If you are doing business in Australia, then you will need to study up on the Federal Privacy Act 1988 and its underlying principles.
Not only does Australia have strict federal guidelines under the Federal Privacy Act 1988 and the Australian Privacy Principles, but each territory has its own patchwork of data protection laws in place as well. If your business is working within the confines of a specific Australian territory, then it makes sense to research the rules for that territory as well. For the uninitiated data security officer, this can be very confusing, so let’s break it down.
Federal Privacy Act 1988 and the Australian Privacy Principles
Essentially, the Privacy Act 1988 is an Australian federal law that regulates how personal information is handled. Australia considers any information or opinion about an individual that can be traced back to that individual to be personal information. A few examples of personally identifiable information (PII) in Australia are an email address, a signature, or a phone number.
There are a total of 13 privacy principles under the Federal Privacy Act 1988, with the sole purpose of making sure businesses are transparent about how they handle and process personal data. If you have already prepared for the GDPR, much of that compliance work will carry over to Australia. There are a few caveats, but the idea is the same: citizens have the right to know what a company is doing with their data.
For the sake of this article, we will not go into each principle in detail. If you want to dive deeper, check out all the policies and thirteen principles in more detail at the Office of the Australian Information Commissioner’s (OAIC) website.
In a nutshell, the principles state that businesses must be transparent about how and why they collect data and must respect a person's anonymity; a person must consent to the collection of personal or sensitive data, and a business should only collect this data under reasonable circumstances. Reasonable circumstances exist, for example, when a business needs personal information on file to provide a service requested by that person. Use common sense here: don’t collect more personal data than you need, and make sure that the data you do collect is protected.
Sensitive Information vs. Personal Information
It’s important to point out, though, that there is a difference between sensitive information and personal information.
Personal information is data that directly identifies a person. As stated above, this could be a phone number, address, full name, or even bank account details.
A few examples of sensitive information would be data on race, ethnicity, political leanings, sexual orientation, and criminal history. Biometric and genetic data fall under this category as well. Sensitive information (or data) has more stringent safeguards under Australia’s Federal Privacy Act 1988 because this type of data can leave an individual more exposed to discrimination.
For more information on the differences and how they are protected under the thirteen Australian Privacy Principles, take a look at Principles 3.1 – 3.7.
Ok, so you’ve covered all your bases when it comes to processing and storing personal data. But data breaches still happen. What do you do if your business is a victim of a data breach?
Under Part IIIC of Australia’s Privacy Act 1988, Australia uses the Notifiable Data Breaches (NDB) scheme. This scheme requires that a business notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of a discovered breach. If a business is not sure whether a specific data breach requires notification, it has the right to conduct an assessment before notifying. You can find more information about what the OAIC requires for data breaches in this guide. The main idea behind the NDB scheme is to hold businesses accountable if they don’t do everything in their power to prevent a breach, or to remedy one when a breach occurs.
Much like the GDPR, a business needs a data breach response plan in order to respond quickly in the unfortunate event of a data breach. And make sure to document everything! Without a paper trail, you may not be able to prove that your business took all necessary precautions, and therefore may not be able to avoid fines. All private sector and non-profit organisations with an annual turnover of more than $3 million, healthcare providers, and some small companies must adequately protect personal and sensitive data.
At the end of the day, if you are doing business in Australia in a way that involves handling personal and sensitive data, the more you know, the better you can prepare your business. Make sure you review as much as possible on the OAIC’s website. And if you aren’t confident in, or able to, adequately protect data on your own, you should hire outside help. There are plenty of resources, from consultants to legal experts, who can help you at each step of the way and mitigate risk.