Organisations should take steps now to address the sweeping changes which will be made in the coming months when the Federal Government implements major reforms to the Privacy Act.
With the Government suffering embarrassment as a result of its perceived lack of action and failure to hold organisations accountable in the wake of high-profile breaches at large corporates such as Optus and Medibank, it is no coincidence that privacy reform has been elevated to the top of its agenda for 2023.
The clean-up commenced in late 2022 when the Government passed amendments to the Privacy Act, including an increase in the Privacy Commissioner’s powers of investigation and the ability to disclose findings for actual and suspected data breaches. To gain the market’s attention, penalties were also increased (from $3 million) to $50 million for serious/repeat infringements.
Some of the steps organisations should be taking include:
- Addressing data retention practices
A critical assessment should be made of data retention (and deletion) practices, with consideration given to whether data is retained for longer than required.
This was a cause of concern for Optus and Medibank where data of former customers (some deceased) was unnecessarily retained and subsequently accessed by hackers. Deletion of data is currently required under the Privacy Act but not generally given proper attention. However, the Government has indicated this will be a key area of focus.
- Identifying the source of information
The changes are likely to require organisations to disclose the source of information collected when an individual requests those details.
Organisations should start recording that detail now, particularly for any new information collected, to avoid having to identify the source at a later time.
- Undertaking a technical review
- Addressing children’s data
The rights of vulnerable groups such as children and the disadvantaged will be considerably expanded. As many organisations have no mechanism to identify those groups, despite under-18s accounting for one-third of the digital economy, many will need to take steps to address the new requirements and will be better placed if they start early.
- Reviewing collection of consents
Greater clarity will be required when obtaining consent to use an individual’s personal information. Accordingly, organisations should review their collection notices and consents now; otherwise they may need to obtain additional/new consent when the changes are implemented.
Many Australians also now have a different view concerning the handling of their personal information as a result of being affected by one or more of the recent high-profile breaches. For those reasons, privacy should now be front of mind for Boards, senior management, and persons in charge of organisations in addressing governance, compliance, and/or risk management.
With many customers/clients also looking more closely at an organisation’s data security, there is now a significant advantage for those who implement greater safeguards and have a higher level of compliance.
It is clear that the Government requires a substantial shift in the attitude to privacy compliance. That is apparent through the extent of some of the proposed changes which include:
- Removal of small business exemptions
Until now, entities that have a turnover of less than $3 million have been exempt from complying with the Privacy Act, with limited exceptions. However, all organisations (which collect personal information) will now be required to comply, regardless of turnover.
There is expected to be a lead-in period and assistance for small businesses before the changes are implemented, but all organisations in Australia which hold personal information will be required to meet privacy standards.
That means many organisations which have not previously had to comply with the Privacy Act will now need to assess the information they collect, store, manage, and disclose as well as meet the additional requirements which are soon to be implemented.
- Diluting employee records exemption
There is a strong push to have the exemption removed altogether to bring Australia more in line with international privacy requirements, particularly those applied in Europe under the GDPR.
Far greater transparency will be required regarding the handling of all staff personal information.
This is also a greatly misunderstood area as many businesses consider that they have a complete exemption from privacy compliance in relation to the handling of staff records/information when that is not the case. The Government has flagged this will be another key focus area.
- Reporting Data Breaches
All serious data breaches will have to be reported to the Privacy Commissioner within 72 hours – significantly reduced from the current 28-day reporting timeframe.
Due to the reduced timeframe, all organisations should be establishing a data breach plan, rather than having to address matters on the run.
- Marketing, targeting, and data trading
There will be extensive changes to marketing requirements, which are split into categories relating to direct marketing, targeting and trading. Targeting and trading are new concepts:
- Targeting applies to de-identified information, such as using unidentified internet history to tailor content.
- Individuals will have the right to opt out of direct marketing and targeted advertising.
- Data trading in personal information must only be undertaken with consent.
- Obtaining and clarifying consents
Consent will need to be voluntary, informed, current, specific, and unambiguous. Organisations should be reviewing their collection practices when obtaining consent, including revising collection notices which will be required to outline new information.
- New requirements will apply for children and vulnerable individuals
In relation to children, those will include:
- a prohibition on direct marketing (and targeting) of children
- all trading of the personal information of children is to be prohibited.
Individuals will be given a right to sue and claim damages for breach/interference with privacy.
- The use of AI
The message could not be clearer that the Government expects a significant shift in the way that many organisations address privacy compliance, and a firm understanding that paying lip service to privacy obligations will no longer be tolerated.
Some pre-planning and action now is prudent from a risk and governance perspective and will reduce the workload down the line when the changes are implemented.