The Australian Privacy Act

Is your PII/PHI secure?

In February 2023, the Australian Attorney-General's Department (AGD) released its review of the Privacy Act 1988. The Privacy Act Review includes 116 recommendations based on 30 "key themes and proposals".

These proposed reforms follow the passage of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill on 28th November 2022, which significantly increased fines for serious data breaches and enforcement powers for the Office of the Australian Information Commissioner (OAIC).

The legislation was expedited following some high-profile data breaches in Australia. The AGD is encouraging interested parties to have their say about privacy reform in Australia through the AGD’s feedback process on the proposed reforms until 31st March 2023.

Organisations outside of Australia but doing business in Australia and handling personal information are likely to be impacted by this change. This comes as a result of the "Australian link test" being broadened in Section 5B of the Privacy Act. The changes proposed to this section mean an organisation only needs to meet the condition that "The organisation or operator carries on business in Australia or an external Territory." to be impacted by the Act.


Is your PII / PHI secure?

NCC Group recommends gaining a comprehensive understanding of your data management practices, including what data you are collecting; where it is stored, processed, transferred and retained; and how it is disposed of.

We can then provide you with guidance and advisory support to drive an improvement programme using a risk-based approach to comply with regulation and to mitigate information security and privacy risks.

Our team will work to strengthen your privacy management posture by conducting an assessment against best practice privacy frameworks, such as the “NIST Privacy Framework: Improving Privacy through Enterprise Risk Management” or the ISO Privacy Framework.

In Australia, we would recommend conducting a privacy impact assessment (PIA) to ensure compliance with the obligations against the Australian Privacy Principles and the Privacy Act 1988.

Consider engaging NCC Group to:

  • Conduct eDiscovery scans across your information assets.
  • Validate data / information processing across the business.
  • Complete assurance testing to ensure compliance with obligations.
  • Analyse information assets, including how they are handled, to determine the associated risks.
  • Analyse whether individuals’ rights are maintained according to the Act and whether systems can support those obligations, e.g. the "right of erasure."
  • Conduct Privacy Impact Assessments based on the NIST Privacy Framework or the ISO privacy framework, in line with Office of the Australian Information Commissioner (OAIC) requirements.
  • Build Privacy by Design.
  • Support with appointing or designating a senior employee responsible for privacy, roles, and responsibilities.

Understand where your PHI and PII data is and whether it's secure.