Bowen Buchbinder Vilensky

Keeping It Private – Are You Ready For The Privacy Law Changes?

By Les Buchbinder, Director at Bowen Buchbinder Vilensky Lawyers

19 February 2014

We see more and more cases of unwanted  and unlawful access by third parties (hackers) to business computer systems and the personal and confidential  information held in them. This can result in significant harm to those individuals whose personal and confidential information held in the computer system is accessed and later misused. This can, for example, be where a hacker steals a person’s online identity and later accesses Bank accounts to steal money or incurs debt in the name of the victim or it may be less sinister in the form of the negligent disclosure of personal information to third parties.

The Federal Privacy Act addresses these issues and seeks to protect the public from such loss and harm. There  are a number of significant changes to the Federal privacy laws which will come into effect on 12 March, 2014. Significantly, these changes include (but are not limited to):

  1. The introduction of uniform privacy principles to regulate the handling of personal information by Australian government agencies and businesses. These will impact on most businesses  which will need to ensure they are compliant;
  2.  Increased enforcement  powers for the Privacy Commissioner to, among other things, accept enforceable undertakings, seek civil penalties of up to $340,000 for individuals and $1.7 million for companies in the case of serious or repeated breaches of privacy and  conduct  assessments of privacy performance for both Australian government agencies and businesses.
  3. The recognition of external dispute resolution schemes, changes to credit reporting laws and the introduction of codes of practice.

Businesses will need to ensure that they comply with the new regime by 12 March, 2014.

In doing so, businesses will need to consider whether they handle “personal information”  or “sensitive information” as defined in the new Act.  If they do, then they will need to ensure  that “reasonable steps”   are taken to implement the new practices, procedures and systems requirements.

These steps should  include:

  1. Reviewing and/ or updating the businesses  privacy policy;
  2. Updating the businesses privacy statement on any website that it operates;
  3. Reviewing  practices, procedures and systems for the collection, use, disclosure, updating, notification and storage of information
  4. Implementing  practices, procedures and systems to allow others  to interact with businesses  anonymously;
  5. Updating existing staff training and other business operation manuals to cater for the new practices, procedures and systems, and to identify and manage privacy risk
  6. Carefully reviewing and, if necessary, amending business contract and subcontract documentation to ensure compliance with the new regime;
  7. Reviewing and identifying if there are any risks to the directors and officers of the business for possible  breaches of the new laws. This should factor in the Privacy Commissioner’s increased powers and the penalties that may be imposed on those guilty of breaches of the new privacy laws as well as the fact that a breach of the new privacy laws; and
  8. Undertaking a review of the existing insurance cover of the business to identify any remedy gaps in cover.

These new changes (especially the penalties) will force businesses to be more attentive to data protection and to preventing the inadvertent release of electronic personal information of customers, third parties and even employees held on computer systems under their control.

Failure to do so could prove damaging to reputation and very expensive!

Leave a comment


Leave a Reply

Please read the TERMS AND CONDITIONS before posting.

Current day month ye@r *