Late last year the government passed amendments to the Privacy Act 1988, implementing changes to Australian privacy law in a number of areas.
A key change is the replacement of the current National Privacy Principles (NPPs) with a unified set of 12 new ‘Australian Privacy Principles’ (APPs) to regulate the handling of personal information.
These changes take effect from 12 March 2014 and will have significant impact on the way companies collect and deal with various forms of personal information.
If you are yet to prepare your business for these changes, particularly in relation to computer systems and cyber safety, make it a priority now! Here’s a summary to help you get started.
What are the key changes in relation to protection of information?
The APPs will introduce an obligation to companies, and individuals, to take reasonable steps to protect personal information from ‘interference’, such as attacks on computer systems.
This is just one example of the new way in which entities will need to proactively protect personal information, and will apply in addition to existing obligations to protect personal information from misuse and loss, unauthorized access, modification and disclosure.
What are the new powers and penalties?
Under the Privacy (Enhancing Privacy Protections) Act 2012, the Office of the Australian Information Commissioner (OIAC) will have its functions and powers expanded to include the power to investigate and monitor compliance, and to award significant civil penalties for serious or repeated breaches of privacy.
Penalties of up to $1.7 million can apply to body corporates and $340,000 to APP entities that are not body corporates, including individuals.
Some examples of how you could be exposed include:
Accidentally emailing sensitive information, i.e. names, email addresses and personal information
- Allowing employees to access sensitive data without any need or right
- Loss of sensitive data due to computer errors or viruses
- Data being stolen by a network or cloud hacker anywhere around the globe
- Misusing data, i.e. for the purpose of direct marketing and soliciting emails
- Leaking secure information via blogs, flash drives, attachments, instant messaging and webmail
- Costs related to disaster/document recovery - a lawsuit stemming from a security failure or penalties for non-compliance
So, what do you need to do?
- Privacy policies need to be updated and practices, procedures and systems will need to be revised and implemented.
- Review methods for data collection, storage and destruction.
- Ensure that any third-party outsourced vendor agreements meet the new standards.
- Take out an insurance policy which provides compensation for expenses incurred as a result of a privacy breach and penalties imposed (penalty cover not offered by all insurers).
No company or individual is immune to cyber-attacks and/or privacy breaches, which is why you can’t afford to put your head in the sand!
For more information or to speak to one of Whitbread’s cyber-safety specialists call Whitbread on 1300427627.
This Whitbread insight article is not intended to be advice and you should not rely on it as a substitute for any form of advice. Please contact Whitbread Associates Pty Ltd ABN 69 005 490 228 Licence Number: 229092 trading as Whitbread Insurance Brokers for further information or refer to our website.