
Privacy Act 2020

Sep 23, 2020

On 1 December 2020 the new Privacy Act 2020 takes effect. It replaces the Privacy Act 1993, which was written when the World Wide Web was still in its infancy. Businesses and their data have since gone digital, and the new act is intended to reflect that.

One of the changes is mandatory breach reporting. If a privacy breach is likely to cause serious harm, both the Privacy Commissioner and the affected individuals must be notified. Personal information leaked and published online, or a breach that leads to identity theft, are examples of such harm. The new act carries fines of up to $10,000, and affected individuals may take a complaint to the Human Rights Review Tribunal, which can award up to $350,000 to each affected person.

To help your business start planning for the changes, here are the questions you should be asking.

Are you aware of the information you hold on customers?
This is the place to start: work out what information your business actually collects. Remember that it is not just customer data; employee data must be protected too.

If a piece of information is not relevant to what you do (a date of birth or phone number, say), don't ask for it. Data you never held cannot be exposed in a breach or leak.

Where is your information stored? 
Do different teams store information in different applications and locations? Once you know where the data lives it is easier to protect it, for example with strong passwords and multi-factor authentication. It also lets you delete personal data once it is no longer needed.

If your data is held by a third party, ask them for evidence of regular penetration testing or a recent security audit report. If they cannot provide these, commission an independent security check.

Who has access to the data? 
A quick Google search turns up plenty of articles about internal data breaches. Grant access to data only to the people within your organisation who need it for their role: the information the payroll team needs is different from what an engineer needs.

Who in your organisation is responsible for privacy, and are they equipped to manage the new act?
It is important to have a central person who is trained on the new law. This person can develop the policies and processes that are relevant to your organisation.
