New privacy laws could leave business vulnerable

Changes to Australia’s privacy laws kicked in from March 2014 in what the Australian Information Commissioner, John McMillan, said were the biggest reforms to the privacy regime in 25 years.

The recently released Australian Privacy Principles guidelines publication, from the Office of the Australian Information Commissioner (OAIC), apply from March 12, 2014, and cover all government agencies and other entities covered by the Privacy Act.

The principles outlined include ensuring the transparent management of personal information, anonymity and pseudonymity, the collection of solicited and unsolicited personal information and more.

Although the Commissioner said that the new requirements coming into effect should represent only incremental changes to the incumbent regime, the risk partner at Ernst & Young (EY), Charlie Offer, said the OAIC had significantly underestimated the remedial work that may be required within many organisations.

“We see a large number of organisations where privacy compliance initiatives have been leapfrogged by the explosion in the collection of personal information and the proliferation of this data internally and to third parties,” he said.

The new Privacy Act will also now include new credit reporting provisions, with more comprehensive reporting mechanisms and the introduction of civil penalties for breaches of certain provisions.

Offer said EY estimates that many businesses will be caught short by the increased powers of the OAIC. “The Commissioner will have ACCC-like powers to launch investigations that will potentially result in fines of up to $1.7 million,” he said.

EY said that changes meant an investigation can be initiated without a complaint being received or even any suspicion of wrongdoing. Offer said this is in contrast with the present situation where a complaint must be filed and the resulting investigation is then limited to that complaint only.

One key requirement of the new regime is that compliance with the privacy principles needs to be able to be demonstrated. If a business cannot demonstrate how privacy compliance was achieved, then that entity will be in breach.

“The important point is that it will be much more efficient for the Commissioner to demand evidence of compliance than to spend time investigating and proving non-compliance,” Offer said.

EY said industries that handle large amounts of customer information are likely to come under the initial scrutiny of the OAIC. This would include financial services, telecommunications, marketing and providers of utilities.

Offer said it is also likely that medium and smaller sized enterprises may be more of a target than the bigger end of town. The latter generally had more resources to more fully cover compliance, but also to throw at legal activity, should this become a factor.

The best way to prepare for the new laws, said EY, is to become familiar with the guidelines and to prepare a response plan to a potential OAIC request, or indeed from any other party.

EY said the response plan should include:

• documented evidence that moves are underway to assess current practices around the use and handling of personal information, and a remedial approach should this be required
• that management demonstrates support for these initiatives (including departmental support, as appropriate), and

that front line staff have been informed of the above, with reminders of their obligations over security and privacy of information held by the business.

DISCLAIMER:All information provided in this publication is of a general nature only and is not personal financial or investment advice. It does not take into account your particular objectives and circumstances. No person should act on the basis of this information without first obtaining and following the advice of a suitably qualified professional advisor. To the fullest extent permitted by law, no person involved in producing, distributing or providing the information in this publication (including Taxpayers Australia Incorporated, each of its directors, councilors, employees and contractors and the editors or authors of the information) will be liable in any way for any loss or damage suffered by any person through the use of or access to this information. The Copyright is owned exclusively by Taxpayers Australia Inc (ABN 96 075 950 284).