Your Obligations for Customers’ Personal Information
As a business, you may have obligations under the Privacy Act regarding how you handle your customers’ and employees’ information. Here’s your guide to understanding your obligations on managing a customer’s personal information.
Which businesses have responsibilities under the Privacy Act?
The Office of the Australian Information Commissioner (OAIC) details which types of business the act covers. It states that ‘organisations with an annual turnover of more than $3 million have responsibilities under the Privacy Act, subject to some exceptions’.
Even if you are a small business with an annual turnover of $3 million or less, you may still have obligations under the Privacy Act, such as if you:
Buy or sell personal information
Are a contracted service provider for an Australian Government contract
Are a private health service provider including traditional or complementary health, gym, weight-loss clinic, child-care centre, and private education
Are a residential tenancy database operator
Are a credit provider or credit reporting body
Are a business accredited under the Consumer Data Right System
Are a business that has opted into the Privacy Act
Are a business related to one covered by the Privacy Act
Are a business prescribed by the Privacy Regulation 2013.
What constitutes personal information?
Under the Privacy Act, the definition of personal information is relatively broad and depends on whether a person is identified, or reasonably identifiable, in a given scenario. The act does not apply to the personal information of people who have died.
The OAIC says personal information can include:
Someone’s name, address, phone number, date of birth, or signature
Photographs
Employee record information
Internet Protocol (IP) address
Voice print and facial recognition biometrics
Geographical location information from a mobile device.
The Federal Attorney-General’s department has been reviewing the Privacy Act 1988. It’s looking to broaden the definition of personal information to include identifiers, location data, online identifiers, and other technical details typically used in digital advertising programs. Fines and enforcement powers are also expected to increase, with the maximum penalty to hit $10 million.
Check this official website for updates on the review. You might also be interested in this government website about digital identity for business owners.
How to protect customer PI
If you’re a business to which the Privacy Act applies, here’s how to protect your customers’ information, according to the OAIC. (It’s also good practice to follow these steps even if the act doesn’t apply to you.)
Review your company’s internal privacy policies, processes, and procedures (including responding to a breach) to ensure they’re fit for purpose and the data is held securely
Assign a senior manager to have overall accountability for how your business handles privacy. They’ll need to deal with access and correction requests and with inquiries about your practices
Build privacy considerations into project planning, mainly if it involves new or changed personal information handling practices (here’s a guide to doing a privacy impact assessment)
Collect only the personal information you need now, not information you might need later. In most cases, you should also give people the option of interacting with your business anonymously
Use and disclose personal information (internally or externally) only for the primary purpose for which it was collected, unless the individual has consented to another use, it is reasonable to use it otherwise, or the law permits or requires it
Get savvy about disclosing personal information overseas – recipients of the data must comply with the Australian Privacy Principles.
If the personal information your business holds is breached – accessed, lost, or disclosed without authorisation – you’ll need to report the breach (if it is an eligible data breach) to the Privacy Commissioner and to the affected individuals. Find out more about notifiable data breaches here.
Have the right insurance in place
Depending on your business activities and risks, the following insurance cover may be appropriate:
Cyber liability
Management liability
Legal expenses
We can customise insurance options that suit your unique business.
The advice on this website is general in nature and has been prepared without taking into account your objectives, financial situation or needs. You must decide whether or not it is appropriate, in light of your own circumstances, to act on this advice. You should ensure you obtain and consider the Product Disclosure Statement for the policy before you make any decision to acquire it.
Content created and provided by ONEAFFINITI, LLC