As revelations of cybersecurity and privacy breaches at large financial and health sector companies continue to hit the headlines, boating industry businesses are reminded that they too have responsibilities under Australia’s privacy regime.  In this article, Suzie Leask, Partner, and Kurt Wicklund, Senior Associate, from Hall & Wilcox give BIA members a reminder of their legal responsibilities and best practice when it comes to the handling of personal information.

What is personal information?

Australia’s privacy regime revolves around the handling of ‘personal information’.  Under the Privacy Act 1988 (Privacy Act), personal information is (in summary) information or an opinion about an identified individual, or an individual who is reasonably identifiable.

For boating industry businesses, this could include customer names, addresses, credit card details or bank account numbers.  It could also include less obvious information like email addresses (where a full name is provided) or even IP addresses (where linked to a specific individual).  The Privacy Act also allocates special treatment to ‘sensitive information’, which includes information about an individual’s racial or ethnic origin or their membership of a trade union or professional association.

The legislation specifically captures ‘employee records’ as a category of personal information, although there are specific rules in relation to those employee records.  Employee records include information about engagement, training, disciplining, resignation or termination of an employee, and health information of that employee.  It is worth noting that a private sector employer’s handling of employee records is exempt from the APPs, in certain circumstances.

Who and what is captured by the legislation?

The Privacy Act covers private organisations with an annual turnover of more than $3 million, and some other organisations.  Businesses that fall below the above threshold are typically exempted via what is referred to as the ‘small business exemption’, unless one of the exceptions applies (including where the entity deals with personal information for a benefit, or the entity is a credit reporting body).

If your business is captured by the legislation, you are required to comply with the 13 Australian Privacy Principles (APPs) set out in the Privacy Act.  The APPs set out in detail how you may collect, hold, secure and disclose personal information within your operations.  Many of these obligations relate to obtaining an individual’s consent for the use of their personal information for specific purposes only.  For this reason, an organisation’s privacy policy is a key document in obtaining that information and clearly expressing how your business manages personal information.  Direct marketing is specifically addressed in APP 7, which regulates how businesses to which the APPs apply may undertake direct marketing to customers to promote goods or services. This includes marketing through a variety of channels, with specific requirements for consent, compliance, opt out or unsubscribe functions and exceptions where there may be a reasonable expectation of use for direct marketing purposes.

Even if your business is not required to comply with the Privacy Act because it falls within the small business exemption, it is considered best industry practice for businesses to do so anyway and is increasingly a minimum customer expectation.  The federal Government is currently in the process of consulting on a range of proposed changes to the Privacy Act, including the removal of the small business exemption.  So it is likely that all businesses, regardless of their size, will soon be required to comply with the APPs and the Privacy Act more broadly.

What happens if you do not comply with the Privacy Act?

For a serious or repeated interference with privacy (s 13G of the Privacy Act), maximum penalties include $2.5 million (for a person other than a body corporate) and for a body corporate, an amount not exceeding the greater of:

$50 million; or
three times the value of the benefit obtained directly or indirectly by the body corporate and any related bodies corporate, that is reasonably attributable to the conduct constituting the contravention; or
if the court cannot determine the value of the benefit, 30% of the body corporate’s adjusted turnover during the breach turnover period for the contravention.

The above currently only applies to the most serious forms of interference.  However, the proposed Government reforms (if passed) will expand the number of provisions to which penalties apply, by introducing mid-tier and low-level civil penalty provisions for less serious contraventions of the APPs.  Boating industry businesses should be prepared to include Privacy Act obligations in their consideration of operational risks and their staff training programs in the near future.

Even absent any wrongdoing, our experience is that businesses can easily find themselves at the receiving end of a complaint made by customers or employees.  An investigation and complaints process with the OAIC can have a substantial cost impact, resulting in costly advisory fees and the diversion of important resources to resolution of the complaint.  Understanding your obligations and ensuring your internal processes and documents comply with the Privacy Act is the best way to minimise the impact of these complaints, to ensure that you and your staff can continue to concentrate on contributing to the success of your business.

Data breach response

Where the Privacy Act applies to your business, how you handle a data breach and when you are required to notify affected individuals and the regulator is also dictated by the legislation – known as the ‘Notifiable Data Breach’ regime.  Businesses should be aware of their responsibilities prior to the occurrence of an incident, as the legislation imposes specific timeframes on compliance with the relevant responsibilities under the regime, including the content for notifications of individuals and the regulator. It is critical to seek advice on any such notification obligations, while balancing (and preferably minimising) reputational risks from both a PR and legal perspective. 

The Government’s proposed reforms to the Privacy Act, once implemented, are expected to shorten the time periods allowed for notification to the Office of the Australian Information Commissioner (OAIC) if the data breach comprises an ‘eligible data breach’ under the Notifiable Data Breach provisions.

What should your business do to protect itself?

There are a number of immediate steps that you can take to protect your business:

1. Review your privacy policy and current information handling practices to ensure they are compliant with applicable laws, best practice and customer expectations;
2. Review the security of your organisation’s systems with your internal or external IT providers;
3. Assess how your business would respond to a major data breach or cyber security incident, including engaging lawyers with expertise in cyber/privacy law to ensure your organisation has a robust incident response plan if it becomes the subject of a cyber attack;
4. Analyse and consider the types of personal information your business collects to ensure you are only collecting personal information necessary for your functions and activities and that the organisation has a data retention policy that involves the deletion or de-identification of data in accordance with regulatory obligations set out in the Privacy Act; and
5. Ensure staff are properly trained to prioritise cyber risk and privacy law compliance to reduce the risk of human error which is a common element in most cyber attacks.

Suzie Leask is a Partner at law firm Hall & Wilcox and specialises in corporate and commercial law. Suzie assists companies and their boards, directors, company secretaries, management, in-house legal teams and key business stakeholders with a variety of commercial transactions, and compliance with regulatory obligations, including the Privacy Act.

Kurt Wicklund is a commercial and projects lawyer and a Senior Associate at Hall & Wilcox. Kurt advises on corporate and commercial matters, both within Australia and internationally. He has a particular focus on regulatory advisory and business contracts.

This article is for educational purposes only as well as to give you general information and a general understanding of the law, but does not constitute legal advice. Readers understand and agree that there is no lawyer-client relationship solely on the basis of the material contained in this article. We recommend that legal advice is sought before relying on or acting in accordance with any of the areas covered in this article.