2023 State of Play – Australian Privacy Reform
Where we are now
Three years on from announcing it would be undertaking a review to “consider whether the scope of the Privacy Act 1988 and its enforcement mechanisms remain fit for purpose”, and a full year after its initial target completion date, the Attorney-General’s Department has completed its review and prepared the final report.
Progress appeared to pick up considerable pace in the second half of 2022, when a number of high-profile data breaches shone a spotlight on the inadequacies of the current Privacy Act and on the limited enforcement powers of the privacy regulator, the Office of the Australian Information Commissioner (OAIC). In response, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was fast-tracked through parliament in November 2022 to significantly increase the OAIC’s enforcement powers and the penalties for organisations found to have committed serious and/or repeated interferences with privacy (from a previous maximum of $2.2m to the greater of $50m, three times the benefit obtained from the conduct, or 30% of the organisation’s adjusted turnover during the breach period). The OAIC’s powers have also been strengthened to include the right to request information and documents from organisations and to conduct compliance assessments in response to actual or suspected data breaches, as well as to require an organisation to arrange an external review of its personal information handling practices.
What to expect this year
Attorney-General Mark Dreyfus confirmed receipt of the final report in mid-December 2022. Mr Dreyfus’ office will now review the recommendations for reform before providing a response and releasing the report publicly. Speaking at the IAPP ANZ Summit in Sydney in November 2022, Angelene Falk (Australian Information Commissioner and Privacy Commissioner) said she anticipates this process would be completed in the first half of 2023, with the revised Privacy Act then passing through parliament and being enacted prior to 2024.
What will likely change
Given that the last significant reform of the Privacy Act, the introduction of the Australian Privacy Principles (APPs) under the Privacy Amendment (Enhancing Privacy Protection) Act 2012, took effect in 2014 (the 2000 amendments had extended the Act to the private sector under the earlier National Privacy Principles), and given the current cyber threat landscape and the value of individuals’ personal information to criminals, it is anticipated that a considerable number of reforms will be proposed. At the IAPP ANZ Summit, Ms Falk also outlined some of the key changes she anticipates in the Privacy Act, which included:
- OAIC-mandated audits: Ms Falk spoke about the benefits of a model in which the OAIC could require an organisation to undergo an audit of its privacy processes and activities. A similar provision has been included in the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, and it is envisaged that the audits would follow a defined methodology and be performed by an approved independent third party, somewhat similar to APRA’s CPS 234 tripartite assessment model.
- Standardised privacy notices and consent mechanisms: It is anticipated that the revised Privacy Act will contain stricter conditions and clearer guidance on how consent to process individuals’ personal information must be collected. This could follow the European GDPR model by prohibiting consent to processing from being bundled with other terms and conditions and by banning mechanisms such as pre-ticked boxes. A standardised format for privacy notices, so that organisations clearly inform individuals how their personal information is processed, is also expected.
- Mandatory PIAs: Similar to the European GDPR model, the revised Privacy Act could make Privacy Impact Assessments (PIAs) mandatory in certain situations. This would require organisations to conduct a formal privacy assessment of particular personal information processing activities to identify the risks involved and develop appropriate mitigation strategies. For example, the GDPR requires a risk assessment for processing that involves systematic monitoring of a publicly accessible area on a large scale, large-scale processing of sensitive personal information, or automated decision-making or profiling that could significantly affect an individual.
- Removal of exemptions: A popular topic in the discussion and issues papers previously published by the Attorney-General’s Department was the removal of certain exemptions in the current Privacy Act, notably the employee records exemption. Currently, an organisation’s handling of an employee record, where it is directly related to a current or former employment relationship with an individual, is exempt from the Privacy Act, meaning the APPs and other protections do not apply to that information. It is widely anticipated that this exemption will be amended or removed as part of the reform. This would greatly increase the extent of an organisation’s privacy compliance obligations, as removal of the exemption would bring current and former employee records into scope.
- Right to be forgotten: Speaking in January 2023, Mr Dreyfus indicated the proposed reform will recommend that additional rights for individuals be included in the revised Privacy Act. In particular, a right to erasure (the “right to be forgotten”) is expected, which would allow individuals to request that an organisation destroy all personal information it retains about them. This will create a challenge for many organisations: they will need effective processes and technology to accurately identify all relevant personal information across their systems, to securely and permanently destroy it, and ultimately to comply with any valid request.
What you can do now to get ready
With the reform expected to be approved and enacted by 2024, the clock is ticking for organisations to ensure their privacy programs are well established and operating effectively. Whilst the exact provisions of the reform will not be known until Mr Dreyfus’ office publishes the final report and government response, organisations can prepare by undertaking the following key activities in 2023:
- Internal audit: Ms Falk also spoke about the value of utilising the organisation’s internal audit function or engaging external specialists to conduct a comprehensive assessment of the organisation’s privacy program. Identifying improvement opportunities and compliance gaps with the current Privacy Act as soon as possible will streamline compliance when the reformed Privacy Act is enacted.
- Data destruction: The importance of an effective data management program and adherence to a defined data retention schedule cannot be overstated. The Privacy Act in its current state already requires organisations to destroy or de-identify personal information once it is no longer needed for a permitted purpose. As most organisations will have a number of data retention requirements under other applicable legislation (such as the Fair Work Act 2009 and the Corporations Act 2001), it is essential to define a retention and destruction schedule for all categories of data and personal information and to implement appropriate controls and tools to adhere to those schedules.
- Data minimisation: Review and, where necessary, amend privacy practices to ensure that personal information not strictly necessary for the purpose for which it was originally collected is destroyed and not collected in future. This is best achieved by performing a PIA on specific business processes, assessing all categories of personal information collected as part of each process and identifying any personal information that is not strictly necessary for it.