Australian organisations are showing varying levels of preparedness when it comes to data privacy, with Maddocks partner Sonia Sharma saying they need to get ahead of legislative change because the conversation has already moved from the “Parliament to the pub.”
Sharma said organisations should act now to pursue foundational privacy best practices in line with Office of the Australian Information Commissioner guidance. The first priority should be to map organisational data and manage the significant risks presented by third-party providers.
Jump to:
Privacy Act reform to empower individuals and regulators
The Response to the Privacy Act Review report, released in 2023, saw the Australian federal government agree to 38 of 116 proposals, agree “in-principle” with 68 and “note” 10. Described as a timid response by some after four years of consultation, it signalled both broad support for change, while also flagging a further period of consideration and consultation.
A number of possible changes when the Australian government legislates reform in 2024 include the potential expansion of the regime to smaller businesses with a turnover of less than AU $3 million (US $1.9 million). Law firm Corrs Chambers Westgarth said organisations could expect to be dealing with more “empowered individuals and regulators” in the future.
More data rights for individuals
In a client advisory, Corrs said “individuals will likely have a menu of new rights with respect to the collection and handling of their personal information, including rights of explanation, correction and erasure, as well as claims they may make where their personal information is mishandled.” The firm explained that this would include “a direct right of action for privacy-related damages as well as a statutory tort for serious invasions of privacy.”
SEE: Explore our explainer on how data governance affects data security and privacy.
Corrs noted the likely imposition of more obligations relating to collecting personal information. These include proposals to impose a positive standard of fairness and reasonableness on all collections of personal information and a requirement that Privacy Impact Assessments be undertaken for high-risk activities like facial recognition, both of which were “agreed in principle” by the Australian government.
Individuals will also soon have the right to request meaningful information on how significant automated decisions about them are made, while privacy policies will need to set out what information is used for automated decision-making. This could mean that the rise of artificial intelligence-derived decision making is paired with more stringent legal obligations.
Enhanced regulatory powers
The OAIC will have its powers to regulate bad data behaviour boosted as part of the Privacy Act reforms. This includes an agreed proposal to implement a tiered infringement scheme, which would see the introduction of low-tier and mid-tier civil penalty provisions.
Corrs said that, in general, the changes would soon herald a more prolific and uniform enforcement approach taken by an empowered OAIC and a larger regulatory “attack surface” for companies processing personal information of Australians.
Organisations urged to act ahead of Privacy Act reforms
Australian organisations exhibit “a really big range in cyber and privacy maturity,” Maddocks’ Sharma said. While some are “well advanced” in privacy and data security practices, others are yet to put in place basic measures required to comply with future Privacy Act reforms.
“I have seen organisations who do not have a data breach response plan, who do not have a document retention policy and who are not conducting Privacy Impact Assessments,” Sharma said. “All are mandated or expected to come into play as part of Privacy Act reforms.”
Following a series of large data breaches affecting millions of Australians, including insurer Medibank, financial services firm Latitude Financial and telco Optus, Sharma said community expectations have now changed, and organisations can no longer afford to wait for the law to catch up.
SEE: Australian organisations are encouraged to implement an assume-breach approach to combat ransomware.
“While waiting for these reforms to materialise, the conversation has moved from the Parliament to the pub; your grandma knows about privacy,” Sharma said. “Things like having a data breach response plan that is tested and shared to reduce response time frames need to be done now.”
Regulators to pursue boards and executives
Australian regulators have directly warned Australian boards and executives they could be the subject of legal proceedings if they take a reckless approach to cyber security and data privacy preparedness, which results in more Australians having their data privacy compromised.
Joseph Longo, chair of the Australian Security and Investments Commission, said at an Australian Financial Review Cyber Summit in 2023 that cyber resilience “has got to be a top priority” for all boards in Australia now, and ASIC would be ready if an incident happened.
“If things go wrong, ASIC will be looking for the right case where company directors and boards failed to take reasonable steps, or make reasonable investments proportionate to the risks that their business poses,” Longo told the AFR. “I can assure you that in the right case ASIC will commence proceedings if we have reason to believe those steps were not taken.”
Mapping organisational data should be number one priority
IT leaders within organisations should focus on creating a clear map of the data an organisation holds as a first priority. Maddocks’ Sharma said this would be a necessary first step to prepare for any practical changes that do come as a result of the Privacy Act reforms. As an example, Sharma singled out the potential shift towards a more voluntary and specific approach to individual consent, and the creation of clear retention periods for the destruction of data.
SEE: Check out this data governance checklist from TechRepublic Premium.
“If you do not have a clear map of what data you actually collect and hold now, how are you going to be prepared for those recommendations?” Sharma said. “If you don’t know what consent you are obtaining, what systems those consents are stored on, what data you are holding in all IT environments — whether that is on premise or in the cloud — and what periods you currently set for that, it will be difficult to be ready for these reforms.”
Sharma said that, with issues like data over retention a big issue for many organisations suffering breaches, this meant there was still “a lot of work to be done” for some.
Organisations responsible for third-party providers
Third-party providers represent a “significant risk,” with many breaches involving third party vendors. Just one example is Latitude Financial, the biggest breach in Australia’s history, which saw threat actors gain access through a third-party supplier.
However, organisations are responsible for this data. Sharma said they need to be pursuing a security or privacy by design approach before they engage a third party, which would include doing Privacy Impact Assessments and conducting a detailed review of security practices.
“You have to have tight technical controls around understanding how they process data, is it encrypted, where they are storing it, which third parties they are using, how they are monitoring for breaches — you need to understand this in detail before engaging a third party provider,” said Sharma.
According to Sharma, the requirement for Privacy Impact Assessments for serious projects was a likely inclusion in the coming Privacy Act changes.
“That is something I would recommend people should be doing now, and that is consistent with OAIC guidance,” Sharma said.