What You Need to Know About Changes to the Privacy Act
The Privacy and Personal Information Protection Act 1998 (NSW) (the PPIP Act) is currently being reformed to strengthen the protection of personal information and the control individuals have over it. Together with the proposed changes to the federal Privacy Act 1988 (Cth), these reforms are intended to strengthen privacy protection, support digital innovation and enhance Australia's reputation as a trusted trading partner. They also mean considerable change for organisations, which will need to bring their practices into line with the Australian Privacy Principles (APPs) and their state-level equivalents.
What You Need to Know
The APPs set out the obligations of organisations that collect, store, use and disclose personal information.
The federal Privacy Act 1988 (Cth) currently applies to Australian Government agencies, businesses with an annual turnover of more than $3 million, and some other organisations.
- The current maximum penalty for serious or repeated interferences with privacy is $2.1 million.
- A newly proposed draft bill would increase that maximum penalty to the greater of $10 million, three times the value of any benefit obtained through the misuse of the information, or 10 per cent of the entity's annual Australian turnover.
Federal law requires these organisations to:
- Collection - Only collect personal information that is necessary for the organisation's functions or activities
- Use and disclosure - Use and disclose personal information only for the purpose for which it was collected, or a related purpose that the individual would reasonably expect
- Data quality - Take reasonable steps to ensure that personal information collected is accurate, up to date and complete
- Data security - Take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure
- Openness - Have a clearly expressed and up-to-date privacy policy outlining how the organisation manages personal information
- Access and correction - Provide individuals with access to their personal information and allow them to correct it if it is inaccurate, out-of-date or incomplete
- Identifiers - Do not adopt, use or disclose a government-related identifier unless it is required or authorised by law
- Anonymity - Allow individuals to interact anonymously, if it is practical to do so
- Transborder data flows - Take reasonable steps to ensure that personal information is protected when it is sent overseas
- Sensitive information - Obtain consent to collect sensitive information, such as health information, and only use or disclose it for the purpose for which it was collected (or a directly related purpose the individual would reasonably expect)
State and territory-based Privacy law, and changes:
Most (not all) states and territories in Australia have their own privacy laws, which apply to state and local government agencies and, in some cases, to private sector organisations contracted by them. These laws vary between jurisdictions but generally cover principles similar to the federal privacy law. It is important to note that, in the event of a conflict between state and federal law, the federal law prevails. WA and SA do not have their own general privacy legislation; the federal Privacy Act continues to apply to private sector organisations in those states as it does elsewhere, but it does not extend to their state government agencies.
Here is a quick snapshot of the privacy laws in each State/Territory:
- Privacy and Personal Information Protection Act 1998 (NSW)
- Information Privacy Act 2009 (QLD)
- Privacy and Data Protection Act 2014 (VIC)
- Information Act 2002 (NT)
Their key requirements are broadly the same: collect personal information only for lawful purposes (and only what is necessary for those purposes), allow individuals to access their personal information, take reasonable steps to protect personal information, and only disclose personal information with consent or as required by law.
NSW key call-outs:
In NSW, the PPIP Amendment Bill proposes the following key changes to the PPIP Act:
- The introduction of a Mandatory Notification of Data Breach (MNDB) scheme. The scheme will require public sector agencies to notify the NSW Privacy Commissioner and affected individuals of data breaches involving their personal or health information that are likely to result in serious harm.
- New governance requirements for public sector agencies, including obligations to prepare and publish a data breach policy, keep a public register of breach notifications, establish and maintain an internal register of eligible data breaches, and update Privacy Management Plans to reference the MNDB scheme obligations.
- Enhanced regulatory powers for the NSW Privacy Commissioner in relation to enforcement of the MNDB scheme.
- Extending the application of the PPIP Act to state-owned corporations that are not regulated by the Commonwealth Privacy Act 1988 (Cth), being:
  - Transport Asset Holding Entity of NSW
  - Forestry Corporation of NSW
  - Hunter Water
  - Port Authority of NSW
  - Sydney Water
  - Landcom
  - Water NSW
Affected state-owned corporations may therefore need to implement internal processes to ensure they can comply with the PPIP Act as a whole, in addition to the MDBN scheme.
What Does This Mean for Your Organisation?
Once the changes come into effect, all public sector agencies covered by the PPIP Act will be required to observe the mandatory notification provisions under Part 6A of the Act. Under the MNDB scheme, agencies will be required to:
- Immediately take all reasonable steps to contain a suspected data breach.
- Assess a suspected eligible data breach, completing the assessment within 30 days of becoming aware of it.
- Make all reasonable attempts to mitigate the harm caused by the suspected breach during the assessment period.
- Decide whether the breach is an eligible data breach, or whether there are reasonable grounds to believe that it is.
- Notify the Privacy Commissioner and affected individuals of the eligible data breach.
The MNDB scheme will also require agencies to adhere to other data management requirements, including maintaining an internal data breach incident register and providing a publicly accessible data breach policy.
How to Prepare For the MNDB Scheme
There are several steps that agencies should take over the coming months in order to prepare for the MNDB scheme, including:
- Establishing Roles and Responsibilities - clear roles and responsibilities should be set out for managing a breach or suspected breach. This may include creating a data breach response team or appointing a specific staff member to lead the response.
- Review and Update Your Privacy Management Plan - agencies should review and update their plan to ensure it complies with the new section 33(2)(c1) of the act. This plan should include provisions relating to procedures and practices that ensure compliance.
- Preparing and Publishing a Data Breach Policy - agencies should prepare and publish a data breach policy to comply with section 59ZD of the act. The policy should outline how the agency will respond to a data breach, the steps it will follow if a breach occurs, and clearly outline the roles and responsibilities of staff who will be managing the breach.
- Reviewing and Updating Policies and Procedures - agencies should review and update any relevant policies and procedures so that they comply with the obligations set out under the MNDB scheme.
- Maintaining an Incident Register - under section 59ZE of the act, an internal incident register should be established and maintained to record specified information relating to eligible breaches.
- Maintaining a Public Notification Register - agencies are required to keep a public register of any notifications that fall under section 59N(2) of the act. The information should be available for at least 12 months from publication.
How InfoTrust Can Help
With the federal reforms proposing to extend the Privacy Act to all Australian companies, and the PPIP Act being extended to further state-owned corporations, preparing to comply is critical. InfoTrust is well placed to help you prepare for alignment with the PPIP Act, provide expert advice, and guide you through any questions you may have. Contact us today.
Stay tuned for another blog where I will be summarising the Bill proposed to change the federal Privacy Act.