Despite being 30 years old, organisations can still be confused about their obligations under the Privacy Act 1988 (Cth) (Privacy Act). Whether the Privacy Act even applies can be a minefield for sporting organisations such as sporting clubs, gyms, and governing bodies.
Unfortunately, ignorance of the law excuses no one, and fines for a breach of the Privacy Act now range up to $2.1 million.
The introduction of the Mandatory Data Breach Reporting regime to the Privacy Act on 22 February 2018 makes it more vital than ever to be aware of, and prepared to comply with, your privacy obligations. Particularly with the ever-increasing chance of being hacked.
If your organisation experiences a data breach involving personal information, you may need to report it to the individuals involved, and the Office of the Australian Information Commissioner (OAIC). Failure to do so may be a breach of the Privacy Act.
Does the Privacy Act even apply to us?
As a starting point, if your annual turnover is above $3 million the Privacy Act most likely applies. However, there are certain exceptions which mean some organisations that turn over less than this threshold are still bound by the Privacy Act.
For sporting organisations, the OAIC’s current advice is that they are covered by the Privacy Act if they provide a health service or hold health information.
The Privacy Act’s wide definition of “health service” and “health information” means that a sporting organisation is likely to be providing a health service if it:
- records, assesses, or treats people’s injuries;
- assists people to maintain or improve their level of fitness; or
- employs a health professional.
Information related to the above is probably also going to be viewed as health information.
Sporting organisations that provide such health services are directed by the OAIC to assume they are covered by the Privacy Act, and to ensure they take steps to comply with the Privacy Act including the Australian Privacy Principles.
If you are not sure if the Privacy Act applies to your sporting organisation, we recommend seeking legal advice.
What are your obligations under the Privacy Act?
This is not a question that can be easily answered in an article, as it will depend on what your organisation does. At a high level, under the Privacy Act organisations must:
- Report actual or suspected data breaches to affected individuals and the OAIC in certain situations.
- Comply with the Australian Privacy Principles as set out in Schedule 1 of the Privacy Act, which include obligations such as:
- when collecting personal information, notifying individuals of how it will be used and shared;
- only using personal information in ways that have been disclosed to individuals;
- restrictions on use of personal information for direct marketing;
- ensuring the security of personal information; and
- allowing individuals to access and correct the personal information you hold about them.
What special considerations are there for sporting organisations?
Smaller sporting organisations in particular face an increased risk of data breaches because they don’t have the same resources available to direct towards data security and staff training.
The lack of resources may also mean at some stage that sporting organisations as a group may be targeted by cyber criminals, much in the way that some small business sectors are currently being targeted. Especially if you store information that is attractive to cyber criminals, such as credit card numbers, copies of photo ID’s, or other financial or identity information.
Sporting organisations that work with children also potentially face greater reputational harm for a breach of children’s privacy. Losing the confidence of the parents because of a privacy breach could be fatal to your organisation.
What can we do?
The best advice we can give you is be aware and be prepared.
Make sure that you are aware of your obligations under the Privacy Act, if you provide some form of health service the Privacy Act probably applies to you.
The Tech & Media team at Griffin Legal can assist you:
- in understanding your privacy obligations;
- training your staff; and
- preparing privacy documents such as privacy policies, collection notices, and a Data Breach Response Plan to ensure you can quickly and easily comply with your mandatory data breach reporting requirements.
Contact our privacy experts today if you need assistance on 02 6198 3100 or clicking here.