Why You Need A Privacy Policy NOW
Every business that turns over more than $3 million is regulated by the Privacy Act 1988 (Cth). The Act and the Australian Privacy Principles set out rules for how you collect, use and store personal information.
A business lawyer in Melbourne can reduce your risk of a breach.
The Principles require most businesses to consider the privacy of personal information, including ensuring that they manage personal information in an open and transparent way. The most important and least complied with Principle that we encounter is the requirement to have a Privacy Policy. If you do not have a Privacy Policy, you are at risk of breaching the Privacy Act. This is a key area to look at to keep yourself aligned with the business laws in Australia.
The Privacy Policy must contain:
- the kind of personal information the business collects;
- how the personal information is collected and held;
- the purposes for which the personal information is collected, held, used and disclosed;
- how an individual may access personal information about themselves and seek the correction of such information;
- how an individual may complain about a breach of the Principles, or a registered Australian Privacy Principle code (if any) that the business is bound by, and how the business will deal with such a complaint;
- whether the personal information is likely to be disclosed to overseas recipients; and
- if the business is likely to disclose personal information to overseas recipients – the countries in which such recipients are likely to be located (if it is practicable to specify those countries in the policy).
New Amendments to the Act
It’s not all that simple.
While you may be looking at creating a Privacy Policy or reviewing your existing policy, you should also be aware of the amendments to the Act which took effect on 22 February 2018.
Prior to February 2018, the law did not require you to notify an individual who may be affected by a failure to take reasonable steps to protect personal information. The amendments now provide that you must report a data breach to the Commissioner and the harmed individual if:
either:
(i) there is unauthorised access to, or unauthorised disclosure of, information held by an entity; or
(ii) information is lost in circumstances where there is likely to be unauthorised access to or unauthorised disclosure of information; and
a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.
The amendments to the Act place further obligations on business owners and their staff to maintain security and report data breaches of personal information. As a starting point, we recommend that your internal privacy procedures be reviewed, and your Privacy Policy be amended. Should you not have a Privacy Policy, we strongly recommend contacting us to prepare one, even if you are not required to do so under the Act.
Need a business lawyer in Melbourne yet? Leave it to us!
For further information regarding the review, amendment and preparation of Privacy Policies and privacy procedures, please contact Alex Martin on 9481 2000 or alex@tauruslawyers.com.au.