Preparing for the new privacy laws
In 2022, the Federal Attorney-General’s Department conducted a review into the Privacy Act 1988 and recommended 116 reforms. In September 2023, the Federal Government issued its response to the review – agreeing to 38 of the reforms, agreeing in-principle to a further 68 (requiring more extensive consultation), and noting the remaining 10.
In its response, the Government delivered a clear message to businesses – the protection of Australians’ personal information is crucial and inadequate privacy safeguards will not be tolerated.
The Federal Government is expected to introduce a Bill amending the Privacy Act before the end of the year.
Proposed changes to the Privacy Act to which the Government agreed (and are likely to be encompassed within the Bill), include:
- Giving individuals greater control over their privacy by requiring entities to seek informed consent about the handling of personal information.
- Making entities accountable for handling individuals’ information and enhancing requirements to keep information secure, including destroying data when it is no longer needed.
- Providing entities with greater clarity on how to protect individuals’ privacy and simplifying their obligations when handling personal information on behalf of another entity.
- Requiring privacy policies to include details of any personal information used in substantially automated decisions with legal or other significant effect.
- Giving individuals a right to request meaningful information about how substantially automated decisions with legal or other significant effects are made.
- Establishing stronger protections for children, including the introduction of a Children’s Online Privacy Code.
- Changing the civil penalty regime, introducing low, medium and high tiers based on the severity of the breach.
While the specifics of the Bill are as yet unknown, lawyers are encouraging businesses to take proactive steps to prepare for the expected changes.
How to prepare for the new privacy regime
While the compliance details will not be known until the Bill is passed, businesses that are not already compliant with the European Union’s General Data Protection Regulation (GDPR) are expected to need to improve their privacy practices, including by embedding “privacy by design” and incorporating privacy compliance into every aspect of their operations.
Actions businesses may consider to prepare for the new privacy rules include:
Establish “fit-for-purpose” governance frameworks and controls
Ensure the business has a means for overseeing and delivering privacy programs and activities.
- Action: Ensure the board is aware of the business’s privacy compliance requirements.
- Action: Ensure existing data governance systems and controls can be readily uplifted to address new compliance requirements.
- Action: Ensure all staff are aware of their privacy compliance obligations.
Understand your current privacy compliance regime
Ensure the business understands its current privacy compliance landscape and reviews its current privacy practices.
- Action: Ascertain the type, sensitivity, and volume of personal information held.
- Action: Evaluate existing privacy policies and collection notices.
- Action: Identify the technical measures currently in place to keep personal information secure.
- Action: Understand the business’s data retention practices, including how long each category of personal information is kept and when it is destroyed or de-identified.
Address key aspects of the reforms
Consider the key reforms and how the business will address them.
These include:
- Expanded definition of personal information to cover information or opinion that relates to (rather than is about) an identified or reasonably identifiable individual. – Action: Consider how the expanded definition will impact your data practices, including those that rely on the use of technical data.
- Requirement to inform individuals when relying on substantially automated decision-making based on personal information. – Action: Consider what updates are required for notices, policies and privacy impact assessment processes.
- Requirement that consent must be voluntary, informed, current, specific, unambiguous, and easily withdrawn. – Action: Consider what uplift of notices and consent practices are required, the timing of consent changes, and the mechanisms required to enable individuals to withdraw consent.
- Enhanced GDPR-inspired rights for individuals. – Action: Consider what systems, processes, and resources are needed to respond to individuals’ exercising their new rights.
- Requirement for the collection, use or disclosure of personal information to be fair and reasonable in the circumstances. – Action: Identify and assess activities that are likely to be considered unfair or unreasonable and consider potential mitigations.
- Requirement to conduct privacy impact assessments prior to undertaking activities with high privacy risks. – Action: Develop or enhance privacy impact assessment processes and templates.
- Requirement to determine and record the purposes for which you collect, use and disclose personal information. – Action: Develop or enhance your approach to governance and compliance records and documentation.
- Right to opt-out of direct marketing; prohibition on targeting individuals based on sensitive information; and transparency about the use of algorithms and profiling in advertising. – Action: Consider the impact of proposed changes on your promotional activities and ability to leverage data when engaging with customers.
- Requirement to meet baseline data security outcomes; adopt data breach response plans; and notify the Office of the Australian Information Commissioner (OAIC) of eligible data breaches. – Action: Develop or enhance your data breach response plan, including how breaches are detected, assessed and escalated.
- Requirement to document minimum and maximum retention periods for different types of personal information held. – Action: Develop or update your data retention policy.
- New civil penalties – Action: Consider your exposure to increased legal and regulatory enforcement risks.
Embed “privacy by design”
Ensure the business prioritises the protection of personal information.
- Action: Ensure privacy compliance is considered in all operations and projects.
- Action: Implement “privacy by default” technical measures.
- Action: Pursue data minimisation and only collect and retain necessary personal information.
Allocate resources
Ensure the business allocates resources, including IT, to comply with the new laws.
- Action: Invest in and allocate resources to deal with expanded individual rights.
- Action: Identify any process that may involve substantially automated decision-making and, where possible, ensure individuals are provided with adequate information about this process.
Prepare for enhanced cybersecurity requirements
Review the 2023-2030 Australian Cyber Security Strategy to see what technical and organisational measures you may be required to implement as part of the Government’s agreement to enhance cybersecurity obligations.
- Action: Consider implementing the Australian Cyber Security Centre’s Essential Eight mitigation strategies and adopting other cybersecurity best practices.
- Action: Undertake regular cybersecurity assessments.
Ensure your business is protected
Last, but by no means least, you should talk with your EBM Account Manager to discuss the insurance options (including cyber and management liability cover) to protect your business.