There has never been a more important time in business to consider the privacy of your customers. Personal information is more accessible than ever before, and with that comes the need to create and define boundaries around personal information in the private sector. New laws have just been implemented which expand the scope of privacy law in Australia. This, it seems, is not merely a case of being ‘over-cautious’ with privacy. A recent survey on identity crime shows it has officially become one of the more common crimes in Australia. Results from a survey of 5,000 Australians on their experiences of identity crime and misuse, conducted by the Australian Institute of Criminology (AIC) on behalf of the Attorney-General, suggest identity crime directly affects around 1 million Australians each year.
The survey has found almost 1 in 10 people experienced misuse of their personal information in the previous 12 months, and 1 in 5 people experienced misuse of their personal information at some point in their lives, with 5% of people experiencing identity crime or misuse resulting in a financial loss in the previous 12 months. Identity theft can impact the finances and the credit rating of victims. If your business handles personal information, this Privacy Awareness Week 2014, with its emphasis on education about Australia’s new Privacy Laws, is a good time to ensure you are meeting your privacy responsibilities to consumers and to your business, particularly if your business has obligations under the Privacy Act 1988 (Cth).
By Graham Doessel, Non-Legal Director of MyCRA Lawyers www.mycralawyers.com.au.
With the emphasis on privacy protection in Australia’s new Privacy Laws, businesses which handle personal information are required to update their Privacy Policies and possibly their systems to fall in line with the new changes. Under the new privacy law the IPPs and NPPs have been replaced by the new, unified Australian Privacy Principles (APPs). These will apply to businesses with a turnover of at least $3 million, as well as government agencies. This is just one of the many significant changes to the Privacy Act 1988 (Cth).
The Federal body which handles privacy in Australia, the Office of the Australian Information Commissioner (OAIC), has previously suggested some basic questions for businesses to prompt further investigation, if necessary, into possible obligations under the Privacy Act 1988 (Cth).
• Does your business or agency handle personal information? There are some changes to what constitutes personal information under the Privacy Act.
• Do you need to review your business or agency’s privacy policy? You should have an up-to-date policy that is reviewed regularly. The new laws set out some requirements for privacy policies.
• Do you need to review your business or agency’s outsourcing arrangements? You will need to do this particularly if you are sending personal information overseas.
• Do you use direct marketing to reach your customers? If you do, you will need to provide an easy way for people to opt out of receiving these communications. There are some new rules in the area of direct marketing.
• Does your business or agency receive unsolicited personal information? There are some new rules on how to handle this information.
• Do your information security systems need to be reviewed and updated?
On Monday, the OAIC launched ‘A guide to developing an APP privacy policy’ to help organisations and agencies meet this challenge. The Guide sets out a step-by-step process for developing privacy policies and a helpful checklist. There are also a number of tips to ensure that privacy policies are accessible and clearly expressed.
The OAIC also launched ‘A revised Guide to undertaking privacy impact assessments.’ A Privacy Impact Assessment (PIA) is an assessment tool that ‘tells the story’ of a project from a privacy perspective. PIAs analyse the possible impacts on individuals’ privacy and recommend options for managing, minimising or removing these impacts. PIAs are one way of building an organisational culture that respects privacy while also minimising the risk of a data breach, which can result in reputational damage and a range of other costs.
What else can a business do to ensure it is creating a culture of respect for the privacy of its customers?
Privacy and your business
Good privacy practice is important for more than just ensuring compliance with the requirements of the Privacy Act. If an entity mishandles the personal information of its clients or customers, it can cause a loss of trust and considerable harm to the entity’s reputation. Additionally, if personal information that is essential to an entity’s activities is lost or altered, it can have a serious impact on the entity’s capacity to perform its functions or activities.
It is important for entities to integrate privacy into their risk management strategies. Robust information-handling policies, including a privacy policy and data-breach response plan, can assist an entity to embed good information handling practices and to respond effectively in the event that personal information is misused, lost or accessed, used, modified or disclosed without authorisation. (OAIC Guide to Information Security)
There is a large amount of help in the OAIC’s Privacy Business resources section on their website, including a Privacy checklist for small businesses.
It is important that businesses don’t leave privacy to chance. The possible ramifications of not protecting personal information are that customers are left embarrassed, distressed, or potentially financially affected. In the case of identity theft, where personal information is used to assume the identity of the victim, there is a grave potential for credit to be taken out in the victim’s name. Their credit rating can be destroyed for 5 to 7 years due to defaults they haven’t actually incurred themselves.
Under the amended laws, the Privacy Commissioner has been given enhanced powers to conduct assessments of privacy performance for government agencies and businesses, as well as the ability to accept enforceable undertakings and importantly, to seek civil penalties in the case of serious or repeated breaches of privacy.
MyCRA Lawyers is an Incorporated Legal Practice focused on credit file consultancy and credit disputes. MyCRA Lawyers means business when it comes to helping those disadvantaged by credit rating mistakes.
MyCRA Lawyers is a proud partner for Privacy Awareness Week 2014.