What You Need to Know – Expected Changes to The Privacy Act
Starting with the basics, privacy laws have been put in place to protect each citizen’s identity.
The challenge is that Australian privacy laws lag behind Europe’s General Data Protection Regulation (GDPR) and some US states, in particular California.
To keep up with the rest of the world, the Australian Attorney-General’s Department reviewed The Privacy Act 1998 (Privacy Act) and made 116 recommendations.
Although most of the recommended changes are not entirely unexpected, the expanded reach to business, greater regulatory power and proposed new penalties are significant.
Our Take on the Key Items
- Companies Turning Over Less Than $3m Now Included – note that 93% of Australian businesses turn over less than $2m per year.
- Greater Regulatory Power – the Office of the Australian Information Commissioner (OAIC), the independent national regulator for privacy and freedom of information, will obtain enhanced information-gathering powers, particularly in relation to data breaches, and will also be able to share information publicly if it is in the public interest to do so.
- Higher Fines (already in place, fast-tracked in October 2022) – the maximum penalty increases from $2.2m to the greater of:
  - $50 million; or
  - three times the value of the benefit obtained that is attributable to the breach; or
  - 30% of turnover.
- Specific Consent Required to Gather Data – consent is only valid if it is voluntary, informed, current, specific and unambiguous. Further, any consent must be capable of being withdrawn at any time.
- Right to Remove Data – an individual will have the right to have their personal information removed.
So What Next?
The recommended changes to the Privacy Act, as at October 2023, are not yet law.
This means you have time now to review the potential impact on your business and how resilient your business will be to the proposed changes. Considerations could include:
- People – do we have the right skills, including capability and capacity?
- Process – how are we gathering, managing and protecting our data and/or other people’s data?
- Technology – do we have the right tools, operating in the right way?
- Insurance – what risk scenarios could occur, such as a data breach, and do we have the right risk mitigation in place, including insurance?
As cyber insurance is a relatively new product with large variations in coverage, we would be happy to advise on how this insurance can assist you and to help you navigate it.
SherpaTech
October 2023