• The proposed changes will expand the Privacy Act to all organisations that trade in Australia (rather than just those that collect or hold private information).
• Provides the Office of the Australian Information Commissioner (OAIC) with the ability to issue infringement notices for small procedural issues (rather than seeking criminal referrals).
• Gives the OAIC the ability to share information about breaches with the public (if deemed in the public interest).
• Maximum penalties have increased: for a person other than a body corporate, from $444,000 to $2.5 million; and for a body corporate, from $2.22 million to an amount not exceeding the greater of $50 million, three times the value of the benefit obtained or, if the court cannot determine the value of the benefit, 30% of their adjusted turnover in the relevant period.
• The Australian Information Commissioner has significantly enhanced enforcement powers to conduct assessments and issue infringement notices outside of court procedures.
• The Notifiable Data Breaches scheme has been strengthened by empowering the Commissioner to assess an entity's compliance with the scheme's requirements even if a breach has not occurred.
• Review and update your privacy procedures to reflect current business practices and legislative requirements.
• Conduct a data audit and cleanse to fully understand and minimise your data-related risk.
• Review your controls for the collection, storage, processing, sharing and destruction of information assets.
• Update your risk register to reflect the changes in impact/consequence and alter mitigation strategies accordingly.
The update to the legislation comes in response to recent high-profile data breaches impacting significant numbers of the Australian population. These breaches have clearly demonstrated that organisations are not treating privacy, data security, and information risk with appropriate regard.
The Government is taking this opportunity to shine a spotlight on corporate Australia's role and responsibility in protecting the privacy of individuals from potential threats. The updated regime and speed with which it has been enacted is designed to push businesses to review privacy processes and controls and foster a proactive approach to data privacy and security.
These changes, and those likely to come out of the current review of the Privacy Act, are bringing Australian privacy regulations in line with global regimes such as the EU’s General Data Protection Regulation (GDPR) and are intended to ensure organisations take privacy more seriously.
Recent security events have highlighted the need for organisations to consider additional safety measures in the tightly woven ecosystem of privacy and security. Please contact your Grant Thornton representative if you wish to discuss these changes further.
The Federal Court’s $5.8M ACL decision signals a new era for privacy, cybersecurity, and governance in Australia. It reinforces that privacy and cyber obligations start Day 1 of any acquisition, governance failures will be scrutinised, and accountability cannot be outsourced. Boards must ensure robust oversight, deep cyber due diligence, and forensic incident response. With OAIC escalating regulatory enforcement, organisations face heightened legal, financial, and reputational risks.