Data breaches in Australia have cost companies millions in the last year. While global data breaches in the last quarter of 2022 dropped by 70.8%, data breaches in Australia increased by 1550%. This is the highest quarterly increase in data breaches in Australia for this decade. The Australian government already has stringent privacy laws and regulations in place but these statistics have triggered a need for the government to update its data privacy laws.
Current Australian data privacy laws
According to the Privacy Act of 1988, public and private organizations in Australia that collect personal information abide by the following criteria:
- Personal information must be collected for lawful purposes and used/ disclosed only for the purpose it was originally collected for.
- All personal information collected must meet high data quality standards.
- Personal information must be collected with the individual’s consent.
- Anyone who has shared their personal information must be able to access and correct their information.
- Organizations sharing personal information outside Australia must protect data according to standards comparable to domestic standards.
- Identifiers assigned to individuals must not be disclosed unless authorized by law.
- Individuals have the right to maintain anonymously
- All organizations must have clear and concise privacy policies
- Data privacy breaches can be reported to the Australian Information Commissioner (OAIC).
New Australian Data Privacy Laws
The Australian government announced the introduction of a new Privacy Bill in October 2022. Some of the improvements suggested in the bill are:
- The maximum penalty for serious data breaches is to be increased to 50 million AUD, three times the profit made by the company from misusing this information or 30% of the company's turnover. In comparison, the fine for data breaches as per Europe’s GDPR is 10 million euros or 2% of the company’s global turnover for the previous year.
- Include qualified foreign organizations to expand the scope of the Australian privacy act.
- Increased power for the Office of the Australian Information Commissioner to
- Seek information to ensure data breach compliance
- Share information
- Issue infringement notices for non-compliance with OAIC requests
New South Wales Revised Privacy and Personal Information Protection Amendment Act 2022
The New South Wales New Privacy and Personal Information Protection Amendment Act 2022 comes into effect in December 2023. Though it does not apply to all Australian cities, it could influence future policies in the country.
The salient points of this act are:
- The act only covers public sector agencies and state-owned corporations
- New data breach notification scheme
- The OAIC and affected individuals must be notified of serious harm caused by data breaches within 30 days
- A data breach is defined as unauthorized access/ disclosure/ compromise of personal information that could cause serious harm.
- The severity of data breaches depends on information sensitivity, the possibility of information being protected by encryption, the likelihood of it being used for malicious intent and the type of harm it could cause.
- Notifications are not required if the organization can mitigate the breach sufficiently and keep it from recurring or if notifying the individual/ organization can put them at risk.
- New transparency laws to come into effect mandating
- Public publishing of data breach policies
- Creating an internal record with
- Records of any data breaches
- Type of breach
- Notification process details
- Measures taken to mitigate the breach
- The estimated cost of each data breach
- Creating a public notification record on the organization’s website with
- All data breach records for the past 12 months
- When these breaches occurred
- Type of information accessed
Additional Recommendations for Australian data privacy laws
The New South Wales New Privacy and Personal Information Protection Amendment Act 2022 is only the first of many data reform regulations expected in Australia. Some of the recommendations included in the Attorney General’s 2022 formal review of the Privacy Act are:
- Include additional types of data such as biometric data, location data and online identifiers in the category of personal information.
- Anyone collecting personal data must share its intended use and by whom it will be accessed.
- The consequences of giving consent when submitting data must be clearly explained.
- Explicit consent must be given for sensitive information.
- Individuals must retain the right to withdraw consent.
- Individuals maintain the right to erase their information from private and public records.
- Privacy Act language to be simplified to make it easier to understand.
- Financial compensation to be worked out in cases where personal identifiable information has been mishandled.
New legislation may also be introduced to ensure data privacy connected with new technology such as Artificial Intelligence and the Internet of Things.
Complying with the New Privacy Regulations in Australia
The increased fine for data breaches is not the only reason why companies must make efforts to protect personal data shared with them, it should also be for the good will of the customers who are willing to share the required information in exchange for personalized service, they expect data collectors to safeguard their information. A data breach affects the brand’s credibility and lowers the brand image.
The first step towards improving data security is to improve data quality. Rather than manage siloed data sets, all data must be brought together to create a single point of reference across the organization.
All data entering the database must be verified to ensure that it is accurate, valid, unique, complete and correctly formatted. The use of data verification tools for personal information such as phone numbers, addresses and email addresses can be very helpful. These tools automate the verification process to make it quicker and eliminate the risk of human error. In addition to verification at the time of data entry, the database must also be periodically scanned to identify and remove decayed data.
Data within a database must also be classified and tagged correctly to make it easier to track. Building a high-quality, well-organized database keeps all the personal information stored with you safe to protect your customers and the brand.