Know your business data privacy obligations?
Key facts and risks to consider
Businesses will need to reassess how they handle personal data in response to the Federal Government’s intended changes to privacy laws amid rising cyber crime and data breach incidents. Company boards and directors face increased financial penalties if their business is found to have failed to adequately secure customer details – or not disposed of them once no longer needed.
The regulatory framework is likely to place more responsibility on businesses to prevent or remediate harm caused by the misuse of their customers’ personal information, and greater consequences for not securing it appropriately, The Sydney Morning Herald reports.
The ability for businesses to gather non-essential personal information is also likely to be curtailed, along with the period of time it can legitimately be retained without being anonymised.
Those people whose personal information has been collected have the right to know what information is being held and demand that it’s properly secured and protected against misuse. The Privacy Act 1988 requires businesses to disclose to the person concerned what type of personal information is being collected, the methodology involved and the purpose.
What are Australian business’s data privacy obligations under the Australian Privacy Act?
The Privacy Act contains Australian Privacy Principles governing standards, rights and obligations. These regulate the way businesses collect, store, provide access to, use and disclose personal information, and the right for customers to access personal information and correct errors.
All businesses with an annual turnover of more than $3 million must comply with the Privacy Act. Even some businesses with turnover less than $3 million must also comply depending on their business activities. Learn more about which businesses have responsibilities under the Privacy Act from the Office of the Australian Information Commissioner.
There are 13 key provisions in protecting personal data under the Privacy Act and these Australian Privacy Principles are as follows.
1. That personal information is managed in an open and transparent way according to an up to date privacy policy.
2. Businesses must give individuals the option of not identifying themselves or of using a pseudonym. Limited exceptions apply.
3. Covers the circumstances under which a business may solicit and collect data and includes more stringent controls on the collection of sensitive information.
4. Covers how businesses should manage unsolicited personal information.
5. Outlines when and under what circumstances a business that collects personal information must inform the person concerned.
6. Describes conditions applying to the use or disclosure of personal information that the business holds.
7. An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
8. Describes the steps a business must take to protect personal information that is destined to be disclosed overseas.
9. Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.
10. Requires businesses to take reasonable steps to ensure the personal information it collects is accurate, up to date and complete.
11. Businesses are obliged by security of personal information to take reasonable steps to protect personal information from misuse, unauthorised access or disclosure. They are also required to destroy or anonymise personal information in certain circumstances.
12. Obligations when someone asks to access to personal information held about them, unless a specific exception applies.
13. Outlines businesses’ obligations in relation to correcting the personal information.
What data privacy regulations mean for business owner and executive risks
For the board of directors, managing data is a core governance issue that comes under a duty of care and diligence. Serious failure to comply with the Privacy Act may result in civil penalties of up to $2.1 million.
While directors and officers’ liability insurance may provide protection against the costs involved in a privacy breach due to a cyber attack, boards need to be able to clearly demonstrate a positive, executive-led risk management approach to avoid charges of failure of duty of care.
Such measures might include enhanced systems security, data management protocols and staff training, for example, as outlined in the Australian Cyber Security Centre’s (ACSC) Essential Eight protections, as well as an articulated cyber security and business continuity plans.
Insurance can help protect your business and management team
Businesses can consider risk and insurance options related to data privacy risks and cyber exposure with the expertise of a broker like Gallagher. There are a range of different insurance covers that come into play in this area of business risk for an organisation.
Business insurance for data privacy risks would likely include focus on cover provided by directors and officers’ (D&O) liability or management liability and/or their cyber insurance – these consider businesses that hold personal data to understand the extent of their risk exposures and offer various options for protection. Professional indemnity or investment management Insurance policies may also be called into play.
In some instances the costs associated with data breaches may be excluded from a D&O policy and instead covered under a cyber liability policy; and there are potential exclusions with D&O policy precluding cover for claims against senior executives involving privacy protection – complexities like these highlight the value of expertise from a professional risk and insurance advisor.
How Gallagher can help
Gallagher brokers can help advise on the risks and suitable options for insurance with expertise across the mix of D&O or management liability and cyber liability insurance considerations to protect your business. We also offer expertise, advice and resources for building business resilience to help withstand security breaches by mitigating their potential impacts.
