I’m a small-business owner – do I need to protect my customers’ personal information?
In recent years, some really scary cyber attacks have made headlines in Australia, because they have compromised people’s privacy. You’ve probably had to change your passwords as a result of one of them.
When I’m banking online, signing up for workshops, using social media and myriad other online activities, I expect that my personal details will be protected. Your customers, suppliers and the other people you deal with in your business have the same expectations.
In Australia, the Privacy Act 1988 (Cth) regulates what Australian organisations can do with “personal information”. Broadly speaking, personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. That covers things like names, email addresses, phone numbers and bank details.
So, if your business collects any of this information, which it almost certainly does, then you should be giving some thought to privacy and data security.
Does the Privacy Act apply to me?
If your annual turnover is more than $3 million, then you must comply with the Privacy Act.
If your turnover is less than $3 million but you sometimes deal with personal information in the course of your business, you may still be required to comply with the Act (for example, if you provide a health service, trade in personal information or provide services under a Commonwealth contract). The Office of the Australian Information Commissioner (OAIC for short) has a handy checklist that you can follow to work out if this applies to you.
Even if you don’t fall into either of these categories, if your business collects any personal information you should consider “opting in” to compliance with the Privacy Act.
Even if you don’t formally opt in, protecting your clients’ information just makes good business sense.
Do privacy breaches really happen?
Yes. The OAIC dealt with 976 reportable data breaches in the 2021 financial year. Those are the more serious ones – breaches that are likely to result in serious harm and so must be notified under the Notifiable Data Breaches scheme. There are plenty happening every single day that aren’t notifiable.
So what – should I care?
The Australian Cyber Security Centre gathers information about cyber incidents in Australia. ACSC reports that self-reported losses from cybercrime exceeded $33 billion in the 2021 financial year. Yes, you read that correctly, $33 billion!
Those are the direct losses that businesses reported. The costs to your brand and reputation from loss of customer confidence can’t be measured.
Plus, if the Privacy Act applies to your business and you mishandle personal information about someone you deal with (for example, by disclosing it without authority or failing to keep it secure), that person is entitled to complain to the OAIC. There are some hefty fines in the Privacy Act for serious or repeated interferences with privacy. Under reforms the government has proposed, the maximum penalty is set to rise to $10 million.
What do I need to do to comply?
If the Privacy Act applies to your organisation, you must observe the Australian Privacy Principles (often called the APPs).
There are 13 APPs. Among other things, they govern:
- collection, use and disclosure of personal information;
- security of personal information – you must take reasonable steps to protect it from misuse, interference, loss and unauthorised access, modification or disclosure; and
- rights of individuals to access and correct their personal information.
The APPs also require you to have a clearly expressed and up-to-date privacy policy. It should set out:
- who you are (i.e. your business name and ABN);
- what information you collect;
- how you collect and store information;
- how you’ll use and disclose information; and
- who your customers can talk to if they’re worried about the integrity and security of their information.
What is the difference between “private” and “confidential”?
The Privacy Act regulates the collection, storage and protection of personal information. Confidentiality relates to all information, whether personal or not. Typically, you will find confidentiality obligations in the contracts that you enter into with your clients and suppliers rather than in legislation. These are separate to your obligations to comply with the Privacy Act.