Co-authored by Olivia Camilleri

Appropriately handling consumers' personal information (information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not it is true or recorded in a material form) and keeping it safe is critical for businesses in this digital age.

With the release of the Privacy Act Review Report, data protection and privacy must be at the forefront of businesses' minds.

Ahead of reforms to Australia's privacy and data protection framework, it's timely to reinforce how organisations can protect consumers' personal information and mitigate privacy risks. This article reviews the legal requirements set out in the Privacy Act 1988 (Cth) (Privacy Act), discusses why protecting consumers' personal information is important, and provides our top tips on how to protect it.

The Privacy Act

The Privacy Act protects consumers' rights to privacy by regulating how Australian government agencies and organisations handle personal information. Entities covered by the Act are called "APP entities". Under Australian Privacy Principle 11 (APP 11), an APP entity that holds personal information must take such steps as are reasonable in the circumstances to protect it from misuse, interference and loss, and from unauthorised access, modification or disclosure. (Section 20Q of the Privacy Act imposes the equivalent obligation on credit reporting bodies in respect of credit reporting information.) In general, an organisation with an annual turnover of more than $3 million is an APP entity and must comply with the Privacy Act.

Section 6D of the Privacy Act defines a "small business" as one with an annual turnover of $3 million or less, and small business operators are generally exempt from the Act. However, there are exceptions. Under section 6D(4), a business that would otherwise be a small business is not exempt if it:

  • Provides a health service and holds health information;
  • Discloses personal information to anyone else for a benefit, service or advantage, or provides a benefit, service or advantage to collect personal information (in other words, trades in personal information), other than with the consent of the individual concerned;
  • Is a contracted service provider for a Commonwealth contract; or
  • Is a credit reporting body.

The 13 Principles

Schedule 1 of the Privacy Act sets out the 13 Australian Privacy Principles (APPs). The APPs provide the framework that APP entities must follow to comply with the Privacy Act, and cover the following:

  1. Open and transparent management of personal information
  2. Anonymity and pseudonymity
  3. Collection of solicited personal information
  4. Dealing with unsolicited personal information
  5. Notification of the collection of personal information
  6. Use or disclosure of personal information
  7. Direct marketing
  8. Cross-border disclosure of personal information
  9. Adoption, use or disclosure of government related identifiers
  10. Quality of personal information
  11. Security of personal information
  12. Access to personal information
  13. Correction of personal information.

It's crucial that businesses covered by the Privacy Act apply these principles in practice, not just on paper.

Reporting breaches of personal data

Part IIIC of the Privacy Act establishes the Notifiable Data Breaches (NDB) scheme. The scheme applies to "eligible data breaches": unauthorised access to, unauthorised disclosure of, or loss of personal information that a reasonable person would conclude is likely to result in serious harm to any of the individuals concerned, where remedial action has not prevented that harm. If an entity suspects an eligible data breach may have occurred, it must carry out a reasonable and expeditious assessment, to be completed within 30 days. Where it is aware that there are reasonable grounds to believe an eligible data breach has occurred, it must, as soon as practicable, prepare a statement about the breach for the Office of the Australian Information Commissioner (OAIC) (section 26WK) and notify the individuals at risk of serious harm (section 26WL). Not every breach of personal information is notifiable, but every suspected breach must be assessed.

Why is it important to protect personal information?

Protecting personal information is critical to safeguarding consumers' rights and confidentiality, and to maintaining trust in your organisation. Recent data breaches at major companies emphasise the importance of building robust protection for personal information, and show the impact a loss of consumer confidence can have on a business. The 2022 Optus cyber attack demonstrated this: the personal information of approximately 10 million current and former customers was compromised. Medibank and Woolworths also experienced data breaches in 2022 that resulted in the disclosure of customers' personal information.

Because data breaches are carried out remotely, those responsible are shielded by a layer of anonymity, which makes identifying and prosecuting cyber criminals difficult. It is therefore highly likely that cyber criminals will continue to target businesses, emphasising the need for businesses to comply with the Privacy Act and establish strong procedures to protect personal information.

Top five tips to protect personal information

1. Limit the quantity of personal information your organisation accumulates

Only collect personal information that is reasonably necessary for your functions or activities. Where it is necessary, collect it directly from the individual concerned unless it is unreasonable or impracticable to do so. Take reasonable steps to securely destroy or de-identify personal information that you no longer need for any purpose for which it may be used or disclosed under the APPs (APP 11.2). Information you do not hold cannot be breached.

2. Secure the personal information you hold

Make sure the personal information your business holds is protected by security controls appropriate to its sensitivity and the harm that would result from a breach. Take reasonable steps to protect it from misuse, interference and loss, and from unauthorised access, modification or disclosure (APP 11.1). This covers information in transit, at rest, and held by third-party providers on your behalf.

3. Establish robust processes and procedures surrounding the protection of personal information

Establish, implement and regularly review your business's processes, practices and policies for handling personal information, including a data breach response plan that reflects the NDB scheme. Don't forget to train your team!

4. Limit access to personal information

Restrict access to personal information to staff who need it to do their jobs, and remove that access when it is no longer required. Access that is broader than necessary increases both the likelihood and the scale of a breach.

5. Create a Privacy Policy

If your business is covered by the Privacy Act, ensure you have a clearly expressed and up-to-date privacy policy, as APP 1 requires. A strong privacy policy demonstrates transparency in how personal information is handled and builds trust, credibility and corporate responsibility. The OAIC sets out what an organisation or agency's privacy policy must disclose to consumers, including:

  • The name and contact details of the organisation/agency
  • The type of personal information they collect and store
  • How personal information is collected and where it is stored
  • Their reasons for collecting personal information
  • How personal information will be used and disclosed
  • How consumers can access their personal information and correct/amend their information
  • How consumers can lodge a complaint if they feel their information has been mishandled and how their complaint will be dealt with by the organisation
  • If the organisation is likely to disclose personal information to overseas recipients, the countries in which those recipients are likely to be located (if it is practicable to specify them).

Businesses should treat the above as a checklist to ensure their privacy policy is adequately detailed and informs consumers.

Four key takeaways:

  1. The Privacy Act holds businesses accountable for protecting the personal information they hold.
  2. Cyber criminals have obtained large quantities of personal information by breaching major corporations' systems and will likely continue to do so.
  3. Successful data breaches hinder consumers' confidence in organisations.
  4. Businesses should seek to implement robust procedures and policies to adequately comply with the Privacy Act and protect personal information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.