In November 2022, the Government endorsed and passed a new bill that introduced tougher privacy laws following the Optus and Medibank data breaches which exposed the private details of millions of people.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 amends the Privacy Act (1988), the Australian Information Commissioner Act (2010) and the Australian Communications and Media Authority Act (2005). The intention of this bill is to put privacy front and centre. Under this new bill:
Small Businesses Need to Start Thinking About Privacy
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 removes the small business exemption. Prior to this bill, businesses with less than $3 million in annual turnover were exempt from reporting privacy breaches and from being held responsible for the misuse of data.
Businesses that collect personal information will now need to ensure the information is necessary and directly related to one or more of the business’s functions. Additionally, they will need to report how they store, update and disclose personal information within their company. This will force all businesses to review their privacy policy and their cyber security policies and measures to ensure they are not vulnerable or at risk.
Under current Australian Privacy Principle requirements, businesses can only collect and use personal information if required by law or necessary to verify an individual’s identity. They also must destroy or de-identify personal data and take reasonable action to protect personal and sensitive information from misuse, hacks or disclosure.
There will be Tougher Penalties
The Privacy Legislation Amendment 2022 affects Section 13G of the Privacy Act (1988) and increases the penalties for serious or repeated interferences with privacy for both individuals and body corporates (businesses).
The increase in penalties is intended to act as a deterrent for individuals and body corporates, as the previous penalties were considered too soft for such an impactful matter. It is also designed to incentivise businesses to improve corporate cyber compliance by investing in cyber security measures and policies.
Greater Enforcement Powers
The OAIC has also been given greater enforcement powers to resolve privacy matters more efficiently. With this new power, the Commissioner can issue infringement notices to body corporates for failing to answer questions, give information or produce records or documents regarding a privacy breach.
The bill also extends the OAIC’s existing powers. Now, the OAIC will be able to:
This promotes privacy as individuals and body corporates will look to handle information with care and due diligence. It also strengthens the Notifiable Data Breach scheme to ensure the Commissioner has comprehensive knowledge of the information compromised to assess the particular risk of harm to individuals.
Sharing of Information
Following the two data breaches, it was recognised that there were barriers between the OAIC and ACMA that impacted the efficiency and outcomes of enforcing the Privacy Act (1988).
To remedy this, the Privacy Legislation Amendment 2022 facilitates better cooperation between the OAIC, ACMA and other regulatory authorities by allowing the Commissioner to share information, provided that it is reasonable, necessary and proportionate to do so. Sharing is limited by these five restrictions to ensure and promote privacy:
Extraterritorial Jurisdiction
The Privacy Amendment also clarifies how the Australian government will handle international companies that hold Australian data. Now, foreign organisations that “carry on a business in Australia must meet the obligations under the Act, even if they do not collect or hold Australians’ information from a source in Australia”. This amendment mirrors provisions of the Australian Consumer Law (Consumer and Competitor Act 2010) and is designed to better protect our digital identities by holding platforms accountable for leaks and misuse of the personal information provided to them.
With the new amendments to the Privacy Act (1988), the best way to ensure your privacy policy and cyber security policies are up to date is to talk to our experienced Corporate & Commercial team, who will be able to provide a tailored approach to ensuring your business is compliant with all new regulations. To obtain advice or arrange a meeting, give us a call or fill out the enquiry form.