled and how their complaint will be dealt with by the organisation
  • If the organisation is likely to disclose consumer information internationally, it must state the countries they will likely disclose information to (if practical).

Businesses should treat the above as a checklist to ensure their privacy policy is adequately detailed and informs consumers.

Four key takeaways:

  1. The Privacy Act holds businesses accountable to ensure personal information is protected.
  2. Cyber criminals have successfully obtained large quantities of personal information by breaching major corporations’ databases and will likely continue to do so.
  3. Successful data breaches hinder consumers’ confidence in organisations.
  4. Businesses should seek to implement robust procedures and policies to adequately comply with the Privacy Act and protect personal information.

To discuss how to ensure that your business is compliant with its obligations under the Privacy Act, please contact Coleman Greig’s Privacy and Data Protection specialists.

© 2024 Coleman Greig Lawyers