
Privacy Health Check: the questions to ask to avoid data breaches amid tougher penalties

By Sonia Sharma & Colin Yuan

31 October 2022

The 11 questions to ask following the latest data breaches and proposed tougher penalties and powers under the Privacy Act.

Make Privacy a Priority – 11 Questions to Ask Today

It’s a huge responsibility to be trusted with the personal information of your customers, staff and other stakeholders. Privacy and cyber risks need to be proactively managed. It’s a whole-of-business concern and a board issue, and creating a 'privacy as a priority' and 'privacy by design' culture ultimately has huge business benefits in the short and long term.

Having foundational building blocks in place is critical, as is a genuine commitment to increasing privacy and cyber maturity across the whole business. It is a very complex issue and we know organisations are feeling overwhelmed by the latest breaches and the prospect of increased penalties and powers under the Privacy Act. We have developed this simple 11-point privacy health check to help organisations gain a clear picture of where they stand and what the urgent priorities are.

The recent data breaches have also prompted the Australian Government to introduce the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Privacy Penalties Bill). The Privacy Penalties Bill is intended to send a message to organisations that penalties for a major data breach are no longer ‘the cost of doing business’. Given this strong message, organisations need to be taking steps now to identify risks and gaps.

Urgent Privacy Health Check Questions

Be honest. Have we underinvested in privacy and cyber risk management?

Put simply, many Australian organisations have underinvested in managing privacy and cyber risks and compliance under the Privacy Act for the last decade. If your organisation falls into this category, you will need to set aside budget and resources to play some serious 'catch-up'. However, even organisations with mature privacy and cyber risk management levels will need to invest to account for increased threats and proposed legal reforms. We recommend organisations ensure they have set aside sufficient budget and people resources. Given the current risk landscape, resources will need to be uplifted, regardless of current maturity levels.

Have we conducted a data mapping exercise to understand the personal information our organisation actually holds, how it is collected, used, disclosed and handled, and which systems store which kinds of personal information?

Trust is critical, but how can you manage risks if you don’t have a very clear picture of your organisation’s data flows and the systems which hold personal information? Many organisations still do not have a record or data map of the personal information they hold and which information is stored on which systems. This information needs to be documented internally, and now is the time to do a holistic privacy and data review if your organisation does not have a current and accurate picture.

Do we collect personal information we don’t need?

The over-collection of personal information which is not required has been a long-standing liability. Old forms or historical processes may ask for personal information such as date of birth, gender or identity documents or details (such as driver's licences or Medicare details) which may not be required but pose a significant risk if compromised. It’s time to think critically about what personal information your organisation actually collects in the first place and whether it is needed.

Are we holding personal information we no longer need?

'Over-retention', or keeping personal information for longer than is required, is a very real risk which has been in the spotlight with recent major data breaches. Data retention and destruction is a complex issue to manage; however, organisations should be conducting an urgent review to consider whether sensitive or valuable personal information is being held past its 'use-by date'. All organisations should have clear policies and procedures documenting how long records should be held for, and operational controls to ensure records are actually securely deleted or destroyed.

Do we know how to respond to a data breach, with a clear data breach response plan which has been properly tested?

The OAIC expects organisations to have a clear data breach response plan that sets out procedures and clear lines of authority for responding to a data breach, including how to properly assess whether a data breach meets the 'serious harm' threshold under the Privacy Act and is notifiable.

In certain circumstances, reporting under other regimes may also be required. For example, the amendments to the Security of Critical Infrastructure Act require that specific critical infrastructure assets report certain types of cyber security incidents. Many organisations still do not have a data breach response plan, despite the mandatory data breach regime being several years old.

The plan needs to be tested and rehearsed with key internal stakeholders, including legal, IT and communications. Processes and escalation points need to be understood by everyone from front-line staff through to the Response Team.

Do we train our staff about privacy?

Do you provide regular training and education which is 'fit for purpose' at all levels, from front-line staff (such as simulated phishing email campaigns) to the executive and the Board (e.g. running table-top and hypothetical scenarios)?

Now is the perfect time to launch privacy refresher training, given privacy is currently in the spotlight.

We remain surprised that many IT teams still do not undertake privacy training. Privacy training and education for all staff should be ongoing and tailored to their role. We see limited value in off-the-shelf privacy training which does not take into account specific business requirements and needs.

Do we have an appointed privacy officer and privacy and cyber champions within the business?

These issues are a whole-of-business concern and not merely the responsibility of IT or legal! While many organisations have a privacy officer, the appointment of privacy champions is important to embed a culture of privacy within an organisation.

