Under the Privacy Act, requirements dictate how you should handle your clientsâ personal information. And there are a number of things to be done. Michael Leahy advises Callum Fitzpatrick on how you can stay on the right side of the law.
Contractors with an annual group business turnover of more than $3 million must comply with privacy law.
Most importantly, privacy law requires these installers to treat their customerâs personal information as confidential.
Michael Leahy, an accredited specialist in business law with extensive AV industry experience, says that privacy law requires these installers to carry out the following procedures:
⢠Prepare a privacy policy and publish it to customers â for example, on their website;
⢠Establish a privacy policy and an access procedure for personal information;
⢠Provide a privacy notice to new individual customers, when signing them up for installation work; and,
⢠Appoint a privacy officer as a point of contact for any customers wishing to access their personal information.
Businesses must comply with the National Privacy Principles, some of which are summarised below.
A business can collect customerâs personal information only if it is necessary for one of the installerâs functions or activities and only from the individual concerned, where it is reasonable and practicable to do so.
The installer can only use personal information for the purpose for which it was collected. However, an installer may use personal information for a related purpose, if that would be within the reasonable expectations of the individual. So if your group is looking to âcross-sellâ an unrelated product to your customers, your privacy policy needs to say so. For example, if youâve installed a security system for a customer, you canât pass that customerâs details to another company in your group, which sells flat screen televisions or hi-fi systems, to assist them to market those products to your customer, unless your privacy policy states that you may do this.
Michael adds that it pays to have a privacy policy statement which works sensibly for your whole business, so that another company in your group can market to your customers.
âWhat an installer mustnât do is sell a customer list to a separate company (outside the group) purely for marketing to installerâs customers. Privacy law is very much against âtraffickingâ in customer lists,â he says.
âAn installer must take reasonable steps to protect the information from misuse and loss and from unauthorised access, modification or disclosure. This may mean checking to ensure that your in-house computer and document systems are secure from hacking and theft. Computers should be password protected and documents kept locked away when not being accessed.â
An installer must destroy or permanently de-identify customerâs personal information, if it is no longer needed. Obviously a customerâs personal information can be retained by installer for as long as customer is still likely to need the installer for service calls, warranty issues, regular maintenance or even replacement products. A six year period is the minimum period for which most customer information should be stored, as a customer could make a claim on an installer for breach of contract or negligence within six years after an installation.
The privacy officer will handle any customer requests for access to their personal information and any complaints about breaches of privacy law.
Michael has noticed that most medium size companies appoint as their privacy officer the person who handles credit or internal administrative issues within the office. These people are usually well versed in the practicalities of privacy law, as you need to be, when handling credit issues, when considerable money is at stake. The last thing you want to do is ruin your chances of getting your money back, by wrongly disclosing details of an overdue account to someone else, when customer hasnât given you permission to do so.
Another interesting issue in recent times is how source codes are dealt with when undertaking security installations.
âWhen installing security technology, many installers donât provide the customer with the source codes that are necessary to make any modifications in the future. This is a serious breach of privacy law when the customer is an individual,â Michael says.
âIf a home owner doesnât have those codes they can effectively be locked out of their own house and be unable to access a system that opens the front door, turns on the lights and activates the air conditioning. Not only that, but if you are ever going to sell your house, you need to have the codes to pass onto the new buyer.â
Michael believes the problem is not only that installers are not supplying the codes, itâs that they are not informing the customer that they exist in the first place.
âSometimes the installer wants to make sure that any future business isnât undertaken by untrained professionals or doesnât become overly expensive for the client. However, most of the time they withhold the information to guarantee themselves repeat business.â
Michael advises that the correct approach is for the installer to inform the client the codes will be supplied when the installation bill has been paid in full.
âThe real issue arises when the installer refuses to supply the codes or doesnât them they exist and then the customer finds out further down the track.â
As this privacy law has only been in place since 2000, the consequences for a breach are still not particularly severe, however Michael says this could be set to change in the future.
âA complaint is usually lodged with the privacy commissioner and under current Australian Law, the commissioner has power to lodge a claim with the offending party for any financial loss that the customer has suffered. This can be a real problem when the installer is collecting overdue debts, so care needs to be taken in credit collection practices.â
He adds that there have been proposals to bring in a legal tort (a wrongful act that results in injury to a personâs property or reputation, which entitles the injured party to compensation) which will allow a customer to sue an installer for a breach of a privacy law.
The information in this article is general information only and is not legal advice.
For legal advice on these matters, you may contact Michael Leahy, email leahylaw@bigpond.net.au mobile 0416203205 â his liability is limited by a scheme under professional standards legislation.
For privacy generally you may contact the Office of the Australian Information Commissioner (OAIC) at www.privacy.gov.au.
