Grant Thornton Report into Organisations' Compliance with the Privacy Act (2022)
(Read the full report Here)
Privacy Act 2020
The introduction of the Privacy Act 2020 has strengthened requirements around the disclosure and protection of personal information, along with new implications for non-compliance. Most respondents (90%) are aware of the introduction of the new Privacy Act. However, well over a third haven’t updated their privacy policies to inform stakeholders how their data will be used by the organisation or reviewed their third-party contractual agreements with providers.
Breaching the Privacy Act can result in fines issued by the Privacy Commissioner or proceedings being commenced before the Human Rights Review Tribunal, which has the power to award damages to individuals who experience harm as a result of a privacy breach. These outcomes will result in wasted time and resources for an NFP, not to mention the reputational damage that will inevitably follow. An even more alarming statistic emerged about the number of organisations in breach of the Act by not appointing a Privacy Officer (40%). Any organisation holding personal information and data about other people is required to have a suitable person in this role.
Privacy Officers prevent or resolve privacy issues before they become a reputational, legal or financial risk, so it’s a vital appointment for charities and for-profits alike. Your Privacy Officer needs to:
• have comprehensive knowledge about the privacy principles in the Act
• work to ensure the organisation complies with the Act
• manage any complaints about potential privacy breaches
• manage requests for access to personal information, or the correction of personal information
• act as the organisation’s liaison with the Privacy Commissioner
The survey also reveals the NFPs which have Privacy Officers in place have selected people from disparate parts of their organisations. The most common appointees are the CEO and the governance team. Perhaps more surprising was the wide range of other people appointed to the role, including corporate services, operations, office managers and receptionists. The best person for the role of Privacy Officer depends on the size of your organisation, the work it does, and what personal information it handles. In smaller organisations, the chief executive/general manager is normally responsible for all legal compliance, including privacy. Often an in-house complaints, human resources, or legal team will do privacy work as part of their duties. However, organisations that handle a large amount of personal information may need one or more employees dedicated to privacy matters.
Whoever takes on the duties of a Privacy Officer in an organisation, it’s important for everyone, at all levels of the organisation, to take their advice seriously. Over two thirds of survey participants said they have effective procedures in place to detect and report data breaches; however, nearly the same number of organisations said they have not provided any training to their team members about the Privacy Act changes. This is a concern. The Office of the Privacy Commissioner has a wide range of resources and training available to help organisations understand their obligations and ensure everyone knows why those procedures exist and how to apply them.
The Law Has Changed - (On 1 December 2020)
The Privacy Act 2020 introduces greater protections for individuals and some new obligations for businesses and organisations.
The changes include the requirement to report serious privacy breaches to the Privacy Commissioner and to affected people.
The Privacy Commissioner has new powers to help people access their own information and to require businesses and organisations to comply with the law.
There are increased fines for organisations that don’t comply, and there are new rules when sending personal information overseas.
You can find out more about the changes on our resources page.
Privacy Statement Generator - Get your privacy statement sorted. It takes five minutes.
Useful Guidelines for Social Service Providers