Privacy is a legal issue but, perhaps more relevantly, privacy goes to the heart of the relationship between your business and its stakeholders. It’s about trust.

In the current COVID-19 pandemic landscape, businesses are being asked to collect more personal information from customers and staff than ever before.

Do you know if your business is managing all the personal information it collects in accordance with the law?

Now is the time to revisit the privacy basics to ensure your business is meeting its legal obligations and its customers’ expectations. It’s also worth reviewing the Notifiable Data Breach scheme, taking note of recent lessons learned and understanding whether the COVID-19 pandemic has changed privacy obligations for businesses.

Revisiting privacy basics

The Privacy Act 1988 (Cth) (Privacy Act) is the key Australian law that governs privacy obligations for most businesses. It applies to ‘APP Entities’, which include:

  • Agencies – which largely refers to a Federal Government entity and/or office holder; and
  • Organisations – which includes an individual, body corporate, partnership, unincorporated association, or trust.

There is an exception for certain small businesses operating with an annual turnover under $3 million.

The Privacy Act sets out 13 Australian Privacy Principles (APPs) that must be followed by APP Entities. These include obligations such as:

  • Anonymity and pseudonymity – APP Entities must give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply (APP 2).
  • Notification of the collection of personal information – when and in what circumstances an APP Entity that collects personal information must notify an individual of certain matters (APP 5).

Further information on the APPs can be found here.

It is important to remember that, in addition to the Privacy Act, your business may also have privacy obligations arising under contract, common law principles of tort, the equitable duty of confidence and other legislation (both State and Federal).

Notifiable Data Breach Scheme

The Notifiable Data Breach (NDB) scheme was established in February 2018 under the Privacy Act and represented at that time a significant change to the legal privacy obligations imposed on Australian businesses.

In short, the NDB scheme requires ‘APP Entities’ to notify affected persons and the Office of the Australian Information Commissioner (OAIC) of ‘eligible data breaches’.

A data breach is an ‘eligible data breach’ if:

  • There is unauthorised access to, or unauthorised disclosure of, personal information;
  • A reasonable person would conclude it is likely to result in ‘serious harm’ to any of the individuals whose personal information was involved in the data breach; and
  • The APP Entity has not been able to prevent the likelihood of serious harm through remedial action.

The Privacy Act does not include a prescriptive definition of the term ‘serious harm’ but the OAIC’s Data Breach Guide[1] includes the following examples:

  • Financial fraud including unauthorised credit card transactions or credit fraud
  • Identity theft causing financial loss or emotional and psychological harm
  • Family violence
  • Physical harm or intimidation.

It is likely that the Courts will adopt a broad interpretation of ‘serious harm’. When your business is considering whether there has been a notifiable ‘eligible data breach’, it is best to err on the side of caution.

OAIC has produced a very helpful and comprehensive guide for businesses to follow if there has been, or there might have been, an eligible data breach. That guide can be found here.

NDB lessons learned

On 28 February 2020 the OAIC released its first statistical report on the NDB scheme covering the six months from July to December 2019. Some of the key findings from that report are[2]:

  • 537 breaches were notified (up from 460 in the previous six months)
  • Malicious or criminal attacks remain the leading cause of Notified Data Breaches (64% of all notifications) followed by human error (32% of all notifications)
  • The health sector is the highest reporting sector, followed by finance
  • Contact information remains the most common type of personal information involved in a notified data breach (77% of notifications).

These statistics suggest that, to improve the management of the personal information they collect, businesses should focus on:

  • Preventing malicious attacks – most malicious attacks involve a ‘cyber incident’, such as phishing, malware and ransomware. While this may be seen to be largely out of your control, exploring and investing in appropriate software programs and IT systems can help to protect your business.
  • Reducing human error – while there will always be a human error component to breaches of privacy, these risks can often be better managed by providing education and training to staff.
  • Managing contact information – ‘contact information’ can often be overlooked as a type of ‘personal information’ but the same protections that are afforded to financial details, identity information, health information, tax file numbers and other sensitive information should also be afforded to contact details.

The impact of the COVID-19 pandemic on privacy obligations

As a consequence of new work practices arising from the COVID-19 pandemic, your business may be:

  • Implementing remote working which expands the footprint for where personal information may be stored or located
  • Collecting additional personal information from employees and/or customers
  • Encouraging employees and customers to use the Federal Government’s COVID-Safe app.

Even in this new environment, it is important to note that the Privacy Act continues to apply in substantially the same manner.

The OAIC has developed some helpful guidelines to assist businesses at this time that can be found here.

Recommendations include:

  • Ensure that all your staff are aware the APPs still apply – whether they are working remotely or in the office.
  • Take a ‘need to know’ approach – that is, limit the collection, use and disclosure of information to what is reasonably necessary in the circumstances. Whether disclosure is necessary should be informed by advice from the Department of Health. For example, it may be necessary to tell staff that a colleague has tested positive to COVID-19, but it may not be necessary to reveal that colleague’s name.
  • Assess your business’ security protocols and ensure they extend to remote working.

Next steps

The NDB scheme and the various materials published by the OAIC can be used as a guide for your business in developing appropriate policies, strategies and practices to ensure you meet your legal requirements and your customers’ expectations when it comes to managing personal information. It is important to remember that your legal obligations in respect of privacy have not substantially changed due to the COVID-19 pandemic.

The above content is commentary rather than legal advice and was prepared on the basis of applicable legislation, government programs and initiatives that were in place as of the date of publication. Given the ongoing evolution of both the COVID-19 pandemic and frequent consequential changes to the various laws and programs within all Australian states and territories, readers should seek legal advice on the current situation as applicable to their specific circumstances before taking any action in relation to the above.

[1] Australian Government Office of the Australian Information Commissioner, Notifiable Data Breaches Report July – December 2019, dated 28 February 2020.

[2] Australian Government Office of the Australian Information Commissioner, Notifiable Data Breaches Report July – December 2019, dated 28 February 2020.