The spate of “huge data breaches that we saw last year” from the likes of Optus, Pizza Hut, JB Hi Fi, and Harvey Norman informed impending privacy laws, Australian Information Commissioner Angelene Falk has confirmed.
The federal government is working to overhaul Australia’s privacy laws, with the bill to amend the Privacy Act 1988 anticipated this year to make the legislation ‘fit-for-purpose’ in the digital age.
Speaking to Szymon Duniec, the CEO of ORIMA Research, at yesterday’s ELEVATE Australian Data and Insights Association (ADIA) Leaders Forum, Falk said digital transformation provides both opportunities and risks.
“Coming off the back of data breaches and the increased cyber risks that you see in our geo-political environment is the government’s cyber security strategy that was recently released,” Falk said.
“There is an ambition for Australia to be a world leader in cyber security by 2030, and so we see amendments to the Privacy Act being really instrumental in supporting that ambition. You need to have strong privacy laws that ensure that all of the economy is covered by the Privacy Act.”
Another major reason Falk pointed to when it comes to the importance of the reforms is that 89% of the community has indicated they want government to pass more laws to protect privacy.
“The act only covers businesses with $3 million turnover or more, and actually, that means that 95% of all businesses registered in Australia are not required to comply with the Privacy Act.
“We say that it’s really fundamental to change that, so that it really secures the supply chain for Australia in cyber.”
Duniec opened the session by claiming the stakes are high: “Privacy protection is an existential issue for our industry.
“We’ve talked about workplace relations and various other elements of the operating environment, but if we drop the ball of privacy protection, we lose our social licence. That undermines our credibility, trust, and really would make it impossible for us to do our job.”
Key reforms
Falk said business owners should be across three major reforms.
The first is that the government has agreed, in principle, to a new requirement that makes sure all information handling is “fair and reasonable.”
“This really accords with our sense of what’s right and just; it’s a standard that’s known in other legal contexts,” Falk told the room.
“That, for the first time, expressly requires organisations to put the interests of the individual at the heart of any of its information handling practices, and to ask whether they could or are likely to cause harm to individuals.”
The second is another accountability measure, which is a requirement to undertake a privacy impact assessment.
Falk described this change as “a risk assessment about how personal information will be handled, and how you can mitigate that. That would apply whenever there’s a handling of personal information that creates a privacy risk.”
The third is the addition of further security measures.
“There will be security outcomes that will be placed into the legislation if it goes ahead as proposed, and that will require organisations to make sure they have the level of resilience required to protect personal information,” Falk said.
Getting ahead of the curve
Duniec asked Falk if she had any key advice for businesses looking to make sure they are prepared for the likely reforms.
“The reforms are building on the current framework, so if you’re already fully compliant, you’re going to be well placed for the reform compliance,” Falk assured.
For those businesses looking to be more prepared, Falk advised: “If you’re not already building in privacy by design and a system that undertakes privacy impact assessments, I’d build that in as part of your risk assessment now.
“Also make sure, in terms of a notifiable data breach, that you’ve got a data breach response plan in place. Make sure it’s not gathering dust in the bottom of the drawer; it’s actually being operationalised in your organisation.”
Top Image: Angelene Falk