© 2020 Content Security Pty Ltd.

How recent changes to the Privacy Act affect your business

The federal Privacy Act 1988 was recently amended for the eleventh time, and it’s crucial you check to see if your business complies with the legislation.

Here’s your guide to what the latest changes mean.

What is the Privacy Act, and does it apply to you?

The Privacy Act 1988 (Privacy Act for short) aims to promote and protect the privacy of individuals. It also regulates how Australian Government agencies handle personal information, and the regulations are stricter for sensitive personal information rather than other types of personal information.

Organisations, including businesses with a $3-million-plus annual turnover, are within the act’s ambit. However, other organisational types, which turn over less than $3 million a year, are also included in the Act.

Then, the Privacy Act also covers particular acts and practices of other small businesses. Specifically, they relate to anti-money laundering, counter-terrorism financing, residential tenancy databases and conducting a protected action ballot.

You’ll need to comply if your business is exposed to any of those categories above during its activities. Seek legal advice if you’re unsure.

Even if you don’t think the act applies to your business, it’s still good practice to follow the privacy provisions and the work of the agency that enforces it – the Office of the Australian Information Commissioner (OAIC).

Be sure to keep updated on the Privacy Act; it’s already been amended 11 times in the past three years, and, says The Guardian, further reforms are on the cards. They’re likely to mimic European-style privacy reforms. And The Australian Financial Review reported in January 2022 that the federal government plans to reduce from 90% the number of Australian businesses exempt from privacy obligations. 

The recent changes

Here’s a list of the key changes:

  • Serious or repeated privacy breaches risk an increased fine of up to $50 million for businesses or organisations and $2.5 million for an individual. They may be regarded as a criminal offence
  • A stronger Notifiable Data Breaches scheme
  • New powers and more funding for the OIAC to demand information, investigate and impose penalties for actual or suspected privacy breaches
  • Enhanced OIAC powers for two-way sharing of information with other enforcement regulators and bodies, including the Australian Communications and Media Authority, and
  • Expanded coverage to practices outside of Australia, if the entity operates in Australia, or collects or holds information about us directly from an Australian source.

For more detail, check the legal wording of the latest version of the Privacy Act. For the amendments, this official parliamentary website gives an insight into the legislation’s passage through the Australian Parliament before it was gazetted on 12 December 2022. It’s called the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.

What your business needs to do

Businesses are encouraged to review and bolster their process and systems to make sure they comply with the act and related laws. As well as auditing your processes, another way to manage privacy breaches that occur in your business due to cyber attacks is insurance.

Expect the data security gaps between levels of government – such as in Victoria, NSW and local government – to be bridged. You can get an inkling of the inconsistencies from OAIC.

The previous federal government issued a whole-of-economy vision for data – the Australian Data Strategy. Next came a discussion paper for a National Data Security Action Plan, released in December 2021. It set out issues in the data security landscape that need harmonising. The Department of Home Affairs received 81 submissions about it by mid-2022, and it’s still consulting with industry and governments. Check this official webpage for updates because those loopholes are on the agenda to be closed.

The onus is on businesses to improve the way they manage privacy risks. The bottom line is that privacy risks can no longer be seen as just a risk of doing business.

For more information please contact our cybersecurity professionals today.

Recent news