Privacy Law Reform back on the Agenda – What Organisations Need to do Now

In response to the Optus data breach, the Federal Attorney-General, Mark Dreyfus, has committed to making “urgent” reforms to the Federal Privacy Act, ideally by the end of 2022. With only four sitting weeks left for Parliament, it is not possible for these reforms to address the full suite of proposals on the table as part of the broader ongoing review of the Privacy Act, which began in 2019. Rather, it seems likely the reforms will be directed at the key weaknesses of the Privacy Act highlighted by the Optus data breach, which were already under consultation by the previous Morrison Government.

Federal Parliament next sits on 25 October 2022, so we have a couple of weeks to wait and see what direction the government will take. But based on recent commentary, it seems likely the reforms for 2022 may include:

  • Higher penalties: an increase in the current maximum penalty for serious or repeated interferences with privacy, from $2.1 million for organisations to $10 million, or three times the value of any benefit obtained through the misuse of the information, or 10% of annual Australian turnover.
  • Stronger data minimisation, security and retention requirements: more directive obligations on organisations with respect to data minimisation, data security and data retention, such as a tightening of the existing principle in Australian Privacy Principle 11. Related legislative requirements that oblige organisations to retain personal information would also need to be reformed so that the two sets of obligations do not conflict.
  • Tighter mandatory data breach notification: potential tightening of the Notifiable Data Breaches (NDB) scheme, including timing for conduct of assessment and notification of an eligible data breach.
  • Better resourced regulator: to support the reforms, there is a need for increased funding for the Office of the Australian Information Commissioner (so that it can take a more active role in enforcement). It remains to be seen if this will be included in the proposed 2022 reforms.

What should organisations do now?

Now is the time for organisations to prepare for anticipated reform to the Privacy Act.

As a first step, organisations need to know their current obligations under the Privacy Act and how they measure up.  A privacy audit or maturity assessment is a useful exercise – this is a whole-of-organisation review of practices, procedures and systems for the handling of personal information against the Australian Privacy Principles (APPs) and any binding privacy codes that apply to the organisation, as well as privacy best practice. For example:

  1. Does the organisation have documented, implemented and maintained policies and procedures, such as an actionable data breach response plan, up-to-date published privacy policy and appropriate collection notices?
  2. Does the organisation have a clear understanding of the personal information it collects and holds and how the organisation meets its obligations under APP 3 and APP 11 on an on-going basis?
  3. How is third party security risk managed by the organisation? For example, does the organisation require a security assessment for new suppliers? Are there set minimum information security requirements for supply contracts?
  4. How prepared is the organisation to deal with and respond to a data breach, privacy complaints, access and correction requests and other enquiries?
  5. What is the organisation doing to ensure and measure privacy awareness and knowledge, and build and support a privacy culture? Does the organisation have a “privacy champion”?

Once the privacy law reforms are known, the second step will be to conduct a gap analysis against them and implement a program to uplift the organisation’s existing privacy management framework. This will include updating practices, procedures and systems and conducting a privacy awareness program.

This approach was helpful for organisations when the last major reforms to the Privacy Act were introduced in 2014 (the change to the Australian Privacy Principles and other amendments) and the later introduction of the Notifiable Data Breaches scheme in 2018.

While the detail of the reforms is not yet known, we do know that the Privacy Act will be reformed in the next 12 months, with some reform potentially before the end of 2022. Organisations can (and should) start to prepare now.

For more information, please contact Sophie Bradshaw, Sarah Gilkes, Alex Ninis and Simon Carrodus.
