On 28 November 2022, Australia moved another step closer to having the harshest penalties in the developed world for breach of privacy laws. With the recent cybersecurity hacks of Optus and Medibank, and the alleged stealing of customers’ personal information, the proposed amendments have been fast tracked and passed both houses of Parliament. In light of these changes, all businesses should review their policy practices, data retention policies and security measures to ensure best practice and compliance. A data breach will not only have reputational risks, but exposure to significant costs and penalties.
Most businesses require their customers to hand over ‘personal’ and in some cases ‘sensitive’ information in order for the business to adequately provide their services. Such information includes full legal name, phone number, address, and in certain cases, copies of passports, driver’s licence (or similar identification documentation) and medical information.
Under the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) which has been passed to amend the Privacy Act, the maximum penalty for a serious interference, or a repeated interference, with an individual’s privacy will significantly increase to:
The Attorney General said that the intention of the tougher penalties is to incentivise better behaviour from businesses towards their customers, so that the cost of a breach is seen more seriously than the flippant “it’s the cost of doing business”.
As a result of the amendments:
There is no clear date for when the Bill will receive Royal Assent to become law, but it usually takes between 7 to 10 business days. These amendments are a move towards better security to safeguard the personal and sensitive information of Australians. The Attorney-General’s Department will be completing the ongoing comprehensive review of the Privacy Act by the end of this year, and it is expected that further recommendations for change will be made.
Given the impending changes to the Privacy Act, the new significant penalties for non-compliance and the ever-increasing data breaches and cyber security incidents, it is now more important than ever to audit your privacy practices and ensure you have robust systems in place to respond to any data breaches and security incidents.
Please contact Elizabeth Tylich to assist you with a review of your practices and to recommend any improvements.