Data breaches are big news, but don’t forget the privacy basics
From February 2018 onward, the notifiable data breaches (NDB) regime introduced new obligations for Australian government agencies and private sector organisations that were already subject to the Privacy Act 1988 (Cth).
Following the commencement of the NDB regime, the OAIC directed its efforts to promoting awareness of the regime’s requirements and the common causes of data breaches, together with the improvement of data breach management practices. Overall, the OAIC focused on providing support to regulated entities to assist them to comply with their notification obligations.
Earlier this year, the OAIC indicated that it would transition to a new phase in its regulatory approach to the NDB regime, including by exercising its enforcement powers where necessary.
Data breaches have attracted strong interest from the media, which has meant that in many cases, organisations that have experienced a data breach have become the focus of high-profile news stories. This has led to raised awareness of privacy rights and issues amongst consumers.
However, the NDB regime is just one part of the privacy framework in Australia. The Australian Privacy Principles (APPs) tend to receive less attention – from the media, consumers and from regulated entities.
In discussing privacy issues with our clients, we often find that the NDB regime is front of mind, while focus on the requirements of the APPs may have faded over time.
For example, APP 7 deals with direct marketing, a strategy that many organisations use to some degree. (The concept of direct marketing includes traditional methods of contact such as mail and telephone, but can also extend to activities such as displaying targeted advertisements on a social media platform that an individual is logged into.)
Where APP 7 allows an organisation to use personal information for direct marketing purposes, the consumer must be provided with a means by which they may easily request not to receive any further direct marketing communications. All direct marketing must include a prominent statement that the consumer may make such a request, or otherwise draw the consumer’s attention to this fact.
In reviewing samples of direct marketing material, we have found a lack of awareness around the requirements of APP 7. The same can be said of the requirements of APP 10, which revolves around taking reasonable steps to ensure that personal information is accurate, up to date and complete. Here, there can be a tendency to retain all personal information, regardless of whether it meets these criteria. We have recommended clients take the following steps as set out in the OAIC’s guidance on APP 10:
- consistently noting on records when the personal information was collected and the point in time to which it relates;
- ensuring updated or new personal information is promptly added to relevant existing records; or
- reminding individuals to update their personal information (especially if there has been a lengthy period of time since the last contact).
One service we offer our clients to help get a handle on all of these issues is a privacy review. We scope each review according to the client’s instructions, but because the APPs have broad coverage across a regulated business, they make a good starting point.
Our privacy reviews typically consist of a day or half day of interviews with key staff, together with a document review. This type of exercise brings a fresh set of eyes to established practices, with the aim of highlighting potential risk areas.
Author: Zoe Higgins, Special Counsel