Privacy Laws Australia and Data Protection Policy for Employees
What is a Data Protection Policy?
A data protection policy is a policy a business puts in place to protect the security of its data and to safeguard that data from corruption, loss or unauthorised disclosure. Employers run substantial risks from non-compliance with the privacy laws, the unauthorised disclosure of confidential information and data breaches. Protecting the privacy of your customers is also about safeguarding customer relationships. A business must be aware of the privacy laws that govern how it should collect, record, store and dispose of data, and should ensure that its employees are aware of their responsibilities when it comes to protecting the customer information held within the business.
‘Personal information’ under the Privacy Act means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion is true and whether or not it is recorded in a material form. It includes details such as an individual’s name, phone number, address and email address. A business must protect and respect the privacy of its customers and have procedures in place to ensure that customer data is handled in accordance with the Privacy Act 1988 (Cth) (‘Privacy Act’).
Data can take many forms, including the personal information of individuals, health information, sensitive information, confidential information, marketing and financial information, information relating to customers (e.g. customer lists and details of their requirements), information held in information technology systems, trade secrets, operating procedures, and passwords, codes and other similar information that provides access to computer systems.
Why is a Data Protection Policy Important?
A Data Protection Policy sets out the procedures to be followed and describes how employees are expected to conduct themselves when handling the data of the business. It records the rules, values and culture of your business as to the standards and expectations for how your business respects the privacy of its customers. This is important in view of the potential harm a disclosure could cause to the individuals concerned and the consequent impact on the reputation of your business.
Your employees should understand the importance of protecting the information of customers and the responsibilities of the business under the Privacy Act, which sets out the standards, rights and obligations for collecting, holding, using, accessing and correcting the personal information of individuals.
A business must comply with the principles of the Privacy Act; its officers are accountable for that compliance and must be able to show that the business is compliant. Everyone working for your business should be aware of their responsibility for ensuring that data is collected, stored and handled in accordance with the applicable privacy laws.
Data Protection Law in Australia
The Privacy Act contains 13 Australian Privacy Principles, referred to as the APPs, that regulate the collection, use, disclosure and storage of personal information. Australia’s data breach reporting laws, known as the Notifiable Data Breaches (NDB) Scheme, came into effect on 22 February 2018. The scheme applies to any organisation already subject to the Privacy Act, including Australian Government agencies and health service providers, among others.
What to do when there’s a data breach under the Privacy Amendment (Notifiable Data Breaches) Act 2017
Under the Notifiable Data Breaches Scheme, a data breach is the unauthorised access to, unauthorised disclosure of, or loss of personal information held by an organisation. Where such a breach is likely to result in serious harm to one or more individuals, and the organisation has not been able to prevent that risk through remedial action, it is an ‘eligible’ data breach. An organisation that suspects an eligible data breach must assess it within 30 days; once it has reasonable grounds to believe an eligible data breach has occurred, it must notify the Office of the Australian Information Commissioner and the individuals at risk of serious harm as soon as practicable. The notification to affected individuals and the Commissioner must include:
- the identity and contact details of the organisation
- a description of the data breach
- the kinds of information concerned; and
- recommendations about the steps individuals should take in response to the data breach.
What should I have in my Data Protection Policy?
A comprehensive data protection policy will set out the scope of the data it protects, the methods used to protect that data, the responsibilities of the staff who will monitor compliance, and the legal requirements that apply. It should be clear and easy to understand, explain why the policy is needed within your business so that your employees understand your expectations, and establish the consequences for not meeting those expectations. Your data protection policy should give your employees clear directions on:
- their responsibilities to ensure compliance in accordance with the privacy laws
- what data is protected
- how to keep data confidential and secure
- not to share personal information informally or with unauthorised people
- employee monitoring
- the proper use of passwords and other technological security measures to secure any data used
- established physical security measures
- how to avoid introducing viruses or other malware into the business computer systems
- not taking personal data away from the premises of the business without authorisation
- how to deal with requests for access to data
- how to identify and deal with hacking, “phishing” attacks and scams
- data retention and also how to dispose of data securely
- how to deal with data breaches and a data breach response plan.
Takeaway points
- Be aware that data breaches are an increasingly common threat and risk to businesses worldwide
- Set in place procedures and policies to manage the storage and handling of data
- Identify your risks, consider how your business manages its data and protect against breach
- Be proactive and engage with and train your employees in all aspects of the obligations of the business under the Privacy Act
- Review and update the practices of your business concerning data security
- Follow best practices to avoid data breaches and put in place contingency plans for breaches and how to respond
Lara Alexandra, Legal Assistant and Trade Mark Administrator
We are a team of trade mark attorneys and IP specialists based on the Gold Coast and in Sydney. If you have any questions about data protection policies for your employees, contact us on 1300 77 66 14
Disclaimer. The material in this post represents general information only and should not be taken to be legal advice.