CGW warns business on privacy reform, one year on
BUSINESSES with annual turnover of more than $3 million, and those who offer payment terms of seven days or more, may be in the firing line if they are not compliant with new privacy laws.
That is the warning from lawyers Cooper Grace Ward, who have found that businesses non-compliant with the Australian Privacy Principles could now face major penalties.
March 12 marked the first anniversary of the most significant changes to Australia’s privacy laws in over 25 years through amendments to the Privacy Act 1988 (Cth) – which included the introduction of a new set of Australian Privacy Principles (APPs) and credit information obligations that now regulate the handling of personal information and credit information by most businesses and government agencies.
The amendments also introduced significant penalties of up to $340,000 (for individuals) or $1.7 million (for corporations) for breaches of certain provisions of the APPs and the Privacy Act.
Cooper Grace Ward partner Charles Sweeney said the Australian Privacy Principles applied to businesses with an annual turnover of more than $3 million, while some key obligations for affected businesses include having an up-to-date privacy policy “that is easily accessible and contains information about a number of mandatory matters”.
Mr Sweeney said if a business’s current privacy policy refers to the ‘National Privacy Principles’, it is likely it has not been updated and is not APP compliant.
The policy should also ensure that the business notifies individuals of certain privacy and information handling matters before collecting their personal information; and only collects personal information for permitted reasons. Once collected, the business must deal with the personal information in accordance with the APPs.
The policy must ensure the business does not use personal information for direct marketing purposes, unless an exception is satisfied; and takes steps before disclosing information to overseas recipients to ensure they do not breach the APPs – and this includes outsourcing operations and cloud computing.
The 2014 amendments to the Privacy Act also imposed new obligations on most businesses that defer payment for goods or services on terms of seven days or more regardless of annual turnover.
“Some key obligations for affected businesses include ensuring that your business has an up-to-date policy on your handling of credit information and that the policy is easily accessible and contains information about a number of mandatory matters,” Mr Sweeney said. “And notifying individuals of certain credit information handling matters before collecting their credit information.”
Mr Sweeney said until last year, privacy compliance was seen by many businesses as a toothless tiger.
“However, given the significant penalties that are now on the cards for non-compliance, businesses should ensure that they are aware of their obligations under the Privacy Act and make positive steps towards complying with their obligations or face hefty penalties.”