Do we take a privacy by design approach by conducting privacy impact assessments (PIAs)?

The OAIC has made clear that entities should have systems and processes in place to conduct privacy impact assessments. PIAs allow organisations to consider privacy at the start of a project and embed privacy controls early on.

Do we have a privacy management plan?

A privacy management plan helps to embed a culture of privacy, establish robust and effective privacy practice, implement procedures and systems, evaluate what you are doing and enhance your response. We are still seeing many private sector organisations operating without a clear privacy framework and plan.

What is our Essential Eight maturity level?

It is often said that privacy and cyber security are two sides of the same coin. Different businesses will be exposed to different cyber risks and different potential consequences. The Essential Eight is a series of mitigations the Australian Cyber Security Centre recommends as one of the most effective approaches to making it harder for malicious parties to compromise systems. For those at the start of their journey, implementing the Essential Eight as quickly as possible should be a priority. Other entities should be looking to increase their Essential Eight maturity level as outlined by the Australian Cyber Security Centre.

Don’t forget that cyber and privacy stakeholders should be collaborating and not working in isolation (which we frequently see).

Do we monitor and stay on top of legal reforms?

The proposed changes to the Privacy Act in the Bill (discussed below) are just the tip of the iceberg. The Privacy Act is under review and there are many other legal reforms in the data and privacy space. It is critical to understand potential changes in order to plan proactively. Organisations should have internal stakeholders appointed to monitor changes, and a clear compliance roadmap which addresses the steps to be implemented to deal with legislative change.

The Privacy Penalties Bill and the key points

In a nutshell, the Privacy Penalties Bill proposes to introduce four key measures:

  • a significant increase in the penalties under the Privacy Act
  • strengthening the enforcement powers available to the OAIC
  • strengthening the Notifiable Data Breaches Scheme under the Privacy Act
  • providing the Commissioner with greater information sharing powers including with the Australian Communications and Media Authority (ACMA)

Increased Penalties

The Privacy Penalties Bill proposes to substantially increase the maximum financial penalty for a corporation’s serious or repeated interference with privacy from $2.22 million to the greater of:

  • $50 million;
  • three times the value of any benefit obtained through the misuse of information; or
  • if the court cannot determine the value of the benefit, 30 per cent of the company’s adjusted turnover in the relevant period.

The substantial increase in penalties is clearly the most significant amendment to the Privacy Act and is intended to give organisations a meaningful deterrent against conduct that interferes with individuals’ privacy. For some global organisations, this could potentially result in penalties exceeding $100 million. This increase in penalties would bring the Privacy Act more in line with other jurisdictions such as the UK/EU GDPR.

Greater enforcement powers for the OAIC

The Privacy Penalties Bill also provides the OAIC with the following enhanced powers:

  • expanding the types of declarations that the Commissioner can make at the conclusion of an investigation;
  • broadening the extraterritorial reach of the Privacy Act so that foreign organisations that carry on a business in Australia, whether or not they directly collect or hold Australians’ personal information, are now also subject to the requirements of the Privacy Act;
  • new powers to conduct assessments; and
  • new infringement notice powers to penalise entities who fail to provide information to the Commissioner, without needing to commence litigation.

Importantly, the amended extraterritorial reach will now catch overseas organisations such as web hosting companies or third-party providers who store personal information for organisations caught by the Privacy Act.

Strengthening the Notifiable Data Breach Scheme

Under the Privacy Penalties Bill, the OAIC also has powers to request and obtain relevant information during an eligible data breach. This amendment is aimed at ensuring that the OAIC is able to have comprehensive knowledge of an eligible data breach. Again, this appears to be aimed at bolstering the OAIC’s ability to commence enforcement actions. This change should ensure that organisations who suffer an eligible data breach are proactive in gathering information and are able to provide a clear picture to the OAIC of the key facts of the eligible data breach.

Information sharing between the ACMA and the OAIC

The Privacy Penalties Bill will also amend the ACMA Act so that the ACMA is able to share information with a Commonwealth entity such as the OAIC. Previously, the ACMA Act had a prescribed list of authorities with which it was permitted to share information.

The Privacy Penalties Bill also enhances the OAIC’s ability to share information with other enforcement bodies and authorities (including foreign privacy authorities) and to disclose information publicly, if it is deemed to be in the public interest. Again, this raises the reputational risk and consequences for organisations who have not complied with their obligations under the Privacy Act.

Require further support?

The Maddocks privacy team has developed an efficient, effective privacy health check which can be deployed in businesses big and small.
