On 28 September 2023, the Australian Federal Government released its formal response to the Privacy Act Review Report, echoing its agreement with a substantial portion of the 116 proposals made in the report earlier this year.
The response sends a clear message to businesses that while the legislation to implement change is not yet drafted, we can expect a significant number of the changes to be drafted in the near future.
There are proactive steps that businesses can now take to prepare for these impending changes, potentially minimising the costs and disruptions when the new legislation takes effect, even if the exact detail is not known.
The proposed changes to the Privacy Act aim to enhance the protection, transparency, and control of personal information in Australia. Organisations need to understand the potential impact of these changes on their existing systems and to take steps to ensure compliance with the proposed regulations.
By reviewing and updating policies and procedures, addressing systemic privacy issues, and providing (at a minimum) privacy awareness training to employees, organisations can maintain the trust and confidence of their customers and protect personal information from the risk of identity fraud and scams.
Why is the Privacy Act being reviewed?
In response to a number of large-scale data breaches in 2022, the Australian Government released a report on its review of the Privacy Act 1988 (Cth) (Privacy Act). The report, containing 116 proposals, aims to enhance the protection of personal information and the fairness of its handling by organisations.
What were the proposals?
The report proposed several significant changes to the Privacy Act, including:
- introducing a positive obligation that personal information handling is fair and reasonable, shifting the responsibility for privacy protection from individuals to organisations
- enhancing the powers of the Office of the Australian Information Commissioner (OAIC) to enforce privacy obligations and address privacy breaches
- enabling individuals to exercise new privacy rights and take direct action in courts if their privacy is breached
- removing some exemptions from the Privacy Act to provide greater privacy protection for individuals.
Who needs to be aware of the changes?
Boards who are setting long term strategies for organisations need to be thinking about how the changes might affect future operations. Senior management and compliance teams should be aware of the potential changes to privacy regulations and the need to review and update how the organisation routinely handles personal information.
IT and security teams should be aware of the increased emphasis on the protection and secure handling of personal information. Cybersecurity and privacy go hand in hand in ensuring an organisation protects personal information it holds. The proposal to expand the definition of personal information to include inferred or generated information means organisations need to look at the analytics processes they use.
Front line employees handling personal information should be trained on privacy awareness and the fact that changes and enhanced rules are in the pipeline.
Navigating the evolving privacy landscape in Australia
The new landscape brings opportunities to review and refocus business policies and procedures to ensure they reflect the ever increasing baseline privacy rights expected by the community.
What can businesses do now?
To prepare your business for the upcoming changes, the first step is to familiarise yourself with the 38 proposals with which the government agreed and which will be first off the blocks in terms of drafting and implementation. These proposals serve as the foundation for the future of privacy regulations in Australia.
You can then make informed decisions about how your organisation needs to adapt its privacy practices and policies to remain compliant with the evolving regulatory framework.
Review your organisation’s existing privacy policies and procedures and identify any areas that will most likely need updating to ensure compliance with the proposed changes. This can be done by assessing current practices – i.e., your data collection, storage, access, consent mechanisms, breach response protocols, and more.
The final step is to ensure that employees who handle personal information are privacy aware. As changes are introduced into draft legislation, training on specific obligations can be provided.
A final risk mitigation step is to do a data audit and refresh (or establish) a data retention regime. As data breaches continue to occur, fines have increased and potential consumer rights to take action for breach (agreed in principle) mean organisations want to minimise the amount of data they hold and how long they hold it for. If you begin an audit and purge process now, you will be well placed to minimise breach risk and will have removed a potential compliance problem when new provisions are legislated.
Changes in Australia’s privacy landscape require proactive steps from businesses. Familiarising yourself with the proposed changes, reviewing and updating privacy policies, and training employees are essential actions to ensure your organisation can navigate the evolving privacy regulations successfully. By taking these steps now, businesses can not only avoid potential legal issues but also build trust and confidence with their customers by demonstrating a commitment to responsible data handling practices.
By Lyn Nicholson, General Counsel, Holding Redlich
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.