There’s no ignoring the media’s latest coverage of the calculated cyberattacks targeting Optus, Medibank and now Latitude Financial over the past 6 months. The ripple effect has caused millions of consumers’ personal information to be compromised. The subsequent public outcry pushed our Government to move and introduce privacy framework reforms in order to catch up with the current global standards.
The Attorney-General’s Department released the Privacy Act Review Report on 16 February 2023, as part of the Australian Government’s review of the Privacy Act 1988 (Cth). Stakeholder feedback was tabled and also lodged last month. Therefore, business owners should begin preparing themselves for what will be drastic compliance and regulatory changes on a scale previously not experienced in this country.
KEY TAKEAWAYS FROM THE LATEST REPORT
- Australia’s privacy and cybersecurity legal and regulatory framework will be overhauled to be inline with global standards. The reforms will be enforced over the next 12 months.
- The Office of the Australian Information Commissioner (OAIC) will exercise stricter enforcement activities with greater legal risk for corporations in Australia that suffer cyber incidents, including harsh penalties for serious or repeated interferences with the privacy of an individual.
- For business owners to reduce legal risk, it’s important to:
- identify the impact of legislative change on your company;
- comply with all of your legal obligations in relation to privacy and cybersecurity;
- effectively respond to privacy and cybersecurity incidents; and,
- engage with the OAIC and other stakeholders appropriately.
WHAT ELSE TO KEEP IN MIND AS A BUSINESS OWNER
Reviewing processes for the protection of personal information
‘Personal information’ is everything that involves the collection, use and disclosure of personal information under ‘fair and reasonable’ circumstances, irrespective of whether consent has been obtained. Business owners will need to:
- appoint a senior employee who is responsible for privacy.
- keep a record of their handling of personal information (including technical information such as device IDs and IP addresses), the purpose of collection, use and disclosure, secondary uses and disclosures, the sources of information, and to whom information is being disclosed.
- include mandatory transparency for specific automated operations, the ability for people to opt out of personal data collection/use, and retention/destruction regulations.
Transparency of handling staff data
Requirements for business owners relating to transparency about informing employees how their information is handled, including its security, destruction and data breach reporting is currently in a consultation process and is still under review. Further detailed information is still to come.
Updating privacy policies, consent forms and collection notices
Privacy policies and collection notices will be required to contain new information. Consents must be voluntary, informed, current, specific and unambiguous. Collection notices must also be clear, up-to-date, concise and understandable. Go to oaic.gov.au for a list of the current guidelines.
Change to cyber-attacks and data breach reporting structure
Cyber-attacks and data breaches must be reported to the Information Commissioner (IC) within 72 hours. There will now need to be additional information included in breach notices and companies must also be seen to have taken reasonable steps to implement practices that enable them to respond to cyber-attacks.
Statutory tort for serious invasion of privacy
The Report also proposes a statutory tort for serious invasions of privacy, which falls outside the Act. This is not a new recommendation as it was first proposed by the Australian Law Reform Commission in 2014. The Report acknowledges that existing laws or causes of action, such as breach of confidence or defamation, do not currently provide sufficient redress for a serious invasion of privacy. Further detailed information is still to come.
Role of OAIC enforcement and civil penalties
The Office of the Australian Information Commissioner (OAIC) will be granted additional powers, including being able to make APP codes where this is in the public interest; undertaking public inquiries and reviews; and an expansion of general investigatory powers.
Several tiers of civil penalties will also be introduced. At the top end, maximum penalties will be:
- AUS $50 million; or,
- 3x the value of any benefit obtained through the misuse of information; or,
- 30% of a company’s adjusted turnover in the relevant period.
WHAT SHOULD YOU BE DOING RIGHT NOW?
Smart business owners should be preparing themselves accordingly and be mindful that the upcoming Privacy Act reforms will require all of us to make substantial changes to the way we interact with clients and staff regarding handling their personal information and data.
Businesses should be being proactive and working closely with their IT departments or providers to ensure they meet all the new standards and requirements. To be on the front foot, you need to start:
- reviewing the Privacy Regulatory Action Policy;
- checking the OAIC’s website for the updated Guide to Privacy Regulatory Action;
- reviewing internal privacy policies and procedures;
- ensuring your organisation has an established cyber-attack and data breach escalation protocol; and,
- regularly training your staff on privacy and cybersecurity obligations.
CONCLUSION
The Government’s reaction to the recent cyber-attacks and data breaches has been the catalyst to remind us of the reputational and financial risks associated with compromises to the security of personal information. Remember: No company is too small to be targeted.
While we await the final recommendations of the review, now is a crucial time for Business Owners to think about their existing IT Cybersecurity and Privacy Framework for collecting, storing and processing personal information of clients and employees. By taking the time to review your current processes, you’ll be properly prepared for when the privacy reforms are finally announced.
For a confidential discussion about your company’s IT Cybersecurity and Privacy Framework, please call T4 Group on 1300 765 014.
The full Report can be accessed here: Privacy Act Review Report 2022 (ag.gov.au)
