In December 2019, the Attorney-General announced a review of the Privacy Act 1988 (Cth) (Privacy Act).

In light of recent cyber-attacks of Optus and Medibank Private, the Attorney-General has introduced a Bill (the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022), which fast-tracks some amendments to the Privacy Act. In particular, the Bill, if passed, will increase the current financial penalty which can be imposed on Australian Government agencies who have been found guilty of serious and repeated privacy breaches (see section 13G of the Privacy Act) from 2,000 penalty units to a maximum of $2.5 million. In addition, the Bill, if passed, will result in:

• substantial increases to the maximum financial penalties for body corporates found to have engaged in serious and repeated privacy breaches (there will be a discretion to impose penalties of up to $50 million or higher, based on relevant turnover and/or any benefit derived from the conduct that caused the breach); and
• strengthened investigative powers for the Office of the Australian Information Commissioner (e.g. the ability for the Information Commissioner to compel the production of particular documents or information).

The Bill means that compliance with the Privacy Act is more important than ever. It is particularly important for agencies to be able to demonstrate that reasonable steps have been taken to protect the personal information that they hold.

Practical steps to avoid the cost of a data breach

The best thing that agencies can do to avoid the costs which are inevitably associated with a data breach (in addition to the changes discussed above, significant time and resources are needed to manage all data breaches), is to avoid a data breach in the first place – or at least ensure an efficient, effective and defensible response.

From a practical perspective, we suggest that Australian Government agencies:

• Create a ‘data map’ of the personal information they hold (noting that personal information can be ‘held’ under the Privacy Act by both an agency and its subcontractor). This should document what personal information is held, where it is held, and (ideally) why it is being held by the agency.
• Minimise the amount of personal information held, and ensure that personal information that is not, or is no longer, required can be deleted under the Archives Act 1983 (Cth).
• Consider undertaking a privacy audit of current security settings (both technical and non-technical measures used to secure personal information), to ensure that they are up to date and robust.
• Ensure ICT systems have undergone sufficiently recent security assessments, and that any recommendations arising from those assessments have been implemented.
• Review contractual arrangements with third party ICT and other suppliers, to ensure they contain robust privacy and security obligations.
• Ensure staff have regular privacy training, so they understand their privacy obligations and what they must do to secure personal information.
• Review their Data Breach Response Plan (the Office of the Australian Information Commissioner has reflected that ‘a data breach response plan is essential to facilitate a swift response and ensure that any legal obligations are met following a data breach’).
• Practice using their Data Breach Response Plan, to test and improve how an actual or suspected eligible data breach is managed.
• Closely monitor the progress of the Bill and further proposed amendments to the Privacy Act and seek internal or external legal advice to ensure that your agency is complying with its obligations.