Updated: Feb 10, 2019
An entity that is required to comply with the Privacy Act 1988 must take reasonable steps to protect the personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. This extends to situations where an entity engages a third party to store, maintain or process personal information on its behalf. New provisions will take effect on the 22nd February 2018.
In February, 2017, the Australian Commonwealth government passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which will amend the Privacy Act, making it mandatory for companies and organisations to report “eligible data breaches” to the Office of the Australian Information Commissioner (OAIC) and any affected, at-risk individuals.
Does the Privacy Act apply to my organisation? Australian Government agencies and all businesses and not-for-profit organisations with an annual turnover more than $3 million have responsibilities under the Privacy Act, subject to some exceptions. Some small business operators (organisations with a turnover of $3 million or less) are covered by the Privacy Act including:private sector health service providers. Organisations providing a health service include:traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionalcomplementary therapists, such as naturopaths and chiropractorgyms and weight loss clinicchild care centres, private schools and private tertiary educational institutions.businesses that sell or purchase personal informationcredit reporting bodies. More information about responsibilities under the Privacy Act can be found here.