Commercial Law: Are you keeping your clients’ safe?

Are you keeping your clients’ data safe? If not, what are the consequences?

In the past month, both Westpac and the Australian National University’s databases were reported as being breached. The ANU released a report on June 2019 which said their database had been illegally accessed in late 2018 and only detected a couple of weeks prior to the release of the report. Similarly, Westpac announced on June 2019 that their Pay ID feature had been hacked.

The internet is a huge part of everyday operations for many Australians – both individuals, businesses and organisations. People use the internet for a range of tasks and activities such as banking, shopping, booking flights and communicating with others. Australian Bureau of Statistics results show that 87% of Australians were internet users in 2016/2017. Additionally, just under 80% of those people use the internet for banking, almost 75% make purchases online and about 35% use the internet as a source of formal education.

Considering so much of our lives are conducted online, it is important that we consider how to keep our confidential information safe. This is particularly relevant for businesses who not only have their own personal information on their databases, but also that of their clients. For example, when ANU was hacked, the personal information of its staff and students spanning back 19 years was compromised.

If you are a business owner, you may want to read this article to make sure you’re covered in the unfortunate event of a data breach.

There are 13 National Privacy Principles (NPP’s) which regulate how businesses should handle private information. These can be found in Schedule 1 of the Privacy Act 1988 (Cth). Not all businesses are covered by the Privacy Act. If you are unsure whether it applies to you, it is best to check with a legal professional as to what businesses are covered.

The NPP’s cover the following issues:

• open and transparent management of personal information;
• anonymity and pseudonymity;
• collection of solicited personal information;
• dealing with unsolicited personal information;
• notification of the collection of personal information;
• use or disclosure of personal information;
• direct marketing;
• cross-border disclosure of personal information;
• adoption, use or disclosure of government related identifiers;
• quality of personal information;
• security of personal information;
• access to personal information; and
• correction of personal information.

1. Open and transparent management of personal information
   

   Businesses must have a clear and up-to-date policy relating to the management of personal information that it holds. Businesses must also have a procedure which enables them to deal with enquiries or complaints about their compliance with the Australian Privacy Principles. The Privacy Act lists a number of things that must be included in an entity’s privacy policy, including but not limited to the kinds of personal information it collects, the purposes for which it holds the information and how an individual may access that information. If you do not have a privacy policy or haven’t reviewed it for a while, the team at Lynn & Brown Lawyers can help you create a new policy or amend an existing one to make sure your business complies with the law.

2. Anonymity and pseudonymity
   

   This principles requires that individuals must have the option of not identifying themselves, or of using a pseudonym.

    

3. Collection of solicited personal information
   

   Under this principle, a business is only entitled to collect information that is ‘reasonably necessary’ to complete their functions. Entities also cannot collect sensitive information about individuals without the individual’s consent.

4. Dealing with unsolicited personal information
   

   If an entity receives personal information about an individual which is unsolicited, they must either destroy the information or de-identify it, so long as it is lawful and reasonable to do so.

5. Notification of the collection of personal information
   

   As soon as practicable after an entity collect a person’s personal information, they must inform that individual of:

• the entity’s identity and contact details;
• that the entity has the information (this applies if they received it from a person other than the individual);
• the purpose for which they have collected the information;
• any other body/person to which the entity usually discloses such information.

Please note that this list is not exclusive and there are other things that the entity it required to disclose. For assistance, please contact Lynn & Brown Lawyers.

6. Use or disclosure of personal information
   

   This provision stipulates that if an entity collects personal information for a particular purpose, it cannot use that information for another purpose.

7. Direct marketing
   

   An entity cannot use the personal information it has collected for the purpose of direct marketing.

8. Cross-border disclosure of personal information
   

   If an entity is going to disclose person information to a person/body who is overseas, the entity must first take all reasonable steps to ensure that the third person/body complies with Australian privacy laws.

9. Adoption, use or disclosure of government related identifiers
   

   Entities cannot use government-related identifiers for individuals as their own identifier of the individual. This applies unless the adoption of a government-related identifier is required by law.

10. Quality of personal information
    

    This principle makes it a requirement that entities take all reasonable steps to ensure that the information they have collected about individuals is up-to-date and accurate.

11. Security of personal information
    

    Entities are required to take all reasonable steps to ensure any personal information they hold is safe from misuse, interference, loss and unauthorised access, disclosure and modification. From the recent examples of Westpac and ANU, we know that data breaches are still possible, even if an entity has taken all reasonable steps to protect the personal information they hold. As of 2018, it is now mandatory for entities to notify the Office of the Australian Information Commissioner and all affected individuals if they suspect they have been the subject of a data breach.

12. Access to personal information
    

    If an individual asks for personal information that the entity holds in relation to them, the entity must provide it, subject to some exceptions.

13. Correction of personal information
    

    If an entity suspects that the personal information they hold is inaccurate or out-of-date, or if an individual asks them to update the information, they must update it. If the entity has disclosed that information to another person/body in the past, they must notify that person/body of the update.

The principles described above are just a brief outline of what is required of businesses in regards to collecting and holding personal information. If you are unsure about whether your business is covered by the Privacy Act, whether it has an up-to-date and valid privacy policy or whether it complies with the abovementioned principles, do not hesitate to contact Lynn & Brown Lawyers for expert assistance.

About the authors:

This article has been co-authored by Chelsea McNeill and Steven Brown at Lynn & Brown Lawyers.  Chelsea is in her fourth year of studying Law at Murdoch University.  Steven is a Perth lawyer and director, and has over 20 years’ experience in legal practice and practices in commercial law, dispute resolution and estate planning.