Collecting customer data in the ordinary course of business, to complete a transaction or to stay in touch, may seem harmless. However, if that data is used without the customer's permission, or worse, stolen, you may find yourself breaking the law. This guide will help you understand Privacy and Protecting Personal Data and what you should, or must, do.
Data protection means securing data against unauthorised access. Data privacy is about authorised access: who has it, and what they are allowed to do with the data. Data protection is essentially a technical matter, whereas data privacy is a legal one.
WHY should I protect my customers’ personal data?
Apart from the fact that an affected customer will not be very happy with you, it is the law. You must comply with the Australian Government's Privacy Act 1988 if your annual turnover exceeds $3 million.
You are responsible for protecting your customers' personal information from:
- unauthorised access
- unauthorised modification or disclosure
- misuse, interference and loss
If your small business turns over less than $3 million, you must still comply with the Act if you are a:
- private-sector health service provider
- business that sells or purchases personal information
- contractor providing services under a contract with the Australian Government
- credit provider/credit reporting body
- residential tenancy database operator
All other small business operators are exempt from the Act. Protecting your customers' data is nevertheless good business practice.
WHAT types of information are considered personal?
Any information that identifies a person, or from which a person is reasonably identifiable, is personal information. Examples include:
- telephone number
- date of birth
- medical records
- bank account details
- place of work
- information about their opinions
If you have a breach of personal information that is likely to result in serious harm to the people affected, the Act's Notifiable Data Breaches scheme requires you to notify both the affected individuals and the Office of the Australian Information Commissioner (OAIC). Even where notification is not mandatory, telling affected customers promptly lets them protect themselves.
HOW do I protect customers' personal information?
The following actions will help you comply with the Privacy Act:
- Do not collect personal information you do not need
- Develop an internal policy to handle and process personal information
- Take ownership yourself or delegate responsibility to a senior member of staff
- Do not disclose personal information to anyone else unless the customer has consented or would reasonably expect it (for example, passing a delivery address to your courier)
- Sensitive information such as race, religion and health can only be collected with the individual's consent
- Ensure unauthorised staff members do not have access
- Take reasonable steps to protect personal information from unauthorised access, modification, or disclosure and against misuse, interference, and loss
- Destroy or de-identify personal information when it is no longer needed
- Develop a plan for a data breach
If you process credit card transactions by EFTPOS or through an e-commerce store, ensure your network and equipment are secure and that card data is encrypted in transit. Restrict who has access to that data and, preferably, do not store card details at all: data you do not hold cannot be stolen from you. The card schemes' PCI DSS standard sets out what merchants handling cardholder data are expected to do. A security assessment of cardholder data can be done here.
If you plan to contact customers via direct marketing, whether by email, phone call, text, post, social media or web advertising, you should let the customer opt out (request not to be contacted). If the Privacy Act covers your organisation (turnover above $3 million) you are legally required to honour an opt-out. Note that the Spam Act 2003 separately requires every commercial email or SMS to carry a working unsubscribe facility, regardless of your turnover.
Be sure to read our guide on internet security.
Additional information on privacy and protecting personal data can be found here.
SUMMARY – Privacy and Protecting Personal Data
If your small business has a turnover of less than $3 million, it is unlikely you have a legal requirement, but for your customers' sake and your own it is good practice. If possible, do not keep personal data such as credit card details; if you must, ensure it is protected from theft and misuse. It is worth familiarising yourself with the intent of the Privacy Act and taking the necessary actions in your business.