Changes are coming. Now is the time to prepare, consider the impact to your business and secure budget.
The recommendations from the Attorney-General’s review of the Privacy Act were published on the 16th February 2023. The Government has now completed their review (28th September 2023) and indicated their intention to act on a range of recommendations. We expect that some of these recommendations will make their way into legislation and for others, further consultation with industry and relevant stakeholders will be completed.
What appears to be changing/things to be aware of?
There are a range of overdue changes and some that will hopefully get a second look before becoming legislation. Some are merely clarifications while others strengthen the consequences of non-compliance. Key focus areas include:
- Scope & Clarifications: A number of clarifications
including that the Act’s scope is “personal information”, what sort of
organisations it applies to (for example the government agrees in principle
that the exemption to small business, with revenue less than $3M, should be
lifted), what are and are not reasonable steps (via updates to Australian Privacy
Principles) and that a child is defined as someone not yet 18 years of age –
enabling the introduction of a Children’s Online Privacy Code. - Enforcement & consequences: Reviewing
the role of the OIAC in enforcement, recommendations to enhance the power to
act on breaches of the Privacy Act including consequences for the act of
reverse engineering de-identified data. - Flexibility to act: A range of delegations to the Information Commissioner to be able to change on a permanent or temporary basis the Australian Privacy Principles (APP) on the advice of the Attorney-General (including modifications to the Act to allow companies to share data with Commonwealth & State bodies in an emergency).
- Research & Innovation: Allowances to support innovation and simplify the use of personal data for research purposes by research organisations.
- Technology Advances (AI & Biometrics):
A number of inclusions to catch up with technology, including the handling of
biometric data and duty to notify individuals, within the privacy policy, of how
their personal information will be used in automated processes/decision-making.
A number of the themes presented in the recommendations, and agreed for action, reflect recent learnings in Australia from significant data breaches and the Government’s ability to respond quickly to limit the impact for Australians. Other suggestions would have made it easier to coordinate at a National level in response to COVID.
Additional powers granted to the OAIC, that allow the APP to be modified quickly, in the public’s interest, may require organisations to lift the maturity of data management practices to be able to respond effectively and efficiently.
What can I do now?
It may be some time before the government’s recommendations become law, and there is likely to be a grace period, but starting now with some practical steps that will enhance your ability to respond.
Practical steps you can take now (if not already
done/doing):
- Australian Privacy Principles: If the changes to the Act mean that it will apply to you, start by reviewing the Australian Privacy Principles that exist today. Review the proposed changes and establish policies and processes for managing customer data now.
- Data Audit & Classification: review existing data stores and data management practices/policies to ensure that they would continue to remain aligned to proposed legislation, and where not, prepare budget estimates for future funding cycles. Identify and tag customer data that belongs to adults and children so that you can easily respond to future changes.
- Privacy Impact Assessment: establish governance processes for the management of all data internally and externally sourced. Identify owners that can in turn ensure that data is used within the scope of agreed policies and processes. Embed this into your delivery processes.
- Decision Making: Identify business processes that use personal information to make decisions, review privacy statements and customer touch points.
- Maturity Review: Make sure that your data management practices are up to scratch, don’t wait for the Act to change, establish the governance processes that will help you act quickly when they do!
Exco Partners have a depth of experience helping organisations to review and establish data governance practices to ensure that policies and processes are aligned to organisational requirements and address the requirements of legislation. We’ve helped a number of government and private sector organisations review, improve and implement data governance.
Contact us here to find out how we can help ready your organisation lift your data governance Maturity and prepare for changes to the Australian privacy Act.