By Curwoods Partner John Snelgrove and Special Counsel Michael Mitchell.
Major changes to Australia's existing privacy law came into effect yesterday (March 12, 2014). Any business with an annual turnover of more than $3 million is subject to the privacy law. Some smaller businesses must also comply, including those that trade in personal information, are related to a larger business, or provide health services.
How are the laws changing?
A new set of Privacy Principles, which applies to both government and the private sector, includes:
• A business must have ‘practices, procedures and systems’ in place that comply with the privacy laws, and a mechanism that enables it to respond to complaints
• A business remains responsible for the personal information of individuals that it sends overseas. It must take reasonable steps to ensure that the information is protected to the same standard as in its Australian operations, which may be difficult where the business uses cloud computing hosted outside Australia
• A business must take reasonable steps to notify individuals when it receives their personal information, including where the information was obtained from third parties. This covers personal information that is publicly available or obtained from another organisation.
What are the penalties if you break the law?
The Information Commissioner can make determinations, including that a business pay compensation to individuals harmed by a breach of privacy, make a public apology, or destroy information it holds. These determinations can be enforced by the courts.
The Federal Courts have the power to impose a civil penalty of up to $340,000 for individuals and $1.7 million for businesses where there have been serious or repeated breaches of privacy.
Businesses should consider whether reputational damage may follow if there is a complaint that they have breached privacy, particularly if the breaches are serious or repeated.
If an individual suffers loss or damage as a result of a breach of privacy, they may sue the business concerned for negligence. It is therefore very important to ensure that the business has adequate insurance.
Do the changes become effective immediately?
The changes came into effect on March 12, 2014, so it is important that businesses do not delay their compliance.
What are the key things businesses need to do to prepare for these changes and cover themselves?
Immediate key preparations should include:
• Review of ‘systems, practices and procedures’ for compliance and for responding to complaints. It is much easier to comply if the business practises ‘privacy by design’, where personal information is identified and classified correctly as soon as it enters the organisation, so that the handling, storage and disclosure rules that apply to it are known from the outset
• Review of the insurance arrangements with your broker or legal adviser.
How will this affect the events industry?
The events industry often deals with ‘personal information’, which means information about an individual who is identified or reasonably identifiable, including their contact details and their preferences for particular products or services.
Members of the events industry should review all aspects of their operations for compliance with the new privacy laws. Key considerations should include whether:
• Personal information is sent to overseas recipients, including overseas head offices, suppliers and other international partners
• Cloud computing is used for the storage of data, and where the provider's servers are located
• Personal information received from other organisations is properly accounted for and dealt with, including notifying the individuals concerned
Curwoods, in partnership with the Italian Chamber of Commerce, is hosting a free seminar on March 19 to educate business owners about the changes to these laws. If you would like to attend, RSVP by tomorrow to Martina Patti: (02) 8354 0777 / [email protected]