As Australia edges closer to implementing significant changes to its Privacy Act, businesses across the country are preparing for a wave of new responsibilities and obligations. The forthcoming reforms—expected to be tabled in Parliament this week—represent a major shift in how personal information is handled, with a particular focus on employee data, privacy policy clarity, and data breach management.
In this second instalment of our series on the upcoming Privacy Act changes, we take a look at some of the most impactful areas of the expected new legislation. From the end of exemptions for employee records to the introduction of stricter data retention policies, these changes will require businesses to rethink their approach to privacy and data protection.
Rather than seeing these upcoming privacy reforms as a burden, businesses could embrace them as a strategic opportunity to enhance their operations. By proactively aligning with the new requirements, organisations can not only ensure compliance but also demonstrate a strong commitment to safeguarding personal information. This is a chance to strengthen relationships with employees and customers, building trust and loyalty that can drive long-term success. Embracing these changes positions businesses as leaders in privacy protection, ultimately contributing to a more secure and transparent digital environment.
Employee Records Will No Longer Be Exempt
At the moment, employee records for both current and former employees are exempt from the Privacy Act. It is likely that this will change. Once employee records are covered, businesses will need to ensure they are adequately protected, and data breaches involving them will need to be notified.
Designated Employees
Organisations must implement increased accountability measures. This means appointing a senior employee with specific responsibility for privacy (like a Privacy Officer). The aim of this change is to ensure there is dedicated oversight and compliance with privacy regulations, enhancing the organisation’s ability to protect personal data and maintain transparency.
Clear, Up to Date, Concise Privacy Policies
Privacy Policies and collection notices are currently too complex, lengthy, legalistic, and vague. On average:
- There are 6,876 words in a typical Privacy Policy
- It takes 29 minutes to read a typical Privacy Policy
- It would take 46 hours per month to read every Privacy Policy encountered
New requirements will mandate clarity, conciseness, and understandability.
Organisations will need to ensure their Privacy Policies are clear, up to date, and concise. This will help create greater transparency and trust with customers, ensuring that data practices are clearly communicated and easily understood.
Minimum and Maximum Data Retention Periods
Organisations are expected to establish their own minimum and maximum data retention periods. These will need to be set out in their Privacy Policy and reviewed regularly. This will help maintain data integrity, improve transparency, and ensure compliance with the updated Privacy Act.
Notifiable Data Breaches Scheme
The proposed Privacy Act changes include heightened requirements for organisations in the event of a data breach, including:
- notifying the Information Commissioner within 72 hours (reduced from 30 days)
- informing affected individuals as soon as practical
- demonstrating that they have taken “reasonable steps” to implement systems, procedures, and operating practices around personal information and data breaches
Increased Rights for Individuals
Individuals will have more control over how businesses handle their personal information, with the introduction of the right to erasure, the right to object and the right to de-index search results.
Consent requirements will also be increased. Consent from individuals to have their data collected or used will need to be “voluntary, informed, current, specific and unambiguous”. Individuals should also be able to withdraw consent just as easily.
The Fair and Reasonable Test
Currently, the burden of managing privacy falls largely on individuals to decipher complex privacy policies and collection notices. To address this imbalance, the burden will be shifted to organisations. There will be a new requirement that the collection, use and disclosure of personal information is fair and reasonable, irrespective of whether consent has been obtained or not.
Increased Rights for Individuals to Litigate
At the moment, individuals have few legal options in the face of data breaches.
The Government has agreed in-principle to:
- a direct right of action for individuals to seek remedies (including damages) for breaches of the Privacy Act
- a statutory tort for serious invasions of privacy
Increased Penalties
Last year, the government introduced higher maximum penalties for breaches of the Privacy Act. For companies, it is the greater of:
- $50 million
- Three times the value of benefits obtained or attributable to the breach (if quantifiable)
- 30 per cent of the corporation’s “adjusted turnover” during the “breach turnover period” (if the court cannot determine the value of benefit obtained).
For individuals the maximum penalty is $2.5 million.
Data Controller Versus Data Processor
To align more closely with the GDPR, the revised Privacy Act is likely to introduce a distinction between personal information data controllers and data processors.
Data controller: a person or organisation that decides why and how personal information is used.
Example: An association collects customers’ email addresses to send them promotional offers. The association decides what information to collect, how to use it, and for what purpose.
Data processor: a person or organisation that handles personal information on behalf of the data controller, following their instructions.
Example: iMIS manages and sends out promotional emails on behalf of the association, using the customer email addresses provided by the association. iMIS follows the instructions of the association.
Evidence of Compliance
Companies will need to be prepared to provide clear and comprehensive evidence of their compliance efforts:
- Regulatory bodies will have increased powers to conduct audits and investigations.
- Demonstrating compliance can help mitigate the risk of penalties and fines.
- Providing evidence of compliance can enhance trust and confidence among customers.
- It leads to better overall governance and accountability.