12 September 2024

It’s time to uplift privacy: why organisations need to act now following new law reforms

Jordan Wilson-Otto
Principal
Melanie Marks
Director

elevenM’s Melanie Marks and Jordan Wilson-Otto on why organisations can’t afford to put compliance on hold waiting for the rest of the privacy law reform to land.

No-one likes doing work twice. If you’ve ever renovated a house, you might relate to the tendency to put off minor repairs and maintenance to package everything up into one big project. Why fix that cracked plaster downstairs when we’re getting new walls in 12 months — could be cheaper to wait and do them all at once!

After *five years* of consultation and waiting, this week saw the introduction of a privacy reform bill addressing some of the recommendations for reform that we have all been waiting for. However, the bill has omitted many policy changes and lacks the grunt we were waiting for. It seems that much of the hard stuff has been parked.

Key reforms proposed in today’s bill include a new statutory tort for serious privacy breaches, transparency requirements for automated decisions, a more flexible penalty regime and greater investigatory and code making powers for the OAIC. The bill also makes it easier for the Information Commissioner (with approval from the Attorney General) to make new privacy codes and introduces a new Children’s Online Privacy Code. All significant changes, but it is clear that the second tranche will be the one that brings the impetus for uplift of operational processes.

The government says that other material changes to the Privacy Act will be delayed until after the federal election, due by May 2025.  These include delay of the ‘fair and reasonable test’, possible removal of the small business exemption, the right to erasure and stronger consent requirements — all have been put off to sometime after the next federal election.

Many privacy programs have languished over the last 12-18 months as organisations waited for certainty in the form of new privacy legislation. The two-stage approach announced this week may cause them to think they can afford to put off uplifting their privacy program for even longer. As privacy professionals, this puts us all in an awkward spot. How much focus should our clients be putting on improving compliance today, when there could be so much more change on the horizon? The answer is: a lot.

Whilst organisations have been watching and waiting, deferring action, cyber threats have continued to increase in likelihood and impact; regulatory powers and fines for breaches have grown, and consumer sentiment is becoming increasingly less sympathetic to organisations that misuse personal information or — through poor governance — subject themselves to substantial data breaches. Put simply, the risks ain’t going away and in fact they’re getting bigger.

Under current laws, your organisation must know what personal information it holds and have controls in place to ensure it uses and discloses it only for purposes that have been allowed. It must secure information well, keep it current and provide access to the people to whom it relates. If you can’t — hand on heart — say your organisation has these things sorted, then you are currently in breach of our laws.

First and second tranche changes will build on what you should already have in place. This means that sitting on your hands and waiting for more reform rather than getting the house in order now will make the ultimate renovation more painful.

Privacy program uplift takes time, commitment, and resources. The delay in more comprehensive privacy laws is frustrating, but it would be foolish to waste this grace period sitting around or assuming that there’s nothing to do until then. With 70% of Australians rating privacy as extremely or very important when choosing a product or service (according to the Australian Community Attitudes to Privacy Survey 2023), a new Privacy Commissioner focused on enforcement against privacy harms with hefty penalties now up her sleeve, and many businesses pushing a data agenda, good information management has never been more important. Consumers, stakeholders, shareholders and regulators won’t accept bad practices while we wait for the next tranche of laws and your job will be way harder in the long run.

Contact us

If you’re interested in learning more about how to uplift your privacy programget in touch.