Changes to the Privacy Act 1988 (Act) took effect from 12 March 2014. These changes saw the introduction of the Australian Privacy Principles to replace the National Privacy Principles, and amendments to the provisions relating to credit reporting. Perhaps more importantly, the changes resulted in enhanced powers for the Office of the Australian Information Commissioner (OAIC) which can now:

  • conduct assessments of privacy compliance for some private sector organisations;
  • accept enforceable undertakings; and
  • seek civil penalties for serious or repeated breaches of privacy.

If you operate a business which has a turnover of $3 million or more*, you are required to comply with the Act and there is a risk that if you don't comply, the OAIC may seek a civil penalty against your business. We are yet to see what penalties the courts will impose - but even a small fine coupled with adverse publicity could be damaging to your business.

If you don't have a privacy policy, you will need one to comply with the Act – and if your policy has been gathering dust, it may need reviewing to make sure it is compliant following the amendments.

But, having a policy is not enough – you need to make sure your employees know how to handle personal information,** and if you gather sensitive information*** your staff may need specialised training.

We have prepared a short checklist to get you started on a review of your employees' practices in relation to personal information. If your review indicates your employees (and your business) may not be compliant with the Act, speak to us for assistance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.