The Australian Federal Government has passed major changes to the Privacy Act 1988 (Cth) in the form of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. These changes signal a call to action for organisations to review their privacy, security, and information handling practices.

Major changes

• The proposed changes will expand the Privacy Act to all organisations that trade in Australia (rather than just those that collect or hold private information).

• Provides the Office of the Australian Information Commissioner (OAIC) with the ability to issue infringement notices for small procedural issues (rather than seeking criminal referrals).

• Gives the OAIC the ability to share information about breaches with the public (if deemed to be in the public interest).

• Maximum penalties have increased: for a person other than a body corporate, from $444,000 to $2.5 million; and for a body corporate, from $2.22 million to an amount not exceeding the greater of $50 million, three times the value of the benefit obtained or, if the court cannot determine the value of the benefit, 30% of their adjusted turnover in the relevant period.

• The Australian Information Commissioner has significantly enhanced enforcement powers to conduct assessments and issue infringement notices outside of court procedures.

• The Notifiable Data Breaches scheme has been strengthened by empowering the Commissioner to assess an entity's compliance with the scheme's requirements even if a breach has not occurred.

What action should your business take?

• Review and update your privacy procedures to reflect current business practices and legislative requirements.

• Conduct a data audit and cleanse to fully understand and minimise your data-related risk.

• Review your controls for the collection, storage, processing, sharing and destruction of information assets.

• Update your risk register to reflect the changes in impact/consequence and alter mitigation strategies accordingly.

The impetus for change

The update to the legislation comes in response to recent high-profile data breaches impacting significant numbers of the Australian population. These breaches have clearly demonstrated that organisations are not treating privacy, data security, and information risk with appropriate regard.

The Government is taking this opportunity to shine a spotlight on corporate Australia's role and responsibility in protecting the privacy of individuals from potential threats. The updated regime, and the speed with which it has been enacted, are designed to push businesses to review privacy processes and controls and to foster a proactive approach to data privacy and security.

These changes, and those likely to come out of the current review of the Privacy Act, are bringing Australian privacy regulations in line with global regimes such as the EU’s General Data Protection Regulation (GDPR) and are intended to ensure organisations take privacy more seriously.

We’re here to help

Recent security events have highlighted the need for organisations to consider additional safety measures in the tightly woven ecosystem of privacy and security. Please contact your Grant Thornton representative if you wish to discuss these changes further.