News of data security breaches at major organisations that reveal thousands of individuals' personal information is not uncommon these days. Privacy impact assessments can be an important method of lowering the risk.
Inadequate security may be a breach of Australia's privacy laws, but the actions of customers and the media may create more havoc and opportunities for economic loss than government intervention, as recent cases involving Telstra, Vodafone and Google illustrate.
Many companies seem to consider the privacy laws have no teeth, but the commercial ramifications of media reports regarding breaches of customer privacy can be significant and do great damage to a company's reputation. For example, some reports suggested that Vodafone lost several hundred thousand customers as a result of its recent breach.
Prevention is always better than a disaster recovery cure. The ability to conduct a privacy impact assessment and establish a legal due diligence defence for the treatment of personal information may also uncover weaknesses in systems that can be remedied before any breaches occur.
The privacy laws regulate how businesses in Australia deal with personal information and they affect all organisations collecting it. Personal information is defined as being "information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion".
For businesses that operate in the credit reporting, credit provision or health space, additional rules apply. For other organisations, whose annual turnover is in excess of $3 million, the main application of the law is the requirement to comply with a set of national principles.
The Office of the Privacy Commissioner has a guide to privacy impact assessments on its website, and your solicitor can help you in ensuring your business is in compliance with the law and not exposed to prosecution.