Moving into Q2 of 2023, it is all happening in the privacy space! In this issue of Privacy Perspectives for Australian Government entities, we cover:

• the latest news on the proposed amendments to the Privacy Act 1988 (Cth) (Privacy Act);
• the latest data breach statistics; and
• what’s coming up in Privacy Awareness Week.

Proposed amendments to the Privacy Act

There have been recent changes made, and a number of significant changes proposed, to the Privacy Act.

The Privacy Act was amended late last year to see the maximum penalties for serious or repeated privacy breaches increased to that which is the greater of $50 million, three times the value of any benefit obtained through the misuse of information or 30 per cent of a company’s adjusted turnover in the relevant period. Other measures adopted at this time included expanding the powers of relevant regulators, with the government considering a more extensive reform agenda for the future.

According to the Privacy Act Review Report recently released by the Attorney-General’s Department, it is likely significant changes will be made to Australia’s privacy laws. Some notable recommendations include:

• Broadening the definition of personal information – in particular, this would include defining personal information to mean information ‘relating to’ an individual (not just information ‘about’ an individual). The proposal is also to consider including a non-exhaustive list of information that may be personal information, including information such as location data and technical data.

• Strengthening consent and notice requirements, including requiring consent to collect, use, disclose and store precise geolocation data and including additional matters in consent notices.

• Extending some current privacy protections to ‘de-identified information’, including to introduce similar obligations to those currently in APP 11.1 (i.e. agencies will have obligations to protect de-identified information from misuse, interference and loss, and unauthorised re-identification, access, modification or disclosure) and APP 8 (i.e. agencies will need to take particular steps before disclosing de-identified information to an overseas recipient).

• Including an overarching ‘fair and reasonable’ test, so that even if a particular collection, use and disclosure of personal information satisfies other Privacy Act requirements, the agency’s handling must also meet this test.

• Having a 72 hour time frame to notify the Australian Information Commissioner of serious data breaches.

What does this mean for you?

From a practical perspective, we suggest that Australian Government agencies start taking steps to ensure that they are prepared for any future amendments to the Privacy Act. In particular, we suggest that Australian Government agencies ensure they understand the breadth of their data holdings, and ensure that they are able to demonstrate that reasonable steps have been taken to protect the personal information that they hold.

We suggest that Australian Government agencies:
Create a ‘data map’ of the personal information they hold (noting that personal information can be ‘held’ under the Privacy Act by both an agency and its subcontractor). This data map should document what personal information is held, where it is held, and (ideally) why it is being held by the agency.
Minimise the amount of personal information held, and ensure that personal information that is not, or is no longer, required can be deleted under the Archives Act 1983 (Cth).
Consider undertaking a privacy audit of current security settings (both technical and non-technical measures used to secure personal information), to ensure that they are up to date and robust.
Ensure ICT systems have undergone sufficiently recent security assessments, and that any recommendations arising from those assessments have been implemented.
Review contractual arrangements with third party ICT and other suppliers, to ensure they contain robust privacy and security obligations which will continue to be effective if the reforms are implemented.
Ensure staff have regular privacy training, so they understand their privacy obligations and what they must do to secure personal information. Consider updating existing training to ensure that staff also understand that reforms to the current arrangements are being proposed.
Review their Data Breach Response Plan (the Office of the Australian Information Commissioner (OAIC) has reflected that ‘a data breach response plan is essential to facilitate a swift response and ensure that any legal obligations are met following a data breach’).
Practice using their Data Breach Response Plan to test and improve how an actual or suspected eligible data breach is managed.
Closely monitor the proposed amendments to the Privacy Act and seek internal or external legal advice to ensure that your agency is complying with its obligations.

If you have any questions about the proposed amendments to the Privacy Act, or if you would like assistance with ensuring that your agency is complying with its obligations, please contact us.

Latest news on data breaches

According to the latest report on data breaches published by the OAIC, there was a concerning increase of 41% in the number of data breaches caused by malicious or criminal attacks for the July to December 2022 period. Data breaches caused by such attacks now constitute an astonishing 70% of the total number of data breaches for the period.

The top three types of malicious attacks were:

• ransomware;
• compromised or stolen credentials (method unknown); and
• phishing (compromised credentials).

The remainder of the other data breaches were made up of:

• brute-force attacks (compromised credentials);
• hacking; and
• malware.

Data breaches caused by human error constituted 25% of the total data breaches that occurred. Interestingly, almost half of all the human error breaches involved errors made when sending emails – 42% involved personal information being emailed to the wrong recipient and a further 6% failed to use ‘bcc’ when emailing.

Another interesting observation is the number of breaches being reported also increased significantly. There were 497 breaches for this period compared to 393 breaches from January to June 2022.

What does this mean for you?

It is more important than ever that Australian Government agencies are able to demonstrate that they are taking reasonable steps to protect the personal information they hold. Implementation of the practical steps described above will assist agencies to demonstrate this.

For further advice about the steps that your agency can take to enhance its compliance with APP 11 (protection of personal information), and to ensure it is well-placed to promptly and effectively respond to any actual or suspected data breach, please contact us.

Privacy Awareness Week 2023

Privacy Awareness Week (or PAW) will be held this year from Monday, 1 May to Sunday, 7 May 2023. It is an annual event to raise awareness of privacy issues and the importance of protecting personal information. This year’s theme is Back to Basics, noting that the OAIC has stated:

Privacy is fundamental to our existence. But how do we best protect it in today’s digital world?

The OAIC runs PAW in conjunction with state and territory privacy regulators and the Asia Pacific Privacy Authorities forum – visit their website for more information about the OAIC’s PAW initiatives. Like Maddocks, you can also sign up as a PAW 2023 supporter, which will give you access to the OAIC’s toolkit – this contains a range of resources to assist entities to raise awareness of good privacy practices.

Maddocks is also currently developing a range of additional resources for PAW, including a series of short video clips about topical privacy issues, which we can make available to Australian Government agencies. To incorporate them into your agency’s PAW activities, get in touch with our team for more information.