Privacy + Data Protection: Protecting Yourself + Your Clients In This New Era
Privacy and data protection are currently at the top of everyone’s minds given recent media coverage. The Optus and Medibank data breaches have shown how vulnerable we all can be to this kind of crime, and how far-reaching the personal impact can be when an organisation fails to protect its client data.
What we are seeing play out in these massive data breaches is a very clear tension between laws requiring businesses to hold records about clients and transactions for significant periods of time, and the rights of individuals to have their personal information de-identified or destroyed once it is no longer needed by the business holding it.
Many businesses view their client lists and network contacts as commercial assets. This is an understandable conclusion, as it is your client information and network that will help your business grow, and the data you hold can prove to be an important marketing tool. However, Attorney-General Mark Dreyfus, when recently introducing into Parliament a new bill aimed at strengthening Australia’s privacy laws, was very clear in railing against this concept, stating:
Governments, businesses and other organisations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset.
With significant funding being committed to the Office of the Australian Information Commissioner (OAIC), the regulator responsible for investigating privacy breaches and seeking civil penalties for them, and a proposed increase in those penalties, businesses are now officially on notice that they should be making the privacy and security of any client information they hold an absolute priority.
So, what can you do personally, or as a business owner, to protect yours or others’ data?
Australia’s Data Protection + Privacy Laws
The rules regarding the treatment of client information held by an organisation are set out in the Australian Privacy Principles (APPs), which are contained in Schedule 1 of the Privacy Act 1988 (Cth). The APPs are summarised in the box below.
The APPs apply to “APP entities”, which are broadly defined as any agency or organisation, including any individual, sole trader, body corporate, partnership, unincorporated association, or a trust, unless it is a small business operator, registered political party, State or Territory authority or a prescribed instrumentality of a State.
The APPs are very complex, so we have pulled out the three main concepts to help you understand how the APPs operate and what you should be thinking about most when looking after your client information:
Small Business Exception
A small business operator with an annual turnover of $3 million or less is technically exempt from the APPs. However, importantly, if that small business provides a health service and holds health information (other than health information contained in an employee record), or is engaged in direct marketing or lobbying, it is not exempt from the APPs. The Act lists further exceptions as well, including businesses that trade in personal information (buying or selling it for a benefit), credit reporting bodies, and contracted service providers under Commonwealth contracts.
While you may have an annual turnover of less than $3 million, do not immediately assume you are exempt from the Privacy Act. Whether an exemption applies depends on the type of information you hold and the purpose for which you collect, use or disclose it. In addition, there are indications that the Government is considering removing the small business and political party exemptions, so businesses should assume the APPs apply to the client information they hold.
Given the current spotlight on this area, and the reputational damage that can be done to your business if a data breach occurs, it is probably best to err on the side of caution and ensure your privacy policies and internal systems are up to standard.
Personal or Sensitive Information
The APPs set out clear obligations in relation to the collection, storage, use and disclosure of “personal information”. Even stricter parameters apply to what is considered “sensitive information”.
- Personal information is defined broadly: it is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not it is true and whether or not it is recorded in a material form. It includes everyday details such as an individual’s name, address, email, telephone number or bank account details. Most businesses hold information that falls within this category.
- Sensitive information is a subset of personal information and includes information or an opinion about an individual’s racial or ethnic origin, political opinions or memberships, religious beliefs or affiliations, philosophical beliefs, trade or professional associations or memberships, trade union membership, sexual orientation or practices, or criminal record. It also includes health information, genetic information and biometric information (including biometric templates).
Health information is defined as:
Information or an opinion about the health or a disability of an individual, or an expressed wish about the future provision of health services, or a health service provided/to be provided to an individual.
If the information is sensitive information, you should obtain an individual’s express consent before collecting, using or disclosing it, given the greater privacy impact it could have (the Act allows only narrow exceptions, for example where collection is required by law). This is an important consideration to bear in mind if you operate in the National Disability Insurance Scheme (NDIS) space, as you may hold not only a client’s personal information but also their sensitive information.
For What Purpose Was The Information Collected
The next important consideration is understanding the purpose for which the information was collected, and for which it will be used or disclosed, as this determines how you are allowed to deal with that information.
The specific function or activity for which the information is collected is known as the primary purpose. Any use or disclosure for a different purpose is a secondary purpose, and is only permitted in limited circumstances, chiefly where the individual has consented, or where the secondary purpose is related to the primary purpose (directly related, for sensitive information) and the individual would reasonably expect it.
The intent is that an entity will generally only use and disclose an individual’s personal information in ways the individual would expect. Therefore, client information and databases are not necessarily yours to use or distribute as you wish. You must always think about this purpose and whether client consent is needed before the information is used or disclosed. This is something to consider when, for example, planning to sell your business: is the client list or database of information actually yours to transfer to the purchaser, would the client reasonably expect their data to be transferred to a new entity, or should you obtain their consent first?
