There’s no ignoring the media’s dedicated coverage of the calculated cyberattacks targeting Optus, Medibank and Latitude Financial over the past year. The ripple effect has caused millions of consumers’ personal information to be compromised. The subsequent public outcry pushed our Government to move and introduce privacy framework reforms in order to catch up with the current global standards.

The Attorney-General’s Department released the Privacy Act Review Report in February 2023, as part of the Australian Government’s review of the Privacy Act 1988 (Cth). Stakeholder feedback was tabled and lodged. Therefore, business owners should begin preparing themselves for what will be drastic compliance and regulatory changes on a scale previously not experienced in this country.

WHAT TO KEEP IN MIND AS AN ACCOUNTING PRACTICE

Reviewing processes for the protection of personal information

‘Personal information’ is everything that involves the collection, use and disclosure of personal information under ‘fair and reasonable’ circumstances, irrespective of whether consent has been obtained. Business owners will need to:

• appoint a senior employee who is responsible for privacy.
• keep a record of their handling of personal information (including technical information such as device IDs and IP addresses), the purpose of collection, use and disclosure, secondary uses and disclosures, the sources of information, and to whom information is being disclosed.
• include mandatory transparency for specific automated operations, the ability for people to opt out of personal data collection/use, and retention/destruction regulations.
  

Transparency of handling staff data

Requirements for business owners relating to transparency about informing employees how their information is handled, including its security, destruction and data breach reporting is currently in a consultation process and is still under review. Further detailed information is still to come.

‍

Updating privacy policies, consent forms and collection notices

Privacy policies and collection notices will be required to contain new information. Consents must be voluntary, informed, current, specific and unambiguous. Collection notices must also be clear, up-to-date, concise and understandable. Go to oaic.gov.au for a list of the current guidelines.

‍

‍

Change to cyber-attacks and data breach reporting structure

Cyber-attacks and data breaches must be reported to the Information Commissioner (IC) within 72 hours. There will now need to be additional information included in breach notices and companies must also be seen to have taken reasonable steps to implement practices that enable them to respond to cyber-attacks.

Statutory tort for serious invasion of privacy

The Report also proposes a statutory tort for serious invasions of privacy, which falls outside the Act. This is not a new recommendation as it was first proposed by the Australian Law Reform Commission in 2014. The Report acknowledges that existing laws or causes of action, such as breach of confidence or defamation, do not currently provide sufficient redress for a serious invasion of privacy. Further detailed information is still to come.

Role of OAIC enforcement and civil penalties

The Office of the Australian Information Commissioner (OAIC) will be granted additional powers, including being able to make APP codes where this is in the public interest; undertaking public inquiries and reviews; and an expansion of general investigatory powers.

Several tiers of civil penalties will also be introduced. At the top end, maximum penalties will be:

• AUS $50 million; or,
• 3x the value of any benefit obtained through the misuse of information; or,
• 30% of a company’s adjusted turnover in the relevant period.

WHAT SHOULD YOU BE DOING RIGHT NOW?

Smart business owners should be preparing themselves accordingly and be mindful that the upcoming Privacy Act reforms will require all of us to make substantial changes to the way we interact with clients and staff regarding handling their personal information and data.

Businesses should be being proactive and working closely with their IT departments or providers to ensure they meet all the new standards and requirements. To be on the front foot, you need to start:

• reviewing the Privacy Regulatory Action Policy;
• checking the OAIC’s website for the updated Guide to Privacy Regulatory Action;
• reviewing internal privacy policies and procedures;
• ensuring your organisation has an established cyber-attack and data breach escalation protocol; and,
• regularly training your staff on privacy and cybersecurity obligations.

CONCLUSION

The Government’s reaction to the recent cyber-attacks and data breaches has been the catalyst to remind us of the reputational and financial risks associated with compromises to the security of personal information.

‍

Remember: No company is too small to be targeted.

While we await the final recommendations of the review, now is a crucial time for Business Owners to think about their existing IT Cybersecurity and Privacy Framework for collecting, storing and processing personal information of clients and employees. By taking the time to review your current processes, you’ll be properly prepared for when the privacy reforms are finally announced.

Here’s a simple way to get an instant ‘snapshot’ of the vulnerability of your company’s I.T. Systems. We call it our T4 Group CyberSCORE assessment. It’s a series of questions you answer online, which instantly provides you with a cyber score. This lets you know how vulnerable you really are.