In March 2014, the Privacy Act 1998 was updated to include 13 new regulations known as the Australian Privacy Principles (APPs). These new principles, which govern the collection, holding, use and disclosure of “personal information”, apply to all businesses that collect personal data and turn over more than $3 million per year.
In January 2014, Director of Capgemini Australia testing services Shane Lonergan stated that half of organisations in Australia were not aware of the upcoming legislative changes.
However, Lonergan singled out finance as an industry that was taking great measures to be compliant.
A penalty of up to $1.7 is applicable to companies and agencies which are found to have invaded privacy by failing to comply with the new laws.
Under the act, personal information is defined as “Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether recorded in a material form or not.”
This definition can include a person’s name, address, date of birth, bank account details, photos, work location or personal opinions.
Because many cloud accounting services rely at least somewhat on assets outside Australia, businesses need to pay particular attention to APP8, which deals with cross-border disclosure of personal information.
This section specifies that businesses disclosing personal information offshore must take reasonable steps to ensure that the receiver complies with the APPs. While this can be arranged through contract, an entity which sends information overseas will remain responsible for the recipient’s acts.
Companies are being encouraged to examine their cloud computing contracts in order to ensure that they comply with these principles.
APP11.1 states that an organisation must take reasonable steps to “protect the personal information it holds from misuse, interference and loss and from unauthorised access, modification or disclosure.”
Possible steps outlined by the Office of the Australian Information Commissioner (OAIC) include destroying or de-identifying information that is no longer needed and implementing strategies to manage areas such as data breaches and ICT security.
In late 2013, Moore Stephens hosted a Privacy Law seminar to discuss the new legislation and help organisations prepare for these changes. The seminar addressed emerging technologies such as cloud services as one of the primary areas of concern for businesses.