There has been plenty of warning: the legislation amending the Privacy Act was enacted on 29 November 2012, yet many businesses have still not taken steps to comply. The Australian Financial Review on 10 March 2004, under the heading “Firms lax on changes to Privacy Law”, reports that the Privacy Commissioner, Mr Timothy Pilgrim, has said that “the days of ‘softly, softly’ privacy enforcement are over”.
A summary of the APPs appears in the DW Report for Summer 2014.
Cyber attacks do not mean businesses are ‘off the hook’.
The statement goes on to say:
APP11 requires an organisation that holds personal information to take reasonable steps to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Failure to take reasonable steps to prevent unauthorised access such as a cyber-intrusion may be a breach of APP11. The OAIC has previously found, after investigation, that organisations were in breach of the Privacy Act by not taking reasonable steps to prevent a data breach involving a cyber-attack.
Businesses may assume that they are not required to comply with the APPs if they fall under the $3 million turnover threshold for a small business, but there are exceptions, particularly in the health services area. Any business that provides any form of health service is covered, regardless of its size, if it holds health information.
This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this article, or what it means for you, your business or your clients' businesses, please feel free to contact us.