Is your agency ready for the privacy tsunami?
Get ready with our 10 point Action Plan
The Hon Mark Dreyfus KC MP has foreshadowed that the overhaul to the Privacy Act will begin with legislation introduced this month.
Although the precise details of how the Privacy Act will be amended have not yet been announced, Australian Government agencies should take some practical steps now to prepare for the likely deluge of privacy work involved in implementing the reforms.
Here is our 10 point Action Plan to get ready:
1. Conduct data mapping exercises
- Create a ‘data map’ of all personal information that your agency currently holds (remember that personal information can be ‘held’ under the Privacy Act by both an agency and its subcontractor).
- This should document what personal information is held, where it is held, and (ideally) why it is being held.
2. Review what you hold
- Over-collection and over-retention of personal information is a liability.
- Think critically about all personal information your agency has collected and whether it is still needed.
- Ensure that personal information that is no longer required can be deleted under the Archives Act 1983 (Cth).
3. Review and test your data breach response plan
- Now is the perfect time to practise using your plan, to test and improve management of eligible data breaches.
- How will you change your plan as a result of the reforms?
4. Review your privacy training
- Make sure your current mandatory privacy training is appropriate – does it prepare your staff for the anticipated reforms?
5. Audit existing Privacy Impact Assessments (PIAs) and Privacy Assurance Advices (PAAs)
- Compliance now does not mean compliance forever.
- Do you know which PIAs and PAAs may need updating as a result of the reforms?
6. Review current consent and collection notices
- The boundaries of consent will likely be more clearly defined in the reforms.
- Do you have a process to review your agency’s current consent and collection notices?
7. ‘Future proof’ your contracts
- Make sure your privacy clauses and protections are not just ‘good enough’.
- Do your existing contractual measures give you enough flexibility to manage the reform changes?
8. Review existing data sharing arrangements
- Review and update data-sharing agreement templates in light of anticipated reforms.
- Do you need additional de-identification techniques or protections?
9. Governance documents
- Do you have the right internal governance documents in place (e.g. privacy management plan, privacy threshold assessment template)?
- Review and update them to account for the anticipated changes.
10. Review current resourcing levels
- Set aside sufficient resources to invest in implementing the reforms.
- Prepare to uplift current privacy and cyber risk management levels, even if they are already mature.
Our Privacy, Data and Information Law team is ready to help you navigate through the above issues.
Get in touch with our team for more information.