Insight 6 December 2020

Privacy ‘must haves’ in a digitalised and data-heavy post-COVID economy

It’s been over six months since COVID-19 disrupted the day-to-day operations of businesses in Australia.  As we near the end of 2020, many businesses have fast-tracked digitalisation across their business models and activities, pivoted to new goods and service offerings, moved business operations and interactions online, distributed their workforce, and implemented COVID-tracing capabilities.  As the nation rushed to adapt to the demands of a global pandemic on a technological level, however, maintaining compliance with the corresponding or newly enlivened privacy obligations fell by the wayside for many Australian businesses.  This article sets out three privacy law ‘must haves’ Australian businesses should have covered before Christmas.


1. PRIVACY POLICY, PRIVACY COLLECTION STATEMENT AND DESIGNATED PRIVACY OFFICER

Businesses that have moved from dealing anonymously with people in a physical setting to dealing with them through digital or online service delivery that stores personal information in online databases may not be aware that their privacy obligations may have changed.  Businesses that collect personal information and have an annual turnover of more than $3 million (in any financial year since the 01/02 financial year), or that meet particular criteria under the Privacy Act 1988 (Cth) (Privacy Act), are required to comply with the Privacy Act, including by having a compliant privacy policy and privacy collection statement, which should be accessible via their website or app.

Our recommendation: Assess whether you are now collecting personal information from customers or end users and whether you meet the criteria that require a privacy policy and privacy collection statement under the Privacy Act.  If you do, ensure these documents are drafted professionally and made available on your website or app.  While it may be tempting to simply cut and paste these documents from another business’s website, it is important that they are drafted specifically to reflect how your business actually handles personal information.  If you publish a policy that is not accurate for your business, you risk engaging in misleading and deceptive conduct, as well as breaching your obligations under the Privacy Act.  For e-commerce platforms, we recommend including a link to the documents prior to purchase, with a check box for customers to tick confirming they have read and understand your privacy policy.

While private businesses are not required to have a designated privacy officer, appointing someone responsible for privacy compliance, staff training, handling privacy queries, and responding to data breaches is recommended as best practice to show your business is committed to privacy compliance.


2. COMPLIANT COVID TRACING COLLECTION PROCESSES

Certain businesses are now required to collect contact information from staff and customers as part of the Australian Government’s COVID-19 tracing initiative.  Businesses need to be aware that, if the Privacy Act applies, collecting more information than is necessary, using it for other purposes, or failing to protect it adequately may lead to breaches of privacy obligations and, consequently, financial penalties.

Our recommendation: You should only collect the personal information that is required to be collected for tracing purposes.  In Queensland, for example, this is a person’s name, phone number, email address, and the date and time of their visit.  You must provide people with a compliant privacy collection statement before collecting the information, and once collected it must be securely stored, with access restricted to only those staff who need to see it.  When collecting information, ensure that one person’s details cannot be viewed by other customers; for example, do not leave an unmonitored sign-in form or tablet at the front of your store or premises.  Best practice for collection via a hard copy form is to have each customer complete an individual blank template sheet and hand it to your staff for secure storage.  For collection via tablet, have the screen clear automatically after each customer has submitted the required information.  Once the personal information is no longer necessary for the period prescribed by law, it must be deleted.  You should not use the information collected for any other purpose, such as adding people to your marketing list.  The information should only be provided to the relevant health authorities who conduct contact tracing, and only if they request it.


3. DATA BREACH RESPONSE PLAN

Businesses with digital records, online operations, and employees working remotely are at greater risk of data breaches.  It is important to be able to promptly contain, assess, and respond to any data breaches to help mitigate the risk of harm to individuals and to comply with the mandatory data breach notification scheme under the Privacy Act.  A data breach response plan is an important tool in this regard.

A data breach response plan covers what constitutes a notifiable data breach, the processes to follow in containing, assessing and responding to a data breach, the roles and responsibilities of staff and external resources when a breach occurs, and templates for the notification process.  Businesses that do not have adequate staff training and policies around privacy obligations (including a data breach response plan) may have difficulty showing they are compliant with their obligation under the Privacy Act to implement practices, procedures and systems that ensure compliance and enable responses to inquiries and complaints.

Our recommendation: If your business is now collecting data, particularly personal information, we recommend developing a data breach response plan and implementing it within your organisation, along with robust staff training, so that you can manage cybersecurity threats in a constructive way.

Special thanks to Jennifer Ashlan, Lawyer, and Lornagh Lomax, Lawyer, for their assistance in putting this article together.


This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.

About the authors

  • Matthew McMillan

    Partner
  • Jake Grant

    Special Counsel


© McCullough Robertson. ABN 42 721 345 951