Wednesday, 12 March 2014

Privacy and your organisation, do you understand the rules?

The Australian Privacy Amendment Act 2012 will come in to force on 12th March 2014 and will introduce significant amendments to the Privacy Act 1998.

The Privacy Act changes will give the Information Commissioner the ability to: 
  • Resolve complaints, use external dispute resolution services, conduct investigations and promote compliance;
  • Investigate serious breaches (including the right to impose penalties of up to 1.7 Million on businesses);
  • Assess the privacy performance of businesses.
Who must comply with the Act?

The Privacy Act protects personal information handled by businesses with an annual turnover of more than $3 million and health service providers of any size.

The Act may also apply to a small business however if they pose a higher risk to privacy, for example, small businesses that hold health information and provide health services or those that:
  • trades in personal information
  • provides services under a Commonwealth contract
  • runs a residential tenancy database
  • is related to a larger business
  • is a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act.
Other small business operators may choose to opt in to the regime or may be brought into the regime by regulation.

If you’re not sure whether the Privacy Act applies to your business, try the 9 Step Privacy Checklist for Small Business External linkon the Office of the Australian Information Commissioner (OAIC) website.

How will the changes affect you?

The changes will affect how businesses can:
  • Handle and process personal information;
  • Use personal information for direct marketing;
  • Disclose personal information to people overseas.
Although you may already have a requirement to comply with the Privacy Act you need to be particularly aware of the changes as you will need to change your privacy policies and practices significantly in order to comply with requirements of the Australian Privacy Amendment Act 2012.

A point to note

Each State has its own Privacy legislation and therefore you must understand the legislative restrictions on processing personal data, not only within the State you reside, but of the States you interact with!

NSW for example has the Privacy and Personal Information Protection Act 1998 (NSW) together with the Health Records and Information Privacy Act 2002.  

Private sector company’s should be aware of requirements if they provide services to a NSW government agency.

Private sector health services providers of any size in NSW will have to comply with the Health Records and Information Privacy Act 2002 and also the Commonwealth Privacy Act 1988.

How confident are you in your Privacy practices?
For example, APP11 requires an organisation to take reasonable steps to ensure personal information is protected from “Interference, unauthorised access, modification and disclosure”. 

  • How do you provide this assurance?
  • Are you able to demonstrate ‘reasonable’ steps have been taken to protect personal data?
You must take reasonable steps to “implement practices, procedures and systems that ensure compliance with the APPS”.

So how well do you know your information processes?  What personal information do you collect and do you understand its lifecycle within your organisation?  Are you able to answer the following:
  • What personal information is collected, where, when, why and by whom?
  • What controls do you have at the collection point?
  • Do you collect consent?
  • How do you record consent?
  • Do you understand the purpose(s) for which information is collected?
  • How is it kept relevant?
  • Where does the information go?
  • How is it stored?
  • How is it kept up to date?
  • What format is data stored? For how long?
  • What happens at ‘end-of life’?
If you’re not confident you can answer these questions, we are here to help!

CQR Services

CQR is able to help organisations through the following services:



Privacy Compliance Jumpstart

We will conduct a Privacy Impact Assessment (PIA), Provide an implementation roadmap and draft a Privacy Policy.

Privacy Impact Assessment (PIA)

We will conduct a series of interviews to understand how you currently use and protect personal information.

Provide recommendations on how you can improve your processes to ensure the personal information is:

·         Processed fairly

·         Kept accurate, complete and up to date

·         Kept secure

·         Made available to data subjects

Update to Privacy Policy

We will review and update your Privacy Policy to ensure it captures the requirements of the Australian Privacy Amendment Act 2012.

Third Party Audit

We will conduct an audit on how you manage third party relationships.

Information Security Gap Analysis

We will conduct a series of interviews to understand how you currently protect personal information using ISO 27001 information security standard as the benchmark for compliance.

Privacy Audit

We will conduct an audit on your privacy practices covering:

·         Consent management

·         Subject access requests

·         How you use and protect personal data

·         Defined roles and responsibilities

·         Review of Privacy Policies, Procedures and Guidelines

·         Risk Management

No comments:

Post a Comment