The Privacy Act has been updated and came into effect 1st December 2020. A lot has changed since the last update in 1993, including the use of the internet as a business tool and to store data. To find out the key changes and what your business should now be taking into consideration.
Privacy Act 2020 comes into effect 1 December 2020
The current privacy laws were last put in place in 1993. A lot has changed since, including the use of the internet as a business tool and to store data. So, the Privacy Act has been updated.
What key changes will there be?
- The revised Act will require businesses to report serious privacy breaches, where there is a risk of harm (such as leaked personal information published online or identity theft), to the Privacy Commissioner and to the individual(s) concerned.
- The Act will enforce penalties of up to $10,000 for certain types of privacy breaches.
- Individuals affected by the breach may also appeal to the Human Rights Review Tribunal, which can award up to $350,000 per person.
What preparation should businesses consider?
- Consider what customer and employee information you collect, how it is stored, how it is used, and which role is responsible for its collection and use.
- Check no personal information is collected that is unnecessary – the less you collect, potentially the lower the risk of a breach.
- Are you sufficiently controlling/limiting who has access to the data, including deleting access from those who no longer need it or have left?
- Do you use secure passwords and two-factor authentication (including for cloud-based data storage)?
- Has any information been copied and/or stored in a variety of places?
- Is data regularly and fully deleted when it is no longer required?
- What process do you have in place with any third-party providers to ensure they are following the right security protocols on your behalf? Is this audited?
- Do you have a sufficiently trained go-to person and policy for managing privacy? Who else might need to know more or have training about privacy requirements?
- How do you know if there has been a breach? Are you monitoring your IT systems and performing regular checks/audits, and are there reporting systems and a response plan (including communications) in place?
Don’t hesitate to let us know if we can assist you with any questions about this, to develop a policy and processes, or to provide some training for identified roles who have a responsibility for privacy management.