The laws relating to how businesses and individuals use and store personal information have changed. The National Privacy Principles (NPPs) are rules that govern the way personal information is collected, stored, disclosed and disposed of. They recognise that individuals have a right to access the information an organisation holds about them and to correct it if they believe that information is incorrect.
Personal information is information that allows an individual to be identified from it. It includes names, addresses, financial information, marital status and billing details. It can also include photographs, surveys, opinions and complaints. You should only collect information that is necessary for you to complete your work, and allow people to remain anonymous where possible. For example, if you want to know the geographical area your customers are coming from, you could ask for their post code. As you don’t need anything further to establish this, you shouldn’t ask for more. An accountant preparing someone’s tax return needs far more information, and it is appropriate that they collect tax file numbers, bank account details and the like.
If you pass personal information on, you must tell the person this. For example, if you pass the name and address of a client on to a debt collector, tell the client. If you are a travel agent and you pass information on to airlines and rail operators, tell your customers. Give people notice at the time you collect their information and seek their consent.
When you store information you should ensure that it is correct, complete and current. It should also be kept safe. This usually means having secure passwords and lockable filing cabinets. Client names, addresses etc. should not be somewhere that non-staff can see them. This may mean moving folders and files away from reception areas and meeting rooms or, if that is not practical, “de-identifying” the files, for example by removing full names. When you are finished with the information, it should be shredded or securely disposed of; don’t throw client lists in a street bin!
Here are some common mistakes you might be making:
- Thinking the Privacy rules don’t apply to you. If you run a business that has an annual turnover of $3,000,000.00 or more, you need to comply. Businesses with a smaller turnover are exempt from the Act unless they: are a health service provider; trade in personal information (i.e. buy and sell mailing lists); operate a residential tenancy database; are related to a larger business that does comply; or provide services under a Commonwealth contract.
- Thinking Privacy doesn’t matter. It does. The Privacy Commissioner can also investigate any complaints made about your organisation and may order an apology or compensation. Clients who know their privacy is respected are happy clients. Happy clients are good for business.
- Using personal information for direct marketing without that person’s consent.
- Not allowing people to opt out of marketing. All emails, SMS messages and posted materials must contain an option for people to opt out or unsubscribe.
- Not training your staff on how to handle personal information they collect or store. It can be helpful to make someone responsible for privacy compliance.
Coutts can help you review and update the way you collect or store personal information. We can help you develop a Privacy Plan and prepare a Privacy Statement that complies with the Act and fits your business.