However, following the most significant reform of the Act in over a decade, our familiarity and comfort with the present regime is about to end.
The potential stakes for failing to respond are high: a breach could cost an individual up to $340,000 and an organisation up to $1.7 million in civil penalties (without any consideration of collateral damage, for example the effect on a business’s reputation and its clients’ trust in it). The reforms also see the Privacy Commissioner being given some teeth, and he intends to use them. In his own words, there will be no ‘softly softly’ approach.
Although there are a number of changes, for example in relation to the use of personal information for direct marketing, the change that is going to trigger the most widespread need for a review of current privacy policies and practices concerns when personal information is sent overseas.
And personal information is increasingly finding its way offshore, with businesses embracing the use of cloud technologies and outsourcing services to offshore providers.
With fraud and identity theft on the increase, it is no surprise that the changes aim to ensure that those who send personal information offshore are held more accountable. Indeed, where the APPs are not complied with, a party will be held liable for any breach irrespective of whether the breach is committed by the offshore entity.
What to do
The substantive effect of the new laws may require a significant internal review of privacy policies, practices and procedures. In some situations, this will extend to a review of agreements and relationships with third party providers.
It is appropriate to begin the process now in order to have sufficient time prior to the laws coming into operation in March 2014.