There is less than a month to go before the Australian Privacy Act amendments come into effect on 12 March with serious fines for companies and individuals who breach the Act.
Under the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, Australian Privacy Commissioner Timothy Pilgrim will be able to seek civil penalties of up to $340,000 for individuals and up to $1.7 million for companies in the case of a serious privacy breach.
Pilgrim has publicly stated that he will not be taking a “softly, softly” approach when it comes to privacy investigations.
Audits of Australian government agencies, tax file number recipients, credit reporting agencies and credit providers will be extended to include private sector companies.
These audits will determine if companies are handling personal information in accordance with the Australian Privacy Principles (APPs).
So what can companies do to stay on the right side of the Privacy Act and the APPs?
Hitachi Data Systems Asia Pacific CTO Adrian De Luca provided some tips during a Google Hangout discussion this week.
“The four-step process that we have identified is to conduct an audit of the information you currently have,” he said.
“After agreeing that the organisation needs to have a privacy practice, you need to understand the scope [of the data] you are dealing with.”
This is because APP 1 covers the open and transparent management of personal information.
According to De Luca, data analytics technology could assist with collating information held about individuals.
“Organisations have become bamboozled by the amount of information they find that is applicable to the Act. Using technology to automate these processes and identify key data when you may be subject to an audit is critical.”
Thirdly, he said that all organisations should invest in data privacy training so there is a culture of compliance amongst employees.
“It does not just come down to the risk manager but a lot of different staff who are dealing with data on a daily basis.” For example, this would cover staff that send out e-news or marketing material to customers.
Australian Privacy Principle 7 (APP 7) states that organisations may only use or disclose personal information for direct marketing purposes in particular circumstances.
Generally, this will be where the individual has a reasonable expectation that their information will be used for direct marketing or where the individual has consented to their information being used for this purpose.
In addition, organisations must give people a simple means to opt-out of receiving further communications.
Fourthly, De Luca suggested that companies appoint a member of staff who can act as part-time privacy officer.
“That doesn’t need to be a dedicated role but someone who is continuing to look at the Act and assess the impact of newer information that is being collected.”
Follow Hamish Barwick on Twitter: @HamishBarwick