Article

Navigating the New Privacy Act Reforms: Essential Changes You Need to Know

WRITTEN BY Katie Innes


Following years of substantial review of the Privacy Act 1988 (Cth) (Privacy Act), Parliament passed the Privacy and Other Legislation Amendment Bill 2024 (Cth) amending the Privacy Act in December 2024. Implementing 23 out of the 116 legislative proposals outlined in the Government Response to the Privacy Act Review Report, these changes are the beginning of sweeping changes to Australia’s privacy law landscape.

Key reforms

The key reforms thus far include:

  1. The addition of a statutory tort for serious invasions of privacy commencing on 10 June 2025;
  2. A new criminal offence to outlaw ‘doxxing’;
  3. The introduction of a Children’s Online Privacy Code;
  4. Increased penalties and further developments in OAIC enforcement powers;
  5. Changes to the overseas disclosure requirements, including a ‘whitelist’ of countries which have a similar privacy regime as ours; and
  6. Further disclosure on the use of personal information in automated decision making.

These reforms introduce stricter data protection requirements for businesses, emphasising transparency, accountability and enhanced consumer rights, and will require businesses to adjust their data handling practices and compliance strategies. The staggered commencement of these reforms means that businesses have time to implement the necessary measures; for example, the ‘whitelist’ of countries deemed to have a privacy regime similar to ours has not yet been approved.

For further information on each of these reforms including compliance requirements, enforcement measures, and some of the reforms yet to be enacted please refer to our essential guide here.

Practical tips for businesses – are you ready for it?

Considering the enhancement of regulatory powers, the implementation of all the reforms is expected to bring a higher degree of OAIC enforcement activity. It is vital that businesses consider the following to ensure compliance and avoid the new strict penalties.

Have you reviewed your privacy policy recently?

Evaluating and updating your current privacy policy is essential to address the automated decision-making requirements and to illustrate your organisation’s current data handling practices.

You should be auditing your business processes to determine what data is collected, why it is collected, where it is stored, how it is kept secure and how it is shared. Where you use personal information in an automated decision, such as using software to approve or reject an application by comparing personal information against pre-defined objective criteria, you should update your privacy policy to provide for this.

To ensure compliance with the new Australian Privacy Principle, you should implement not only technical data security protections but also sufficient governance and organisational structures to manage and protect personal information (if you do not have any already). This could include encrypting data, securing access to systems and preferences, limiting access, and additional training for staff on data management.

How would you manage a breach?

With the introduction of the tort for serious invasions of privacy, the risk of civil liability has heightened for both APP entities previously covered under the Privacy Act and other organisations, such as small businesses, that are now within scope. This civil liability means businesses will face direct or vicarious corporate responsibility if they or any of their employees or agents breach a person’s privacy or misuse information. One step businesses can take to mitigate this liability is to show they have taken all reasonable steps to avoid the breach of privacy, including preparing a data breach response/compliance plan. Such a plan outlines the roles and responsibilities involved in managing a data breach and the steps which will be taken if a breach occurs. These plans can also include broader policies about when an organisation will delete or de-identify personal information, again to mitigate the potential for a breach of privacy. In addition to having the plan, entities should be training their staff on how to enact it and reviewing it regularly to ensure the procedures are working. All entities should consider implementing such a plan, as it enables businesses to respond quickly to breaches, minimising the impact on affected individuals and the threat of civil liability.

Conclusion

Whilst these reforms are just the beginning of a major shift in Australian privacy law, and there is likely more reform on the way, businesses should proactively begin reviewing their current policies to ensure compliance.

If you have any queries or require further advice, please get in touch with the Business & Commercial team on 02 6274 0999 to discuss further.
