Tougher penalties for privacy breaches

The Government has recently announced its intention to reform Australia’s privacy law regime and increase the penalties applicable to entities that breach their obligations under the Privacy Act.

The proposal involves bolstering the resources and powers of the Office of the Australian Information Commissioner (OAIC), and many commentators expect this may herald a more aggressive stance from the OAIC as it monitors the compliance of entities subject to the Privacy Act.

The amendments that are proposed include:

• an increase to the maximum penalty for serious and repeated breaches to the highest of: $10 million; three times the value of any benefit obtained through the misuse of the personal information; or 10% of the entity’s annual domestic turnover;

• new power for the OAIC to issue infringement notices relating to minor breaches with fines of up to $63,000 for companies and $12,600 for individuals;

• new power for the OAIC to publicise specific breaches and to notify individuals who are affected;

• an obligation for social media and online platform companies to cease using or disclosing the personal information of individuals upon their request; and

• certain additional rules to protect the personal information of children and other vulnerable groups.

The amendments are scheduled for consultation in the second half of this year. If passed, the tougher penalties together with OAIC’s new power to publicise specific breaches may significantly increase the financial and reputational risks of failing to comply with your privacy obligations.

The Government’s announcement serves as an important reminder for all entities subject to the Privacy Act to ensure appropriate information-handling measures, systems and processes are in place.

At Motus Legal, we have assisted many of our clients in complying with their privacy obligations. Get in touch with us if we can help you too.

Quick refresher on privacy and "small businesses"

The Australian Privacy Principles (APPs) contain many obligations and requirements as to how "APP Entities" collect, hold, use and disclose personal information. An APP Entity is any organisation (whether a sole trader, company, partnership or trust) that is not a "Small Business Operator" - that is, any organisation with annual turnover of $3 million or more.

However, even if your organisation is a "Small Business Operator" with annual turnover of less than $3 million, do not assume the APPs don't apply to you. There are a number of exceptions to the Small Business Operator rule, which may require your organisation to comply with the APPs.

For example, if your organisation has less than $3 million annual turnover but provides health services and holds "health information" about an individual (other than in an employee record), then your organisation must comply with the APPs. "Health information" includes any personal information about:

• the health or disability of an individual at any time (whether physical or mental);

• a health service provided to or requested by an individual; or

• other information collected to provide, or in providing, a health service.

"Health information" is interpreted broadly. For example, the records of fitness clubs relating to individuals will fall within this exception, and therefore such fitness clubs must comply with the APPs regardless of whether they are Small Business Operators with less than $3 million annual turnover.

Another example where your organisation may be required to comply with the APPs (regardless of whether it has less than $3 million annual turnover) is where your organisation discloses personal information about individuals to receive a benefit or advantage, or to provide a service. This also applies to organisations that provide a benefit, service or advantage in order to collect personal information about an individual from anyone else. Organisations caught by this include those that sell lists of personal information to another entity so that the other entity can use it for direct marketing.

However, a Small Business Operator will not be required to comply with the APPs for trading in personal information if the Small Business Operator does so with the consent of the individuals concerned. Whether satisfactory consent has been obtained from the relevant individuals for this exception to apply then becomes critical to get right.

As you can see, whether your business is bound by the APPs is not simply a matter of whether or not your organisation exceeds an annual turnover of $3 million. At Motus Legal, we have advised many of our clients on privacy matters and compliance with the APPs, including specifically in the health sector.

Get in touch with us at Motus Legal to find out how the Australian Privacy Principles apply to your business.