An update of the 35-year-old Privacy Act will make boards more accountable for how they handle information from individuals.
Privacy has been a sleeper issue for many organisations and their boards, left to management to worry about or tucked away somewhere in the cybersecurity strategy. This will change with the proposed changes to the Privacy Act 1988, which will give individuals more control over how organisations use their data (and will make those organisations and their boards more accountable for how they handle individuals’ information).
“This is a quantum shift — a big shift in Australian privacy,” says Alec Christie, a partner in privacy, cyber and digital at law firm Clyde & Co. “It’s going to be more prescriptive, it’s going to be enforced more, it’s going to be more detailed.”
The change will be bigger for some organisations than others, because it fills out the detail and puts into practice what many should already be doing. Companies that are compliant already will still find the changes significant, but much easier to implement than those that aren’t.
“For a company not complying with privacy requirements now, this will be like the GST coming,” says Christie. “This will be an amazing change for them.”
The looming privacy reforms stem from last year’s Privacy Act review, which considered whether the Act and its enforcement are fit for purpose in an environment where Australians now live much of their lives online and their information is collected and used for a myriad of purposes in the digital economy.
In late September, the government announced that it would accept many of the report’s recommendations and legislate accordingly, although observers say the reforms will take a number of years to be legislated and the changes might be introduced in stages.
Christie says a key driver of the reforms is to bring Australia more into line with the European Union’s General Data Protection Regulation (GDPR) regime and so potentially ease the path for Australian businesses to share information with entities in Europe. Currently, Australian businesses have to jump multiple hurdles to share even small amounts of data. Should the EU recognise the equivalence of Australia’s data protection regime it will make data sharing much simpler for companies with branch offices in Europe, which have data processed in Europe or are planning M&A deals, for example.
The majority of boards currently leave privacy to management — and they will need to play a greater role in oversight of the organisation’s privacy and cybersecurity risk management and compliance. “The privacy compliance of an organisation is part of a director meeting their duty for due care and skill,” says Christie, noting that boards should be assessing where their company is now with privacy and cybersecurity.
“The board needs to ensure their organisation is meeting [current requirements] or has a program of work to uplift in order to meet the current requirements,” he says. “That is a fundamental step in starting to be ready for the changes.”
Directors should also ask when the company last had an independent review of its privacy and cybersecurity settings — hopefully within the past two years — and whether the company has acted on areas of concern that might have been raised.
Christie points out that a director must exercise due care and diligence on privacy, but that it shouldn’t stop a company from carrying out its business. “There’s got to be a pragmatic lens on whatever we do in a privacy sense, as well.”
Larissa Cook GAICD, a principal at Baker Cook Advisory — and a non-executive director at Central and Eastern Sydney Private Health Network, St John Ambulance (NSW) and Hunter Health Insurance — says the privacy reforms will make boards and management realise that privacy isn’t just “set and forget”. Instead of using off-the-shelf privacy policies, companies will need to come up with a bespoke privacy model that reflects what the business actually does. “The whole process now has to be more bespoke,” she says. “You have to have a privacy policy that specifically deals with what it is you do as a company, what information you collect, for what purpose, how you’re going to store it, what you’re going to do with it, who you’re going to disclose it to.”
Cook suggests companies carry out an audit of the data they hold. “Data destruction policies go hand in hand with data protection policies.”
Personal data in the firing line
Privacy hit the headlines in September last year when telco Optus suffered a data breach that affected up to 9.7 million current and former customers, whose names, birthdates, home addresses, phone numbers, email addresses, passport and driving licence numbers were stolen.
A month later, health insurer Medibank Private was also breached. Along with similar information that was stolen in the Optus attack, the hackers took medical claims data, including information about diagnosis, procedures and location of medical services.
Both organisations are the subject of ongoing class actions. Optus apologised to customers, identified lessons learned and commissioned an independent external review, led by Deloitte. Medibank established a cyber response support program for current and former customers.
The most recent Deloitte Privacy Index reveals the reputation risk that organisations face if they do not have adequate data handling and protection policies. Australians who have suffered a breach tend to be more disappointed with the organisation than with the actual cybercriminals. And 80 per cent believe organisations should be liable for compensating data-breach victims.
The expanded definition of personal information from information “about a person” to information “that relates” to a person will include a much wider sweep of data, such as analytic insights a company has derived from data it holds.
Kate Monckton, a risk advisory partner at Deloitte, says personal information can include technical data such as IP addresses, which can reveal a location, and even someone’s email address. For instance, bill.smith@acme.com.au reveals Bill Smith’s name, the fact that he works for Acme and lives in Australia. Companies need to consider whether the expanded definition means they will have to start treating previously excluded data sets as personal information and bring them into their privacy programs.
Some organisations advised by Deloitte are proactively taking a “we can, but should we?” approach to their use of data and establishing ethical frameworks for data handling. Monckton advises companies to put aside budget to implement the looming changes. Additionally, if they are planning a big tech investment that will run for several years, they need to ensure it is future-proofed to comply with the new regime.
