When private conversations should be made public
Andrew Mullins, Partner - Mullins
Organisations should take steps now to address the sweeping changes which will be made in the coming months when the Federal Government
implements major reforms to the Privacy Act.
With the Government suffering embarrassment as a result of its perceived lack of action and failure to hold organisations accountable in the
wake of high-profile breaches at large corporates such as Optus and Medibank, it is no coincidence that privacy reform has been elevated to
the top of its agenda for 2023.
The clean-up commenced in late 2022 when the Government passed amendments to the Privacy Act, including an increase in the Privacy
Commissioner’s powers of investigation and the ability to disclose its findings on actual and suspected data breaches. To gain the
market’s attention, penalties were also increased from $3 million to $50 million for serious or repeat infringements.
Some of the steps organisations should be taking include:
1. Addressing data retention practices
A critical assessment should be made on data retention (and deletion) practices, with consideration given to whether data is retained for
longer than required.
This was a cause of concern for Optus and Medibank where data of former customers (some deceased) was unnecessarily retained and
subsequently accessed by hackers. Deletion of data is currently required under the Privacy Act but not generally given proper attention.
However, the Government has indicated this will be a key area of focus.
2. Identifying the source of information
The changes are likely to require organisations to disclose the source of information collected when an individual requests those details.
Organisations should start recording that detail now, particularly for any new information collected, to avoid having to identify the source
at a later time.
3. Undertaking a technical review
As the definition of personal information will be expanded to include internet ID and browsing history (to tailor user experience)
organisations should be working with their technical providers to ensure that the collection of that web browser information complies with
4. Addressing children’s data
The rights of vulnerable groups such as children and the disadvantaged will be considerably expanded. As many organisations have no
mechanism to identify those groups, despite under-18s accounting for one-third of the digital economy, many will need to take steps to
address the new requirements and will be better placed if they start early.
5. Reviewing collection of consents
Greater clarity will be required when obtaining consent to use an individual’s personal information. Accordingly, organisations should
review their collection notices and consents now, otherwise organisations may need to obtain additional/new consent when the changes are
Many Australians also now have a different view concerning the handling of their personal information as a result of being affected by one
or more of the recent high-profile breaches. For those reasons, privacy should now be front of mind for Boards, senior management, and
persons in charge of organisations in addressing governance, compliance, and/or risk management.
With many customers/clients also looking more closely at an organisation’s data security, there is now a significant advantage for those who
implement greater safeguards and have a higher level of compliance.
It is clear that the Government requires a substantial shift in the attitude to privacy compliance. That is apparent through the extent of
some of the proposed changes which include:
1. Removal of small business exemptions
Until now, entities that have a turnover of less than $3 million have been exempt from complying with the Privacy Act, with limited
exceptions. However, all organisations (which collect personal information) will now be required to comply, regardless of turnover.
There is expected to be a lead-in period and assistance for small businesses before the changes are implemented, but all organisations in
Australia which hold personal information will be required to meet privacy standards.
That means many organisations which have not previously had to comply with the Privacy Act will now need to assess the information they
collect, store, manage, and disclose as well as meet the additional requirements which are soon to be implemented.
2. Diluting the employee records exemption
There is a strong push to have the exemption removed altogether to bring Australia more in line with international privacy requirements,
particularly those applied in Europe under the GDPR.
Far greater transparency will be required regarding the handling of all staff personal information.
This is also a greatly misunderstood area as many businesses consider that they have a complete exemption from privacy compliance in
relation to the handling of staff records/information when that is not the case. The Government has flagged this will be another key focus
3. Reporting Data Breaches
All serious data breaches will have to be reported to the Privacy Commissioner within 72 hours – significantly reduced from the current
28-day reporting timeframe.
Due to the reduced timeframe, all organisations should be establishing a data breach plan, rather than having to address matters on the run.
4. Marketing, targeting, and data trading
There will be extensive changes to marketing requirements, which are split into categories relating to direct marketing, targeting and
trading. Targeting and trading are new concepts:
- Targeting applies to de-identified information, such as using unidentified internet history to tailor content.
- Individuals will have the right to opt out of direct marketing and targeted advertising.
- Data trading in personal information must only be undertaken with consent.
5. Obtaining and clarifying consents
Consent will need to be voluntary, informed, current, specific, and unambiguous. Organisations should be reviewing their collection
practices when obtaining consent, including revising collection notices which will be required to outline new information.
6. New requirements will apply for children and vulnerable individuals
In relation to children, those will include:
- a prohibition on direct marketing (and targeting) of children
- all trading of the personal information of children is to be prohibited.
Individuals will be given a right to sue and claim damages for breach/interference with privacy.
8. The use of AI
The Government is concerned about the use of artificial intelligence tools, particularly those with automated decision-making processes and
little human input. If businesses are using tools that make decisions about individuals or their data, then that will need to be
The message could not be clearer that the Government expects a significant shift in the way that many organisations address privacy
compliance, and a firm understanding that paying lip service to privacy obligations will no longer be tolerated.
Some pre-planning and action now is prudent from a risk and governance perspective and will reduce the workload down the line when the
changes are implemented.
Should you require further information: www.mullinslawyers.com.au | e: email@example.com | ph: 07 3224 0261