Cyber, Data and Privacy Law

Cyber generally refers to the cyberspace which is a term that encompasses the entirety of the digital world, including digital technology and software such as computers, websites and the “Internet of Things”. Meanwhile, data is the information that may be obtained within this cyberspace, including personal and sensitive information. It is this personal data that is protected by the current Australian Privacy regime. The right to privacy is particularly enforced in Australian law, with the OAIC considering privacy to be a “fundamental human right”, referring to the right that all humans have to control who can see or use their information and data.

Yes! There are two types of privacy policies that your business needs for both internal and external use.

Any website operating on an Australian domain requires an online privacy policy in accordance with the Privacy Act 1988 (Cth). This policy should outline how a web-users information may be collected, stored, used, disclosed and deleted. Depending on the type of data collected (e.g. banking details via online check-outs), the method of collection and industry-specific requirements, such as AHPRA privacy collection regulations.

In the event that your business employs staff or engages contractors, you must have an internal privacy policy that addresses how employee information is collected, stored, used and disclosed. This obligation is mirrored in the Fair Work Act 2009 (Cth) with respect to ensuring that employee personnel records are up-to-date and securely stored for a certain period of time.

Cyber, data and privacy law are complex and dynamic practice areas. We can assist you with curating an online presence that reflects your creative and authentic brand without exposing your business to risk of liability arising from invasion of privacy, data breaches and intellectual property infringements.

Yes, in Australia there are a number of legal documents that you will need to create and embed within your website. Whilst these requirements vary from website to website, they include documents like a privacy policy, terms and conditions, email disclaimers and cookie policies.

Your website may also be subject to industry-specific security obligations that imposes an additional source of regulations requiring compliance. For example, Optus were subject to a variety of legislation that extended beyond the purview of the Privacy Act, including the Security of Critical Infrastructure Act 2018 (Cth) to implement cyber-security infrastructure that protects sensitive data, as well as the Telecommunications Sector Security Reforms.

Yes! Your website terms and conditions should not be a copy and paste exercise. Terms and conditions of a website act as an electronic contract that legally binds the users of a website to the provisions that govern the use and access of that website.

Your brand, ethos, product and service offering is vastly different from the website that may be inclined to “copy”. Introducing bespoke website terms and conditions that are tailored directly to your business and website will ensure that the provisions reflect your business model in a legally compliant manner, whilst minimising risk of exposure to claims.

Yes, it is legal to monitor your employee’s computer usage and performance on computer issued devices. However, it is essential that the employee is acknowledges and actively consents to the company’s surveillance procedures.

Chamberlains Law Firm can prepare bespoke “Computer Usage” policies to ensure that businesses can monitor an employee’s browser history, online activity, download patterns and performance to manage their productivity in the workplace.

The Australian Privacy Principles continue to operate internally. Therefore, it is important that a business has a “Computer Usage” and “Privacy Policy” to ensure that employees can be performance and/or disciplinary managed in accordance with those policies, and that the employer is aware of the parameters to collecting, using and disclosing that data during their employment tenure.

The Privacy Act 1988 (Cth) treats public and private employees differently. Public sector employees are able to access their employee record and any personal information kept about them at any time.

However, employees in the private sector do not have a specific right to access their employee record, as the handling of employee records in the private sector is exempt from the Privacy Act 1988 (Cth). The legislative requirements of the Privacy Act 1988 (Cth) will only become binding if an employer is not using the information in the employee record for the employment relationship, such as sharing documents online.

Personal information is any piece of data or information that may be used to identify a person including a name, IP address, phone number or date of birth. In isolation, these details may not disclose the identity of an individual. However, a collection of personal information may personally identify an individual.

Meanwhile, sensitive data is a ‘step further’ than personal data which requires more sophisticated protection. Sensitive data includes a person’s beliefs, health records, financial information, or classified records such as criminal history. Sensitive information generally includes biometric and personally identifiable data.

Often, businesses with websites that allows users to ‘check-out’ to purchase goods collect sensitive financial information and transmit that information to third party financial institutions. In the event that your business collects bank details to facilitate transactions, it is crucial that you indemnify your business from any loss or claims that may arise in the event that any third party that receives that information (i.e. financial institution) discloses that data. Your website terms of use and contract for services should address this.

A data breach is when personal or sensitive information is accessed and disclosed to another party without the authorisation of a party involved. This could occur on a large scale, such as the Optus and Medibank data hacks, or a much smaller scale, such as a stolen or lost USB, or an email sent to the wrong person.

The OAIC is the Federal Government’s independent national independent regulator for privacy and freedom of information. Therefore, they are the governing body that handle any privacy complaints and data breaches. The OAIC has the authority to order compensation for financial or non-financial loss in order to remedy any breaches of the Privacy Act 1988 (Cth).

Should you receive a complaint from OAIC, you should consult our team. We have the knowledge and resources to handle complaints in this jurisdiction and defend complaints to avoid the imposition of severe financial penalties or further judicial action. Here at Chamberlains Law Firm, you can book in for a free 15-minute consultation with one of our highly skilled lawyers and they will be able to guide you through the next steps of your complaint.

Amidst the changes to Australian privacy laws following the Optus and Medibank data breaches, the powers of the OAIC have increased, including gaining the ability to request all information about a data breach and impose regulatory action (including financial penalties) depending on its findings.

You sure can, and it will not be cheap! Following the Optus and Medibank data breaches, the Australian Federal Parliament introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. This increased the maximum penalty to whichever is the greater of:

• $50 million;
• three times the value of any benefit obtained through the misuse of information; or
• 30 per cent of a company’s adjusted turnover in the relevant period

Therefore, it is essential to seek legal advice and ensure that your website and cyber activities are compliant with Australian legislation to avoid these substantial fines.

Workplace Health and Safety laws, regulations and codes of practice were modelled by SafeWork Australia in 2011 for other states and territories to adopt. The underlying principle of the model WHS Act is that, so far as is reasonably practicable, duty holders provide workers with the highest level of health and safety.

This means that a person conducting and undertaking a business, as the duty holder, is required to do whatever is reasonably able to be done at the time to ensure the health and safety of their workers. Employers have notification requirements for notifiable incidents. Notifiable incidents are ones that involve death, serious injury or serious illness to a worker or a dangerous incident that exposes workers to a serious risk.

Under WHS Laws, a person conducting or undertaking a business must report a notifiable incident to WorkSafe by the fastest possible means and keep a record of all notifiable incidents for at least five years. Failure to notify SafeWork of the occurrence of a notifiable incident, keep a record of a notifiable incident or preserve an incident site until an inspector arrives carries large penalties.

Businesses also have to have workers compensation from an insurer to ensure that compensation can be paid to an employee injured at work. If an employee is injured at work, the employer needs to notify the insurance company and complete all relevant documentation.