Beyond the numbers with Grant Thornton: Listen now
With more than 100 recommendations ranging from trivial to seismic, the long-awaited Privacy Act Review has set the stage for a step-change in how Australian businesses interact with private information.
Although the Government is yet to announce which of these recommendations will become enshrined into law, it is evident that organisations of all sizes will need to make significant changes in their governance, policies and procedures in order to remain compliant.
The recommendations proposed by the Review were driven by concerns about the increasing misuse of personal data by businesses, and the need for greater protection of individuals' privacy rights. These proposed changes will align Australian privacy law with far more stringent global frameworks such as the GDPR in Europe and the UK, designed to provide greater transparency and accountability in relation to the collection, use, disclosure, storage, and security of data in the digital economy and better align individuals’ privacy and security rights and expectations.
The need for change has been further highlighted by the recent string of major data breaches involving the personal information of customers of Optus, Medibank and Latitude, leaving millions of Australians exposed to increased privacy risks or genuine harm including identity fraud, scams, reputational damage, and other harmful activities. These incidents, and others like them, demonstrate the increased need to not just protect personal information but to also have a valid business purpose for holding it. Find out more in our recent article, three simple questions every board should ask about cyber security.
Clarification of what constitutes ‘personal’ information.
Removal of small business exemption and Removal of the exemption for small business who trade in personal information.
Removal of the exemption for small business who collect biometric information.
Extending privacy protections to employee records of private sector organisations.
Individuals will have an unqualified right to opt-out of their personal information being used for direct marketing, an unqualified right to opt-out of receiving targeted advertising and the right to erasure of any of their personal information.
Individuals will have the right to object to collection, use and disclosure of personal information.
Organisations will have to include information in privacy policies about the use of personal information in substantially automated decisions which have a legal or similarly significant effect on the individual’s rights. Businesses will also be required to report data breaches to the regulator, the OAIC, within 72 hours of becoming aware of the data breach. The individual’s right of action for an interference with privacy will be expanded to permit individuals to apply to the court for relief including loss and damage suffered because of a privacy breach.
Entities will have to undertake Privacy Impact Assessments before implementing any technology and/or commencement of any activities that will have high privacy risks.
Businesses will be required to establish their own minimum and maximum data retention periods in relation to personal information that they are holding.
The OAIC’s enforcement powers to be expanded to enable a better targeted regulatory response to privacy law breaches.
In November 2022, the Government increased penalties for repeated or serious privacy breaches from $2.22m to the greater of $50m – three times the value of any benefit obtained through the misuse of information, or 30 per cent of a company’s adjusted turnover in the relevant period. These recommendations from the Privacy Act Review go above and beyond that change, meaning compliance is getting harder while penalties for non-compliance are increasing.
When combined with the proposed reforms, these items mark a significant and positive step towards greater protection for individuals' privacy rights in Australia. The final list of changes to the Privacy Act are likely to be implemented within the next 12 to 18 months, and business should begin preparing for compliance now.
Whilst there will be some relatively simple changes once the legislation has been enacted, other longer-term activities – such as decluttering your existing data, changing your organisation’s privacy culture, and updating arrangements with third-party providers – may require a longer and more considered approach. The days of hoarding data 'just because' are numbered.
It is imperative that businesses are aware of these reforms, understand the extent of the impact and take appropriate steps to comply. For many organisations, the workload ahead will be significant, and the consequences of non-compliance are likely far greater than financial penalties alone.
Over the next few months, we will continue to update you on what the proposed reform means for you and your business. In the meantime, reach out with any questions or if you would like to discuss these changes further.
Grant Thornton uses cookies to monitor the performance of this website and improve user experience. If you are happy to accept cookies from this site, please check the box. To find out more about cookies, what they are and how we use them, please see our privacy notice, which also provides information on how to delete cookies from your hard drive.