When Private Conversations should be made Public

Organisations should take steps now to address the sweeping changes which will be made in the coming months when the Federal Government implements major reforms to the Privacy Act.

With the Government suffering embarrassment as a result of its perceived lack of action and failure to hold organisations accountable in the wake of high-profile breaches by large corporates such as Optus and Medibank, it is no coincidence that Privacy reform has been elevated to the top of its agenda for 2023.

The clean-up commenced in late 2022 when the Government passed amendments to the Privacy Act, including an increase of the Privacy Commissioners’ powers of investigation, and the ability to disclose its findings for actual and suspected data breaches. To gain the market’s attention, penalties were also increased (from $3 million) to $50 million for serious/repeat infringements.

Some of the steps organisations should be taking include:

1. Addressing data retention practices

A critical assessment should be made on data retention (and deletion) practices, with consideration given to whether data is retained for longer than required.
This was a cause of concern for Optus and Medibank where data of former customers (some deceased) was unnecessarily retained and subsequently accessed by hackers. Deletion of data is currently required under the Privacy Act but not generally given proper attention. However, the Government has indicated this will be a key area of focus.

2. Identifying the source of information

The changes are likely to require organisations to disclose the source of information collected when an individual requests those details.

Organisations should start recording that detail now, particularly for any new information collected, to avoid having to identify the source at a later time.

3. Undertaking a technical review

As the definition of personal information will be expanded to include internet ID and browsing history (to tailor user experience) organisations should be working with their technical providers to ensure that the collection of that web browser information complies with the Act and their privacy policy.

4. Addressing children’s data

The rights of vulnerable groups such as children and the disadvantaged will be considerably expanded. As many organisations have no mechanism to identify those groups, despite under 18’s accounting for one-third of the digital economy, many will need to take steps to address the new requirements and will be better placed to start early.

5. Reviewing collection of consents

Greater clarity will be required when obtaining consent to use an individual’s personal information. Accordingly, organisations should review their collection notices and consents now, otherwise organisations may need to obtain additional/new consent when the changes are implemented.

Many Australians also now have a different view concerning the handling of their personal information as a result of being affected by one or more of the recent high-profile breaches.  For those reasons, privacy should now be front of mind for Boards, senior management, and persons in charge of organisations in addressing governance, compliance, and/or risk management. 

With many customers/clients also looking more closely at an organisation’s data security, there is now a significant advantage for those who implement greater safeguards and have a higher level of compliance.

It is clear that the Government requires a substantial shift in the attitude to privacy compliance. That is apparent through the extent of some of the proposed changes which include:

1. Removal of small business exemptions

Until now, entities that have a turnover of less than $3 million have been exempt from complying with the Privacy Act, with limited exceptions. However, all organisations (which collect personal information) will now be required to comply, regardless of turnover.

There is expected to be a lead-in period and assistance for small businesses before the changes are implemented, but all organisations in Australia which hold personal information will be required to meet privacy standards.

That means many organisations which have not previously had to comply with the Privacy Act will now need to assess the information they collect, store, manage, and disclose as well as meet the additional requirements which are soon to be implemented.

2. Diluting employee records exemption

There is a strong push to have the exemption removed altogether to bring Australia more in line with international privacy requirements, particularly those applied in Europe under the GDPR.

Far greater transparency will be required regarding the handling of all staff personal information.

This is also a greatly misunderstood area as many businesses consider that they have a complete exemption from privacy compliance in relation to the handling of staff records/information when that is not the case. The Government has flagged this will be another key focus area.

3. Reporting Data Breaches

All serious data breaches will have to be reported to the Privacy Commissioner within 72 hours – significantly reduced from the current 28-day reporting timeframe.

Due to the reduced timeframe, all organisations should be establishing a data breach plan, rather than having to address matters on the run.

4. Marketing, targeting, and data trading

There will be extensive changes to marketing requirements, which are split into categories relating to direct marketing, targeting and trading. Targeting and trading are new concepts:

• Targeting applies to de-identified information, such as using unidentified internet history to tailor content.
• Individuals will have the right to opt out of direct marketing and targeted advertising.
• Data trading in personal information must only be undertaken with consent.

5. Obtaining and clarifying consents

Consent will need to be voluntary, informed, current, specific, and unambiguous. Organisations should be reviewing their collection practices when obtaining consent, including revising collection notices which will be required to outline new information.

6. New requirements will apply for children and vulnerable individuals

In relation to children, those will include:

• a prohibition on direct marketing (and targeting) of children
• all trading of the personal information of children is to be prohibited.

7. Remedies

Individuals will be given a right to sue and claim damages for breach/interference with privacy.

8. The use of AI

The Government is concerned about the use of artificial intelligence tools, particularly those with automated decision-making processes and little human input. If businesses are using tools that make decisions about individuals or their data, then that will need to be specifically considered and spelled out clearly in the organisation’s privacy policy.

The message could not be more clear that the Government expects a significant shift in the way that many organisations address privacy compliance and a firm understanding that paying lip service to privacy obligations will no longer be tolerated.

Some pre-planning and action now is prudent from a risk and governance perspective and will reduce the workload down the line when the changes are implemented.