Small businesses that hastily stick a privacy statement on their website and think that they’ve covered themselves legally should think again.
Businesses not up to speed with their obligations could cop fines of up between $340,000 and $1.7 million for breaching the new Privacy Amendment Act. It’s a change you need to be across.
The Privacy Commissioner will also have the power to conduct performance assessments of private sector organisations to determine if they’re handling personal information in accordance with the new rules. The changes come into play in March next year.
Privacy is a major issue that many in business don’t take seriously. This is despite the fact that the professional reputation of a business can be severely damaged if confidential information falls into the wrong hands.
A recent survey of commercial rubbish bins in Sydney found that 11% contained personal information readily accessible to people walking past, including identity thieves.
Of the more than 80 businesses surveyed, bank branches, lawyers and doctors’ offices had thrown confidential information in the rubbish.
The investigation, commissioned by the National Association for Information Destruction-ANZ, took place in January and February this year. A licensed private investigator casually examined the contents of publicly accessible rubbish bins used by businesses with an established responsibility to protect client data.
Among the dozen or so of the most concerning finds was a report listing an account holder’s information, including name, address, social security number, credit card number, account balances and credit limits.
The investigator also found detailed documents about a legal settlement outside a real estate office.
Melbourne privacy lawyer Kent Davey says businesses need to start preparing to the changes to the Act now, with new requirements potentially onerous for a business.
Davey has been advising clients on all aspects of privacy law for two decades and says businesses thinking that a privacy statement protects them should think again. Employees will require training to ensure the company privacy statement is being followed and better systems will need to be implemented by businesses, Davey says.
Training around privacy requirements will also be paramount; with figures from Trend Micro revealing that up to 80% of all data loss is caused by human error, either sending out confidential or sensitive information to the wrong people or in an unsecured way.
Davey says: “Businesses will also need to look at what personal information they’re collecting. You can’t just keep personal information on customers for the sake of it. If you don’t need it to run your business, you shouldn’t be collecting or storing it.”
“Credit card details and a customer’s personal preferences need to be stored safely if required, or destroyed if no longer needed.”
Adam Biviano, senior manager, strategic products of security vendor Trend Micro, agrees that businesses need to question if they really need to collect all the information they collect.
Licensed clubs that scan a driver’s license are a good example. Biviano says: “While there are time savings associated with this approach, are they actually painting a target on their heads for someone to want to steal that information?”
Davey says that businesses need to assess various aspects of company security including the adequacy of firewalls, virus protection, and software encryption and computer passwords, locks and the use of company computers off-site, he says.
“Where I see many in business fall down is around destroying information they no longer require. The quality of your data also needs to be checked regularly.”
And while cloud computing has been a revolution for SMEs, there is also the potential for privacy leaks.
Joel Camissar is the practice head of data protection for computer security vendor McAfee.
People working in businesses that are responsible for managing customer’s personal information (mostly IT managers) reported in a recent McAfee survey that employees save data to file share in the cloud such as Dropbox or YouSendIt.
“These cloud-based services lead to a higher change of a data breach since they can’t be access from the employee’s personal computing devices,” he says.
Document shredding will be increasingly important under the changes.
Story continues on page 2. Please click below.
