During Privacy Awareness Week 2019, Australian businesses are reminded that they are entrusted with certain responsibilities pursuant to the Privacy Act 1988 (Cth) (Privacy Act), in particular in the way they collect, store and disclose the personal information of their customers.
Privacy compliance for Australian businesses is an ever-increasing corporate governance priority. The last couple of years have seen a number of changes in both the local and global arena, with the introduction of the Notifiable Data Breach Scheme, the implementation of the EU General Data Protection Regulation (GDPR) and the on-again, off-again implementation of My Health Record.
My Health Record
Clearly the My Health Record implementation has been controversial, and data protection has been a key consideration for the government. Nonetheless, this should be a trigger for those businesses operating in the health service industry to review their privacy compliance. Most health service entities will likely need to amend their privacy policies as, at the very least, they will need to advise customers of changes to how they share data, including their practice of uploading information to a customer's My Health Record.
Reminder to Australian businesses
We remind business owners that all Australian entities are required to comply with the Australian Privacy Principles (APPs) unless they meet the small business exemption. However, even if they do meet that exemption, there are exceptions. The two most common we see are entities which have contracts with the Commonwealth Government and businesses in the health services industries, neither of which can rely on the small business exemption.
Even those businesses which are exempt from complying with the APPs are reminded that they may have contractual obligations to comply with, obligations under the GDPR (if they hold personal information of EU citizens and residents), and may also need to provide information about their data handling to meet their customers' expectations.
Cyber-attacks and data breaches
This year we have seen quarterly reports from the Office of the Australian Information Commissioner (OAIC) about data breach notifications. Sixty percent of these breaches resulted from malicious or criminal attacks on entities. Often overlooked by clients recovering from a cyber-attack is that the attack may have given rise to an obligation to report a breach to the OAIC. Our lawyers have dealt with a number of matters where clients wished to seek damages against their IT service providers following a cyber security event without realising that the event may have constituted a notifiable data breach.
Further information on Australian privacy compliance
Dundas Lawyers assists its clients with a range of privacy related services including:
- conducting privacy audits;
- drafting privacy policies;
- drafting and advising on sufficiency of data breach response plans;
- assessing whether notification is required following a data breach; and
- advice following a data breach.