Businesses are becoming increasingly prone to cyber crimes and therefore, the need for ensuring adequate protection through cyber insurance is gaining a great deal of importance.
After the federal Privacy Act came into effect on March 12, 2014, businesses are realising that it is more important than ever before to have cyber insurance as the amendments to the Act provide strict stipulations in regards to the collection and use of information about clients.
The Privacy Commissioner has been given additional powers to enforce the Act and collect penalties to the tune of $340,000 and $1.7 million for individuals and organisations respectively, who do not comply with the regulations.
All Australian businesses that have an annual turnover of over $3 million and private health service providers, irrespective of their annual turnover, are regulated under the new legislation. The amendment to the Privacy Act combines National Privacy Principles (applicable to private businesses) and the Information Privacy Principles (applicable to government organisations) to form the Australian Privacy Principles (APP).
My Annual Turnover is Less than $3 million – Do I have to Comply with the Privacy Principles?
In general, small businesses are not required to comply with the new legislation, if the annual turnover is less than or equal to $3 million unless they:
- Provide health services,
- Trade in personal information (for example, buying or selling mailing lists),
- Provide services as a Commonwealth contractor,
- Work as a reporting entity under Anti-Money Laundering/Counter-Terrorism Financing Act 2006, or
- Operate a residential tenancy database or credit reporting body.
You can complete the privacy checklist or seek advice from your lawyer or industry association to find out if you are covered under the Privacy Act. If your business is covered, then you are required to abide by the APP. To complete the checklist, please visit the Office of the Australian Information Commissioner for further information.
Most commonly, small businesses that trade in personal information of individuals are covered under the Act. Small businesses that collect/disclose the personal information of an individual to other businesses for a benefit is said to trade in personal information. The benefit can be financial, a subsidy or a concession for example.
Your business will not be considered to be trading in personal information if you obtain the consent of all of the concerned individuals or if the collection of information is authorised by law. Compliance with the Act does not mean that you cannot collect personal information, but you must follow the guidelines related to the handling of such information.
I Have Determined My Business Must Adhere to the Privacy Principles – How Do I Ensure I Am Compliant?
If you have determined that your business must comply with the Privacy Principles, here are some key tips to get started:
- Review and identify where and how your business deals with personal information.
- Establish/revise systems and procedures, and train your staff so that they can handle personal information in compliance with the new changes.
- When collecting personal information, ensure you gain the consent of the individual and let them know the name of your organisation, contact details, why you are collecting their information and to whom you will disclose their information.
- Finally, specify as to how you are going to store personal information and ensure its security.
If you find that your business is not legally required to comply with the Privacy Act, that is definitely no reason to become complacent when it comes to the security of your business’ data. It is still imperative that your business develops and implements a set of internal policies for the handling and storage of sensitive information.
The threat of a cyber attack occurring is the same for all businesses and without any security or risk management strategies in place, you leave your business wide open to an attack. If your business were subject to a cyber attack and sensitive information is obtained, you are still liable regardless of whether you fall under the Privacy Act or not, resulting in both damages to your business’ reputation and finances.
This again reiterates the importance of stringent security measures and the requirement for a comprehensive cyber insurance policy to ensure your business is adequately prepared.
Allocating a small amount of your time to complete the Privacy Checklist for Small Business could be one of the most important things you do for your own business.
Simply assuming the Privacy Act does not apply to you as your annual turnover is less than $3 million could be a costly mistake if you a found to be non-compliant.
With the increasingly large impact technology is having on the way we conduct business, it is essential to ensure your business has the correct internal policies in place to meet the requirements set out in the Privacy Act, while also reviewing other risk management strategies that could protect your business from cyber threats.