There are real benefits from having a well-oiled CRM (Customer Relationship Management) system that collects personal information from customers and prospects. But these benefits come at a cost: the risks. These include:
• The information is hacked and used in identity theft and fraud. You could be held liable for losses suffered if you cannot show you took reasonable steps to protect the personal information;
• The information is used by a disgruntled employee for stalking, debt collection, or sending inappropriate emails that can ruin your reputation;
• The inadvertent release of personal information by not properly complying with a subpoena or other legal notice. Circumstances of this type led to an award of damages by the Australian Privacy Commissioner against a registered club that included a member’s personal details and gaming information in its answer to a subpoena issued by the member’s ex-wife in family law proceedings (‘D’ and Wentworthville Leagues Club [2011] AICmr 9);
• Comparing notes, including personal information, about a complaining customer or client with a colleague from another business (in effect, a blacklist). The colleague tells other people in the industry, the customer cannot secure supply and suffers an economic loss, and you could be liable;
• IT devices sold or given away with personal information still on them;
• In addition to an award of damages against you for a breach of privacy as determined by the Australian Privacy Commissioner, you also risk the Commissioner applying to the Courts for civil penalty orders to be made against you for serious or repeated privacy breaches.
Managing the privacy risk
You need to take care if you collect any information that identifies an individual or allows their identity to be readily worked out.
This includes their name, address, email address, financial information, marital status, birthday or billing details. If your mailing list holds anything more than company information, you are at risk.
The Privacy Act exempts employment records used for employment purposes in your business.
If employee information is the only personal information your business holds and it is only used for employment purposes the Privacy Act will not apply. You still have a duty of care to your employees and former employees to keep their personal information confidential.
There are specific provisions in the Privacy Act which will help you identify whether the Privacy Act applies to you. These include whether you have an annual turnover of more than $3 million, are a health service provider, or are a Commonwealth contract service provider. Even if the Privacy Act does not apply to you, you still carry a risk.
Tips to reduce the privacy risk:
• Only collect the information you really need;
• Keep the information in a secure location with restricted authorised access only;
• Tell people you are collecting information about them and the purpose of the information;
• Only use the information for the purpose advised to the person;
• Give people the opportunity to opt out;
• Ensure that any information is destroyed securely. Use a document destruction service, and ensure that any old IT devices that are disposed of or given to staff for their personal use are cleaned of all personal information. This usually involves formatting the hard drive of those devices;
• Have someone responsible for privacy;
• Train staff about privacy;
• Have a privacy complaint handling process;
• Be familiar with the 13 Australian Privacy Principles, which now form part of the Privacy Act;
• Make sure you have a relevant and practical Privacy Policy published, especially on your website;
• If you’re selling a business, or advising a seller, where the information being sold includes personal information, then you will need to obtain consent from each person whose information is to be transferred.
You can obtain more information, including the Australian Privacy Principles, from the website of the Office of the Australian Information Commissioner: www.oaic.gov.au