Time to review your privacy policy and procedures: Tougher penalties apply

On 28 November 2022, Australia moved another step closer to having the harshest penalties in the developed world for breach of privacy laws. With the recent cybersecurity hacks of Optus and Medibank, and the alleged stealing of customers’ personal information, the proposed amendments have been fast tracked and passed both houses of Parliament. In light of these changes, all businesses should review their policy practices, data retention policies and security measures to ensure best practice and compliance. A data breach will not only have reputational risks, but exposure to significant costs and penalties.

Why are the changes relevant?

Most businesses require their customers to hand over ‘personal’ and in some cases ‘sensitive’ information in order for the business to adequately provide their services. Such information includes full legal name, phone number, address, and in certain cases, copies of passports, driver’s licence (or similar identification documentation) and medical information.

Under the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) which has been passed to amend the Privacy Act, the maximum penalty for a serious interference, or a repeated interference, with an individual’s privacy will significantly increase to:

1. for an individual, $2.5 million (from $444,000); and
   
2. for a body corporate, (from $2.22 million) to the greater of:
   
   1. $50 million;
      
   2. 3 times the value of any benefit obtained through the misuse of information; or
      
   3. 30% of a body corporate’s adjusted turnover in the relevant period.

The Attorney General said that the intention of the tougher penalties is to incentivise better behaviour from businesses towards their customers, so that the cost of a breach is seen more seriously than the flippant “it’s the cost of doing business”.

As a result of the amendments:

1. the Australian Information Commissioner is given greater powers to resolve privacy breaches;
   
2. the Notifiable Data Breaches scheme is strengthened to ensure the Australian Information Commissioner has comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals;
   
3. the Australian Information Commissioner and the Australian Communications and Media Authority is granted greater information gathering and sharing powers (including enabling them to share information publicly if it is in the public interest to do so); and
   
4. the jurisdiction of the Privacy Act is expanded so that foreign organisations that carry on business in Australia are required to meet obligations under the Act, even if they do not collect or hold private information of Australians.

There is no clear date for when the Bill will receive Royal Assent to become law, but it usually takes between 7 to 10 business days. These amendments are a move towards better security to safeguard the personal and sensitive information of Australians. The Attorney-General’s Department will be completing the ongoing comprehensive review of the Privacy Act by the end of this year, and it is expected that further recommendations for change will be made.

What can you do now?

If you haven’t already, it is time to review your privacy policy and practices, and to understand the types of personal information you hold about your customers, clients, suppliers, contractors and other stakeholders, and whether your practices are reasonable to protect this information. Most importantly, it is time to consider whether you need to collect such personal information, and if so, what is a reasonable and lawful period of time to continue to hold such information.

Given the impending changes to the Privacy Act, the new significant penalties for non-compliance and the ever-increasing data breaches and cyber security incidents, it is now more important than ever to audit your privacy practices and ensure you have robust systems in place to respond to any data breaches and security incidents.

Please contact Elizabeth Tylich to assist you with a review of your practices and to recommend any improvements.