Preparing for upcoming changes to the Privacy Act
15 August 2024
Against a backdrop of public data breaches, ongoing cyber attacks, the rapid adoption of Artificial Intelligence, and broader consumer privacy concerns, the Australian Government initiated a review of the Privacy Act (1988), which resulted in the Privacy Act Review Report 2022 (Privacy Act Review Report) containing 116 proposals for change. The Government Response to the Privacy Act Review Report was subsequently published on 28 September 2023 (the Government Response) detailing the Government’s position on the proposals and possible legislative changes.
What can organisations do to prepare for the likely changes?
The Government Response provides us with a broad outline of changes that we can expect in the short to medium term. While many details remain unknown, we can expect that organisations will be required to comply with a set of baseline privacy outcomes aligned with relevant outcomes of the Government’s 2023–2030 Australian Cyber Security Strategy.
To prepare for the expected changes, the first step is to understand what personal information is collected, why it is collected, and where and how it is stored within your organisation. This is often best achieved through an approach that combines stakeholder engagement and technological solutions – running a series of workshops with process and system owners, and cross-checking the findings using a specialist data discovery tool configured to scan information systems for private and sensitive data. Once an accurate and tested data asset register is compiled, your organisation can set about answering questions such as:
Are we currently meeting proposed requirements relating to consent for collection, use and disclosure of personal information, and is the information we collect used for the primary purpose we are collecting it?
Do we have appropriate governance and technological controls to protect the information, or respond in the case of a data breach?
Have we adequately assessed how third parties are used in the collection, storage and processing of personal information?
Can business processes and systems support proposed changes enabling individuals to have more insight into their personal information, and control over that data such as the right to erasure?
What implications are there should a severe or repeated breach of personal information occur?
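The paragraph above describes cross-checking workshop findings with a data discovery scan and compiling the results into a data asset register. The following Python block is an added example, not code from the article or from any particular discovery product: it scans a handful of constructed records from three hypothetical systems (`crm`, `payroll`, `ticketing`), confirms candidate identifiers with the published Tax File Number and Medicare card check-digit rules so that arbitrary digit strings do not pollute the register, and aggregates the confirmed findings per system. All identifiers in the sample data are constructed test values.

```python
"""Toy PII discovery scan that builds a data asset register.

Added example (not from the article). Mimics what a data discovery tool does
when configured to scan information systems for personal and sensitive data:
find candidates with patterns, confirm them with validators, aggregate per
system. System names, records and identifiers below are constructed sample data.
"""
import re
from collections import defaultdict

# Candidate patterns. A match is only a candidate until a validator (where one
# exists) confirms it; that keeps e.g. 9-digit order numbers out of the register.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "au_phone": re.compile(r"(?<!\d)(?:\+61 ?|0)[2-478](?:[ -]?\d){8}(?!\d)"),
    "tfn": re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)"),
    "medicare": re.compile(r"(?<!\d)[2-6]\d{3}[ -]?\d{5}[ -]?\d(?:[ -]?\d)?(?!\d)"),
}

# Constructed risk tiering for the register; not a statutory classification.
HIGH_RISK = {"tfn", "medicare"}


def valid_tfn(candidate):
    """Australian TFN check: weighted digit sum is divisible by 11."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 9:
        return False
    weights = (1, 4, 3, 7, 5, 8, 6, 9, 10)
    return sum(d * w for d, w in zip(digits, weights)) % 11 == 0


def valid_medicare(candidate):
    """Medicare card check: 9th digit equals weighted sum of first 8 mod 10."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) not in (10, 11) or not 2 <= digits[0] <= 6:
        return False
    weights = (1, 3, 7, 9, 1, 3, 7, 9)
    return sum(d * w for d, w in zip(digits[:8], weights)) % 10 == digits[8]


VALIDATORS = {"tfn": valid_tfn, "medicare": valid_medicare}


def scan_record(text):
    """Return confirmed (category, value) findings for one record."""
    findings = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            check = VALIDATORS.get(category)
            if check is None or check(value):
                findings.append((category, value))
    return findings


def build_register(systems):
    """Aggregate confirmed findings into one register entry per system.

    Systems with no findings are listed too: a register should also record
    which systems were scanned and found clean.
    """
    register = {}
    for system, records in systems.items():
        counts = defaultdict(int)
        for record in records:
            for category, _ in scan_record(record):
                counts[category] += 1
        if not counts:
            risk = "none"
        elif HIGH_RISK & counts.keys():
            risk = "high"
        else:
            risk = "standard"
        register[system] = {"categories": dict(counts), "risk": risk}
    return register


# Constructed sample records; the TFN and Medicare values are known test values.
SAMPLE_SYSTEMS = {
    "crm": [
        "Contact: jane.doe@example.com, mobile 0412 345 678",
        "Contact: support@example.com (shared inbox)",
    ],
    "payroll": [
        "Employee 0042, TFN 123 456 782, start 2021-03-01",
        "Employee 0043, TFN 123 456 783 (data entry error)",  # fails checksum
    ],
    "ticketing": [
        "Order #987654321 shipped",  # 9-digit order id, not a valid TFN
        "Customer quoted Medicare 2123 45670 1 in a support chat",
    ],
}

if __name__ == "__main__":
    for system, entry in build_register(SAMPLE_SYSTEMS).items():
        print(f"{system:10s} risk={entry['risk']:8s} {entry['categories']}")
```

The validators are what make the output usable as a register rather than a list of regex hits: the mistyped TFN in `payroll` and the order number in `ticketing` are dropped, while the Medicare number quoted in a support chat surfaces a high-risk store that a workshop with the ticketing system owner might not have flagged.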
Collection, use and disclosure of personal information
Best practice is to appoint a senior employee responsible for enabling privacy compliance. Your organisation should ensure that consent to the collection or use of personal information is voluntary, informed, current, specific and unambiguous, and that individuals can withdraw consent at any time. The proposed requirements will ensure that the collection, use and disclosure of personal information is fair and reasonable in the circumstances; that privacy policies are clearly written and understood by the consenting individual; and that they clearly set out any personal information used in automated decisions that may have a legal or significant effect on an individual’s rights. Any trading of personal information will require explicit consent from the individual. Upon request, your organisation must be able to correct or delete information, correct any personal information that has been published, remove it from online search engine indexes, and permit individuals to opt out of their personal information being used or disclosed for direct marketing purposes.
Organisations will need to assess their ability to comply with basic requests, and whether requests to de-identify or erase information are supported by their current technology solutions.
Governance and technical controls protecting personal information
Irrespective of size or industry sector, the proposed changes will require every organisation to establish data retention policies, clearly setting out minimum and maximum data retention periods. These must consider the type, sensitivity and purpose of the information being retained, organisational needs and any other legal obligations the organisation may have. Operating procedures will need to be updated to comply with data retention policies, and systems may need to be modified to support new operating requirements. Activities with high privacy risks will require a Privacy Impact Assessment to be completed beforehand.
Reasonable steps must be taken to implement systems to enable an organisation to respond to a data breach, such as an Incident Response Plan with supporting practices, third parties and technologies. The response will need to include processes such as notifying the OAIC within 72 hours of becoming aware of the breach (currently within 30 days), notifying individuals as soon as practicable, and setting out the steps taken or to be taken in response to a data breach, including steps to reduce adverse impacts on the individuals affected. Current exclusions relating to personal information of current and former employees will be removed.
Use of and disclosure of personal information to third parties
Personal information is often collected, stored and/or processed by third parties as part of regular business processes. The proposed reforms have considered recent supply chain data breaches and seek to ensure a clear distinction of responsibilities regarding the use of third parties. Where a third party is used to collect personal information (for example, where personal information is purchased from a third party for marketing purposes), the proposed changes will require your organisation to take reasonable steps to ensure that the information was collected lawfully. Where a third party used to store or process data is located in a country without privacy laws similar to Australia’s, the organisation will be required to ensure appropriate contractual clauses are in place governing the disclosure and protection of personal information. It will also be required to inform individuals of the types of personal information that may be disclosed to those third parties.
Implications in the case of a severe or repeated data breach
The OAIC and ASIC have the authority to pursue organisations that breach the Privacy Act and Corporations Act and are working collaboratively to accelerate data and privacy breach responses. The proposed changes to the Privacy Act will seek to introduce a statutory tort for serious, intentional invasions of privacy, providing recourse for individuals to seek compensation and the Federal and Family Courts to make additional orders after a civil penalty has been established. This will include a requirement to identify, mitigate and redress actual or foreseeable losses suffered by an individual.
Our team of cyber, technology and data specialists is helping organisations of all sizes to prepare for changes to the Privacy Act through data discovery and governance projects. Working with internal and external stakeholders and using advanced technology to identify the personal information being stored by organisations, we can map out business requirements and supporting systems, and design and implement appropriate processes and solutions, including recommendations for uplift, to enable compliance.