Privacy please! – the review of the Privacy Act

Every day we hand over personal information to do simple tasks: online shopping, using apps, signing up to services and, in the current COVID-19 climate, signing in at restaurants and venues. But how is that personal information protected, and how can it be used? In turn, what obligations do agencies and organisations have concerning personal information? The Privacy Act 1988 (Cth) promotes the protection of individuals’ privacy and personal information.

Following the ACCC’s Digital Platforms Inquiry – final report (2019), the Australian Government committed to reviewing the Act. In October 2020, the Attorney-General’s Department released a Privacy Act Review – Issues Paper which set out the areas under review and invited submissions; the submissions can now be read on the A-G’s website. The issues paper looks at the adequacy and effectiveness of the Privacy Act, particularly at a time when we rely heavily on technology and many people are increasingly concerned about their privacy rights.

Personal Information – obligations, breaches and definition

The review will include the promotion of good privacy practices and the potential for an independent certification scheme.

The Act has thirteen Australian Privacy Principles that set out how an entity or organisation may collect, use, manage and store personal information; it also sets out other obligations and enforcement mechanisms. In particular, the Act includes the notifiable data breach scheme, which sets out when an organisation must notify the Office of the Australian Information Commissioner and affected individuals of an eligible data breach involving personal information. As part of the review, the AG’s Department will be looking at the scheme and how it is currently working.

The definition of personal information will also form part of the review. Currently, the Act sets out a broad definition of personal information; personal information can range from an individual’s name, phone number and date of birth to their health information and religious views. Opinions also fall under personal information, irrespective of whether they are “true or not”. Definitions of personal information in overseas jurisdictions vary.

Other areas of review

The AG’s Department has also stated that the review will consider:

  • the scope and application of the Act – including any current exemptions;
  • if the Act adequately protects personal information and has a practical and proportionate framework to promote good privacy practices – including erasing data, consent to default privacy settings and overseas data flows;
  • the introduction of a statutory tort for serious invasions of privacy;
  • if individuals should be entitled to direct rights of action for the enforcement of privacy obligations;
  • the standard of enforcement and the interaction of the Act with other regulatory frameworks; and
  • the viability of an independent certification scheme.

Following the Issues Paper, the AG’s Department has indicated that it will release a discussion paper this year. The discussion paper will seek further feedback on preliminary outcomes and proposed reforms. The review will be an area to watch to see which reforms are proposed and potentially introduced under the Privacy Act.

Author: Sharna White, Graduate Lawyer. Sharna has recently finished her time with us to take up a great position – we wish her all the best!

Mandatory data breach notification toolkit

All businesses that are currently subject to the Privacy Act will have new mandatory data breach notification obligations from 22 February 2018.

With new obligations under the European Union General Data Protection Regulation (EU GDPR) also applying to many Australian businesses, now is the time to finalise your updated privacy procedures.

Step 1 – understand your obligations. You will need to have an understanding of the new mandatory data breach notification requirements and, if you handle EU customer information, of the GDPR requirements.

Step 2 – audit your existing systems. Do you have clear, simple plans for changing passwords, limiting access, editing or removing online information and notifying the right people internally? Assess the likely security risks in your organisation and consider possible weak points.

Step 3 – audit your suppliers. You will need to review vendor contracts, specifically for IT vendors, to check whether you have appropriate privacy requirements in place for your suppliers. Have you identified suppliers you can call on to help you identify, contain and respond to breaches?

Step 4 – update your plan. Many organisations will already have data breach response plans in place. Check whether these are up to date – current people, contact details and systems need to be added. Plans will need to be updated to reflect Australian mandatory reporting obligations and GDPR requirements. In particular, note the 72 hour timeframe for notifying the supervisory authority under the GDPR, and the 30 day period the Australian scheme allows for assessing whether a suspected breach is an eligible data breach. Ensure that your privacy policy is up to date – we see a lot of privacy policies that were drafted before the changes of the last few years and haven’t been updated.

Step 5 – test your plan. Run through possible scenarios to ensure that you have the right procedures and systems in place.

You should ensure that your procedures are ready during the next month.

We can help you with a privacy toolkit including details of the new requirements, updated policies, procedures and reviews to ensure that you are ready for February. If you would like to discuss our privacy toolkit, contact us.

