InfoGovANZ

Information Governance Think Tank

Susan Bennett

Changes to Australia’s Privacy Act: Overview and Preparation Checklist

by

 

In the wake of the recent wave of high-profile data breaches at Optus, Medibank and MyDeal, Attorney-General Mark Dreyfus tabled the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) in Parliament on 26 October 2022.   The Attorney-General referred to the data breaches having highlighted ‘the potential to cause serious financial and emotional harm to Australians’ and that the bill sends a clear message that the government takes privacy, security and data protection seriously.  The Bill significantly increases penalties under the Privacy Act 1988 (Cth), provides the Australian Information and Privacy Commissioner with increased powers to resolve privacy breaches and strengthens the Notifiable Data Breaches Scheme.

Increased penalties

Penalties for a serious or repeated breach of privacy will be significantly increased from the current maximum of $2.22 million to not more than the greater of:

  • $50 million;
  • three times the value of any benefit obtained through the misuse of the information; or,
  • if the value of the benefit obtained cannot be determined, 30% of a company’s domestic turnover in the relevant period, which is a minimum 12 months.

In the Second Reading Speech, the Attorney-General stated that, ‘penalties for privacy breaches cannot be seen as simply the cost of doing business. Entities must be incentivised to have strong cyber and data security safeguards in place to protect Australians.’

Strengthened Notifiable Data Breaches Scheme (NDB Scheme)

The existing NDB Scheme will be strengthened in two significant ways by:

  • empowering the Privacy Commissioner to assess an entity’s compliance with the Scheme’s requirements.
  • providing the Privacy Commissioner with new information-gathering powers in regard to the Scheme’s reporting and notification requirements.

Enhanced enforcement powers

The Bill will also improve the powers available to the Privacy Commissioner to:

  • Resolve privacy breaches by empowering the Commissioner to publish notices about specific breaches of privacy or otherwise ensure those directly affected are informed;
  • Compel entities to undertake external reviews to improve their practices to reduce the likelihood of them committing a breach again; and
  • Provide new information-gathering powers to conduct assessments and new infringement notice powers that can be used if an entity fails to provide information when required, without the need to engage in litigation.

Extraterritorial powers

The Privacy Act’s extraterritoriality provisions will be amended, so that foreign organisations which ‘carry on a business’ in Australia must meet the obligations under the Privacy Act.  In the second-reading speech, the Attorney-General explained that the purpose of this amendment is ‘to ensure Australia’s privacy laws remain fit for purpose in a globalised world and to ensure the Privacy Act can be enforced against global technology companies who may process Australians’ information on servers offshore’.

Greater information sharing arrangements

The Privacy Commissioner will have the express power to publish a final determination following a privacy investigation as well as information about their final assessment report. The Commissioner will be able to publish information about other matters, such as an update about an ongoing privacy investigation, if it is in the public interest.

The Commissioner will also be able to share information with enforcement bodies, alternative complaint bodies and privacy regulators for the purpose of the Commissioner or the receiving body exercising their functions and powers. The Australian Communications and Media Authority will also be provided better powers to share information within government for enforcement purposes.

The aim of the improved information sharing arrangements is to, ‘drive better cooperation between regulators in order to deliver better outcomes for Australians’.

PREPARATION CHECKLIST

Review the checklist below to see how well prepared your organisation is to demonstrate compliance with the Australian Privacy Act 1988 (Cth) (Cth.

1. Policy Compliance

Check that Privacy Policies and Notices up to date and compliant.

  • Audit whether your Privacy Policy is being adhered to within the organisation.
  • Audit whether the collection of personal data accords with the Privacy Notice.

2. Data Minimisation

Check – what personal data does your organisation really need to collect?

One of the critical risks to finally receive attention in Australia arising from the Optus and Harcourt data breaches is the over-collection and over-retention of personal data.

Review Privacy Notices and audit personal data being collected to assess whether it is reasonably required to provide a service or to be collected in accordance with a regulatory obligation to collect and retain that personal data.

3. Data Over-Retention

Check the process for securely disposing personal data.

Audit whether personal data is being disposed of when it is no longer required to be retained in accordance with the organisation’s Records and Archiving Policy or with regulatory requirements to retain records.

In light of the recent high profile data breaches, the over-retention of personal data poses a significant risk for organisations in the event of a serious data breach.

4. Data Map

Ensure there is an up-to-date data map, showing where data is stored, particularly personal data, which is essential for:

  • Robust information lifecycle management, including disposal of data that is no longer required to be retained;
  • Responding efficiently to a serious data breach by being able to quickly identity the types of data that have been subject to unauthorised access;
  • Demonstrating the measures in place to protect and secure personal data in accordance with the requirements of the Privacy Act.

Check whether it is includes identifying and locating personal in all the organisation’s systems including cloud storage and any third-parties’ systems that have been listed on the data map identifying all the locations where personal data is stored?

5. Data Security

Ensure the organisation is prepared to defend against and respond to cyber-attacks and incidents by assessing whether:

  • Organisational IT policies (BYOD, password, data management, IT procurement, network access) up to date and being complied with (check via audit).
  • Necessary steps have been taken to protect personal data in the custody of the organisation – e.g. encryption being applied to all personal data both in transit and at rest as required.
  • User, application and backend access controls are correct and up to date. Personal data being held in locations with limited or just-in-time access.
  • Local and cloud-based and third party controlled applications used by the organisation have been tested for security suitability and approved for use.
  • The organisation has fit for purpose security software and hardware to assist in the prevention, detection and response to security incidents (e.g. multi-factor authentication on critical systems particularly those with external access, anti-virus/mal-ware suites, actively managed proxy firewalls, intrusion detection systems, enterprise incident response applications).
  • Proactive steps to build security culture and awareness within the organisation are taking place (e.g. training, education, phishing and social engineering exercises).
  • Relevant security information and performance metrics are being reported to executives and the board

6. Data Breach Incident Response Plan

Check has your data breach incident response plan been reviewed and updated? Consider the following elements:

  • Are roles and responsibilities during a data breach clearly laid out and up to date?
  • Is there clear escalation procedures and established arrangements to activate internal or external incident response specialists?
  • Does the plan have sufficient detail and guidance to address both deliberate and accidental data breach incidents, as well as internal and external originating threats?
  • Are there protocols in place for capture and analysis of logs and other records from critical systems in the event of a suspected breach?
  • Does the response plan provide sufficient guidance on how to approach internal and external communications, particularly with media and customers?
  • Has there been recent data breach response training exercise carried out involving executives, Board and key players listed in the response plan?

7. Robust Information Governance

Implement and/or review the Information Governance Framework and polices to ensure there is adequate holistic information governance reporting, which is identifying and monitoring privacy compliance across the organisation including the various areas of privacy and legal, IT and cybersecurity and records and information siloes.

A robust enterprise-wide information governance framework provides a mechanism to co-ordinate and collaborate across the organisational siloes and to promote an information and data protection culture led from the top-down to minimise privacy and data breach risks.

At least one-third of all data breaches are caused by human error and many other successful cyberattacks are greatly enabled by human error from within an organisation.  Robust information governance can greatly assist in both minimising data and information risks as well as enabling organisations to maximise data and information value.

Authors: Susan Bennett, Founder and Executive-Director InfoGovANZ and Dr Peter Chapman, Forensic Technology Expert and InfoGovANZ Advisory Board

Optus Data Breach – the risks of data over – retention

by

  The Optus Data Breach incident has shed some much-needed light on the need for robust, top-down board governance over organisational data and information. It is evident that this attack has demonstrated the need for organisations to sufficiently invest in cyber-attack prevention, detection and response. While the Optus data breach is still under investigation, the consensus from government statements and external experts seems to be that that human error played a significant part in this data breach. It is not uncommon for human factors to either cause or amplify technical weaknesses resulting in a data breach, about one-third of all reported personal data breaches from OAIC’s Notifiable Data Breaches Reports are attributed to human error as the primary factor. Whether data breaches are caused by human error or technical fault, security experts widely agreed that organisations should consider data breaches a question of ‘when’ rather than ‘if’. This in turn […]
Member only content (join now)

IAPP Global Summit 2022 Report

by

Celebrating the joy of reconnecting was the theme of the opening address by Trevor Hughes, President and CEO of IAPP.  This year’s Global Privacy Summit had over 4,000 attendees and took place over four jam-packed days in Washington DC. The Opening General Session got off to a flying start with three very different and thought-provoking key notes. Bestselling author Malcolm Gladwell highlighted the lessons to be learned from his recent book “The Bomber Mafia”. Warning against asking the wrong questions and solving the wrong problems, he noted that technology takes time to evolve and that “visionaries need help” with practical application.  Gladwell urged the audience to be humble about what technology can do and patient before deploying well-intended technological innovations with uncharted moral consequences. Professor Amy Gajda, author of “Seek and Hide”, discussed the pivotal 1928 Supreme Court case of Olmstead v. United States, in which Justice Louis Brandeis dissented […]
Member only content (join now)

New Frontiers and Information Technology Governance

by

Professor Michael Adams, Head of UNE Law School, InfoGovANZ Advisory Board    Introduction The last two years have been a period of disruption due to COVID-19 pandemic and the need for all businesses and organisations to “pivot”. In the information governance space this has been a major positive and a serious risk. The positive is an up-grade in technology, so people can work from home. The use of collaborative tools, such as Sharepoint, MS Teams, ZOOOM, Google docs and many more have been a boon for flexibility. The EY 2022 Future Workplace Index [1] based on over 500 company responses across many sectors that 75% anticipate no central physical office in the foreseeable future and 72% have hybrid remote/office approaches in place. The big news is Pre-COVID about 45% of companies expected everyone in the office and only 15% could work remotely. Currently the status is only 27% in the office […]
Member only content (join now)

APAC Primer for eDiscovery published

by

Setting the global standards for eDiscovery, the EDRM – Electronic Discovery Reference Model has released version 1.0 of the Primer for eDiscovery in the Asia Pacific (APAC) region. The goal of the Primer is to help foreign practitioners involved in legal proceedings in APAC to understand the different discovery requirements in each of the countries covered together with privacy issues and cross-border discovery considerations. Susan Bennett, Project Trustee and Principal Drafter, led a global team to create a primer on eDiscovery in the APAC region. The following countries were researched and written by these drafters: Australia, Maureen Duffy; China, Jared T. Nelson and Tom Groom; India, Sandeep Jadav; Japan, Sebastian Ko and Daryl Osuch; Hong Kong, Sebastian Ko; Korea, David Kang; Malaysia, Gita Radhakrishna; New Zealand, Maureen Duffy and Andrew King; and Singapore, Gita Radhakrishna. Originally chartered by The Sedona Conference®, EDRM has published this primer at the request of the project team and Sedona. EDRM plans to webify the content and provide pages […]
Member only content (join now)