In the wake of the recent wave of high-profile data breaches at Optus, Medibank and MyDeal, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was passed by Federal Parliament on 28 November 2022. The Attorney-General said the data breaches had highlighted ‘the potential to cause serious financial and emotional harm to Australians’ and that the Bill sends a clear message that the government takes privacy, security and data protection seriously.
Penalties have been significantly increased under the Privacy Act 1988 (Cth), and the Privacy Commissioner now has increased powers to resolve privacy breaches. The Notifiable Data Breaches Scheme has also been strengthened.
Penalties for a serious or repeated breach of privacy have significantly increased from a maximum of $2.22 million to not more than the greater of:
- $50 million;
- three times the value of any benefit obtained through the misuse of the information; or,
- if the value of the benefit obtained cannot be determined, 30% of a company’s domestic turnover in the relevant period, which is a minimum of 12 months.
In the Second Reading Speech, the Attorney-General stated that, ‘penalties for privacy breaches cannot be seen as simply the cost of doing business. Entities must be incentivised to have strong cyber and data security safeguards in place to protect Australians.’
Strengthened Notifiable Data Breaches Scheme (NDB Scheme)
The existing NDB Scheme has been strengthened in two significant ways:
- Empowering the Privacy Commissioner to assess an entity’s compliance with the Scheme’s requirements.
- Providing the Privacy Commissioner with new information-gathering powers in regard to the Scheme’s reporting and notification requirements.
Enhanced enforcement powers
The Bill has also improved the powers available to the Privacy Commissioner to:
- resolve privacy breaches by empowering the Commissioner to publish notices about specific breaches of privacy or otherwise ensure those directly affected are informed;
- compel entities to undertake external reviews to improve their practices to reduce the likelihood of them committing a breach again; and
- use new information-gathering powers to conduct assessments, and new infringement notice powers that can be used if an entity fails to provide information when required, without the need to engage in litigation.
The Privacy Act’s extraterritoriality provisions have been amended so that foreign organisations which ‘carry on a business’ in Australia must meet the obligations under the Privacy Act. In the Second Reading Speech, the Attorney-General explained that the purpose of this amendment is ‘to ensure Australia’s privacy laws remain fit for purpose in a globalised world and to ensure the Privacy Act can be enforced against global technology companies who may process Australians’ information on servers offshore’.
Greater information sharing arrangements
The Privacy Commissioner has the express power to publish a final determination following a privacy investigation as well as information about their final assessment report. The Commissioner is able to publish information about other matters, such as an update about an ongoing privacy investigation, if it is in the public interest.
The Commissioner is also able to share information with enforcement bodies, alternative complaint bodies and privacy regulators for the purpose of the Commissioner or the receiving body exercising their functions and powers. The Australian Communications and Media Authority also now has broader powers to share information within government for enforcement purposes.
The aim of the improved information sharing arrangements is to ‘drive better cooperation between regulators in order to deliver better outcomes for Australians’.
Review the checklist below to see how well prepared your organisation is to demonstrate compliance with the Australian Privacy Act 1988 (Cth).
1. Policy Compliance
Check that Privacy Policies and Notices are up-to-date and compliant.
- Audit whether the collection of personal data accords with the Privacy Notice.
2. Data Minimisation
Check – what personal data does your organisation really need to collect?
One of the critical risks finally receiving attention in Australia, arising from the Optus and Harcourt data breaches, is the over-collection and over-retention of personal data.
Review Privacy Notices and audit the personal data being collected to assess whether it is reasonably required to provide a service, or is collected and retained in accordance with a regulatory obligation.
3. Data Over-Retention
Check the process for securely disposing of personal data.
Audit whether personal data is being disposed of when it is no longer required to be retained in accordance with the organisation’s Records and Archiving Policy or with regulatory requirements to retain records.
In light of the recent high-profile data breaches, the over-retention of personal data poses a significant risk for organisations in the event of a serious data breach.
4. Data Map
Ensure there is an up-to-date data map showing where data is stored, particularly personal data, which is essential for:
- robust information lifecycle management, including disposal of data that is no longer required to be retained;
- responding efficiently to a serious data breach by being able to quickly identify types of data that have been subject to unauthorised access;
- demonstrating the measures in place to protect and secure personal data in accordance with the requirements of the Privacy Act.
Check that the data map identifies and locates personal data in all of the organisation’s systems, including cloud storage and any third-party systems, so that every location where personal data is stored is recorded.
5. Data Security
Ensure the organisation is prepared to defend against and respond to cyber-attacks and incidents by assessing whether:
- Organisational IT policies (BYOD, password, data management, IT procurement, network access) are up to date and being complied with (check via audit).
- Necessary steps have been taken to protect personal data in the custody of the organisation – e.g. encryption being applied to all personal data both in transit and at rest as required.
- User, application and backend access controls are correct and up to date. Personal data is being held in locations with limited or just-in-time access.
- Local, cloud-based and third party controlled applications used by the organisation have been tested for security suitability and approved for use.
- The organisation has fit-for-purpose security software and hardware to assist in preventing, detecting and responding to security incidents (e.g. multi-factor authentication on critical systems, particularly those with external access; anti-virus/malware suites; actively managed proxy firewalls; intrusion detection systems; enterprise incident response applications).
- Proactive steps to build security culture and awareness within the organisation are taking place (e.g. training, education, phishing and social engineering exercises).
- Relevant security information and performance metrics are being reported to executives and the board.
6. Data Breach Incident Response Plan
Check if your data breach incident response plan has been reviewed and updated. Consider the following elements:
- Are roles and responsibilities during a data breach clearly laid out and up to date?
- Are there clear escalation procedures and established arrangements to activate internal or external incident response specialists?
- Does the plan have sufficient detail and guidance to address both deliberate and accidental data breach incidents, as well as internal and external originating threats?
- Are there protocols in place for the capture and analysis of logs and other records from critical systems in the event of a suspected breach?
- Does the response plan provide sufficient guidance on how to approach internal and external communications, particularly with media and customers?
- Has there been a recent data breach response training exercise carried out involving executives, the board and key players listed in the response plan?
7. Robust Information Governance
Implement and/or review the Information Governance Framework and policies to ensure adequate holistic information governance reporting, identifying and monitoring privacy compliance across the organisation, including across the privacy and legal, IT and cybersecurity, and records and information management silos.
A robust enterprise-wide information governance framework provides a mechanism to coordinate and collaborate across the organisational silos and to promote an information and data protection culture led from the top down to minimise privacy and data breach risks.
At least one-third of all data breaches are caused by human error and many other successful cyberattacks are greatly enabled by human error from within an organisation. Robust information governance can greatly assist in both minimising data and information risks as well as enabling organisations to maximise data and information value.