Will your business comply with the new Australian Privacy Principles?

With 13 new Australian Privacy Principles set to change how businesses handle personal information from March 12, here Aaron Greenman explains how you can avoid a run in with the Office of the Australian Information Commissioner.

The new Australian Privacy Principles (APPs) will replace the existing Information Privacy Principles and National Privacy Principles, and strengthen the privacy regulator’s enforcement powers: the Office of the Australian Information Commissioner will be able to levy penalties of up to $1.7 million and impose enforceable undertakings against non-compliant organisations.

For the first time under Australian information privacy law, businesses have an express obligation to take positive steps to adopt practices and systems to protect personal data in accordance with the APPs. Businesses will be saddled with a raft of new responsibilities, including ensuring they have processes to deal with privacy complaints, making sure they are accountable for personal information disclosed to overseas parties, establishing security measures to prevent information breaches, and many more.

These wide-ranging changes will have a big impact on businesses that collect a lot of personal information such as online businesses, retailers, utilities, healthcare providers, communications companies and most businesses in the finance and insurance sectors.

The Privacy Commissioner has made it clear that he will not shy away from using his new powers and come March 12, companies should not expect a ‘softly, softly’ approach to enforcement. After all, the new rules have been in the public domain for some time and organisations have effectively had 15 months to prepare. 

In view of the regulator’s tough stance, businesses that have not already done so need to take immediate steps to become APP-compliant. Follow the steps below to ensure your business is APP-ready come March 12.

1.   Identify the classes of personal information collected and held. Examples include: contact details, employment history, educational qualifications, racial or ethnic origin, Tax File Numbers, health information.

2.   Identify how such information is collected, held, used and disclosed, and the purposes for which it is collected and used.

3.   Identify the scope of any cross-border disclosures, including, where possible, the countries where recipients are likely to be located.

4.   Review and update procedures and policies for managing the privacy risks at each stage of the lifecycle of this information, including at the time of collection, use, disclosure, storage and destruction.

5.   Implement security systems for protecting the information from misuse, interference, loss and unauthorised disclosure, such as IT systems, internal access controls and audit trails.

6.   Implement procedures for identifying and reporting privacy breaches and for receiving and addressing complaints.

7.   Implement access and correction procedures.

8.   Introduce procedures to give individuals the option of not identifying themselves or of using a pseudonym.

9.   Establish a process to conduct a privacy impact assessment for any new projects where personal information will be handled.

10. Establish governance mechanisms to ensure ongoing compliance with the APPs such as appointing designated privacy officers and regular reporting to the board and management.

Aaron Greenman is Director, IT Security & Privacy, at Protiviti 