As featured in the latest edition of Club Insight Magazine
Many clubs would be aware of the alleged major data breach currently under police investigation that affected several NSW club and pub patrons. Reports suggest that over one million personal records were leaked and published on a website, with the data coming from IT provider Outabox, which provides sign-in systems to hospitality venues. The information leaked includes personal details from membership records such as names, addresses, dates of birth, phone numbers, driver’s licences and signatures. It also included facial recognition data.
In our experience, most clubs are well aware of their privacy obligations and the need to protect the data of staff, members and other customers. But this is a timely reminder for clubs to be careful and do their due diligence when contracting third-party suppliers and to have a plan in place so they are ready to react if they are faced with a data breach.
Currently, the Privacy Act 1988 only requires businesses with a turnover of more than $3 million to comply with the 13 Australian Privacy Principles. There are some exceptions to this rule, for example, businesses that provide services under a contract with the Australian government or that collect health data (which may apply to some sports clubs). Some smaller clubs are currently exempt from these privacy obligations. However, in late 2023 the Australian government responded to a review of the Privacy Act and agreed in principle to remove this exemption, subject to further industry consultation.
Regardless of whether this exemption applies, it is best practice for clubs to take their privacy obligations seriously and have policies in place as though all privacy laws applied to their business. In today’s landscape, patrons place immense value on the security of their data across all environments. Therefore, the potential reputational repercussions of non-compliance with these obligations cannot be overstated.
A club’s privacy policy needs to address matters such as the kind of information it collects, how it collects and stores that information, the purposes for which the information may be used, how the information can be accessed and how someone can make a complaint about a suspected breach of privacy laws.
Clubs should ensure that they only collect necessary personal information, that the information is stored securely and that they delete information that is no longer required. It is important to regularly review how data is secured as technology and systems evolve, so clubs need to ensure that they or their service providers are regularly updating their systems.
Having a plan ready to respond to a data breach can help a club minimise the risk of harm from the information that has been leaked, reduce the impact on affected staff or members and reduce the costs or risk of reputational damage. Under the Privacy Act, there is a notifiable data breaches scheme that requires entities to notify both affected individuals and the Office of the Australian Information Commissioner if a data breach is likely to result in serious harm to an individual. The timeframe for response is currently 30 days and that is expected to be reduced to seven days under the proposed changes, with increased penalties for non-compliance. Clubs should be proactively thinking about putting response plans in place so they are able to respond in the allotted time.
Licensed clubs operate in a heavily regulated industry and have various compliance requirements relating to liquor, gaming, food safety, workplace safety, governance, anti-money laundering, etc. However, ensuring that privacy obligations are complied with is just as important as these more traditional requirements. Having suitable policies in place, and a plan ready for a possible data breach, is becoming a critical business issue given the increase in data being collected – including with facial recognition technology – and the ever-increasing risk of a data leak.
Things for clubs to consider:
- Do you have a privacy policy (and data breach response plan) in place if your turnover is greater than $3 million?
- If your turnover is less than $3 million, you should monitor for changes in relation to your obligation to comply.
- Is anyone, including contractors, collecting personal information for you?
- Do you have agreements that require those people to meet your privacy standards and to respond if they are in breach?
Should you have any queries or require any further information in relation to your club’s privacy policy, please contact me on (07) 3224 0353.