Law firm LegalVision surveyed 200 Australian SMEs to compile its SME and Online Business Insights Report 2016.
The report revealed that 68 per cent of respondents said they were not aware of the Australian Privacy Principles (APPs), which are official guidelines on how personal information should be maintained.
What are the main legal principles around privacy?
My Business breaks down the 13 APPs listed by the Office of the Australian Information Commissioner:
2. Anonymity and pseudonymity: For matters that don’t necessitate your customers identifying themselves, an option of anonymity or pseudonymity must be given.
3. Collection of solicited personal information: Collect only relevant information that is necessary for the continuation of the business. Any other information must be collected with the consent of the customer, and you must ensure that all information is collected lawfully.
4. Dealing with unsolicited personal information: Make plans to deal with the collection of unsolicited, unnecessary information.
5. Notification of the collection of personal information: When your business collects relevant information, inform the person you collected the information from.
6. Use or disclosure of personal information: Use or disclose personal information only for the purpose that was specified at the time the information was collected.
7. Direct marketing: The information obtained must not be used for direct marketing, such as sending advertisement emails or letters. The exception to this is where there is an option for the customer to opt out or the customer agrees to receive direct marketing.
8. Cross-border disclosure of personal information: If you plan to expand your business overseas, have a plan in place to protect personal information before you disclose it to an overseas recipient.
9. Adoption, use or disclosure of government-related identifiers: Businesses must not create any links to government identifiers or identities, unless authorisation to do so is given.
10. Quality of personal information: If required, make sure personal information is updated to be accurate.
11. Security of personal information: Ensure that wherever personal information is stored, such as a server containing digital records or a box containing letters, it is secured to the best of your ability.
12. Access to personal information: If requested by a customer, access to the information held about that customer must be given.
13. Correction of personal information: If requested by a customer, information held about that customer must be updated.
What happens if these rules are breached?
According to the Federal Register of Legislation website, if a breach of any of these 13 APPs is reported to the Information Commissioner, an investigation can take place. The evidence from that investigation can then be presented to an appropriate government agency officer or a relevant government minister.
In addition to the legal ramifications of privacy breaches, LegalVision suggests that if personal information is not adequately protected, businesses can also suffer significant financial losses by way of bad publicity.
The SME and Online Business Insights Report 2016 drew similar conclusions to an investigation in August into ALM, the parent company of the dating website Ashley Madison, which was hacked in July 2015. That investigation found that ALM lacked risk management procedures, and highlighted the importance of having plans in place to manage personal information.
“Having documented security policies and procedures is a basic security safeguard, particularly for [a business] holding significant amounts of personal information,” the report said.
The Australian Information Commissioner Timothy Pilgrim said this example “offers important lessons to any businesses relying on personal information as part of their business model”.