It’s been over six months since COVID-19 disrupted the day-to-day operations of businesses in Australia. As we near the end of 2020, many businesses have fast-tracked digitalisation across their business models and activities, pivoted to new goods and service offerings, moved business operations and interactions online, distributed their workforce, and implemented COVID-tracing capabilities. However, while the nation rushed to adapt to the demands of a global pandemic on a technological level, maintaining compliance with the corresponding or newly enlivened privacy obligations fell by the wayside for many Australian businesses. This article sets out three privacy law ‘must haves’ that Australian businesses should have covered before Christmas.
1. PRIVACY POLICY, PRIVACY COLLECTION STATEMENT AND DESIGNATED PRIVACY OFFICER
Businesses that have moved from dealing anonymously with people in a physical setting to dealing with them through digital or online service delivery, which collects personal information into online databases, may not be aware that their privacy obligations may have changed. Businesses that collect personal information and have an annual turnover of more than $3 million (in any financial year since the 01/02 financial year), or that meet particular criteria under the Privacy Act 1988 (Cth) (Privacy Act), are required to comply with the Privacy Act, including by having a compliant privacy policy and privacy collection statement that are accessible via their website or app.
Our recommendation: Assess whether you are now collecting personal information from customers or end users and meet the criteria of requiring a privacy policy and privacy collection statement under the Privacy Act. If you do, ensure you have these documents drafted professionally and make them available on your website or app. While it may be tempting to simply cut and paste these documents from another business’s website, it is important that these documents are drafted specifically to reflect how your business is handling personal information. If you publish a policy that is not accurate for your business, you risk engaging in misleading and deceptive conduct, as well as breaching your obligations under the Privacy Act. For e-commerce platforms, we recommend including a link to the documents prior to purchase, with a check box for customers to tick stating they have read and understand your privacy policy.
While private businesses are not required to have a designated privacy officer, appointing someone responsible for privacy compliance, staff training, handling privacy queries, and responding to data breaches is recommended as best practice to show your business is committed to privacy compliance.
2. COMPLIANT COVID TRACING COLLECTION PROCESSES
Certain businesses are now required to collect contact information from staff and customers as part of the Australian Government’s COVID-19 tracing initiative. Businesses need to be aware that, if the Privacy Act applies, collecting more information than is necessary, using it for other purposes, or failing to protect it adequately may lead to breaches of privacy obligations and, consequently, financial penalties.
Our recommendation: You should only collect the personal information that is required for tracing purposes. In Queensland, for example, this is a person’s name, phone number, email address, and the date and time of their visit. You must provide people with a compliant privacy collection statement before collecting the information, and once collected, the information must be securely stored, with access restricted to only those staff who need to see it. When collecting information, ensure that one person’s details cannot be viewed by other customers; for example, do not leave an unmonitored sign-in form or tablet at the front of your store or premises. Best practice for collecting personal information via a hard-copy form is to have each customer complete an individual blank template sheet and hand it to your staff for secure storage. For collection via tablet, have the screen clear automatically after each customer has submitted the required information. Once the personal information is no longer necessary, as prescribed by law, it must be deleted. You should not use the information collected for any other purpose, such as adding people to your marketing list. The information should only be provided to the relevant health authorities who conduct contact tracing, and only if they request it.
3. DATA BREACH RESPONSE PLAN
Businesses with digital records, online operations, and employees working remotely are at greater risk of data breaches. It is important to be able to promptly contain, assess, and respond to any data breaches to help mitigate the risk of harm to individuals and to comply with the mandatory data breach notification scheme under the Privacy Act. A data breach response plan is an important tool in this regard.
A data breach response plan covers what constitutes a notifiable data breach, the processes to follow in containing, assessing and responding to a data breach, the roles and responsibilities of staff and external resources when a breach occurs, and templates for the notification process. Businesses that do not have adequate staff training and policies around privacy obligations (including a data breach response plan) may have difficulty showing that they comply with their obligations under the Privacy Act to implement practices, procedures and systems that ensure compliance and enable responses to inquiries and complaints.
Our recommendation: If your business is now collecting data, particularly personal information, we recommend developing a data breach response plan and implementing this within your organisation along with robust staff training, to ensure you can manage cybersecurity threats in a constructive way.