Tips for businesses to protect consumers’ personal information

Ersel Akpinar

Co-authored by Olivia Camilleri

Appropriately handling consumers’ personal information (information or an opinion that can identify or reasonably identify an individual) and keeping it safe is critical for businesses in this digital age.

With the release of the Privacy Act Review Report, data protection and privacy must be at the forefront of businesses’ minds.

Ahead of reforms to Australia’s privacy and data protection framework, it’s timely to reinforce how organisations can protect consumers’ personal information and mitigate privacy risks. This article will review the legal requirements outlined in the Privacy Act 1988 (Privacy Act). We will discuss why protecting consumers’ personal information is important and provide our top tips on how to protect personal information.

The Privacy Act

The Privacy Act protects consumers’ rights to privacy by regulating how Australian organisations protect personal information. Under section 20Q of the Privacy Act, a reporting organisation must protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. A reporting entity/body is an organisation with an annual turnover that exceeds $3 million. Reporting entities/bodies must comply with the Privacy Act.

Section 6D of the Privacy Act exempts small businesses with an annual turnover under $3 million from complying, provided they obtain consent from individuals to collect and disclose their personal information. However, there are exceptions. Some organisations meeting the definition of a “small business” may still have to comply with the Privacy Act under section 6D(4) if they:

  • Provide a health service to an individual;
  • Disclose or sell personal information as part of their business;
  • Are a contracted service provider for a Commonwealth contract; or
  • Are a credit reporting body.

The 13 Principles

Schedule 1 of the Privacy Act outlines the Australian Privacy Principles (APPs). The APPs provide a framework for businesses to adequately comply with the Privacy Act and comprise the following:

  1. Open and transparent management of personal information
  2. Anonymity and pseudonymity
  3. Collection of solicited personal information
  4. Dealing with unsolicited personal information
  5. Notification of the collection of personal information
  6. Use or disclosure of personal information
  7. Direct marketing
  8. Cross-border disclosure of personal information
  9. Adoption, use or disclosure of government related identifiers
  10. Quality of personal information
  11. Security of personal information
  12. Access to personal information
  13. Correction of personal information.

It’s crucial that businesses that meet the mandatory requirements under the Privacy Act apply these principles and guidelines.

Reporting breaches of personal data

Under section 26WK of the Privacy Act, a business must comply with the Notifiable Data Breaches scheme when it knows that a breach of personal information has occurred. This scheme ensures that all breaches of personal information are reported to the individual affected and the Office of the Australian Information Commissioner (OAIC).

Why is it important to protect personal information?

Protecting personal information is critical in ensuring consumers’ rights and confidentiality are protected, and in upholding a positive perception of your organisation’s reliability. Recent data breaches at major companies emphasise the importance of developing a robust system for protecting personal information, and the impact a loss of consumer confidence can have on a business. This impact was demonstrated by the 2022 Optus cyber attacks, which resulted in the personal information of approximately 10 million customers being compromised. Similar incidents occurred at Medibank and Woolworths, which both experienced data breaches resulting in the disclosure of customers’ personal information.

Due to the digital nature of data breaches, individuals who compromise consumers’ personal information are protected by a layer of anonymity. This makes it harder to identify and prosecute cyber criminals. In turn, it’s highly probable that cyber criminals will continue to target businesses, emphasising the need for businesses to comply with the Privacy Act and establish strong procedures to adequately protect personal information.

Top five tips to protect personal information

1. Limit the quantity of personal information your organisation accumulates

Only collect personal information that is necessary for your purposes. Where the information is necessary, collect it directly from the individual concerned. Securely delete, destroy or de-identify what you don’t need.

2. Secure your personal information

Make sure the personal information your business collects is subject to strict security controls. Take steps to protect it from loss, misuse, modification, unauthorised access or disclosure.

3. Establish robust processes and procedures surrounding the protection of personal information

Establish, implement and regularly review your business’s processes, practices and policies for handling personal information. Don’t forget to train your team!

4. Limit access to personal information

Limit access to personal information to those who need it to do their job: access should be granted strictly on a need-to-know basis.

5. Create a Privacy Policy

If your business is covered by the Privacy Act, ensure you have a compliant privacy policy. A strong privacy policy demonstrates transparency about how personal information is handled and builds trust, credibility and corporate responsibility. The OAIC outlines what an organisation or agency’s privacy policy must disclose to consumers, including:

  • The name and contact details of the organisation/agency
  • The type of personal information they collect and store
  • How personal information is collected and where it is stored
  • Their reasons for collecting personal information
  • How personal information will be used and disclosed
  • How consumers can access their personal information and correct/amend their information
  • How consumers can lodge a complaint if they feel their information has been mishandled and how their complaint will be dealt with by the organisation
  • If the organisation is likely to disclose consumer information internationally, it must state the countries they will likely disclose information to (if practical).

Businesses should treat the above as a checklist to ensure their privacy policy is adequately detailed and informs consumers.

Four key takeaways:
  1. The Privacy Act holds businesses accountable to ensure personal information is protected.
  2. Cyber criminals have successfully obtained large quantities of personal information by breaching major corporations’ databases and will likely attempt to continue to do so.
  3. Successful data breaches hinder consumers’ confidence in organisations.
  4. Businesses should seek to implement robust procedures and policies to adequately comply with the Privacy Act and protect personal information.

To discuss how to ensure that your business is compliant with its obligations under the Privacy Act, please contact Coleman Greig’s Privacy and Data Protection specialists.

© 2024 Coleman Greig Lawyers   |  Liability limited by a scheme approved under Professional Standards Legislation. ABN 73 125 176 230