Complying with Australian Privacy Laws
If you are a business owner who wants to comply with Australian Privacy laws then we have created this guide to provide you with some useful basic information on what is required of you and whether you need to comply with them. Please beware that we are not legal professionals and the below shall not constitute as legal advice.
Background – Privacy Laws in Australia: 1998 to 2022
Due to the increase of crime related to hacking and exploitation of personal information, countries around the globe have made stricter regulations to protect the private information of consumers. Since 1998 (The Privacy Act 1988), Australia had privacy laws in place. Since that years, Australia has had difficulties with implementing Privacy Laws, a problem that persists across many countries around the globe.
To enforce Privacy Laws and verify businesses understand keeping the customers information safe is a critical demand, Australia has adapted its Privacy Laws especially in the parts that have to do with enforcement, and now Australian businesses must fully comply with its requirements in order to avoid fines and/or sanctions.
Corporations can be fined up to A$2.2m if they make repeated non-compliance offenses (source).
What Your Business is Required To Do
In order to learn more about how your business should be following Australian Privacy Laws, consider starting here at Office of Australian Information Commissioner.
We did not want to modify it so we just took it “as-is” to show the 13 principles of Anti Privacy Law.
Open and transparent management of personal information
Anonymity and pseudonymity
Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.
Collection of solicited personal information
Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of sensitive information.
Dealing with unsolicited personal information
Outlines how APP entities must deal with unsolicited personal information.
Notification of the collection of personal information
Outlines when and in what circumstances an APP entity that collects personal information must tell an individual about certain matters.
Use or disclosure of personal information
Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
Cross-border disclosure of personal information
Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
Adoption, use or disclosure of government related identifiers
Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.
Quality of personal information
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
Security of personal information
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
Access to personal information
Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
Correction of personal information
Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.
One of the most stringent requirements is that every entity has an up-to-date policy that is accessible for all, showing how personal information is managed by the entity. Additionally, there are strict requirements to only gather personal information that is reasonably necessary for the scope of the entity’s business. This clause is targeted towards not allowing companies to sell personal information for a profit that is not even required within their business scope.
Does My Business Need to Comply With Privacy Laws
In order to learn what is required of you, it is wise to look over a checklist set out by the Australian government. Examples from the checklist are as follows:
“Does your business handle personal information?” If the answer is “No” to this question, then the Australian Privacy Laws do not apply to you. If the answer is “Yes,” then you must continue by answering “Whether your small business had an annual turnover of more than $3,000,000 AUD in any financial year since 2002? If the answer is “Yes,” then you must comply with the Australian Privacy Laws.”
There are a lot of stipulations like certain sectors that must comply with the Anti Privacy Law (in spite of not meeting the minimal threshold).
Criticism About Australia’s “Double Standards”
A new law passed Feb 2022 is forcing the arms of businesses to hand out customer information even if it’s protected by cryptography (source). This new law is showing double standards for Australia’s government forcing businesses to encrypt customer data but keep it “accessible” for law enforcement agencies.
How Consumers Can Improve Their Privacy Online
- Do not disclose personal information
- Do not use easy passwords based on names/dates/events in your life
- Do not provide too many information on public platforms such as social media
- Do not blindly accept cookies on websites, read privacy policies before you sign up with any service
- Use a VPN which is known to enhance cybersecurity online
Final Remarks on the Subject
There have been many scandals in the media in recent years on a global scale related to the personal information of consumers either being hacked into or exploited for profit by major companies. In an effort to stop such practices and encourage firms to invest in the proper cyber security protocols governments have made policies to protect consumer’s private information. Australia has been trying to define its Privacy Laws for some time, but now has an effective checklist for business owners to be able to read and verify that their business operations are complying.
Hopefully, these measures will have a positive effect on business practices to shift the unethical practice of not protecting consumer’s information not only in Australia, but in countries around the globe in future years. As hackers become more talented, it will be essential for both governments and companies to ensure that their data protection protocols are structured and ultimately, effective.