Data Protection Law Review: Small businesses may need to comply with new regulations on the use and storage of customer data

Millions of small businesses may need to comply with privacy regulations about the use and storage of customer data, while political parties are likely to retain their exemptions, but with stricter regulations.
These are suggestions from the Attorney General’s Office review of the Privacy Act, which will be released on Thursday. The federal government still has to decide on the implementation of the recommendations.
The laws protect the privacy of individuals and govern how government agencies and organizations with annual sales of more than $3 million handle personal information.
As the digital world progressed, Attorney General Mark Dreyfus asked his department to study how to revise the privacy law following last year’s massive data breaches by Optus and Medibank.
The 375-page report proposes removing the small business exemption from the law, but only after consultation and once the government is confident small businesses will be able to comply.
Meanwhile, it suggests that small businesses using facial recognition technologies would have to comply with privacy laws in relation to the biometric information collected.
Political parties are still exempt, but the report encourages giving individuals the opportunity to opt out of having their personal information used or disclosed for direct marketing and to request that they no longer receive targeted advertising.
“Political exemption should be subject to the requirement that political authorities take reasonable steps to protect personal data retained for the purpose of the exemption from misuse, interference and loss, and from unauthorized access, alteration or disclosure,” the report says.
“(You must) take reasonable steps to destroy or de-identify the Personal Information stored therein once the Personal Information is no longer required.”
It is common for political parties to collect personal information to use for election campaign purposes, particularly when a voter is raising a sensitive issue at a polling station, such as an incident of domestic violence or a medical issue that requires the assistance of their MP.
This was observed in the state last year when voter comments and likes on Facebook, Twitter and Instagram were secretly recorded by WA Labor to profile them for targeted messages.
The same was done with dummy polls, questionnaires, and petitions that entered voters’ cell phone numbers, addresses, political affiliations, occupation, ethnicity, and religion into a sophisticated national database called Campaign Central.
WA’s Corruption and Crime Commission opened an investigation into alleged abuse of election official funding.
The main objective of the report is to give Australians better control over their personal information, which came to light after the Optus and Medibank breaches.
Since then, companies that expose customers’ personal information to hackers have been ordered to pay either $50 million, three times the value of a benefit derived from the misuse of information, or 30 percent of a company’s adjusted sales for the period in question, depending on which of the three is larger.
“Strong privacy laws are essential to Australians’ confidence in the digital economy and the digital services provided by governments and industry,” Mr Dreyfus said.
“However, data protection law has not kept pace with changes in the digital world… Australians are right to expect more protection, transparency and control over their personal data and with the publication of this report the process of delivering on those expectations is beginning.”