The newly-amended Privacy Act has come into force today (12 March) just as it has been reported that Telstra breached the privacy of 15,775 customers when their information became publicly available on the internet last year – through a simple Google Search.
Under the amended Privacy Act businesses will have to be increasingly careful in how they collect, handle and use personal information, and should ensure they have appropriate cyber liability insurance. It seems the change could not have come soon enough. Telstra’s breach occurred between February 2012 and May 2013, and the company has been fined $10,200.
The amended Privacy Act incorporates the newly created Australian Privacy Principles, which provide privacy enhancements for the collection, handling and use of private information by businesses.
Brokers fear that some industries simply are not ready.
Robert Cooper, director of Cooper Professional Risks, told Insurance Business: “I do not believe generally that most people are ready and that is because the guidelines seem to be being written on the run. There are a lot of people unsure about what they are supposed to do and if they should change anything at all. It varies from industry to industry.”
Cooper said the guidelines on the Act are not clear enough and that people may feel they are too busy to examine them thoroughly.
He added: “I think many businesses are sitting back waiting for bits of information from their industry groups, what their friends may be telling them and what they may hear is a breach from someone else while in the meantime continuing on as before.”
If clients fail to heed the advice of brokers, the intermediaries could be left with disputed claims.
“We are advising our clients on an overall general basis to take out statutory liability, either stand-alone or in a management liability policy,” Cooper said. “The trouble is if the insurers believe our client has deliberately ignored making an effort to comply with the laws, we end up having a disputed claim. So the next few months will be interesting.”
Wotton + Kearney explain the main changes. They are:
• restricting the purpose and manner in which personal information can be collected and used by a business, including the requirement that any personal information collected must be reasonably necessary for the business’ functions or activities;
• unless an exemption applies, obtaining the express consent of the individual before collecting any sensitive information;
• taking reasonable steps to notify the relevant individual that their personal information is being collected, and to ensure the personal information being collected is accurate and accessible by the relevant individual; and
• taking reasonable steps to protect any personal information held by the business.
These changes apply to businesses with an annual turnover of $3m or more, and to any prescribed businesses as defined under the Privacy Act, such as those providing health services.
Companies that seriously or repeatedly interfere with privacy, for example by losing data through hacking, could face civil penalties of up to $1.7m for a business and up to $340,000 for an individual.