It’s been more than 18 months since the Privacy Act 2020 came into force. Now is the time to make sure that your business is complying with its obligations under the new legislation.
Whether it’s customer details or staff files, it’s likely your business keeps some private information on file. Breaches or careless handling of private information may cause your customers to lose confidence in you or your brand, and your reputation may be damaged.
Who does the act apply to?
The purpose of the Privacy Act 2020 is to make sure personal information is kept safe and secure. Any person or business that collects, uses and stores personal information has obligations under the act.
You must:
• Only collect the information needed for business purposes, such as name and contact details.
• Tell people how, when and why you are collecting their information. This includes using cookies on your website.
• Tell people what will happen if they don’t give you their personal information.
• Keep personal information safe.
• Only use the information if you are reasonably sure it’s accurate and up to date.
• Let people see their information and correct any mistakes.
You must not:
• Ask for more information than needed.
• Let personal information be leaked, hacked or otherwise obtained by anyone who is not authorised to have it.
• Keep information longer than you need it – or are legally required to keep it.
• Pass on someone’s details without their permission.
• Send personal information overseas without checking if it will be protected.
If you breach any of these obligations, even accidentally, a customer or an employee may make a complaint under the act.
Storage & disposal of information
You should follow the same protocols as you do to protect all your business systems and data. This means keeping any private information stored online safe from breaches or hackers. It also means doing whatever you reasonably can to protect any paper files or documents.
How you safeguard personal information depends on the sorts of information you collect. The Privacy Act requires you to protect information in ways that are reasonable, given the circumstances. The more sensitive the information, the more measures you will need to take to protect it.
Make sure you hold and use personal information safely and securely and dispose of it securely when you have finished with it. Security includes having good policies and training your staff to handle information properly. Give some thought to how you can ensure that your records are kept secure, for example:
• Do you need a locked cabinet for physical documents?
• Who has access to it?
• What kind of password protection or encryption for electronic documents or equipment should you use?
• Can you see who has accessed confidential electronic files, and when they did it?
• If you have an e-commerce website, are payments secure?
• Is the software holding or processing the information up to date to protect it against vulnerabilities?
Privacy officers
All businesses, regardless of size, must by law appoint a privacy officer. You don’t need to hire a new staff member because it can become part of an existing employee’s role. A privacy officer should be the person most familiar with how personal information should be handled. This might be a manager or the person dealing with human resources or customer information. If something goes wrong, the privacy officer can help sort out complaints quickly, thoroughly and without unnecessary expense.
The duties of a privacy officer include:
• Developing good policies for handling personal information that suit your business’s needs;
• Handling queries or complaints about privacy from customers or employees;
• Alerting you to any risks to personal information such as cyber attacks;
• Liaising with the Office of the Privacy Commissioner (“the OPC”) if necessary.
Privacy breaches
A privacy breach is any unauthorised or accidental access to, or disclosure, alteration, loss or destruction of, personal information. It also includes a situation where a business or organisation is prevented from accessing information, either temporarily or permanently.
Discuss with your staff what to do if there’s a serious privacy breach by talking through potential scenarios so that they know what steps to take. You must report serious breaches to the OPC by phone, by e-mail or through its online tool, NotifyUs. If a business or organisation has a privacy breach that has caused serious harm to someone, or is likely to do so, the OPC must be notified as soon as possible. The business or organisation should also notify those affected.