Following the passage of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, the Australian Government is set to table a draft privacy amendment Bill, part of the second tranche of privacy reforms in Australia, this month. These reforms aim to bring Australia's privacy laws into the digital age and closer to global benchmarks. While there are rumours of further delays, prudent businesses should take advantage by taking proactive steps now to prepare.
In September 2023, the Australian Government released its response (Response) to the Privacy Act Review Report (Report). Of the 116 recommendations proposed in the Report, the Government has agreed to 38 recommendations and agreed in-principle to 68 other recommendations.
In its Response, the Government delivers a very clear message to Australian businesses – the protection of Australians' personal information is paramount, and inadequate privacy safeguards will not be tolerated. This message has been reiterated by Privacy Commissioner, Carly Kind, who has said, "the Privacy Act reforms will permit [the Office of the Australian Information Commissioner] to go after a range of different privacy harms and violations across the spectrum."
Although detailed compliance measures will need to wait until the Bill is passed, it is apparent that businesses that are not already GDPR compliant will need to step up their privacy practices, including by embedding 'privacy by design' and incorporating privacy compliance strategies into every aspect of their operations as soon as possible.
Step 1 – Establish 'fit for purpose' governance frameworks and controls
Having suitably qualified senior personnel responsible for overseeing and delivering privacy programs and activities will be essential for any compliance strategy. Indeed, the reforms may require businesses to appoint or designate a senior employee to have specific responsibility for privacy within the business. Businesses should consider establishing or reconfiguring governance structures to ensure that:
- they have a privacy reform project team involving experts from legal, compliance, IT and product that draws on advice from external experts to review the proposed reforms and commence planning;
- roles and responsibilities between key personnel in the privacy compliance team are clearly delineated, with clear reporting lines to the Board;
- Boards are aware of their business' privacy compliance posture and privacy compliance is a regular agenda item;
- existing data governance systems and controls (including data classification policies, privacy impact assessments, third party due diligence processes, data retention policies, suite of contracts and risk matrices) can be readily uplifted to address new compliance requirements; and
- all staff are aware of their privacy compliance obligations, through regular training programs.
Step 2 – Understand 'current state' privacy compliance regime
With the reforms expected to overhaul every aspect of the way businesses collect, use, disclose and retain personal information, businesses should review current privacy practices and understand their current privacy compliance landscape. This includes auditing data assets and practices and using robust data governance tools to:
- ascertain the type, sensitivity, and volume of personal information held (for example, individuals' names, addresses, health information). When doing so, businesses should bear in mind the proposed expanded definition of 'personal information', which will include technical information (e.g. IP addresses and location data) and inferred information (e.g. predictions of behaviour or preferences);
- evaluate existing privacy policies and collection notices to understand the basis of the collection, use and disclosure of personal information within the business, and consider whether existing data collection and usage practices are excessively intrusive. This may include exploring whether there are other ways to meet legitimate business needs;
- determine the measures required to implement the anticipated reforms, in particular having regard to the upcoming 'fair and reasonable' test. This test will apply irrespective of consent and will require businesses to consider whether the individual would reasonably expect their personal information to be collected, used or disclosed in the circumstances;
- ensure data assets are accurately classified according to their sensitivity;
- map data flows for material or potentially 'high-risk' business operations (including those that involve third parties), e.g. activities that involve procurement of emerging technologies such as artificial intelligence or facial recognition technology, marketing to children, or any other activity that is likely to have a significant impact on the privacy of individuals;
- identify the technical measures used, or available for use, by the business to keep data assets secure; and
- understand the business' data retention practices, the regulatory requirements applicable to the business' ongoing retention of data, and the associated internal records retention and destruction policies.
The outcomes of such an audit should be mapped against current privacy policies, collection notices and regulatory requirements to identify potential gaps and the uplifts required.
Step 3 – Embed 'privacy by design'
The Australian Government expects a dramatic shift in businesses' existing privacy practices and culture, with the protection of personal information being front of mind. Certain businesses, such as those involved in data commercialisation, may even need to reconsider their business model.
From designing and building products and services to administering workplace relationships, businesses should prioritise the protection of personal information at the earliest opportunity. Businesses should:
- be aware that they may no longer be able to use personal information in the same way;
- understand that privacy compliance is a 'whole of organisation' issue and not just the responsibility of a select few;
- uplift project governance tools and structures to ensure that privacy compliance is considered in all operations and projects;
- implement 'privacy by default' technical measures;
- pursue data minimisation and only retain personal information that is necessary for the business' functions and activities, applying the new 'fair and reasonable' test;
- establish mechanisms (for example, age verification processes) to identify and deal with the personal information of children as well as people experiencing vulnerability; and
- revisit direct marketing practices and decision-making processes to account for the additional restrictions applicable to the personal information of children and people experiencing vulnerability.
Step 4 – Uplift IT and other resources to comply with new individual rights
Empowering individuals with control over their personal information is at the heart of the reforms. If the reforms are passed, individuals will have the right to:
- object to the collection, use and disclosure of their personal information;
- obtain an explanation of how the business collected and used their personal information through an enhanced right of access;
- be notified about their rights and how to exercise them at the point of collection;
- have their personal information erased; and
- request meaningful information regarding any automated decision-making used by the business, where this is the case.
This will mean that businesses will need to consider how they will respond to the new rights. Businesses should:
- invest in and allocate adequate resources to deal with the expanded individual rights, including implementing new policies and procedures to deal with these rights;
- review existing systems to determine whether the organisation has the necessary functionality to meet those requirements;
- identify any capability 'gaps' in the systems and consider the procurement strategy for any necessary additional or upgraded systems; and
- identify any process that may involve substantially automated decision-making and, where applicable, ensure that individuals are provided with adequate information regarding this process.
In its Response, the Government also acknowledged that the expanded individual rights could potentially be burdensome on businesses and agreed in principle that these rights should be subject to exceptions.
Step 5 – Prepare for enhanced cyber security requirements
The Australian Government has agreed to enhance cyber security obligations, including specifying technical and organisational measures that businesses may be required to implement. It is expected that this will be guided by the 2023-2030 Australian Cyber Security Strategy (Cyber Strategy). Businesses should:
- consider implementing the Essential Eight strategies and adopting other cyber security best practices set out in the Cyber Strategy;
- where appropriate, undertake regular cyber security assessments such as penetration testing to assess and identify any cyber security risks or gaps; and
- consider whether it is desirable and appropriate for the organisation to obtain and maintain recognised cyber security standards and certifications, such as ISO 27001.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.