The new regimes for privacy of personal information and credit information in the Privacy Act have been in force since 14 March 2014. The Office of the Australian Information Commissioner (“OAIC”) has indicated that it will actively enforce the new laws and, where appropriate, use its new powers and apply the substantial penalties that apply to breaches.
Statements from the OAIC make it clear that it is not enough for an organisation simply to update its policies – it must have systems and procedures to back them up.
The following 10 steps are some of those that may be essential for organisations affected by the new laws (there may be more):
Some comments on each of these steps follow.
This will depend on whether your organisation is either or both:
Whether your organisation is an APP entity usually depends on whether it carries on any business that is not a small business, that is, one with an annual turnover of less than $3 million. If an entity (a natural person, company, partnership or other entity) is not a small business operator, it will be an organisation that is an APP entity.
However, some types of organisation are expressly excluded from being a small business operator and are caught by the laws, regardless of turnover. These include organisations that:
Your organisation will be a credit provider, regardless of turnover or other matters, if it allows 7 days or more for payment of a debt due for the sale of goods or the supply of services.
Allowing time to pay a debt due for goods or services is credit. Even if your organisation does not make loans, issue credit cards or do other things that would normally be considered providing credit, deferring payment for at least 7 days will make the organisation a credit provider.
If your organisation is an APP entity and/or a credit provider, you should conduct an audit, or a process to collect, review and (where necessary) amend, all of your existing policies, procedures and systems, as listed below, including, of course, your existing:
(if these do exist).
You should also establish a checklist of each of the policies, procedures and systems that will be required, to determine whether each needs to be updated, or put in place if it does not exist.
As with other policies and procedures, it would be wise to have the APP policy reviewed by a legal practitioner for compliance.
If the organisation is a credit provider then it must have a credit information policy (a clearly expressed and up-to-date policy about the management of credit information and credit eligibility information by the provider).
A Credit Information Policy must contain the matters required by the Privacy Act, and “notifiable matters” that are specified in the Credit Reporting Privacy Code (“CR Code”).
What is required will depend on the nature of the organisation. Internal policies/protocols for employees, contractors or others who may deal with personal information or credit information may be required, including:
There are two main components of data management and security systems for an organisation:
Information technology (IT) and electronic data present the most complex areas for consideration. Some of the issues to be considered, and areas in which systems and procedures will be required are:
An organisation should obtain appropriate professional IT advice and assistance in establishing its systems and procedures.
For hard copy records the issues are not as complex as for electronic data, but must be considered. Issues include:
The most likely cause of a breach of the privacy requirements for personal information or credit information in an organisation will be some action or omission of its staff, whether employees or contractors. It is essential for the organisation to ensure that its staff are aware of the privacy obligations for personal information and credit information, as applicable.
As well as providing appropriate policies and protocols, which should be published and made available so that staff are actually aware of these, an organisation should consider:
It may also be appropriate to include specific obligations to comply with policies and directions in relation to data security in contracts of employment or other contracts.
As noted in relation to a number of points above, an organisation should, where appropriate, obtain professional advice and assistance. This is likely to be particularly appropriate for:
If an organisation has obtained appropriate external assistance, this should be taken into account by the OAIC if a breach of privacy in relation to personal information or credit information occurs despite the steps the organisation has taken.
An organisation should make an appropriate person responsible for the oversight, management and control of:
This may be the same person, and it may be that the person also has the role of maintaining data security generally for the organisation.
The Privacy Officer/Credit Information Officer should have an appropriate level of authority and will usually be the appropriate person to notify for contact in the event of a complaint.
An organisation should keep a file or record of the various steps, policies, procedures etc. that are taken to ensure privacy compliance for personal information and/or credit information.
This will assist the organisation if a breach does occur, and the OAIC makes enquiries.
While some of the steps that may be necessary for an organisation to comply with the privacy requirements for personal information and/or credit information may seem onerous or bothersome, data security that preserves an organisation's own confidential information may be extremely important, and the need to ensure privacy for the personal information and credit information of individuals can be seen as only a subset of this.
In a recent publication released by the World Intellectual Property Organisation, examples are given of cyber theft of valuable information worth many millions of dollars and it is said that:
“Ultimately, cyber crime is not strictly speaking a technology problem. It is a strategy problem, a human problem and a process problem.”
The time to act is now!
DW Fox Tucker can assist your organisation with:
Economic Impact of Trade Secret Theft, produced by the Centre for Responsible Enterprise and Trade and PricewaterhouseCoopers LLP.
This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this report, or what it means for you, your business or your clients' businesses, please feel free to contact us.