Property & Construction: 7 Key Digital, Privacy & Information Security Risks That You Need To Act On Now!

Print Friendly, PDF & Email

By Alec Christie, Partner and James Wong, Associate

With heightened public and regulator scrutiny of the Property & Construction sectors, it’s more important than ever to ensure that you understand what the risks are and have the right measures in place to protect data.

1: Managing the personal information of employees, contractors and visitors

Whether you’re building or managing a residential or commercial space, you have legal obligations in respect of the personal information you collect and use. You likely collect data about employees, contractors, tenants and visitors. Failure to handle this data in accordance with the requirements of the Australian Privacy Principles under the Privacy Act (APPs) could see you facing fines of up to $2.1m (soon to be the greater of $10m, 3 times the benefit and 4% of the annual domestic group revenue), damages of around $10,000 per complainant and irreparable damage to your reputation.

Ensure you are aware of all data you collect, hold and/or share that could constitute personal information. That is, information that could reasonably identify an individual, including if mixed with other generally available information .

If you have a sign-in or registration process for site visitors, for example, you should ensure that this system and your specific uses of it comply with Australian privacy law. In particular, you can generally only collect personal information if it is related to your organisation’s functions and activities and you give notice of your privacy policy.

Also, contrary to the prevailing wisdom, the collection of employee personal information is not exempt from the APPs.

Where you collect sensitive information (e.g. a webcam photo of employees or a visitor’s face or health information) you must obtain consent to such collection and the proposed uses of that information.

The APPs include requirements relating to the storage, use and sharing of personal information, notification of all ‘eligible data breaches’ and a requirement that you delete or de-identify personal information when it is no longer required by law to be kept and no longer needed for the purpose(s) for which it was collected. How long are you keeping visitor registration information?

We recommend that you conduct an audit/review of your information holdings and processes to ensure that you are collecting, using and disclosing personal information in an open, transparent and compliant manner, that any consents you require are actually being obtained and your data breach response plan is appropriate.

2: Public Wi-Fi and e-marketing

If you offer public Wi-Fi for visitors to your property (even if provided by a third party on your behalf), you are likely to be collecting personal information through a ‘captive portal’.

Your collection of personal information (even via third party-provided Wi-Fi) should be subject to your clear and transparent privacy policy and appropriate terms and conditions. The content and format of these documents (and whether users must positively agree to them before accessing the service and opt-in if they want e-marketing) are critically important, especially if you wish to send marketing messages (e.g. email marketing) using the contact details collected. Also, the added benefit of compliance is that you (not the third party provider) ‘control’ the information and have it available for notified business purposes/analysis.

3: Are your contractors privacy and information security compliant?

You might have a number of contractors involved in services provision at your site or property (including, for example, provision of Wi-Fi). If just one lets you down on privacy or information security compliance you may be left picking up the pieces (and be liable for it).

The best line of defence against this is to ensure that all of your contractual arrangements have privacy and information security requirements built in. We can conduct a gap analysis of current contractual terms and help you to negotiate terms that sensibly and fairly allocate privacy and information security obligations across the supply chain. We can also help you propose contract terms that put you in good stead in relation to privacy and information security in new contracts.

Key terms to consider in all services agreements include business continuity, data breaches and incident response and catch-all privacy and information security compliance obligations.

4: Tracking, surveillance, fleet management and data analytics

If you engage in the surveillance of individuals (whether they are employees, contractors, customers or visitors to a property) and/or fleet vehicles you must ensure you comply with all relevant surveillance and privacy laws. It is necessary to notify those being surveilled (e.g. with a visible notice) that you are undertaking surveillance and provide them with or refer them to your privacy policy. For example, some retail properties use software connected to the provision of public Wi-Fi (e.g. base station logs) to track the movement of visitors to a property.

There are numerous privacy issues to consider. In particular, where such information is collected in tandem with technologies offered by social media platforms and/or where such data is used as part of a data analytics program. Also, surveillance data footage is personal information and can only be held as long as required for the notified purposes of collection. Once these purposes are fulfilled (and if not otherwise required to be kept by law) it must be deleted or de-identified. While surveillance (of all sorts) can be done in a privacy-compliant way, we have rarely seen such done well in practice without assistance. We recommend undertaking a privacy review (starting with data flow mapping) of all tracking, surveillance and analytics activities.

5: Do you need to comply with GDPR?

The EU General Data Protection Regulation (GDPR) introduced major new privacy, security and marketing obligations and individuals’ rights from 25 May 2018. It also has a much wider application outside of the EU and to non-EU companies than the previous EU privacy laws. Generally, the GDPR applies:

  • where you have an ‘establishment’ (whether physically or online) in the EU;
  • where you offer goods or services in the EU; and/or
  • where you monitor/track individuals in the EU.

In practice, this means that if you (as an Australian company) have a branch/sales office in the EU or otherwise target potential investors/buyers/tenants in the EU and collect information about individuals located in the EU (e.g. for these purposes or for enhancing your digital marketing strategy) the GDPR will likely apply to you. Failure to comply with the provisions of the GDPR, where applicable, may result in fines of up to the greater of €20m or 4% of annual global group turnover. However, before undertaking an expensive GDPR compliance uplift, we recommend first obtaining legal advice to ascertain if you are caught by GDPR and, if so, whether changes to any activities reduce or eliminate the impact of GDPR.

6: FIRB sharpens its focus on acquisitions of/investment in data-rich Australian assets

The Foreign Investment Review Board (FIRB) is directing greater regulatory scrutiny to proposals that involve foreign investors gaining access to the personal information of and data about Australian residents (e.g. visitors to shopping centres). This reflects heightened awareness that data protection is of critical importance to Australia’s national interest. This may adversely affect capital availability or potential buyers. However, this is likely to be less of an issue for those Australian businesses with a greater emphasis on robust data protection and better-practice privacy management controls in place.

7: Whistleblowing

2019 saw the introduction of a significantly expanded whistleblower protection regime covering the majority of larger businesses (all public companies and all private businesses with 50+ staff, $12.5m+ in group assets or group revenue of $25m+).
Staff who report on a broad range of conduct (including ‘misconduct’ and an ‘improper state of affairs’, whether or not the whistleblower reveals their identity and whether or not they act in ‘good faith’) must now be protected.

A compliant whistleblowing policy must be implemented by all larger business by 1 January 2020. This policy must include certain mandatory content. Failure to do so by 1 January 2020 is a criminal offence. You must also be prepared to respond to ‘emergency disclosures’ and ‘public interest disclosures’ (disclosures which can be forwarded to the media in certain circumstances) and ensure your processes are robust enough to comply with this significantly expanded regime. As time is running out to prepare and implement your whistleblowing policy, we are happy to discuss this with you now.

For further information, please do not hesitate to contact us.

Get the latest news insights and articles straight to your inbox, simply enter your details.

  • First Name
  • Last Name
  • Email

Digital Law

#RebootYourPrivacy for Privacy Awareness Week