Canny Legal can assist if you are currently considering a sale or transfer of your business.
Generally, you must obtain express consent for the collection, use or disclosure of sensitive information. If taking a cautious approach, businesses should also obtain consent before any collection, use or disclosure of personal information. While this is not always a legal obligation, our firm belief is that in the current climate our clients should be cautious, and obtaining a person’s consent before dealing in any way with their personal information is likely to be the most sensible course of action.
What Do The Optus and Medibank Data Hacks Mean For You?
Currently, the maximum civil penalty for serious or repeated interferences with privacy under the Privacy Act is $2.2 million. However, under the amendments to the Privacy Act currently before Parliament, the maximum penalty for a body corporate is set to increase substantially to the greater of $50 million, three times the value of any benefit obtained through the misuse of the information, or, if the court cannot quantify the value of that benefit, 30% of the company’s adjusted turnover in the relevant period. This massive increase in penalties shows the seriousness with which future breaches of the Privacy Act are set to be treated.
Ensuring you are keeping client data secure and using it only for its proper purpose has never been more important. The questions being put to Optus can serve as a useful guide for businesses reviewing their own internal policies:
- Do you hold personal information for longer than you need to?
- Do you take reasonable steps to ensure the destruction or de-identification of personal information when no longer needed?
- Do you take reasonable steps to protect the personal information you hold from unauthorised access, interference, loss or disclosure?
- If a data breach occurs, have you met your legal obligations regarding notification and management of the data breach and its remediation?
Privacy Tips for Businesses
The main issue for businesses is that there are many conflicting ideas and laws at play.
On the one hand, personal data can be an important tool within your business, and there are laws requiring that personal information be stored and held by businesses for many years – for example, Medibank was actually required by state health record laws to keep its client information for seven years. However, the privacy laws are strict on the storage and use of personal information and require information to be de-identified or destroyed when no longer required.
So, as a business owner, how are you meant to navigate this minefield of legal responsibility?
Here are a few tips to help your business meet its privacy obligations:
- First, review the information that your business holds and carefully consider whether it is necessary for you to continue to hold it. Are there any legal requirements for retaining this information? Has the purpose for which you were originally given the information been fulfilled? Would the individual be expecting you to continue to retain their personal or sensitive information?
- Conduct an internal compliance review. Are your systems going to protect your client’s information adequately? Are your staff trained in their privacy obligations? Do you have the capacity to review your internal information storage and management systems?
- Ensure you have clearly stated systems for systematically reviewing the data you have on file to see whether it should still be retained or needs to be deleted, destroyed or de-identified.
- Have your IT systems reviewed or upgraded so that they meet the APP 11 standard of “reasonable steps” to protect personal information from unauthorised access, interference, loss or disclosure. In practice this means controls such as restricting access to those who need it, multi-factor authentication on accounts that can reach client data, encryption of stored and transmitted data, and logging so that a breach can be detected and its scope established. Holding less data in the first place also limits the damage if a breach does occur.
While having adequate policies and systems in place is obviously the best measure, being responsive when there is a data breach is also fundamentally important. There is a system of mandatory reporting of data breaches in Australia, known as the Notifiable Data Breaches (NDB) Scheme.
The NDB Scheme requires that any organisation or agency covered by the Privacy Act notify affected individuals and the OAIC of an eligible data breach, that is, unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any individual to whom the information relates, and that cannot be prevented by remedial action. An entity that suspects a breach must assess it within 30 days, and notification must be made as soon as practicable once the entity has reasonable grounds to believe an eligible data breach has occurred. It was the NDB Scheme that compelled Optus, Medibank and many other entities that have suffered data breaches in recent years to formally notify their customers and the OAIC. If you would like further information on how to properly comply with the NDB Scheme, contact Canny Legal for assistance.
Privacy Tips for Individuals
Unfortunately, data breaches cannot be ruled out, and they are only going to become more common given the way we all operate and do business. No business is guaranteed against data breaches, so we must all take personal responsibility in choosing where to share our personal and sensitive information, and be vigilant in keeping an eye on all of our accounts.
It is extremely important that you regularly monitor the transactions in your bank accounts, and when it comes to emails, text messages or social media messages, do not reply or open links if they look unusual or suspicious in any way. Be particularly wary of anything asking you to update contact details or change passwords. If unsure, contact the organisation using a phone number or website you have looked up independently, not one supplied in the message, to verify the sender’s identity and substantiate the request. Using a different password for each account, and turning on multi-factor authentication where it is offered, also limits what a criminal can do with details exposed in someone else’s breach.
Legal Advice + How Canny Legal Can Help
Get in touch to find out how we can assist.