As technology and global connection makes easy data more readily accessible in the global environment, Privacy Law has been undergoing change to meet these challenges. Companies or individuals who collect data should be aware of their obligations for data management and the security of personal information. As at February 2018, those who collect personal information have additional reporting obligations in the event of data breach. Significant penalties apply, and companies and individuals who collect personal information should now prepare their systems and policies deal with data breaches.
All companies and individuals who collect personal information should review and seek advice on their privacy policies and personal data management procedures to ensure that they are compliant with the current and incoming laws.
Australian Privacy Principles
The Australian Privacy Law changed significantly in March 2014 with the introduction of the Australian Privacy Principles (APPs
). The APPs replaced the National Privacy Principles (NPPs
). The changes reinforce and increase the security and record-keeping obligations of personal and sensitive information of persons whose data the business receives.
The changes include the following:
- Use and disclosure of personal information related to health is now governed more strictly than personal information generally. This reflect the thinking that the release of certain health information can be extremely detrimental to a person’s wellbeing and quality of life, and a privacy breach involving personal information related to health is accordingly held to be very serious by the regulator.
- The APPs now require privacy policies to state the kinds of personal information collected by an entity, and how complaints may be made about a privacy breach, among other new requirements. The NPPs allowed privacy policies to be drafted in far more general terms APPs now allow.
- APP entities (entities to whom the Privacy Act applies) must now set out any overseas disclosure of personal information that may occur. On our experience, many (if not all) APP entities run the risk of overseas disclosure of personal information due to the online servers that are used in most correspondence by and with APP entities. Normally, online services commonly used by APP entities are not generally capable of locking personal information to domestic servers. It is common for APP entities not to realise that they are running the risk of overseas disclosure, and privacy policies are frequently deficient with respect to how they deal with this aspect of the APPs.
- Individuals must now be given the option to deal with APP entities anonymously or pseudonymously if that option is practicable for the APP entity.
- APP entities must disclose any use of personal information for direct marketing purposes.
- APP entities must respond to access requests within a reasonable period of time. This was not a requirement under the NPPs.
- APP entities must take reasonable steps to correct personal information they hold, and must ensure (so far as is reasonable in the circumstances) that it is accurate, up to date, complete, relevant and not misleading. Previously, it was the responsibility of the individual to correct personal information.
Repeated interferences with the privacy of one or more individuals can attract civil penalties of up to $420,000
for an individual, or $2,100,000
for a body corporate.
Recent Legislative Changes
Following the assent of the Privacy Amendment (Notifiable Data Breaches) Act 2017 on 22 February 2017, new notification requirements under the Privacy Act 1988 (Cth) (Privacy Act) will take effect by 22 February 2018. The new legislation will have the following effects:
EU Data Protection Legislation
- APP entities must notify individuals who may be affected by a data breach or the potential exposure of their data. Penalties apply for not doing so.
- Where there is a suspected data breach, an APP entity must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an ‘eligible data breach’ of the entity. The APP entity must take all reasonable steps to ensure that the assessment is completed within 30 days after the entity becomes aware that there are reasonable grounds to believe that there has been a data breach.
- An APP entity can avoid a suspected data breach from becoming an eligible data by taking remedial action before the any serious harms or loss of information occurs.
- If there is an eligible data breach, the entity must prepare a statement that sets out the identity and contact details of the entity, describes the data breach that there are reasonable grounds to believe happened, sets out the kind of information concerned, and recommends steps that individuals should take in response. Repeated interferences with the privacy of one or more individuals can attract civil penalties of up to $420,000 for an individual, or $2,100,000 for a body corporate.
New data protection legislation in the EU changes the way that ‘personal data’ must be managed by businesses operating in the EU. If you have customers in the EU, or are conducting business in the EU, call us now to ensure that your data management is compliant with the new environment.
Download this article in PDF.