Welcome changes to the Australian Privacy Act: what to do when private information becomes public property

Five percent of Australians, or approximately 970,000 people, were exposed to a breach of their private information in 2016, according to data from the Attorney General’s Office, with the annual cost of identity crime in Australia topping $2.2b in both direct and indirect losses. Globally, in the first half of 2016, identity theft breaches were four times higher than the second most prevalent type – financial access.

With more and more of our personal details stored online by both people and organisations other than ourselves, there is a vital need for full disclosure if your personal details have been compromised.

On 13 February, a welcome amendment to Australia’s Privacy Act passed both houses of parliament and will become law once the bill receives Royal Assent. This amendment makes notification of data breaches to the Office of the Australian Information Commissioner (OAIC) mandatory in many cases. The Commissioner is then able to direct an agency or business to notify individuals about a serious data breach.

This is the first time in Australia that all entities covered under the Australian Privacy Principles have clear obligations to report eligible data breaches and to notify all individuals impacted by the breach. This can be a public statement by the company, if there are reasonable grounds to believe an eligible data breach has happened, or, in a less desirable situation, the company is directed by the OAIC to publicly disclose the breach.

The amendments are intended to close some gaps in the current privacy regime that are becoming more and more damaging to individuals, especially if the breach is not immediately disclosed.

According to the KPMG Drawing the line report in December 2016, almost a quarter of Australians are extremely concerned about how companies handle and use personal data. Organisations can, and should, do much to improve this perception. As the amount of information about all of us stored in electronic form, and the number of routine transactions conducted online, increases every day, it is imperative to act. Organisations can best assure Australians they can be trusted with their personal data if they demonstrate strong cyber security processes, tell them what they intend to do with the data, or assure them data won’t be shared with third parties.

But the potential for damage goes wider than just personal data loss through identity theft and crime. Data breaches undermine trust in the local and global digital economy.

While the threat of data breaches is becoming increasingly clear, many organisations are still not protecting themselves from cyber-attacks. The government cited the adverse publicity from a breach notification as a means of deterring poor information handling processes, saying it should increase the likelihood that adequate and reasonable measures are taken to secure personal information.

So it’s clear these amendments should act as an incentive to information holders to be absolutely sure that they are adequately securing and disposing of all personal information they collect.

Now is the time for all organisations to take stock of their current privacy and cyber breach processes to ensure they are set up to meet these new requirements. It’s also a timely reminder to keep an eye on global changes. For example, two of the biggest international markets for Australian companies, China and the EU, both have new laws relating to the protection and handling of personal information.

  • In the EU, the European General Data Protection Regulation (GDPR) comes into force on 25 May 2018, and is arguably the most significant and far-reaching change to global privacy laws for more than 20 years. The GDPR transforms a number of existing requirements compared to the previous EU Data Protection Directive and introduces a raft of new ones. These changes are complex and are likely to require significant enhancements in the way organisations process personal information.
  • In China, the Cybersecurity Law was adopted by the National People’s Congress (NPC) in November 2016 after a year of legislative proceedings, and will come into effect on 1 June 2017. The law focuses on areas such as personal information protection, critical information infrastructure, network operators, preservation of sensitive information, the certification of security products and legal liabilities.

Prevention is always preferable to cure and the reputation loss alone can be irreparable. With thanks to Baden-Powell and the Scouting movement, “Be Prepared”.

Gordon Archibald, Partner, Cyber; Stan Gallo, Partner, Forensic Technology; Jacinta Munro, Partner, Privacy and Compliance

KPMG Forensic
