On the 12th of March, a new set of privacy rules came into play that cover the use of sensitive data for consumers.
For business, you’ll need to sit up and take notice. You’ll need to be aware of new responsibilities and be prepared to communicate to your consumers, clients and contacts.
The laws regulate the handling and use of personal information by Australian government agencies and some private sector organisations. Replacing two acts; the Information Privacy Principles and the National Privacy Principles, the new act Australian Privacy Principles (APP) controls the way that information is accessed, used, stored and distributed by businesses and organisations.
The APP addresses;
- What information is collected
- How information must be protected
- What to do with unnecessary personal data
- How to handle sharing data with third parties and overseas entities
- When personal information is permitted to be used for direct marketing
Essentially, the privacy rights of the consumer have been increased. This has created a greater obligation for businesses and organisations to keep this information confidential.
Are you a business owner? Your obligations…
The following addresses key areas in which the new privacy rules could affect the way you handle your customer’s information. Some of the new regulations differ between businesses and organisations.
Don’t be caught out or it could be very costly –
– Use your website – you need to include information about how your customer’s sensitive data is being used. Outlining these two points – Why is the data needed? How will it be used? Tick these off after you have addressed them. You may like to create a new page solely dedicated to this or add it to an existing area of your site.
– Send the message– you must make sure the individual knows if their information may be shared with third parties or overseas entities. Use a carrier pigeon if you must!
– Aussie rules– if you do plan on engaging with overseas entities, you must be able to confidently say that the entity complies with Australian standards of privacy. If not, clearly outline the difference.
– Keep it relevant– everybody has sensitive information, including you! This means you should only request the most important and relevant sensitive information, hold on the additional extras.
– Clear the clutter – look over the information you currently hold on all individuals. If you don’t need it, destroy it.
– Use protection– ensure that the public cannot access this information and that it will be difficult for it to be subject to a security breach.
– Be indirect – no personal information can be used for direct marketing. The only exception to this is where the customer has been directly contacted and asked if their information may be used. Individuals must also be given the opportunity to opt out of direct mail.
– Access granted- individuals are allowed to access the information they have provided. Upon request, you must provide this information within 30 days if you’re a business. If you’re an organisation, you must provide this information within a reasonable time period.
– For business – the only exception to providing requested information from customers is if it breaches the “Freedom of Information act” or other government acts.
– For an organisation– access to personal information can be refused if it will put other individual’s private information at risk or cause prejudice towards the business.
– If you flat out refuse – if you do refuse an individual access to their information, you need to write to them explaining why it has been refused and how they can appeal the refusal.
– Birds-eye-view – providing customers with a restricted view of their information is a good way to go about things if you have refused their request for viewing.
– Be transparent– being transparent about your intentions relating to how you will use that data is essential. This needs to include how it will be used and what they can do to request access or changes to their personal information.
We advise that businesses and organisations make this a top priority. Breaches of the new act can incur civil fines of up to $1.7 million for companies and $340,000 for individuals. For further information on the act, click here.