What your organisation needs to know about changes to the Privacy Act and your digital environment
The Federal Government has passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, aimed at protecting Australians’ digital privacy. Notably, it introduces a substantially increased penalty regime for entities that have obligations under the Privacy Act to protect Australians’ personal information from data breaches.
With penalties imposed now expected to dramatically increase, Avocado’s Cyber Security Practice Manager, David Vohradsky outlines what this means for organisations and how they can respond.
How did we get here?
In a fast-moving digital and cyber environment, laws regulating digital privacy have not kept up with the pace of change in both the business agility needed, as well as the threat environment.
Between September and October 2022, these inadequacies were thrust into the spotlight by large-scale data breaches – including Optus, Medibank and Mydeal – affecting the personal information of millions of Australians.
The after-effects of these breaches will continue to be felt for a long time, impacting individuals through financial harm via identity theft or fraud and psychological harm, as well as organisations through loss of trust and loss of shareholder value.
Although a broader privacy review by the Attorney-General’s Department was already under way, this Bill was expedited to address the immediate concerns raised by the data breaches, particularly around data collection and retention.
The law now places the affected individual at the centre, ensuring there is a conscious effort to protect personal information organisations hold from unauthorised access.
What are the changes?
The Privacy Act now regulates ‘a serious or repeated interference with privacy’ with a penalty regime to deter organisations. The penalty regime includes:
- An increase in the maximum penalty for serious or repeated interferences with privacy under the Privacy Act 1988 from the current $2.2 million to whichever is the greater of:
  - $50 million;
  - three times the value of any benefit obtained from the conduct constituting the serious or repeated interference with privacy; or
  - 30% of the entity’s adjusted turnover in the relevant period.
It also provides the Australian Information Commissioner with greater enforcement and information sharing powers, such as disclosing certain information in the public interest; and the Australian Communications and Media Authority (ACMA) with greater information sharing powers.
We anticipate that the penalties actually imposed (which have historically been an order of magnitude smaller than the statutory maximum) will dramatically increase.
So, what would be considered a ‘serious interference with privacy’?
As usual, in the absence of definitions in the legislation or precedents, and despite groups asking for more clarity, the limited guidance within the government’s Explanatory Memorandum needs to be relied upon.
In this case, the ordinary meaning of the terms ‘serious’ and ‘repeated’ would apply.
The OAIC states that the threshold reflects the opinion of a ‘reasonable person’, and it has listed the factors it considers relevant when assessing whether a particular interference with privacy is serious:
- The number of individuals potentially affected
- Whether it involved ‘sensitive information’ or other information of a sensitive nature
- Whether significant adverse consequences were caused or are likely to be caused to one or more individuals from the interference
- Whether vulnerable or disadvantaged people may have been or may be particularly adversely affected or targeted
- Whether it involved deliberate or reckless conduct
- Whether senior or experienced personnel were responsible for the conduct.
The OAIC also administratively defines ‘repeated interference with privacy’ to mean:
- An entity has interfered with the privacy of an individual or individuals on two or more separate occasions, which could arise from:
  - the same act or practice done on two or more occasions; or
  - different acts or practices done on two or more occasions.
How do these changes compare to the rest of the world?
These changes send a strong message to entities that complacency with Australians’ data is no longer acceptable.
As outlined in the Bill’s explanatory material, ‘when compared to equivalent legislation in overseas jurisdictions, the proposed maximum penalty of $50 million in the Bill is significantly higher than the maximum penalty of 20 million EURO (approximately $31 million AUD) under the European Union General Data Protection Regulation (GDPR). However, the proposed penalty of 30% of a body corporate’s annual Australian turnover in the Bill may not be directly comparable with the penalty of 4% of an entity’s global annual turnover under the GDPR.’
The inclusion of ‘repeated’ issues also aligns to the findings of courts, particularly in the United States, that have awarded damages in cases of repeated breaches or repeated demonstrated negligence.
What can organisations be doing now?
The increased penalty regime focuses on the consequences of an entity’s failure to protect the personal information it holds from unauthorised access. However, while the amendments to the Privacy Act will act as a deterrent, they do not address the root-cause issues earlier in the information lifecycle, namely data collection and retention.
With this in mind, these are the top four questions Avocado recommends organisations consider right now:
1. How can we minimise the collection of personal information?
Organisations should be auditing the types of sensitive data they collect, where it is being stored, and the volume – minimising to only what’s necessary. In some cases, this may involve business process re-engineering.
As a yardstick, the collection of data should always be limited to the minimum information reasonably necessary to achieve a legitimate purpose. A common example of over-collection is recording sensitive information such as identity documents simply to speed up future fulfilment. Businesses should be asking themselves: is the risk worth the reward in over-collecting data?
2. Do we know where all our at-risk data is and what our vulnerabilities are?
Protecting your crown jewels is about knowing what data you have and how it is stored. By understanding your crown jewels, you can assess your individual and aggregate vulnerabilities and better protect your business. You need to also requantify your risk to include the new penalty regime – this should allow you to develop a business case for an uplift in cyber security controls for the Board.
3. Do we have the right privacy culture within our organisation, so that staff understand why we collect data, how it should be stored and how to be cyber-safe?
A strong cyber culture further supports knowing and understanding your data and vulnerabilities. Today, data is siloed across organisations and different data is collected by different functions. Organisations must think about how they receive data, what they do with it and how they keep it up to date. They must also ensure people understand their cyber risks and responsibilities. Organisations must educate their whole workforce and have processes that ensure individuals’ data is protected.
4. Do we have the right security infrastructure in place to avoid, contain and respond to attacks?
Today, there are several security solutions that give organisations greater visibility of their environment and their data, and that help strengthen their security posture against threat actors. Organisations often do not realise they have been exposed until more than a year later, by which time damage may already have occurred. Being able to detect vulnerabilities in real time is becoming a necessity for businesses. These tools work in conjunction with a cyber security strategy to help detect and respond to cyber-attacks.
If you want to know how the Privacy Act affects your organisation and want to take action to safeguard your customers, book in a complimentary discovery session with our Cyber Security Team at Avocado. You can read more about our Cyber Services here.