Australia’s privacy legislation has been overhauled to bring it up to speed with today’s data-rich business environment. The changes of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 are incorporated within the Privacy Act 1988. This includes a revised set of privacy principles called the Australian Privacy Principles (APPs). The 13 APPs are new and cover the breadth of the data life cycle, including the use and disclosure of personal information for multi-channel marketing.
Businesses are required to comply with the new legislation, and while it might appear to be complex, there are some simple steps businesses can take to ensure they are operating within the law.
Daad Soufi, Director – Legal and Regulatory Affairs at the Association for Data-driven Marketing & Advertising (ADMA), explains the changes and how you can ensure you are complying.
Organisations collect data in very sophisticated ways. The technology has moved faster than the laws, which were developed some 20 years ago. The legislation is being changed to ensure the law and the ways organisations are using data are more aligned.
It is aimed at giving individuals more control over personal information that organisations collect about them and how that data can be used.
- Specify the personal information you are collecting
- Explain the purposes of collection
- Provide people with access to the data you have about them
- Allow people to request to correct their personal information
- Explain how an individual can make a complaint
- State the countries that any data is sent to.
You need to let people know you are collecting data, why you are collecting it, how you plan to use it and where they can go to opt out.
The Spam Act and the Privacy Act are separate pieces of legislation but have some overlap.
The Privacy Act deals with collecting personal, sensitive information, and the Spam Act oversees specific marketing channels – like email marketing.
Before an organisation can use an email address, which is bound by the requirements of the Spam Act, it needs to make sure it collected the information in accordance with the privacy legislation.
Businesses need to put a risk management process in place and check off these 10 points:
1. Conduct a data audit, so you know what databases you have and where the data comes from.
2. Ring-fence personal data, so it can’t be cross-referenced with other databases you may hold.
4. Inform customers of the changes.
5. Draft your notification statement and work out when it is going to be used.
6. Draft opt-out statements.
7. Develop a preference centre, where people can manage their opt-outs.
8. Determine if your data goes overseas.
9. Document your privacy practices and training.
10. Articulate your data breach response plan.
Under the new Australian law, if an organisation collects data and sends it overseas, it is still responsible for the data, and the consumer protection offered by the privacy legislation still attaches to the data.
There are two ways that businesses use social media: they can engage with consumers within the platform or they can lift data from the platform.
If you are operating within a social media platform itself, that engagement is subject to the privacy terms and conditions of that particular platform.
If you lift the data from that platform to use for another type of activity, that would be deemed to be a third-party use of data. You would need to let individuals know where you got the data from and how they can unsubscribe.
The privacy legislation only affects cookies on websites where the cookies are used in a way that identifies an individual. In many cases, it will depend on the types of cookies that are being used. Where the cookies are used to identify an individual, the data set would be personal information and would be subject to the privacy legislation.