Media Release | 19 February 2014

Businesses dragging feet on privacy deadline, open to risks

Businesses which fail to prepare for the 12 March ‘go live’ date for the significant reforms to the Federal Privacy Act, including the introduction of the new Australian Privacy Principles (APPs), risk prosecution and a severe penalty regime. Yet many companies aren’t prepared for the changes, according to Hall & Wilcox partner, Alison Baker.

“Failure to comply with the new Privacy Act puts business at serious reputational, legal and financial risk.

“It’s a big change from the previous regime, which was much softer on privacy breaches.”

She said the Australian Information Commissioner had the power to prosecute, with financial penalties of up to $1.7 million for corporations.

“The risks of running afoul of the Privacy Act have increased threefold: there is the reputational risk of enduring a public prosecution; the legal risk of fighting a charge; and possible financial penalties.”

Ms Baker said every business needed a privacy policy to satisfy compliance with the new principles; those with an existing policy will need it amended.

Businesses most at risk include those which engage in direct marketing and those outsourcing to overseas suppliers, with the need to comply with strict requirements under the APPs.

Potential problem areas include ensuring third-party supplier contracts address the new principles and place contractual obligations for privacy compliance on third party suppliers. “Businesses engaging with overseas suppliers need to ensure they have good contracts in place. If they already have a relationship agreement, they should look to enter into data transfer deeds with their overseas suppliers.

“All processes around collecting and storing personal information, as well as access, correction and complaint handling processes, need to be reviewed. This includes destroying or de-identifying personal information when it is no longer needed.”

Key features of the amended Privacy Act are:

The Australian Information Commissioner will be given increased powers to enforce privacy laws.
The 10 National Privacy Principles applicable to the private sector will be replaced with 13 Australian Privacy Principles (which will also apply to the Commonwealth public sector), which will create additional obligations on organisations.
Organisations will need to comply with increased legal obligations regarding overseas disclosure of personal information and direct marketing.
A new and significant penalty scheme will apply to organisations for breaches of the Act (up to $1.7M for corporations).