"As the world has become increasingly connected and information flows more complex, our privacy laws need to adapt to ensure that personal information is protected and handled fairly."
On Thursday 16th February 2023, the Australian Attorney-General's Department (AGD) released its review of the Privacy Act 1988. The Privacy Act Review includes 116 recommendations based on 30 "key themes and proposals". These proposed reforms follow the passage of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill on 28th November 2022, which significantly increased fines for serious data breaches and enforcement powers for the Office of the Australian Information Commissioner (OAIC).
The legislation was expedited following some high-profile data breaches in Australia. The AGD is encouraging interested parties to have their say about privacy reform in Australia through the AGD’s feedback process on the proposed reforms until 31st March 2023.
Falk further addressed this, stating, "The OAIC sees the proposal to introduce a positive obligation that personal information handling is fair and reasonable, as a new keystone of the Australian privacy framework. This shifts the burden from individuals, who are currently required to safeguard their privacy by navigating complex privacy policies and consent requirements, and places more responsibility on the organisations who collect and use personal information to ensure that their practices are fair and reasonable in the first place."
Organisations outside of Australia, but doing business in Australia and handling personal information, are likely to be impacted by this change. This comes as a result of the 'Australian link test' being broadened in Section 5B of the Privacy Act. The changes proposed to this section mean an organisation only needs to meet the condition that "The organisation or operator carries on business in Australia or an external Territory" to be impacted by the Act.
Is it time to build data privacy best practices?
Other potential reforms cover a wide range of issues and may have far reaching impacts, including:
-
- Appointing or designating a senior employee responsible for privacy.
-
- Implementing new limits on targeted advertising particularly aimed at children.
-
- Conducting a Privacy Impact Assessment (PIA) for activities with high privacy risks, and producing that PIA for the OAIC on request.
-
- Inclusion rights such as the "right of erasure".
-
- Abolishment of the small business exemption (but only after several conditions).
-
- Online privacy settings reflecting the privacy by default framework of the Act.
-
- Deindexing search results with sensitive or inaccurate information, among many others.
NCC Group is uniquely positioned as a global player in the cyber security and privacy space. We are keenly aware of the potential implications to organisations and can assist clients in a myriad of ways, including:
1. Conducting eDiscovery scans across information assets.
-
- Our eDiscovery platform can ingest un/structured data into our ISO 27001 investigation environment to search through vast amounts of data, find relevant information and produce detailed eDiscovery reports.
2. Conducting workshops/awareness sessions to validate data/information processing across clients' business to determine:
-
- What information assets are collected and processed by business functions.
-
- How information assets are transferred and stored by business functions.
-
- What the accountabilities are across information assets and the information flow.
-
- What risks are posed to information assets.
3. Providing staff augmentation (vDPO, vCISO, vISM) services to deliver functions to secure and lead clients strategically, tactically or operationally, which may include:
-
- Managing privacy-related committees.
-
- Collaborating with Legal, IT, information security, and cyber security.
-
- Establishing Privacy Programme Management.
-
- Reviewing policies, privacy notices, procedures, controls, and governance.
-
- Incorporating Privacy by Design.
-
- Conducting privacy-related awareness and training.
-
- Conducting Incident Response and privacy investigations.
-
- Conducting privacy impact assessments (PIAs).
-
- Preparing the business for legislative and regulatory changes.
4. Applying best practice into Data Management and Data Lifecycle Management practices.
-
-
Review and adopt the Data Management Capability Assessment Model.
-
The review comes as the Federal Government consults on whether the Security of Critical Infrastructure (SOCI) Act should be strengthened to include customer data and systems- ‘systems’ in the definition of critical assets. This would ensure the powers afforded to Government under the SOCI Act extend to major data breaches such as those experienced by Medibank and Optus, not just operational disruptions.
Enterprise Security & Privacy Architect, NCC Group APAC
Mogamad is a Cyber Security & Privacy Senior Advisor operating out of Melbourne, Australia, and a key part of NCC Group's APAC team. With deep experience in the telecoms, health, retail banking, and government industries, he strives to help organisations strengthen their security posture and work toward better business risk outcomes.
As a member of multiple national associations for information security, a privacy strategy consultant to boards, and an authorized assessor for frameworks such as the BPMM, Mogamad has become a trusted cyber security advisor for privacy initiatives in the Australian Government.
Stay ahead of the incoming changes to the Australian Privacy Act.
The new legislation and proposed reforms will have a far-reaching impact. Schedule a private discussion with one of our experts to help your business or organisation prepare.