In today's digital age, data breaches are common, and no matter how careful you are you may not be able to avoid them completely. What you can do is reduce your exposure as much as possible and, just as importantly, do everything in your power to comply with Australia's data privacy laws. That way, even if personal information held by your company is breached, you are in a far stronger legal position, which in turn limits the damage to your reputation.
What is data privacy law in Australia
The Privacy Act 1988 (Cth) protects the privacy of individuals and governs how Australian Government agencies and most private sector organisations with an annual turnover of more than $3 million handle personal information. Organisations and agencies covered by the Act are collectively referred to as "APP entities", because they must comply with the 13 Australian Privacy Principles (APPs) set out in the Act. The APPs regulate:
- the collection, use and disclosure of personal information,
- how an organisation or agency governs the personal information it holds and its accountability for that information,
- the integrity and correction of personal information, and
- the rights of individuals to access their personal information.
The Australian Privacy Principles are principles-based law rather than a prescriptive checklist. An organisation or agency therefore has some liberty to decide how it will handle personal information and to tailor its practices to its clients' needs and its own business model. The principles are also technology-neutral, so they continue to apply as technologies evolve.
What do Australian startups need to know about data privacy laws
You do not need to talk to a business lawyer in Melbourne to understand that non-compliance with data privacy laws can have serious consequences for you and your business. It is therefore imperative that you understand these laws before you start your venture.
What is considered as “personal information”
Under the Privacy Act, "personal information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true and whether or not it is recorded in material form. Information that does not identify a person on its own, but can be combined with other information to identify them, also falls into this category. Depending on the context, this may include a person's name, date of birth, phone number, bank account details or commentary about a person, and, in the age of big data, may also include information such as a person's web browsing history or online purchases.
Organisations the Privacy Act applies to
- an individual, including a sole trader (though generally, the Privacy Act doesn’t apply to an individual acting in a personal capacity),
- a body corporate,
- a partnership,
- any other unincorporated association, or
- a trust;
unless they are a small business operator (annual turnover of $3 million or less), a registered political party, a state or territory authority or a prescribed instrumentality of a state.
Particularly, start-ups that undertake the following activities will need to comply with the Privacy Act:
- collect Know Your Customer information to comply with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006,
- participate in Australia’s credit reporting system (for example, providing a consumer credit report),
- provide health services (such as a product or service that tracks and holds health data), and/or
- trade in personal information (for example, by buying or selling it).
Any small business lawyer in Melbourne will encourage you to learn about data privacy law from the beginning and to design your policies accordingly, even if your start-up is not covered by the Act today. Your business may grow past the $3 million threshold, which is surely your aim, or one of the following may happen as the business develops:
- You may be an app developer who does not collect personal information in the first version of your app, but a later version may need to collect personal information, or even trade in it.
- Your start-up may be acquired by a larger organisation whose annual turnover exceeds the $3 million threshold.
What you, as the boss, need to know about your company’s data privacy
Prevention is always better than cure; it will save you a great deal of hassle and money in the long run compared with hiring business lawyers in Melbourne and fighting lengthy lawsuits. So rather than waiting for a data breach to occur or for someone to sue your company, learn how to protect yourself now. The first step is to understand how data flows into and out of your company, so that you can keep track of each flow.
Know your own business first
Whatever stage of development your start-up is in, you need to know the basics of what data your business uses and how it processes that data before you can plan to protect it:
- What product/service you work with
- Which countries you are operating in
- Your current and target audience
- Methods you use for marketing
Conducting a data audit
Any business lawyer in Melbourne will suggest that you first identify every channel through which you collect information that falls under the definition of "personal information" above, so that you can audit each of them.
Check every possible inbound source:
- Emails and mail from customers, employees, and other businesses,
- Web forms,
- Server logs,
- Analytics logs,
- Third parties,
- Market research.
Then learn what kinds of personal data you have been collecting:
- Email addresses,
- Phone numbers,
- Shipping addresses,
- ID numbers,
- Login credentials,
- IP addresses,
- Website usage data (e.g. heatmaps),
- Internet activity,
- Location data, and
- Sensitive data about people's:
  - Biometrics (e.g. fingerprints, photos),
  - Physical appearance,
  - Political or philosophical beliefs or affiliation,
  - Union membership, and
  - Health data.
Now it is time to understand your purpose for collecting and/or storing this data:
- Maintaining lists:
  - Customer lists,
  - Mailing lists,
  - Marketing lists,
  - Invoicing lists, and/or
  - Payroll lists;
- Sending email:
  - Marketing email,
  - Transactional email, and/or
  - Internal communications;
- Behavioural monitoring:
  - Targeting ads,
  - Website analytics,
  - Conversion optimization, and/or
  - A/B testing;
- Providing core services,
- Improving website/app functionality,
- Maintaining security,
- Recruitment and selection,
- Shipping products, and/or
- Taking payments.
