Privacy Act changes: What your start-up must know

Start-ups are being warned to consider changes to the Privacy Act to avoid unwittingly exposing themselves to massive fines in the crucial set-up phase.

 

You could be forgiven for thinking “What changes?” in response to this. So, what does your business need to know when it comes to privacy?

 

The Federal Government says changes to the Privacy Act will better protect people’s personal information, simplify credit reporting arrangements and give new enforcement powers to the Privacy Commissioner.

 

The bill was introduced in May and, if enacted, the changes will represent the most significant developments in privacy reform since the Privacy Act was introduced in 1988.

 

Attorney-General Nicola Roxon says the new privacy laws give power back to consumers over how organisations use their personal information.

 

“In an online world, we are sharing our personal information more than ever before – whether that be paying our bills online, buying some footy tickets for the weekend, or connecting with friends and family through social media.”

 

“Both consumers and governments have a role to play to protect privacy. In introducing these changes, the Gillard government is doing its bit to protect the privacy of Australian families,” Roxon says.

 

Telstra avoids a fine

 

Luckily for Telstra, fines aren’t yet being imposed on businesses that breach the Privacy Act. In June this year, the telco was slapped on the wrist for uploading 734,000 customers’ details online in December 2011.

 

The Australian Privacy Commissioner, Timothy Pilgrim, says a database containing the details of customers with a range of Telstra services was made accessible via a link on the internet.

 

The database contained information such as customer names, phone numbers, order numbers and, in a very limited number of cases, dates of birth, driver’s licence and credit card numbers.

 

Had the proposed Privacy Act reforms been in place, Telstra could have incurred massive fines for this breach.

 

Pilgrim says the Privacy Act could soon give him the power to impose penalties or seek enforceable undertakings from organisations he has investigated under his own initiative.

 

In fact, the amendments could see fines as high as $1.1 million imposed on businesses.

“Privacy law reforms that are currently before Parliament will provide me with additional powers and remedies when conducting such investigations,” Pilgrim says.

 

The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 is currently before Federal Parliament and is subject to review by the House Standing Committee on Social Policy and Legal Affairs, and the Senate Legal and Constitutional Affairs Legislation Committee.

 

Reports on the bill from these committees are due to be released in August and September this year.

 

A legal perspective

 

Legal experts agree that the changes to the Privacy Act would have major ramifications for Australian businesses.

 

Firstly, it would grant the Australian Information Commissioner new powers to pursue large fines for companies found to have engaged in serious or repeated breaches of an individual’s privacy, according to James Deady, senior associate in intellectual property and technology for Melbourne law firm Hall & Wilcox.

 

Direct marketers and firms that rely on offshore data storage, including cloud storage, should be especially conscious of the changes, Deady says.

 

“Companies that engage in direct marketing should be particularly cautious, as the bill contains significant restrictions on the use of personal information for direct marketing purposes.”

 

“As well as increasing penalties and investigative powers, the amendments will place a greater onus on companies to secure customer information, particularly if that information is transferred overseas.”

 

“For instance, if an Australian company sends customer data offshore to a third-party storage provider, and that provider on-sells the information, or it is hacked, under the new law, the Australian company could be liable for the privacy breach,” he says.