“The smart organisations are getting ahead now. It might not be huge investments of time or money right now, but it’s enough to know this is coming,” she says. “You can’t wait until that happens in some of the organisations that have long funding cycles.”
Privacy impact assessment
The reforms will likely require companies to carry out a privacy-impact assessment (PIA) before starting an activity with high privacy risks. A PIA is a systematic evaluation that identifies how a project or product might affect the privacy of individuals and sets out recommendations for managing, minimising or eliminating that impact.
“This will force organisations and boards to really think broadly around how users use their services, the information they provide to do that and the information organisations use about the users to provide the services,” says Clare Baxter GAICD, executive general manager of legal and governance at metering company Intellihub Group and a non-executive director of Laurus Higher Education. “I don’t think that’s a bad thing. That’s good governance and that’s understanding your business and the impact you have on individuals.”
Baxter says the current privacy principles require companies and directors to use and protect their data in the same way they will have to once the changes are introduced. But the proposed new requirements — such as the fair and reasonable test and PIAs — will create a framework for directors to consider the broader use of that information. The framework should enable a risk assessment and build a culture of compliance and consideration of an organisation’s social responsibility.
One major change to the Privacy Act will be the requirement that organisations seek consent to collect sensitive information, which should be voluntary, informed, current, specific and unambiguous — and able to be withdrawn. Cybersecurity and privacy law consultant Patrick Fair GAICD says the changes will “up the bar” from current arrangements, where many companies believe disclosing activities in their privacy policy allows them to perform those activities. It will push companies to reconsider what information they collect from customers. For instance, names and addresses are essential for deliveries, but customers might not want their purchase history used for further marketing.
“That’s not necessary, really,” says Fair. “From your point of view, it’s a function of your business and it’s adding value and it’s part of how you keep your business afloat. But from the customer’s point of view, it’s about you, it’s not about them.”
Fair adds that along with already introduced higher penalties for privacy breaches, the new regime is also likely to include a direct right of action for individuals. In its response to the privacy report, the government says this would “increase the avenues available to individuals who suffer loss or damage as a result of an interference with privacy to seek compensation”.
“Directors should be thinking at a high level and asking, considering the level of risk that this regulatory regime imposes to our ordinary operations, can I clarify and eliminate that risk by keeping less information and keeping it for a shorter period?” he says. “Can I improve my system so that the risk of a data breach particularly is eliminated? Can I also examine where most privacy exposures come from, which is my third-party relationships and how I’ve contracted with people, how they get into my systems? What access do they have to my data?”
The proposed removal of the small business exemption will create significant compliance challenges and cost for small businesses.
The government has agreed in principle that organisations appoint or designate a senior employee responsible for privacy within the entity. This person may also have other duties, the government states in its response to the privacy report, but doesn’t provide any more details. There is a question over whether that person should be part of in-house legal, the risk team or the IT or cybersecurity team.
Christie says that regardless of where the responsibility sits, the responsible person should coordinate with all the affected functions of the business. “That’s where boards can really assist because they can be the end of the line where it’s all reported to.”
Proposed changes to the Privacy Act 1988
Recommendations from the Privacy Act Review, to which the government has agreed “in principle”.
Expanded definition of personal information
Expanded from “information or an opinion about an identified individual, or an individual who is reasonably identifiable” to “information or an opinion that relates to an identified individual, or an individual who is reasonably identifiable”.
Strengthened consent requirements
Consent from individuals to have their data collected or used to be “voluntary, informed, current, specific and unambiguous”. Individuals should also be able to withdraw consent just as easily.
A fair and reasonable test
Organisations must carry out an objective assessment of how a reasonable person would expect personal information to be collected, used or disclosed.
New individual rights
Individuals will have more control over how businesses handle their personal information, with the introduction of the right to erasure, the right to object and the right to de-index search results.
Small business exemption
Remove the exemption from the Privacy Act for businesses with a turnover of less than $3m, but only after further consultation.
Shorter timeframes for data breach notification
Shorter timeframes of 72 hours, reduced from 30 days under current legislation, for reporting a notifiable data breach.
More protections for de-identified data
De-identified data doesn’t currently fall under the Privacy Act. The report proposes protecting de-identified information from unauthorised access or interference, and prohibiting the re-identification of de-identified data by third-party and overseas entities.
Higher penalties — already legislated
Last year, the government introduced higher maximum penalties for breaches of the Privacy Act.
For companies, it will be the greater of:
$50m
Three times the value of benefits obtained or attributable to the breach (if quantifiable)
30 per cent of the corporation’s “adjusted turnover” during the “breach turnover period” (if the court cannot determine the value of benefit obtained).
For individuals it will be:
$2.5m
This article first appeared under the headline ‘Right to Privacy’ in the November 2023 issue of Company Director magazine.