Australian privacy reform gathers momentum with new report
The Australian Attorney-General’s Department has recently published the outcome of its long-awaited review of the Privacy Act 1988. This marks a significant step towards reforming the country’s privacy law to keep up with the ever-evolving digital landscape.
The Privacy Act Review Report, which was released on a Thursday, contains 116 recommendations based on the feedback and contributions of stakeholders over the past two years. The report covers 30 key themes and proposals related to privacy regulation, including the protection of personal information, transparency and accountability, and the enforcement of privacy laws.
The recommendations put forth in the report aim to enhance the privacy rights of individuals and strengthen the regulatory framework around the handling of personal information by organizations. This is particularly important in light of recent high-profile data breaches and increased public awareness of the potential risks associated with the collection and use of personal data.
The report is expected to have a significant impact on the privacy practices of businesses and organisations across Australia. It has been welcomed by privacy advocates, who see it as a positive step towards greater protection of individuals’ privacy rights. The report is now being considered by the government, and it remains to be seen which recommendations will be implemented and how they will be enforced.
Scott Hesford, Director – Solutions Engineering APAC, BeyondTrust
“Today, organisations that understand they are truly custodians of their customers’ personal data, and apply strong cybersecurity controls, have a much higher likelihood of defending brand reputation, customer loyalty and thereby profitability. In the light of the government’s Privacy Review, it’s important to note that putting a security framework in place in any enterprise can support a focus on valuing the data a business holds and also highlight the threat actors coming at you.
“In Australia, we may not need to write an entirely fresh collection of legally binding cybersecurity requirements for organisations holding Personally Identifiable Information (PII) but we do need to ensure that we’re holding that data under the appropriate settings in accordance with recognised strategies such as the well-defined ASD Essential Eight set of guidelines. This includes mandating organisations to manage and restrict administrator privileges, limit access to sensitive data and also to put in place controls for how long any person within an organisation can have access to privileged accounts.
“Indeed, the Essential Eight framework covers a variety of items that security teams need to consider as a starting point. In addition to restricting administrator privileges, software patching, the deployment of multi-factor authentication capabilities for both custodians of PII and their customers, and application control (or who can run what and where) are all included and can provide robust safeguards for supporting an organisation’s customer privacy requirements in line with evolving legislation. Organisations may also need to look further afield to approaches such as zero trust to truly protect their customer data.”
Glyn Geoghegan, Security and Compliance Director, Devicie
“It should not be too surprising that the existing Privacy Act finds itself a little out of date and out of touch.
“The personal information we willingly, unwillingly, and unknowingly reveal to those mining data has grown seemingly exponentially. With recently publicised abuses of personal data (Cambridge Analytica), loss of data to the bad guys (Optus, Medibank), and general overreach on the use of our information (looking at you, social media networks), we are now all far more aware of the implications of sharing that information.
“The Act set out strong principles around security, which the Attorney General rightly acknowledges a desire to build upon. However, looking around the world at gold standards of informed consent and rights over our personal information shows Australia is now behind the curve on formally acknowledging individual rights and responsibilities of the corporate world over that data.
“The European Union General Data Protection Regulation (the GDPR) sets out explicit rights to correct, delete, control, or transfer data for an individual, and that organisations must accurately and fairly disclose what they intend to do with the data. The California Consumer Privacy Act (CCPA) (and similar legislation in multiple US States) allows people to opt-out of the commercialisation of their data.
“The Australian Government’s Report recognises that setting out these rights for data subjects is both guiding organisations on their responsibilities and the repercussions should they fail to respect them.
“The Act again shows its origins in the era of faxes and phone calls in the ambiguity about what information is to be protected and setting clear guard rails. The report seeks to address this by making it clearer what data can currently ‘reasonably be used to identify an individual’, while also allowing the definition to carry forward as the technology and use evolve. Can we predict how Machine Learning and AI which consume huge volumes of training data will affect this? Can a musician be reasonably identified by the chord progressions manifesting in an ML single? An artist from their brush strokes in derivative art?
“Name, city, and phone number seem obvious – but username, email address consisting of first.last@company, IP address—would these have been things our 1980s cohort could have conceived for future refinements of the Act? Will I still have a mobile number in another 5, 10, or 25 years?
“The third pillar of the review is focussed on how better to cope with the inevitable failures around protecting data. There is a focus in the one-pager on the punitive measures, facilitating the Courts and Regulators with the sticks to get the attention of organisations handling the data (and in part, the stick was strengthened in the amendments passed in December 2023). The experience of the UK and the EU has shown that greater fines have been an incentive for organisations to pay attention (there was little motivation when the fine was less than the cost to fix).
“The real strength of the Review seems to be in the guidance and education pieces; helping the Individual understand what data matters and why, and perhaps to think twice about handing it over, and having the opportunity to change their mind.
“Furthermore, the guidance and education pieces focussed on the organisations in both why and how they should handle, protect, and importantly respect individuals’ data (which gently reminds them that financial and other implications may face them if they fail).”
Michael Bovalino, ANZ Country Manager, LogRhythm
“The Privacy Act reform is a welcome update considering the amount of business digitisation that Australia has achieved in recent years. At the same time, the recent Optus and Medibank breaches have shown citizens just how data protection regulations can affect them when so much personal information is held on the basis of trust with the organisations they are transacting with.
“The reform needs to provide a clearer definition of “Personal Information” and for security protections to be applied to information that has been de-identified, especially if these have the possibility to be re-identified. At the same time, with small business being 350% more likely to experience social engineering attacks, it makes sense for the legislation not only to include smaller businesses but also to provide support to these businesses to ensure that they have the time and budget to obtain the proper infrastructure and training required to comply with the reforms.
“In addition, while the reform suggests individual rights could be modelled on the EU’s GDPR, this gives Australians some “right to be forgotten,” as well as more transparency and control over just how their data is being handled. In this age where a simple search exposes who you are and makes it easy to be impersonated, it’s good to have that option available. At the same time, individuals should also be wary of who they’re giving consent to.
“At the end of the day, businesses should proactively seek to comply with the various data protection and cybersecurity regulations relevant to their industries. After all, recent LogRhythm research found that 67 per cent of companies have lost a deal due to their prospect’s lack of confidence in their security at a time when the OAIC is also seeking a greater mandate in relation to investigations, public inquiries and determinations. Compliance will give businesses a strategic advantage, especially when it’s not a legal requirement, as it shows the company’s commitment towards reducing risks. This, alongside the new civil penalties introduced, means that there will now be stronger enforcement.
“All up, these reforms continue to scope how businesses should protect personal data. They will ensure that Australia remains a low-risk and attractive place to conduct business in.”