From 12 March, a new set of privacy principles regarding the handling of personal information came into effect. These are the Australian Privacy Principles. The big changes relate to how businesses handle, use, and store personal information and engage in direct marketing. These are the largest reforms to privacy law in more than 10 years. If your business is affected, you need to comply or face the legal consequences.
Do privacy laws apply to my business?
Your business will be affected by the changes to the privacy laws if you handle personal information and either generate more than $3 million in annual turnover, or generate less than $3 million but fit under a second set of criteria. Of this second set of criteria, the one most likely to affect small businesses is “trading in personal information”.
Does your business trade in personal information?
Many small businesses trade in personal information. This is information that identifies, or could reasonably identify, an individual. This includes names, addresses, dates of birth and bank account details.
Trading in personal information includes collecting or providing personal information to a third party for a benefit, service or advantage. Are you collecting personal information then providing it to a business to manage your direct marketing? Are you using customer data to cross-sell products from a partner business? If so, you may be trading in personal information.
What are the key reforms?
The other big change is that there are fines under the new laws for serious or repeated breaches of the Privacy Act. Companies face fines of up to $1.7 million; sole traders and entities that are not companies face fines of up to $340,000. These fines are a strong incentive to comply with privacy laws.
How do I comply?
How do the changes affect direct marketing?
You can use personal information for direct marketing if your business collected it, you disclose that you may use it for direct marketing and you provide a way for people to unsubscribe.
What if the personal information was provided to you by a third party? You can use it for direct marketing if the individual consented to that use, and you provide a way for people to unsubscribe. The third party who collected the information needs to obtain consent.
What rights does an individual have?
These are clear and obvious. You need to give individuals the right to access their personal information and correct out-of-date or incorrect information. You need a process to deal with complaints about your compliance with the Australian Privacy Principles. If you send direct marketing material, you need to give each individual a way to opt out.
To wrap up
Ursula Hogben is the co-founder and legal practice director of LegalVision ILP, an online business legal services provider. This information is a summary and general overview. It is not intended to be comprehensive and it is not legal advice.