Identity theft is becoming more prevalent as increasingly sophisticated fraudsters target businesses online. So what steps can you and your business take to ensure the information you receive from your clients or customers remains in safe hands?
Recent media reports have indicated that tax file numbers and bogus tax returns have been a focus for online fraudsters. Those reports indicate that more than 26,000 tax returns were delayed this year because the ATO suspected they were the work of identity thieves, and about 1,000 refunds have been cancelled. In addition, reports of online fraudsters harvesting the personal details of clients through phishing scams are increasing.
No matter the size of your customer information database, it's important that you keep the personal information of your clients safe. In addition, many businesses have legal obligations to protect the private information of their clients.
The Privacy Act 1988 was amended in 2014 to reflect these increasing privacy risks. The Act creates a single set of Australian Privacy Principles (APPs) that apply to both Australian Government Agencies and the private sector. The APPs set out standards and obligations for collecting, handling, holding, accessing, using, disclosing and correcting personal information.
The type of privacy protected by the Act includes ‘information privacy’ – people’s personal or sensitive information. This includes, for example, personal information that identifies you or could reasonably identify you. Names, signatures, your address, your telephone number, medical records, bank account details, as well as commentary or an opinion about you can be covered.
Most Australian Government agencies and most businesses with an annual turnover of more than $3 million will have responsibilities under the Act. If you're not covered directly, the APPs may still be relevant to you if you deal with government agencies, or act on behalf of clients, to whom the APPs directly apply.
You're also required to take reasonable steps to protect personal information. This includes protecting the personal information of your clients from misuse, interference and loss, and from unauthorised access, modification or disclosure. What constitutes 'reasonable steps' varies depending on your business, but would likely require protocols to be in place to make sure that only authorised persons have access to personal or sensitive client information.
The reforms strengthen the functions and powers of the Australian Information Commissioner (the Regulator) to resolve complaints where privacy has been breached. The Regulator has the power to handle complaints, conduct investigations and make determinations on complaints. The Regulator can even apply to the courts for an order that an entity pay the Commonwealth a civil penalty in some cases.
If you have lost or misused personal information, you may also face civil claims through the courts if your actions are found to be negligent, and the resulting losses could be recoverable against you.
Given the risks and the increasing sophistication of online fraudsters, the privacy of client information should be at front of mind for every business. This is a new and evolving area of the law that deserves your attention.