On 12 March 2014, the manner in which businesses across Australia can legally deal with their customers’ personal information, such as taking a customer’s details when responding to a quote enquiry, changed dramatically.
The reforms to the Privacy Act 1988 (Cth) (‘Privacy Act’) significantly impact even the most basic practices in your business.
If your business fails to comply with these changes, you may face penalties of up to $1.7 million.
What are the changes?
The reforms introduced thirteen Australian Privacy Principles (‘APPs’) which cover the management, use, quality, access and correction of personal information. The APPs replace the former National Privacy Principles.
Each and every day, you will no doubt have contact with a customer’s personal information, such as their name, phone number, residential address and email address. The reforms now impose greater restrictions on when and how you may collect, use, disclose and store this information.
If your terms of payment are more than seven (7) days, you may also be caught by the revised credit reporting provisions. These provisions impose extra requirements on how you must deal with your customers’ account information.
In addition, if you provide credit card facilities, you will need to comply with the Payment Card Industry Data Security Standard. This is another ‘can of worms,’ so to speak, in relation to which we shall provide an update shortly.
How will the changes affect my business?
The reforms which are likely to apply to your business are as follows:
- Your business is required to take proactive steps to implement practices and procedures to appropriately manage the personal information you collect. This involves training your staff on the terms of your privacy and credit information management policies and establishing internal procedures to manage privacy risks. For example, when you collect personal information from a customer (such as when taking their details over the phone), your staff are required to advise them of certain matters, including why you are collecting their information, whether the collection is required or authorised by law, and where they can access your privacy and credit information management policies.
- You are only permitted to collect information from a customer that is reasonably necessary for you to provide them with your services. For example, you may not require a person’s date of birth to carry out work for them. Asking for this information may therefore constitute a breach of the Privacy Act. In contrast, it may be necessary to collect the person’s email address to provide them with a quote and this collection will therefore be permitted.
- Once you have collected personal information from an individual, you may only use the information for the purpose for which it was collected. For example, the information you have collected from a customer to provide them with a written quote may only be used to do that, unless you have the customer’s consent.
- Direct marketing is prohibited unless you satisfy an exception.
- Another significant change relates to disclosing information to overseas recipients. If, through cloud software, email backups or any other means, you will disclose personal information to an overseas entity, you are required to make sure the overseas recipient, such as the cloud backup provider, does not breach the Privacy Principles. If the overseas entity does breach the Principles, your business may be responsible for their breach.
Please contact us on 1800 922 609.