In the age of ‘Big Data’, will your business be compliant with the Privacy Act come 22 February 2018?

We’re all beginning to understand that data is critical to decision making and as the age of ‘Big Data’ draws closer, the ability to collect and store information on individuals is becoming increasingly important. Businesses seeking to capitalise on the value of this information may not realise that obtaining it comes with obligations to protect it, as well as restrictions on its use.  This is particularly relevant in the health sphere. Organisations that collect information relating to an individual’s health need to appreciate that this is classified as ‘sensitive information’ and its collection, use and storage is regulated by the Privacy Act 1988 (‘Privacy Act’).

Traditionally our health information has been held by doctors, dentists, specialists and (for those of us that frequent the gym) personal trainers.  The transition to electronic records by these providers has not been quick, and many offices still store this data physically. Those businesses now face challenges in securing physical and electronic documents in accordance with the Privacy Act.

At the same time, advances in technology and the increasing popularity of corporate wellness programs mean that organisations outside the traditional spectrum of health information collectors may find themselves subject to the stringent legislative requirements that apply to sensitive information. Such organisations will need to implement a privacy policy specific to their business and will take on new obligations under the Privacy Act.

Privacy Policy and Privacy Statements

Traditional health providers that have collected sensitive information since the introduction of the Australian Privacy Principles (APPs) in the Privacy Act are likely to be familiar with the obligations surrounding the collection, access, storage and use of health information.  However, in our experience, businesses which have not traditionally collected health information may not be aware of the requirements under the APPs, and may not have a readily accessible and tailored privacy policy for their business.

As individuals become increasingly conscious of the collection and use of their personal information, a Privacy Policy is an important tool by which a company can inform an individual of how their information will be collected, stored and used. Because this notification is required at the time the personal information is collected, a contemporaneous Privacy Statement is often used in conjunction with a Privacy Policy. These documents are usually drafted broadly so that a business can meet the requirement to use the information only for the purpose for which it was collected.

Notifiable Data Breaches Scheme

Even if you’re complying with the Privacy Act in relation to the collection, storage and use of personal information, the introduction of the Notifiable Data Breaches scheme on 22 February 2018 will change the way in which all organisations governed by the Privacy Act handle personal information and implement data security.

From 22 February 2018, all businesses governed by the Privacy Act will be required to notify individuals where there has been an actual or suspected data breach that is likely to cause serious harm to the individual. The business may also be required to notify the Office of the Australian Information Commissioner (OAIC) of the data breach.

Having to publicly report a data breach is never a good look, and organisations are no doubt aware of the reputational impact this could have on their business. A Data Breach Policy could be the answer to mitigating this reputational risk.

Data Breach Policy

In assisting businesses, especially in the health sphere, to prepare their Data Breach Policies, we have identified that implementing a policy will:

  1. ensure compliance with the requirements under the Notifiable Data Breaches scheme in the Privacy Act;
  2. formalise internal processes to ensure that all suspected or actual data breaches are identified and appropriate action is taken to ensure that similar breaches do not occur in the future;
  3. appropriately identify delegation and reporting channels to ensure that breaches are dealt with in a timely manner; and
  4. reduce the need to seek legal advice in relation to minor data breaches.

By addressing data breaches in a timely manner, the risk of an individual suffering serious harm from the data breach is reduced, and in turn the likelihood of serious reputational risk to the business from having to notify the public and the OAIC is mitigated.

If you’d like assistance in analysing how the Privacy Act and Australian Privacy Principles apply to your business or in understanding the impact of the Notifiable Data Breaches scheme to your business, please contact Rebecca Halkett or Gerry Cawson.