The Privacy Act changes will give the Information Commissioner the ability to:
- Resolve complaints, use external dispute resolution services, conduct investigations and promote compliance;
- Investigate serious breaches (including the right to impose penalties of up to 1.7 million on businesses);
- Assess the privacy performance of businesses.
The Privacy Act protects personal information handled by businesses with an annual turnover of more than $3 million and health service providers of any size.
The Act may also apply to a small business if it poses a higher risk to privacy, for example small businesses that hold health information and provide health services, or those that:
- trade in personal information
- provide services under a Commonwealth contract
- run a residential tenancy database
- are related to a larger business
- are reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act.
Other small business operators may choose to opt in to the regime or may be brought into the regime by regulation.
If you’re not sure whether the Privacy Act applies to your business, try the 9 Step Privacy Checklist for Small Business on the Office of the Australian Information Commissioner (OAIC) website: http://www.oaic.gov.au
How will the changes affect you?
The changes will affect how businesses can:
- Handle and process personal information;
- Use personal information for direct marketing;
- Disclose personal information to people overseas.
A point to note
Each State has its own privacy legislation, so you must understand the legislative restrictions on processing personal data not only in the State where you reside, but also in the States you interact with!
NSW for example has the Privacy and Personal Information Protection Act 1998 (NSW) together with the Health Records and Information Privacy Act 2002.
Private sector companies should be aware of the requirements if they provide services to a NSW government agency.
Private sector health services providers of any size in NSW will have to comply with the Health Records and Information Privacy Act 2002 and also the Commonwealth Privacy Act 1988.
How confident are you in your Privacy practices?
For example, APP11 requires an organisation to take reasonable steps to ensure personal information is protected from “Interference, unauthorised access, modification and disclosure”.
- How do you provide this assurance?
- Are you able to demonstrate ‘reasonable’ steps have been taken to protect personal data?
So how well do you know your information processes? What personal information do you collect and do you understand its lifecycle within your organisation? Are you able to answer the following:
- What personal information is collected, where, when, why and by whom?
- What controls do you have at the collection point?
- Do you collect consent?
- How do you record consent?
- Do you understand the purpose(s) for which information is collected?
- How is it kept relevant?
- Where does the information go?
- How is it stored?
- How is it kept up to date?
- In what format is the data stored, and for how long?
- What happens at ‘end-of-life’?
CQR is able to help organisations through the following services:
Privacy Compliance Jumpstart
Privacy Impact Assessment (PIA)
We will conduct a series of interviews to understand how you currently use and protect personal information.
We will provide recommendations on how you can improve your processes to ensure that personal information is:
- Processed fairly
- Kept accurate, complete and up to date
- Kept secure
- Made available to data subjects
Third Party Audit
We will conduct an audit on how you manage third party relationships.
Information Security Gap Analysis
We will conduct a series of interviews to understand how you currently protect personal information, using the ISO 27001 information security standard as the benchmark for compliance.
We will conduct an audit on your privacy practices covering:
- Consent management
- Subject access requests
- How you use and protect personal data
- Defined roles and responsibilities
- Review of privacy policies, procedures and guidelines
- Risk management