Privacy and data protection are at the forefront of everyone’s minds, particularly in light of the recent data breaches of Optus and Medibank. The impact of a data breach can be far reaching, from the consumer to the business and in some circumstances, the employees involved.
Whilst privacy and data protection are important in all industries, this article will focus on the automotive industry. Why the automotive industry? Dealerships in particular require the exchange of personal information in almost all aspects of the business. From sales and providing finance to servicing and trading in vehicles, personal information is required to be collected from almost all customers a dealership engages with.
Gone are the days when it was acceptable practice to use your personal device in the workplace to take photos of drivers' licences and other important documents. Feel like you're reading that for the first time? We've outlined why below.
Obligations under the Privacy Act
The Privacy Act 1988 (Cth) generally applies to all businesses that have an annual turnover of $3,000,000 or more from all income sources. A business covered by the Act has certain obligations it must comply with, starting with being familiar with the 13 Australian Privacy Principles, which set out how businesses must collect, use, store, disclose and destroy personal information.
Businesses must know:
• the difference between personal information, sensitive information and government identifiers;
• when sensitive information must be destroyed;
• how to handle requests or complaints in relation to the way the business holds personal information; and
• when it can and can’t share the personal information the business holds about its customers.
The Australian Privacy Principles
As we mentioned above, businesses must be familiar with the 13 Australian Privacy Principles. Under the APPs a business must ensure that it:
- takes reasonable steps to implement practices, procedures and systems to comply with the Australian Privacy Principles;
- gives customers the option of not identifying themselves, or of using a pseudonym, unless dealing with an identified individual is impracticable or is required or authorised by law;
- only collects personal information that is reasonably necessary for the business’ functions or activities, and if collecting sensitive information, obtains the individual’s consent;
- ensures that unsolicited personal information is appropriately handled and, where the business could not have collected it under the APPs, is de-identified or destroyed as soon as practicable;
- takes reasonable steps, at or before the time of collecting personal information, to notify the individual of the business's identity and contact details and why the information is being collected;
- only uses or discloses personal information for the purpose for which it was collected, or for a secondary purpose if an exemption to do so applies;
- does not use or disclose personal information for direct marketing purposes, unless the information has been collected directly from an individual, and that individual would reasonably expect their personal information to be used for marketing purposes;
- takes reasonable steps to ensure any overseas recipient of personal information does not breach the Australian Privacy Principles when handling that information;
- only uses or discloses government related identifiers (e.g. drivers licences or passport numbers) in limited circumstances;
- takes reasonable steps to ensure that the personal information it collects is accurate, up to date and complete;
- takes reasonable steps to ensure that the personal information it holds is protected from misuse, interference, loss, unauthorised access, modification or disclosure. Once the information is no longer needed, the business must then destroy or de-identify personal information subject to any other document retention requirements;
- generally complies with any request by an individual to access their own information, if the business can verify the individual’s identity; and
- takes reasonable steps to correct an individual's personal information to ensure that it is accurate, up to date, complete, relevant and not misleading for the purpose for which the information was collected.
Privacy laws are tightening
We have already seen an increase in the penalties applicable to a business where a serious or repeated interference with privacy has occurred. The maximum penalty for a body corporate is now the greater of $50,000,000, three times the value of the benefit obtained from the conduct or, if that value cannot be determined, 30% of the business's adjusted turnover during the breach period.
Looking ahead to the near future, as we've outlined in our recent article, the Attorney-General's Department released its highly anticipated review of the Privacy Act earlier this year. The report contained 116 proposals aimed at strengthening personal information protections by giving individuals more control over their personal information and aligning the Act more closely with state-based privacy laws.
A data breach is where personal information is accessed or disclosed without authorisation, or where the information is lost.
Data breaches are appearing more frequently in the news of late. Notably, we have seen the likes of Optus and Medibank in the news as a result of hacking by a third party. However, it is important to remember that data breaches don’t just result from hacking. Some common every-day examples of potential data breaches include:
• losing or having your mobile phone stolen, and it happens to have personal information of others on it;
• having a third party access personal information on one of your personal devices;
• sending an email to the wrong recipient; or
• leaving your computer unattended while you take a bathroom break.
When a data breach occurs, the business is obliged to investigate the breach and assess whether it is an eligible data breach, that is, one likely to result in serious harm to the individuals whose personal information was lost, disclosed or accessed. If it is, the business must notify both the Office of the Australian Information Commissioner and the affected individuals.
So, thinking back to why you shouldn't use your personal mobile for work purposes such as taking photos of drivers' licences or other documents? Take a moment to consider what would happen if a third party accessed your phone without your knowledge: every one of those photos is personal information the business holds, and its loss or unauthorised access is a data breach the business must investigate.
Our top tips for automotive businesses:
• ensure you have privacy and data retention policies in place and that they are up to date;
• ensure you have appointed a privacy officer (or officers) within the business;
• ensure you have a data breach response plan; and
• ensure your staff are aware of and trained on all of your privacy-related policies and procedures.
Our top tips for employees:
• keep privacy front of mind in all things that you do. If ever in doubt, think about how you might want your own personal information handled by a business;
• familiarise yourself with the company’s privacy-related policies and procedures;
• be sure not to collect personal information on any personal devices; and
• be aware of the types of personal information you are collecting, and whether those types of information need to be handled differently.
If you or your business would like further advice, assistance with conducting a privacy review, staff training on privacy or preparing privacy-related policies, get in touch with our Commercial Team.