Following significant data breaches in Australia in 2022 and the big increase in penalties and consequences, the Office of the Australian Information Commissioner (OAIC) has released its detailed recommendations to further enhance Australia’s privacy legislation.

Purpose of proposals

The proposals detailed in the OAIC’s recommendations aim to deliver a more effective privacy regime that promotes innovation and growth by:

  • protecting consumers from privacy risks and harm;
  • giving more control to consumers of their personal information;
  • enhancing the framework for personal information handling;
  • enabling more efficient and direct avenues of redress for individuals; and
  • providing consistency to minimise friction when personal information flows globally.

Who do the proposals apply to?

Senior managers, privacy officers, IT departments and employees handling personal information need to be aware that these changes are likely to be introduced. Once finalised and passed, the likely significant changes will necessitate amendments to a business’s privacy compliance and data protection systems, policies, procedures and documents.

Key outcomes of the proposals

The OAIC has expressed that the proposals attempt to clarify what personal information should be protected and who should protect it. They plan to achieve this by:

  • recognising the public interest of protecting individuals’ privacy;
  • clarifying what information should be protected under the Privacy Act;
  • ensuring de-identified information is protected from misuse;
  • requiring risks associated with holding and using information relating to individuals to be considered and protections applied accordingly;
  • regulating the ‘targeting’ of individuals based on information which relates to them but that may not uniquely identify them;
  • enabling Privacy Codes to be made in certain circumstances;
  • ensuring risks to privacy resulting from the small business, employee records, political and journalism exemptions are addressed in a proportionate and practical way; and
  • strengthening the notifiable data breach scheme and streamlining it with other mandatory reporting schemes.

How businesses can prepare

Businesses should conduct checks and take appropriate action ahead of the proposed changes. Some of the checks they should address are whether:

  • their privacy practices are fair and not harmful;
  • their privacy practices are transparent;
  • consumers are informed and have choice and control regarding the collection of data;
  • they are collecting only the extent and scope of data that is directly or reasonably necessary for their business functions and activities (and not just ‘nice to have’);
  • they know the data flow of the information in their business (who they share personal information with, etc.);
  • they are adequately and securely storing personal data (whether held in paper or digital format); and
  • they are adequately and securely returning, de-identifying or disposing of personal information when it is no longer needed.

Businesses will also need to review and update their existing suite of privacy and data protection compliance documents.