Your Obligations for Customers’ Personal Information
As a business, you may have obligations under the Privacy Act regarding how you handle your customers’ and employees’ information.
Here’s your guide to understanding your obligations on managing a customer’s personal information.
Which businesses have responsibilities under the Privacy Act?
The Office of the Australian Information Commissioner (OAIC) details which type of businesses the act covers. It refers to ‘organisations with an annual turnover more than $3 million have responsibilities under the Privacy Act, subject to some exceptions’.
Even if you are a small business with an annual turnover of $3m you may still have obligations under the Privacy act, such as if you:
Even if you are a small business with an annual turnover of $3m you may still have obligations under the Privacy act, such as if you:
- Buy or sell personal information
- Are a contracted service provider for an Australian Government contract
- Are a private health service provider including traditional or complementary health, gym, weight-loss clinic, child-care centre, and private education
- Are a residential tenancy database operator
- Are a credit provider or credit reporting body
- Are a business accredited under the Consumer Data Right System
- Are a business that has opted into the Privacy Act
- Are a business related to one covered by the Privacy Act
- Are a business prescribed by the Privacy Regulation 2013.
What constitutes personal information?
Under the Privacy Act, personal information can be relatively broad and depend on whether a person can be identified or reasonably identified in a scenario. The act does not apply to the personal data of people who have died.
The OAIC says personal information can include:
- Someone’s name, address, phone number, date of birth, or signature
- Photographs
- Employee record information
- Internet protocol address
- Voice print and facial recognition biometrics
- Geographical location information from a mobile device.
The Federal Attorney-General’s department has been reviewing the Privacy Act 1988. It’s looking to broaden the definition of personal information to include identifiers, location data, online identifiers, and other technical details typically used in digital advertising programs. Fines and enforcement powers are also expected to increase, with the maximum penalty to hit $10 million.
Check this official website for updates on the review. You might also be interested in this government website about digital identity for business owners.
How to protect customer PI
If you’re a business to which the Privacy Act applies, here’s how to protect your customers’ information, according to the OAIC. (It’s also good practice to follow even if the act doesn’t apply to you).
- Review your company’s internal privacy policies, processes, and procedures (including responding to a breach) to ensure they’re fit for purpose and the data is held securely
- Assign a senior manager to have overall accountability for how your business handles privacy. They’ll need to deal with access and correction requests and inquiries about your practice
- Build privacy considerations into project planning, mainly if it involves new or changed personal information handling practices (here’s a guide to doing a privacy impact assessment)
- Collect only the personal information you need now, not for later. Legally it would help if you let people interact anonymously with your business in most cases
- Use and disclose personal information (internally or externally) only for the primary purpose under which it was given unless the individual has consented otherwise, if reasonable to do otherwise or legal to do so
- Get savvy about disclosing personal information overseas – recipients of the data must comply with the Australian Privacy Principles.
If the personal information your business holds is breached – accessed, lost, or disclosed without authorisation – you’ll need to report those (if eligible) to the Privacy Commissioner and affected individuals. Find out more about notifiable data breaches here.
Have the right insurance in place
Depending on your business activities and risks the following insurance cover may be appropriate:
- Cyber liability
- Management liability
- Legal expenses
We can customise insurance options that suit your unique business.