Data Privacy – It’s time to act
What is the Australian data privacy act?
The Privacy Act 1988 was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations that handle personal information.
The Privacy Act includes 13 Australian Privacy Principles (APPs), which apply to some private sector organisations, as well as most Australian Government agencies. Such organisations and agencies are collectively known as 'APP entities'. The Privacy Act also regulates the privacy component of the consumer credit reporting system, tax file numbers, and health and medical research.
The Australian Privacy Principles (or APPs) are the cornerstone of the privacy protection framework in the Privacy Act 1988. They apply to any organisation or agency the Privacy Act covers.
Penalties for non-compliance
In response to the high profile data breaches (Optus, Medibank and others) that significantly affected a large number of Australian citizens in 2022 , the Australian Parliament has passed key privacy reforms under the Privacy Legislation Amendment Bill 2022. Financial penalties for repeat or serious offenders is now the greater of A$ 50 million, three times the benefit of a contravention, or (where the benefit cannot be determined) 30% of domestic turnover.
Latest reform changes and what it means to you
The financial penalty updates from the November 2022 review are now in force but reform changes are still under review and will likely come into force later in 2023. This means that every organisation will need to review its existing privacy policy, collection notices and privacy consents.
Small Businesses and exemptions
The small business exemption will be phased out until removed entirely. The employee records exemption will be narrowed, with an increased obligation on employers to notify staff and the OAIC of data breaches affecting employee personal information.
Broader definition of personal information
The definition of personal information is under review and likely to be expanded to include information that "relates" to individuals such as IP addresses, location data and more. Also under review is any inferred or generated information will be deemed to have been 'collected' within the meaning of the act. When this comes into affect organisations will need to assess this usage and how best to manage compliance in the context of this expanded definition.
Enhanced OAIC powers
Following the last 9 months of high profile data breaches, the Australian Government now plans to appoint a dedicated privacy commissioner. This will bolster the OAIC structure to its original form of 3 commissioners, including one for freedom of information.
It is also likely that the OAIC will obtain further powers so that together with the Federal court, Federal Circuit and Family Court of Australia civil penalties can be delivered with impact to those that contravene the act. The threshold for a "serious" privacy breach is also lowered and it will no longer be required that a breach be a "repeated" interference.
What you need to do
Start getting your house in order now! Even if you have started to identify your sensitive data or think you have this is a continuous process, data is dynamic and is everywhere. Automation is key here for efficiencies and to remove any errors caused by the human element.
Detect and Correlate your risks
These are some of the things you should be thinking about when it comes to detecting and correlating data risks across your organisation.
Data Security Life Cycle Management - A six step process
Some practical steps that you can be doing now to improve your overall data security and data privacy management to drive down risk.
How Mobius Security can help
If you are struggling to understand where you start or need help with mapping your data, updating your policies, then please get in touch with our team who will be able to help wherever you are on your journey.
Call us on 1300 28 11 14 or email us at [email protected]