Data breaches and cybersecurity threats are rising in Australia. The Australian Cyber Security Centre (ACSC) received over 67,500 cybercrime reports in the 2022-2023 financial year, an increase of nearly 13% on the previous year. In the news, the MediSecure and Ticketmaster data breaches affected 13 million and 500 million customers respectively, compromising identifiable information such as names, credit card numbers, email addresses, dates of birth, and Medicare card numbers.
In an effort to strengthen the country’s privacy framework, the government introduced the Privacy and Other Legislation Amendment Bill 2024 (Bill) in September 2024 to reform the Australian Privacy Act 1988 (the Privacy Act). In addition to recommending cybersecurity frameworks such as the Essential Eight, the Australian Government has updated the Privacy Act to respond to modern privacy challenges and make it more adaptable to the evolving digital landscape.
In this blog, we summarise the changes to the 2024 Privacy Act, what they mean for your business, and how to prepare for compliance.
What is Australia’s Privacy Act, and what changes took effect in 2024?
The Privacy Act is the principal legislation that governs the handling of personal information by Australian Government agencies and a significant portion of private sector organisations. Its purpose is to promote and protect individuals' privacy and regulate how personal information is collected, used, stored, and disclosed.
The Bill has 116 recommendations for reform but has so far implemented 23 of the 25 ‘agreed’ legislative proposals. Some of the key changes enforced by the Bill include the following:
- The Office of the Australian Information Commissioner (OAIC) has been given increased powers to enforce privacy regulations and conduct public inquiries with greater scrutiny.
- The Bill introduces a statutory tort for serious privacy invasions that allows individuals to seek legal recourse against organisations where a data breach occurred.
- New civil penalty provisions for breaches of the Privacy Act, including “mid-tier” and “low-tier” penalties for less severe violations, have been introduced.
- Privacy policies must now include details about automated decision-making processes.
- Criminalising doxing. Doxing is when an individual maliciously publishes private or identifiable information online. The new Bill makes it a criminal offence, and individuals engaging in it could face criminal charges and potential imprisonment.
- Overseas data transfers. A whitelist of overseas jurisdictions has been created, allowing personal information to be transferred without restriction.
- The Children’s Online Privacy Code strengthens privacy protections for children under 18 years old.
What do these changes mean for your business?
- Ongoing compliance costs. The new Bill removes the $3 million annual turnover exemption, extending the Privacy Act’s jurisdiction to many small businesses for the first time. Small to mid-sized businesses must develop or enhance their privacy policies, data security measures, and compliance programs, which will likely involve initial setup costs and ongoing expenses to maintain compliance.
- Data breach notifications. The strengthened requirements for notifying individuals and the OAIC about data breaches mean that organisations must have robust incident response plans. This includes the ability to identify, assess, and report breaches quickly.
- Significant penalties. The Bill introduces several significant penalties for non-compliance, as follows:
  - Civil penalties. The OAIC can seek a maximum penalty of up to AUD 50 million for organisations with serious or repeated privacy breaches.
  - Infringement notices. For specific Australian Privacy Principles (APP) and other obligations, the OAIC can issue infringement notices without court proceedings; these carry fines of up to AUD 63,000 for corporate bodies and AUD 12,600 for individuals.
- Potential lawsuits. Establishing a statutory tort for serious invasions of privacy in the new Bill allows individuals to seek legal recourse, which means businesses could face lawsuits for privacy breaches, adding another layer of legal risk.
- Greater scrutiny. The expanded powers of the OAIC to enforce privacy regulations and conduct public inquiries mean that businesses will be under greater scrutiny, which could lead to more frequent audits and investigations.
- Fortifying data protection. Small businesses must ensure their data protection measures are strong enough to prevent breaches and data theft. This may require upgrading IT infrastructure, using encryption technologies, and conducting regular security audits to meet the new regulatory standards.
How do you prepare for compliance?
Navigating the Privacy Act can be overwhelming for any organisation, but here are some tips to help you prepare for compliance.
Engage Information Protection specialists.
Information Protection is a crucial part of compliance and risk reduction. It can be a complex area to navigate with both retention and disposal considerations for your organisation. Speak with a specialist like Professional Advantage who can help build your roadmap to streamline your Information Management Practices.
Automate Disposal.
The Privacy Act states that data must be disposed of as soon as it is no longer needed. Professional Advantage can assist you in automating content disposal without the need for user decision-making. While information protection is important, data that has been deleted no longer exists, so it cannot be breached.
Consider a holistic view of Security and Compliance.
Turning to a cybersecurity specialist who understands your content management and compliance challenges can help you fast-track and streamline your Privacy Act compliance efforts. Professional Advantage can assist you with specialist tools, frameworks, and existing design patterns intended to make it easy for you to work with your existing collaboration platforms such as Microsoft 365. This also ensures that your broader security posture is aligned with security frameworks that your leadership teams and executives can understand and take confidence from.