February 2024

Change is on the horizon: privacy, personal information & organisations

Change is on the horizon for businesses and their approaches to privacy, with the Australian Federal Government responding to the Privacy Act Review Report on September 28, 2023.

38 out of the 116 proposals for improvement made in the report have been endorsed, signalling a commitment to increased privacy protections, transparency, and control of personal information.

What does this mean?

As part of the response to the large-scale data breaches that occurred in 2022, the Privacy Act review proposed significant changes. These include introducing a positive obligation for fair and reasonable personal information handling, enhancing the powers of the Office of the Australian Information Commissioner (OAIC), and removing certain exemptions to provide greater privacy protection for individuals.

The proposed changes aim to strengthen the protection and fairness of personal information handling by organisations.

While the legislation to implement these changes is yet to be drafted, businesses can proactively prepare for the impending alterations, potentially minimising costs and disruptions when the new legislation takes effect.

The reforms

The government has agreed upon key reforms, encompassing various aspects of privacy regulations. These reforms aim to address critical areas, ensuring robust protection of personal information and enhancing accountability.

Agreed-upon reforms:

These reforms collectively represent a comprehensive effort to adapt privacy regulations to the evolving landscape, aiming to enhance the protection of personal information and uphold accountability principles in the digital era.

The government has tentatively agreed to key reforms ‘inprinciple’, that necessitate further consideration. These include:

What do you need to do?

To prepare for the upcoming changes, businesses should familiarise themselves with the 38 proposals endorsed by the government, which will be prioritised for drafting and implementation. This serves as the foundation for future privacy regulations.

Crucially, reviewing existing privacy policies and procedures is necessary, identifying areas that may need updating to ensure compliance with the proposed changes. This involves assessing current practices such as data collection, storage, access, consent mechanisms, and breach response protocols. Equally important is ensuring that employees handling personal information are privacy-aware. As changes are introduced into draft legislation, specific obligation training can be provided to keep the workforce informed.

As a final risk mitigation step, businesses should conduct a data audit and establish or refresh a data retention regime. Given the occurrence of data breaches, organisations need to minimise the data they hold and how long they hold it.

By taking these proactive steps, businesses can successfully navigate the evolving privacy regulations, not only avoiding potential legal issues but also building trust and confidence with customers by demonstrating a commitment to responsible data-handling practices.

More like this