Changes to Australia's Privacy Laws will come into effect on March 12 next year, and many businesses don't even know about them.
If your business has an annual turnover of more than $3 million, or if it is a smaller organisation that deals with "sensitive information", you will need to update your privacy policies and ensure you have in place well-documented procedures and systems detailing how you collect, use, share and store personal information.
Your business must record and be able to track every piece of personal information from the time of collection, whether it is simply an individual's name or something more sensitive such as an individual's health or financial records.
The existing National Privacy Principles (NPPs), which apply to businesses, and the Information Privacy Principles (IPPs), which apply to government agencies, will be replaced by 13 new Australian Privacy Principles (APPs).
Most of these principles will replace the existing ones. But there will be some entirely new principles, which will require organisations to be more proactive in how they handle and protect personal information.
Responsibilities of organisations under the new Privacy Laws include:
Not using personal information for a secondary purpose (such as direct marketing), unless an individual has consented.
Destroying or de-identifying any unsolicited personal information that is received.
Placing a prominent statement on their websites allowing individuals to opt-out from direct marketing.
Outlining whether information will be disclosed to overseas recipients and the nature of that disclosure.
Taking steps to ensure any overseas recipients of personal information (such as an overseas-based cloud computing provider that could be storing files with personal information) do not breach the 13 APPs.
Being liable for any privacy breaches by overseas recipients of personal information, unless the individual consents to their personal information being sent to an overseas entity and not being protected by Australian law.
Under the new Privacy Laws the Privacy Commissioner will have enhanced powers to carry out "performance assessments" on organisations whether or not they have had a privacy breach.
The Commissioner, Timothy Pilgrim, will be able to seek civil penalty orders of up to $340,000 for individuals and up to $1.7 million for companies, and has already put business on notice that "I will not be taking a softly softly approach."