Last Updated on September 6, 2024 by Ashok Kumar
In response to a series of high-profile data breaches, the Australian government implemented significant reforms with the passage of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.
The Bill dramatically increased fines for severe data breaches to deter companies from lax data security practices. Additionally, the Bill strengthened the enforcement authority of the Office of the Australian Information Commissioner (OAIC).
These measures are intended to enhance the protection of sensitive information, empower the OAIC in holding accountable those who mishandle data, and foster a culture of responsible data management in Australia.
What is the Australian Privacy Act?
In December 2022, the Australian Privacy Act saw its most recent amendments (Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022). This came after a lengthy review process that began in 2020. The aim wasn’t a complete overhaul, but to address concerns around increasing data breaches and the evolving digital landscape. The amendments grant the Office of the Australian Information Commissioner (OAIC) greater power to enforce the law, including increased penalties for serious privacy breaches. This is meant to deter harmful practices and ensure organizations handle personal information responsibly.
Key proposed changes include abolishing the small business exemption under specific conditions, limiting targeted advertising, particularly for children, and establishing individual privacy rights such as the “right of erasure” and the deindexing of sensitive search results. The public is invited to provide feedback on these proposed reforms until March 31, 2023.
The Office of the Australian Information Commissioner has welcomed the report and emphasized the need for a fair and reasonable approach to the handling of personal information.
How Did Companies React to the Reforms?
Privacy advocates have welcomed the proposed reforms as a step towards a more sensible privacy regime fit for the digital economy. Anna Johnston, Founder of Salinger Privacy, applauds the government’s focus on protecting individuals regardless of the entity involved or whether their data is processed online or offline. However, she expresses frustration with the further consultation after three years of review.
Annelies Moens, Managing Director of Privcore, warns that the removal of the small business exemption will significantly expand compliance requirements. She also anticipates increased litigation with the introduction of a direct right of action and statutory tort. Johnston encourages businesses to proactively embrace the “right to erasure” and improve their data hygiene practices. Moens highlights the introduction of an objective test for handling personal information, emphasizing the increased accountability for organizations.
Despite these positive steps, Johnston raises concerns about the retention of “big exemptions,” which could potentially hinder Australia’s status as an adequate jurisdiction for data transfer under the EU General Data Protection Regulation (GDPR).
Who has rights under the Australian Privacy Act?
The Privacy Act 1988 gives individuals control over how their personal data is handled. Under this Act, data subjects have the following rights:
- The Right To Access: Know the purpose of data collection, its intended use, and who will receive it.
- The Right To Anonymity: Choose not to disclose your identity or use a pseudonym in specific situations.
- The Right To Disclosure: Request access to your personal information, including health records.
- The Right To Opt-out of marketing: Decline to receive unsolicited marketing communications.
- The Right To Correction: Rectify any inaccuracies in your personal data.
- The Right To Issue Complaints: Lodge a complaint if you believe an organization has mishandled your personal information.
What Businesses are Covered in the Australian Privacy Act?
The Privacy Act also extends its protection to certain small businesses (those with an annual turnover of $3 million or less). Within this category, it specifically covers the following, including entities providing private sector health services:
- Hospitals
- Clinics
- Allied health professionals
- Complementary therapists
- Gyms and weight loss centers
- Child care centers
- Private schools
- Tertiary educational institutions
- Businesses involved in the sale or purchase of personal information
- Credit reporting bodies
- Service providers under Australian Government contracts
- Employee associations
- Businesses accredited under the Consumer Data Right System
- Those that have voluntarily opted into the Act.
Additionally, businesses related to those covered by the Privacy Act, as well as those prescribed by the Privacy Regulation 2013, are also subject to its provisions.
What’s Next?
The Attorney-General’s Department has initiated a public consultation period extending until March 31st. This period involves a comprehensive 42-question feedback survey aimed at gathering diverse perspectives on proposed reforms. The department’s intention is to foster balanced and effective solutions through this participatory process. Subsequently, Attorney-General Mark Dreyfus plans to present a bill to the parliament within the current government’s tenure, either in 2023 or 2024.
How Lepide Helps Comply with the Australian Privacy Act
The Lepide Data Security Platform assists organizations in adhering to the Australian Privacy Act by providing the following capabilities:
Data Visibility and Governance:
- Discovers and classifies sensitive personal information across systems to identify potential risks.
- Provides detailed reports on data access, usage, and modifications, ensuring transparency and accountability.
Data Access Control:
- Helps to enforce granular access controls to limit unauthorized access to personal information.
- Monitors user activities and alerts administrators of suspicious behavior.
Data Breach Prevention:
- Detects and blocks malicious activities that could compromise personal information, such as phishing attacks and ransomware.
- Provides real-time alerts and remediation tools to mitigate data breaches and minimize the impact.
Data Breach Response:
- Facilitates rapid incident response and recovery by quickly identifying the scope of a breach via an intuitive console.
- Assists in reporting breaches to the Office of the Australian Information Commissioner (OAIC) within the required timeframe.
Compliance Reporting:
- Generates customizable reports that demonstrate compliance with the Privacy Act and other relevant regulations.
- Provides evidence of data protection measures and audit trails to support compliance audits and investigations.
If you’d like to see how the Lepide Data Security Platform can help you comply with the Australian Privacy Act, schedule a demo with one of our engineers.