On 12 March 2014, new privacy laws came into effect. Under the new laws, certain businesses may be liable to pay fines of up to $1.7m for serious or repeated breaches. The new laws change the credit reporting system and introduce a new set of binding privacy principles which regulate the way in which 'personal information' is handled.

'Personal information' includes an individual's name, address, telephone number, date of birth, bank account details, medical records and commentary or opinions about a person. It does not matter whether this information is true or not, or if it is recorded in a material form or not.

Other things you should consider:

  • Do you have a privacy policy about how your business manages personal information? Has the policy been updated to reflect the new privacy laws?
  • Do you collect personal information? Is it reasonably necessary for your business to collect all the personal information you currently collect?
  • How do you notify your customers that you are collecting their personal information? Do you notify them when it is collected?
  • For what purpose do you use and disclose the personal information? Do you disclose personal information overseas to third party providers? Where do your Australian technology providers store and hold your business' personal information?
  • Have you made contractual arrangements with your technology provider to ensure they comply with the new laws?
  • How do you secure your personal information? Do you have sufficient physical and electronic security practices and procedures to protect the personal information from misuse, interference, loss, unauthorised access, modification or disclosure?
  • Do any exceptions apply? How long does your business keep personal information? Do you have a data retention policy?

Recently we have assisted our clients by:

  • Preparing and/or amending privacy policies, collection notices and internal privacy procedure documents to comply with the new privacy law
  • Reviewing contractual arrangements with both onshore and offshore cloud providers to determine their collection, storage, management and destruction practices
  • Reviewing and/or drafting clauses in contracts to comply with the new privacy law
  • Conducting privacy questionnaires to understand privacy practices and procedures and
  • Providing privacy training to staff.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.