So you store customer data in an offshore location and the host then sells this information to marketers. An obvious privacy breach. No drama, your contractual clauses will relieve you of any liability, right? Maybe not. You could soon be up for a $1.1m fine.
It’s all part of the Government’s long-awaited Privacy Act reforms, which passed through the Senate in November. The changes are the result of the Australian Law Reform Commission (ALRC) review, which made 295 recommendations, more than half of which were implemented as part of the first stage of reforms (there will be two stages).
The bad news for start-ups is that every individual and company that deals with personal information, defined as ‘information that identifies or could identify a person’, has to consider how they currently collect, transfer and store such information and whether or not any changes need to be made to comply.
The good news for start-ups is that the amendments won’t become effective until March 2014.
Nonetheless you should start now to make sure you are ready for the changes and don’t face any unforeseen setbacks in a couple of years’ time.
Still not convinced? In June of last year it was discovered that Telstra had unwittingly breached both telecommunications and privacy laws by leaving 734,000 customer records accessible on the internet for eight months. However, the Australian Privacy Commissioner (APC), now the Office of the Australian Information Commissioner (OAIC), was helpless to impose any penalties and the telecommunications behemoth escaped with a mere slap on the wrist.
The APC will now have the power to impose penalties of up to $1.1m on companies and up to $220,000 on individuals for such breaches.
Yep, time to make those changes.
So, what are the key changes and how do they affect startups?
Direct marketing – People will have the power and the right to know how direct marketers got a hold of their information and to opt out of further direct marketing and additional disclosure of their personal information. Is your database tracking this information?
Cross border disclosure – As touched on earlier, Australian companies may be held liable for the mishandling of personal information sent offshore. This would obviously have an impact on relationship management with third party services such as cloud providers and startups should tread carefully and discuss their exposure with a lawyer to make sure they gain sufficient protection to absolve them of any liability in the event of a breach.
Unsolicited information – The Act now extends to unsolicited information and requires that information not collected in line with the Australian Privacy Principles (APPs) must be destroyed.
Disclosure statements – Additional information, such as complaint procedures, will need to be included in privacy collection statements and privacy policies.
While this first release of amendments may give startups something to think about, a second release of changes is expected to go even further and require further housekeeping.
The second release is anticipated to remove the small business exemption (defined as businesses with annual turnover of less than $3m), require that serious data breaches are made public, introduce a statutory cause of action for serious privacy breaches and harmonise privacy laws nationally.
What should your business do?
- Review your exposure to privacy risk and make sure you have an effective control framework to mitigate any exposure to potential privacy breaches
- Review and update privacy policies, disclosure statements and other materials in line with the amendments
- Review and where required amend third party contracts to account for foreign data breaches
- Update databases so that new disclosure requirements around direct marketing can be met
- Review the collection, transfer and storage of personal information for any gaps or control deficiencies
- Increase awareness of company and employee/contractor privacy obligations through training and other means of communication
- Keep an eye out for additional changes and guidance being developed
For more information go to www.oaic.gov.au