Privacy law reform on the horizon: what businesses can do now to prepare

Following the passage of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, the Australian Government is set to table a draft privacy amendment Bill, part of the second tranche of privacy reforms in Australia, this month. These reforms aim to bring Australia’s privacy laws into the digital age and closer to global benchmarks. While there are rumours of further delays, prudent businesses should use the time available by taking proactive steps now to prepare.

In September 2023, the Australian Government released its response (Response) to the Privacy Act Review Report (Report). Of the 116 recommendations proposed in the Report, the Government has agreed to 38 recommendations and agreed in-principle to 68 other recommendations.

In its Response, the Government delivers a very clear message to Australian businesses – the protection of Australians’ personal information is paramount, and inadequate privacy safeguards will not be tolerated. This message has been reiterated by Privacy Commissioner, Carly Kind, who has said, “the Privacy Act reforms will permit [the Office of the Australian Information Commissioner] to go after a range of different privacy harms and violations across the spectrum.”

Although detailed compliance measures will need to wait until the Bill is passed, it is apparent that businesses that are not already GDPR compliant would be required to step up their privacy practices, including by embedding ‘privacy by design’ and taking steps to incorporate privacy compliance strategies into every aspect of their operations as soon as possible.

Step 1 – Establish ‘fit for purpose’ governance frameworks and controls

Having suitably qualified senior personnel responsible for overseeing and delivering privacy programs and activities will be essential for any compliance strategy. Indeed, the reforms may require businesses to appoint or designate a senior employee to have specific responsibility for privacy within the business. Businesses should consider establishing or reconfiguring governance structures to ensure that:

  • they have a privacy reform project team involving experts from legal, compliance, IT and product that draws on advice from external experts to review the proposed reforms and commence planning;

  • roles and responsibilities between key personnel in the privacy compliance team are clearly delineated with clear reporting lines to the Board;

  • Boards are aware of their business’ privacy compliance posture and that privacy compliance is a regular agenda item;

  • existing data governance systems and controls (including data classification policies, privacy impact assessments, third party due diligence processes, data retention policies, suite of contracts and risk matrices) can be readily uplifted to address new compliance requirements; and

  • all staff are aware of their privacy compliance obligations by implementing regular training programs.

Step 2 – Understand the ‘current state’ privacy compliance regime

With the reforms expected to overhaul every aspect of the way businesses collect, use, disclose and retain personal information, businesses should review current privacy practices and understand their current privacy compliance landscape. This includes auditing data assets and practices and using robust data governance tools to:

  • ascertain the type, sensitivity, and volume of personal information held (for example, individuals’ names, addresses, health information). When doing so, businesses should bear in mind the proposed expanded definition of ‘personal information’, which will include technical information (e.g. IP addresses and location data) and inferred information (e.g. predictions of behaviour or preferences);

  • evaluate existing privacy policies and collection notices to understand the basis of the collection, use and disclosure of personal information within the business, and consider whether existing data collection and usage practices are excessively intrusive. This may include exploring whether there are other ways to meet legitimate business needs;

  • determine measures required to implement the anticipated reforms, in particular, having regard to the upcoming ‘fair and reasonable’ test. This test will apply irrespective of consent and will require businesses to consider whether the individual would reasonably expect their personal information to be collected, used or disclosed in the circumstances;

  • ensure data assets are accurately classified according to their sensitivity;

  • map data flows for material or potentially ‘high-risk’ business operations (including those that involve third parties) e.g. activities that involve procurement of emerging technologies such as artificial intelligence or facial recognition technology, marketing to children or any other activity that is likely to have a significant impact on the privacy of individuals;

  • identify technical measures used or available for use by the business to keep data assets secure; and

  • understand the business’ data retention practices, the regulatory requirements applicable to the business’ ongoing retention of data, and the associated internal records retention and destruction policies.

The outcomes of such an audit should be mapped against current privacy policies, collection notices and regulatory requirements to identify potential gaps and the uplifts required.

Step 3 – Embed ‘privacy by design’

The Australian Government expects a dramatic shift in businesses’ existing privacy practices and culture, with the protection of personal information being front of mind. Certain businesses, such as those involved in data commercialisation, may even need to reconsider their business model.

From designing and building products and services to administering workplace relationships, businesses should prioritise the protection of personal information at the earliest opportunity. Businesses should:

  • be aware that they may no longer be able to use personal information in the same way;

  • understand that privacy compliance is a ‘whole of organisation’ issue and not just the responsibility of a select few;

  • uplift project governance tools and structure to ensure that privacy compliance is considered in all operations and projects;

  • implement ‘privacy by default’ technical measures;

  • pursue data minimisation and only retain personal information that is necessary for the business’ functions and activities, applying the new ‘fair and reasonable’ test;

  • establish mechanisms (for example, age verification processes) to identify and deal with personal information of children as well as people experiencing vulnerability; and

  • revisit direct marketing practices and decision-making processes to account for additional restrictions applicable to personal information of children and people experiencing vulnerability.

Step 4 – Uplift IT and other resources to comply with new individual rights

Empowering individuals with control over their personal information is at the heart of the reforms. If the reforms are passed, individuals will have the right to:

  • object to the collection, use and disclosure of their personal information;

  • obtain an explanation of how the business collected and used their personal information through an enhanced right of access;

  • be notified about their rights and how to exercise them at the point of collection;

  • have their personal information erased; and

  • request meaningful information regarding any automated decision-making used by the business, where this is the case.

This will mean that businesses will need to consider how they will respond to the new rights. Businesses should:

  • invest in and allocate adequate resources to deal with expanded individual rights, including to implement new policies and procedures to deal with these rights;

  • review existing systems to determine whether the organisation has the necessary functionality to give effect to those rights;

  • identify any capability ‘gaps’ in the systems and consider the procurement strategy for necessary additional or upgraded systems; and

  • identify any process that may involve substantially automated decision-making, and, where applicable, ensure that individuals are provided with adequate information regarding this process.

In its Response, the Government also acknowledged that the expanded individual rights could potentially be burdensome on businesses and agreed in principle that these rights should be subject to exceptions.

Step 5 – Prepare for enhanced cyber security requirements

The Australian Government has agreed to enhance cyber security obligations, including specifying technical and organisational measures that businesses may be required to implement. It is expected that this will be guided by the 2023-2030 Australian Cyber Security Strategy (Cyber Strategy). Businesses should:

  • consider implementing the Essential Eight strategies and adopting other cyber security best practices set out in the Cyber Strategy;

  • where appropriate, undertake regular cyber security assessments, such as penetration testing, to assess and identify any cyber security risks or gaps; and

  • consider whether it is desirable and appropriate for the organisation to obtain and maintain recognised cyber security standards and certifications such as ISO 27001.

Authors

James North

Head of Technology, Media and Telecommunications

Eugenia Kolivos

Head of Intellectual Property

Clare Mould

Special Counsel

Robert Ceglia

Senior Associate

James Wallace

Senior Associate

Paul Sigar

Associate

Tags

Technology, Media and Telecommunications

This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.