Changes to privacy laws and what it means for your business
Recent data breaches have sparked action by the Australian Government to review and implement changes surrounding the handling, use, and management of personal data. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (‘the Bill’) aims to increase penalties for privacy breaches and to provide new powers to the relevant authorities.
Does the Privacy Act 1988 (Cth) apply to your business?
The Privacy Act applies to businesses with an annual turnover of more than $3 million, as well as some other specified businesses. Your annual turnover includes all income from all sources, such as the sale of goods and/or services, lease or hiring income, rental income, interest and other operating income.
Even if your business has an annual turnover of $3 million or less, your business may still need to comply with the Privacy Act if you are a:
- health service provider, including gyms, weight loss clinics, and child care centres;
- business that trades in personal information;
- contractor providing services under a contract with the Commonwealth;
- credit reporting body;
- operator of a residential tenancy database;
- business that conducts Protected Action Ballots;
- business that has opted in to be covered by the Act.
Obligations under the Privacy Act
If the Privacy Act applies to your business, you must comply with the Australian Privacy Principles (‘APP’) on how to handle, use and manage personal information. ‘Personal information’ is information or an opinion about an identified individual, or an individual who is reasonably identifiable, regardless of whether or not the opinion is true, and regardless of whether the information or opinion is recorded.
The Bill does not propose to make any changes to the APP; however, your business should ensure it complies with these principles. We have discussed some below.
Security of personal information
Under the APP, your business must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification, or disclosure. What is considered ‘reasonable steps’ depends on the circumstances, such as the nature of your entity, the amount and sensitivity of the personal information held, and the potential consequences for an individual if the data was breached.
Changes to the Notifiable Data Breaches scheme
If the Privacy Act applies to your business, you must comply with the Notifiable Data Breaches scheme (‘NDB scheme’), which deals with notification requirements in the event of data breaches. A data breach occurs when personal information is lost or subjected to unauthorised access or disclosure.
Under the NDB scheme, when a data breach is likely to result in serious harm to the affected individuals, your business must take reasonable steps to notify affected individuals and the
Changes to the kind of information to be reported
Under the current NDB scheme, you must prepare a statement for the Office of the Australian Information Commissioner (‘OAIC’) setting out the ‘kind or kinds of information concerned’ in the data breach. The Bill proposes to amend the content of the statement to include the ‘particular kind or kinds of information concerned’. This means that instead of reporting that ‘contact information’ was involved in a data breach, you would specify the kind of contact information involved, such as the phone number or email address.
The CCIWA Commercial Law Team can advise you on how to meet your obligations under the privacy laws or how the Bill may impact your business. Please contact the CCIWA Commercial Law Team at BusinessLawWA@cciwa.com or call (08) 9365 7560 to discuss further.