Further, you need to know where your company stores the data:
- Hard drives,
- USB devices,
- Cloud storages,
- Filing cabinets,
- Desk drawers,
- In-trays and out-trays, and/or
- Mail rooms.
Finally, learn about the outbound recipients of "personal data" from your company:
- Marketing companies:
  - Behavioural advertising companies,
  - Direct email marketing companies, and
  - Conversion optimization companies;
- Web servers;
- SaaS (software as a service) providers:
  - Email hosts,
  - Analytics companies,
  - Cloud storage companies,
  - Database companies, and
  - Online word processing tools;
- Payroll or accounting companies,
- Payment processors,
- Government agencies, and
- Other customers.
If you map your data flows in this organised manner, you can control and supervise each of them, which both reduces the risk of a data breach and leaves you prepared if you ever face a legal issue.
What do you need to do to comply with the Data Privacy Law
Now that you know how to keep track of your data, you need to know how to stay compliant with the Privacy Act so that you stay out of trouble. However complicated the procedure may sound, it is not that big a job. There are a few things you need to do early in the life of your business, and you will be well placed.
Be transparent from the beginning
Under the Privacy Act, privacy is about openness and transparency in how you manage personal information, not about secrecy. So make sure you tell your customers, at every reasonable opportunity, how you collect and process their personal information and how you keep it safe; in practice this means a clearly written, up-to-date privacy policy and collection notices at the point where information is gathered.
Establish your users' rights over their personal data:
- The Privacy Act requires you to give individuals access to the personal information you hold about them on request. This is subject to exceptions, for example where giving access would pose a serious threat to the life, health or safety of any individual, or would have an unreasonable impact on the privacy of other individuals.
- Individuals can also request that you correct any inaccurate, out-of-date or incomplete information you hold about them.
- The Privacy Act does not give individuals a general "right to be forgotten". It does, however, require you to destroy or de-identify personal information once you no longer need it for any purpose for which you may use or disclose it, unless the information is in a Commonwealth record or you are required by law or a court or tribunal order to retain it.
The Privacy Act requires you to obtain consent where you want to handle personal information in a way the individual would not reasonably expect. For example, collecting sensitive information, using or disclosing personal information for a purpose other than the one it was collected for, using cookies or similar identifiers for targeted advertising, and certain direct marketing will often require consent.
It is very important that you never assume consent. Consent should be given through an affirmative action, in a specific and unambiguous way, and freely, not under duress. The request should also explain clearly what the consent means for the customer's personal information. Moreover, consent should be as easy to withdraw as it was to give. When in doubt, learn about the rules on consent from expert small business lawyers in Melbourne.
Store minimum data
The Privacy Act requires you to collect only the personal information that is reasonably necessary for your functions or activities, and to tell individuals the purpose of the collection. It also requires you to destroy or de-identify personal information once you no longer need it for any purpose for which you may use or disclose it. As stated earlier, this does not apply to information in a Commonwealth record or information you are legally required to retain.
Beware of cross-border disclosure
If your business requires you to disclose personal information to an overseas recipient, it is your responsibility to take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles, and you may remain accountable for their handling of the information. Exceptions apply where, for example, the recipient is bound by a law or binding scheme that protects the information in a substantially similar way and the individual can enforce it, the individual has given informed consent, or the disclosure is required by Australian law or an international agreement.
Secure your data
As long as you hold any personal information, the privacy law obligates you to take reasonable steps to protect it from misuse, interference, loss or unauthorized access, modification, or disclosure.
What happens if you don’t comply with data privacy laws in Australia
The Australian government takes non-compliance with data privacy laws very seriously. Significant penalties can be imposed for non-compliance; at the time this article was written, the regulator could seek a civil penalty of up to $2.1 million for serious or repeated interferences with privacy, and amendments in December 2022 raised that maximum for body corporates to the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover. Regulatory actions are also made public, so your company's reputation may be permanently damaged if you face an issue like this.
If you have just started your business and are still a small start-up, privacy compliance may not be among your priorities yet; you may be more interested in attracting investors and increasing profits. However, if you have read this article carefully, you will understand how serious an issue this is, and that being caught in non-compliance at any point in the future could cost you years of hard work and much of what your business earns. Planning ahead keeps you ahead of others, and privacy compliance is no different. You will need guidance both to keep yourself safe and to get out of trouble quickly if it arises, so it is essential to be in touch with experienced and certified professional business lawyers in Melbourne from early in the life of the business.