The GDPR is coming – does it affect you?

Australian businesses of any size need to be aware of the new European Union General Data Protection Regulation, which applies from 25 May 2018.

Small Australian businesses, with an annual turnover below $3 million, are used to being exempt from the Australian Privacy Act (unless they fall into specific categories). Many do not have privacy policies or procedures in place.

The GDPR does not exempt small businesses.

Which Australian businesses will be affected?

The GDPR will apply to all Australian businesses which:

  • have an establishment in the EU,
  • offer goods and services in the EU, or
  • monitor the behaviour of individuals in the EU.

The OAIC has provided some guidance, with examples of these criteria:

  • an Australian business with an office in the EU,
  • an Australian business with a website that targets EU customers,
  • an Australian business whose website mentions customers or users in the EU, or
  • an Australian business that tracks individuals in the EU online, and uses data processing techniques to profile them.

Examples of targeting EU customers include enabling the ordering of goods or services in a European language, or enabling payment in euros.

The European language factor appears broad, but the GDPR makes it clear that where a website uses a language that is generally used in the business’ home country, this will not necessarily mean that the GDPR applies. Australian businesses offering services in community languages should be conscious of this issue and, if necessary, make it clear that their presence is only local.

The issue of “mentioning” customers or users in the EU arises from Recital 23 of the GDPR, which states that where a website mentions customers or users who are in the EU, this may make it apparent that a business envisages offering goods or services to EU data subjects.

What are the requirements?

Key new aspects of the GDPR are stricter accountability measures, including audits, privacy impact assessments, activity records, policy reviews, and the appointment of a data protection officer for large-scale data handling operations.

The GDPR and the Australian Privacy Act share many requirements, including the need:

  • to implement a “privacy by design” approach to compliance
  • to be able to demonstrate compliance with privacy obligations, and
  • to adopt transparent information handling practices.

There are also some significant differences. These include data portability and a right of erasure, which go considerably further than the Privacy Act requirements.

What should Australian businesses do?

According to an ISACA survey of executives, as at 9 months before implementation, fewer than a third of those surveyed were satisfied with their organisation’s progress to prepare for GDPR; more disconcertingly, 35% were not aware of their organisation’s progress.

To put your business in better shape to meet this new regulatory framework, you should be acting now in the following areas.

If your business is currently below the Privacy Act threshold, but will be directly affected by the GDPR, you will need to kick start your compliance program.

To adapt a current privacy program to the GDPR, you will need to focus on the following areas:

  • compliance: classify personal data; conduct risk assessments; implement privacy protection practices for all business areas; identify an employee with responsibility for data protection, and, if your organisation handles significant amounts of data, appoint a data protection officer; implement compliance audits; and document all processes.
  • data handling: be aware that, for online services offered directly to a child, consent for a child under 16 must be given or authorised by a parent or guardian (member states may lower this age to 13); implement systems to delete data once it is no longer needed for the purpose it was collected for; delete data if the individual withdraws consent and no other lawful basis applies.
  • transparency: put in place processes to provide individuals with full and clear information about the treatment of their personal data; review end user licence terms and customer terms; be prepared to notify the supervisory authority within 72 hours of becoming aware of a data breach, and affected individuals without undue delay where the breach is likely to result in a high risk to them.

Even if your business is not directly affected, the ability of your EU business partners, distributors and corporate group members to provide you with information from their own operations will be affected, so you may need to adjust existing business practices to address this issue.

You should also consider whether your business relies on business data that is sourced from affected organisations.  Industry sources expect the GDPR, once implemented, will significantly affect the flow of business data which is currently processed and used for analysis by Australian businesses.

If you need help to develop privacy policies and processes, or to adapt your existing procedures to meet GDPR requirements, contact us.

Submissions due on OAIC’s draft big data guide

The Office of the Australian Information Commissioner is calling for submissions on its draft Guide to big data and the Australian Privacy Principles.

The document will not be legally binding or replace the APPs, but will be used by the OAIC as a reference point. As such, some elements of the guide are broad-brush – such as the recommendation not to be “creepy” – while other recommendations are more specific.

Key recommendations in the draft include: