Are you keeping your clients’ data safe? If not, what are the consequences?
In the past month, both Westpac and the Australian National University’s databases were reported as having been breached. The ANU released a report in June 2019 which said its database had been illegally accessed in late 2018 and the intrusion was only detected a couple of weeks prior to the release of the report. Similarly, Westpac announced in June 2019 that its PayID feature had been hacked.
The internet is a huge part of everyday operations for many Australians, individuals, businesses and organisations alike. People use the internet for a range of tasks and activities such as banking, shopping, booking flights and communicating with others. Australian Bureau of Statistics results show that 87% of Australians were internet users in 2016/2017. Additionally, just under 80% of those people use the internet for banking, almost 75% make purchases online and about 35% use the internet as a source of formal education.
Considering that so much of our lives is conducted online, it is important that we consider how to keep our confidential information safe. This is particularly relevant for businesses, which hold not only their own information on their databases but also that of their clients. For example, when ANU was hacked, the personal information of its staff and students spanning back 19 years was compromised.
If you are a business owner, you may want to read this article to make sure you’re covered in the unfortunate event of a data breach.
There are 13 National Privacy Principles (NPPs) which regulate how businesses should handle private information. These can be found in Schedule 1 of the Privacy Act 1988 (Cth). Not all businesses are covered by the Privacy Act. If you are unsure whether it applies to you, it is best to check with a legal professional as to which businesses are covered.
The NPPs cover the following issues:
- open and transparent management of personal information;
- anonymity and pseudonymity;
- collection of solicited personal information;
- dealing with unsolicited personal information;
- notification of the collection of personal information;
- use or disclosure of personal information;
- direct marketing;
- cross-border disclosure of personal information;
- adoption, use or disclosure of government-related identifiers;
- quality of personal information;
- security of personal information;
- access to personal information; and
- correction of personal information.
Open and transparent management of personal information
Anonymity and pseudonymity
This principle requires that individuals must have the option of not identifying themselves, or of using a pseudonym.
Collection of solicited personal information
Under this principle, a business is only entitled to collect information that is ‘reasonably necessary’ to perform its functions. Entities also cannot collect sensitive information about individuals without the individual’s consent.
Dealing with unsolicited personal information
If an entity receives personal information about an individual which is unsolicited, they must either destroy the information or de-identify it, so long as it is lawful and reasonable to do so.
Notification of the collection of personal information
As soon as practicable after an entity collects a person’s personal information, it must inform that individual of:
- the entity’s identity and contact details;
- that the entity has the information (this applies if they received it from a person other than the individual);
- the purpose for which they have collected the information;
- any other body/person to which the entity usually discloses such information.
Please note that this list is not exhaustive and there are other things that the entity is required to disclose. For assistance, please contact Lynn & Brown Lawyers.
Use or disclosure of personal information
This provision stipulates that if an entity collects personal information for a particular purpose, it cannot use that information for another purpose.
Direct marketing
An entity cannot use the personal information it has collected for the purpose of direct marketing.
Cross-border disclosure of personal information
If an entity is going to disclose personal information to a person/body who is overseas, the entity must first take all reasonable steps to ensure that the third person/body complies with Australian privacy laws.
Adoption, use or disclosure of government-related identifiers
Entities cannot use government-related identifiers for individuals as their own identifier of the individual. This applies unless the adoption of a government-related identifier is required by law.
Quality of personal information
This principle makes it a requirement that entities take all reasonable steps to ensure that the information they have collected about individuals is up-to-date and accurate.
Security of personal information
Entities are required to take all reasonable steps to ensure any personal information they hold is safe from misuse, interference, loss and unauthorised access, disclosure and modification. From the recent examples of Westpac and ANU, we know that data breaches are still possible, even if an entity has taken all reasonable steps to protect the personal information it holds. Since 2018, it has been mandatory for entities to notify the Office of the Australian Information Commissioner and all affected individuals if they suspect they have been the subject of a data breach.
Access to personal information
If an individual asks for personal information that the entity holds in relation to them, the entity must provide it, subject to some exceptions.
Correction of personal information
If an entity suspects that the personal information they hold is inaccurate or out-of-date, or if an individual asks them to update the information, they must update it. If the entity has disclosed that information to another person/body in the past, they must notify that person/body of the update.
About the authors:
This article has been co-authored by Chelsea McNeill and Steven Brown at Lynn & Brown Lawyers. Chelsea is in her fourth year of studying Law at Murdoch University. Steven is a Perth lawyer and director, and has over 20 years’ experience in legal practice and practices in commercial law, dispute resolution and estate planning.