
Privacy Week wrap up – What have we learnt?

08 May 2020

As Privacy Awareness Week 2020 draws to a close, we reflect on what businesses can do to ‘Reboot your privacy’ as well as some current hot topics in the Australian privacy space:

  1. Small Businesses and Privacy: Generally, businesses do not need to comply with the Privacy Act until their annual turnover reaches $3 million. However, some businesses, including those that provide a health service, must comply regardless of their size. Where compliance is not mandatory, a properly implemented privacy policy is a helpful tool to guide your use of the personal information that your business holds (including when carrying out direct marketing).
  2. Security Obligations: Businesses must ensure that the personal information they collect is secure and that it is collected in the appropriate manner. They must adapt their information and data security measures to ensure reasonable steps remain in place to keep the personal information they hold secure.
  3. Working from Home (WFH) and Privacy: Remote work arrangements bring flexibility to workplaces and are proving necessary in combatting the spread of COVID-19. With this flexibility comes the potential for organisations to lose some control over the personal information held by their business, and an increased risk of data breaches, fraud and cybersecurity issues. The implementation of robust policies and ongoing communication with staff is essential during these times. Our three key tips to reduce the risk of a privacy breach in the context of WFH are:
    1. Develop remote working policies to reinforce the privacy and confidentiality requirements of employees while working from home.
    2. Review your Privacy Policy to ensure it addresses the specific practices of your business.
    3. Train employees in implementing the company’s Privacy Policy and remote working policy to ensure they are consistently enforced.
  4. Optus Representative Complaint: The introduction of the Notifiable Data Breaches (NDB) scheme in 2018 has exposed the prevalence of data breaches that may have otherwise gone unnoticed. Eligible breaches must now be notified to both affected individuals and the Office of the Australian Information Commissioner. Making recent news is a representative complaint – similar to a class action – being brought against Optus on behalf of a group of individuals affected by an alleged breach in 2019. It will be interesting to see the outcome of this complaint, as it is the first of its kind.
  5. COVIDSafe: The Federal Government’s launch of the COVIDSafe app has been the subject of much discussion amid concern around privacy and security issues. The app was launched in a bid to manage and control the spread of COVID-19 when the isolation restrictions are eased. If a COVIDSafe user tests positive for COVID-19, the data from the app, such as their contact information and their exposure to other COVIDSafe user IDs, will be uploaded into the Commonwealth’s National COVIDSafe Data Store. As of 6 May 2020 there have been 5.1 million downloads of the app. To support the COVIDSafe app, the Privacy Amendment (Public Health Contact Information) Bill 2020 (Cth) (Bill) was released and is intended to be introduced in Parliament next week. The Bill deals with:
    1. non-permitted collection, use or disclosure relating to COVIDSafe app data;
    2. uploading relating to COVIDSafe app data without consent;
    3. retaining or disclosing uploaded data outside Australia;
    4. decrypting encrypted COVIDSafe app data; and
    5. requiring participation in relation to COVIDSafe.

We will provide further updates once the Bill has progressed through Parliament.

We understand the pressures organisations are facing and are here to help you navigate and adapt in this difficult time. We can provide practical advice to help your business comply with its privacy obligations, without further worry and disruption to your business.

Talk to our Privacy and Data Protection team to properly understand your obligations.

Disclaimer: This publication contains comments of a general nature only and is provided as an information service. It is not intended to be relied upon as, nor is it a substitute for specific professional advice. No responsibility can be accepted by Rigby Cooke Lawyers or the authors for loss occasioned to any person doing anything as a result of any material in this publication.

Liability limited by a scheme approved under Professional Standards Legislation.

©2020 Rigby Cooke Lawyers