Sonia Sharma
Sonia has wide ranging experience advising on technology, cyber, telecommunication and general commercial matters, specialising in cyber and data resilience advice.
View profile
The Australian Government has introduced the first tranche of its reforms to the Privacy Act 1988 (Cth) (Privacy Act) through the Privacy and Other Legislation Amendment Bill 2024 (Privacy Bill).
This Privacy Bill:
Despite the above changes – the Privacy Bill has excluded a significant portion of the more substantive reform that would bring Australia’s privacy and data regulatory regime in line with other jurisdictions, such as the European Union.
This provides organisations with time to get ahead of the Government – and take practical steps to prepare for the Privacy Act reforms. The message from Maddocks on the Privacy Act reforms has been consistent – organisations need to be taking proactive preparatory steps, rather than waiting for the final form of the changes.
Regardless of the Privacy Act reforms, over the last four years, cyber attacks have become exponentially more sophisticated, with an attack reported to the Australian Centre for Cyber Security every six minutes – see ASD Cyber Threat Report 2022-2023.
In early 2024, ASIC flagged that it would be targeting executives and boards in relation to their organisation’s cyber weaknesses and privacy breaches, while also targeting organisations which fail to ensure that their third party providers adequately protect personal information. Reporting suggests that the corporate regulator will seek to make an example out of boards and executives who are recklessly ill-prepared for a cyber attack. ASIC has made clear that for all boards, cyber resilience has got to be a top priority and that risks of third-party providers should be managed. In June, the OAIC and ASIC signed a memorandum of understanding which makes information sharing easier for the two regulators.
The current threat landscape and broader regulatory developments mean that organisations must be taking a robust and proactive approach to compliance, managing risks and preparing for anticipated reforms.
While the precise shape of the final Privacy Act reforms is yet to be determined, there are a number of practical steps that organisations can take now to prepare themselves. We have set these out in our practical checklist below with easy to follow steps.
Some may be disappointed by the lack of reforms in the Privacy Bill, which are limited to reforms that have been “agreed” by the Government. The Privacy Regulator, OAIC, has made clear that more is to be done.
Some of the most significant proposed legislative changes in the Privacy Bill are:
The Privacy Bill also:
A number of more substantive amendments are still to come.
There are a number of key agreed in principle legislative proposals which have been left out of the Privacy Bill and are foreshadowed to come in Tranche 2, including:
While organisations wait to see what the Privacy Act will look like once the Government has pushed through its final reforms, there are a number of key practical steps to take to prepare now.
We have drafted a checklist you can use:
| Task | Yes | No |
|---|---|---|
| Determine if the Privacy Act applies to your organisation, or may in the future, if the Privacy Act reforms take place. | ||
| Conduct a maturity assessment for current compliance with the Privacy Act and the APPs, as this base line understanding will be critical to responding to reforms. | ||
Conduct a data mapping exercise to understand and record:
| ||
| Implement a data breach response plan and test this plan (be prepared to respond to shorter timeframes). | ||
| Review existing collection notices, consents and privacy policies. | ||
| Appoint staff who are responsible for privacy, such as a privacy officer, and privacy champions. | ||
| Train staff on privacy compliance. | ||
| Conduct Privacy Impact Assessments (PIAs) whenever your organisation is considering implementing a new or changed way of handling personal information. | ||
| Consider your organisation’s Essential Eight maturity level, according to the Australian Cyber Security Centre’s ‘Essential Eight’ model. This can be linked back to the APP 11 requirement to have in place technical and organisational methods. | ||
| Invest in privacy and cyber risk management. It is critical to put aside sufficient budget and people allocation to manage current risks as well as deal with significant reforms. | ||
| Implement a privacy management plan. A privacy management plan is essential for tracking maturity and outlining key roles and responsibilities. Having a clear privacy management plan now will assist organisations methodically respond to reforms. Monitoring the reforms should be an action included in any privacy management plan. |
The Privacy Bill introduces some key reforms that will have major ramifications for organisations. Strengthened penalty and enforcement provisions should come as no surprise, given the surge in cyber attacks and data breaches in recent years, and signal a tick of approval for further regulatory action against organisations who fail to protect personal information and take cyber risks seriously. The statutory cause of action for a serious invasion of privacy may also empower individuals to hold large organisations to account for how they deal with their personal information.
Despite the above – the Privacy Bill has excluded a significant portion of the more substantive reform that would bring Australia’s privacy and data regulatory regime in line with other jurisdictions, such as the European Union. However, these are anticipated to come.
Organisations must be taking steps now to get ahead of the Government – and take practical steps to prepare for reforms, as well as mitigate current threats.
Find out more here
Sonia has wide ranging experience advising on technology, cyber, telecommunication and general commercial matters, specialising in cyber and data resilience advice.
View profileKeep up to date with our legal insights and events
Sign upThe ACCC responds to the growing use and safety issues arising from the use of these products.
OAIC determinations clarify privacy obligations for organisations using tracking pixels.
Targeted changes are now in place for approvals, strategic assessments, information sharing and advisory processes.
The Court addressed the proper approach to assessing both economic and cultural loss.
Partner
Sydney