Strengthening privacy and addressing cyber security
As business activities and consumer consumption are increasingly occurring online, it’s no surprise that privacy is growing in importance. In their daily interactions, consumers and businesses trust that their information will be treated appropriately, and their data sufficiently protected. As the online exchange of information and data has increased, so have the threats to privacy.
To address the risks associated with conducting activities online, Federal Government departments are reviewing existing privacy legislation and proposing new legislation to advance privacy reform and fight cyber security threats.
Specifically, the Attorney General’s Department is currently reviewing the Privacy Act 1988 (the Privacy Act) to ensure privacy settings empower consumers, protect their data and best serve the Australian economy. This includes proposing a three-tiered approach to civil penalties and an increase of the maximum penalty from $2.1m to $10m. Further, there is a new bill before Parliament as part of the Government’s Ransomware Action Plan, which includes additional reporting requirements for some businesses.
To help ensure your privacy compliance as an Australian business, keep reading to find out more about the Privacy Act review and the proposed changes to cyber security incident reporting.
Review of the Privacy Act 1988
On 12 December 2019, in response to the Australian Competition and Consumer Commission's Digital Platforms Inquiry, the Attorney-General announced that the Australian Government would conduct a review of the Privacy Act 1988 to consider whether it remains fit for purpose.
The review commenced in October 2020 with the release of the review’s Terms of Reference and an Issues Paper outlining current privacy laws and seeking feedback on potential issues. Subsequently, the Attorney-General’s Department released a Discussion Paper to seek feedback on the proposals for the privacy reform. The consultation period for the Discussion Paper ended on 10 January 2022.
The Discussion Paper covers several topics, including:
- The scope and application of the Act
- The protections contained in the Australian Privacy Principles (APPs)
- How the Act is regulated and enforced
In response to submissions received on the Issues Paper, the Discussion Paper outlines the following key proposals, among others:
1. Scope and application of the Act
Amend the objects of section 2A of the Act to clarify the scope and introduce the concept of public interest in relation to the protection of the privacy of individuals in the context of entities carrying out their functions.
Redefine ‘personal information’, including a non-exhaustive list of the types of information covered by the definition and the requirement for personal information to be anonymous before it is no longer protected by the Act. This list includes technical personal information such as:
- An identifier such as a name,
- An identification number,
- Location data,
- An online identifier, or
- One or more factors specific to the physical, physiological, genetic, mental, behavioural, economic, cultural or social identity or characteristics of that person.
Amend the Act to allow the Information Commissioner (IC) to make an APP code, as directed or approved by the Attorney-General, where it is in the public interest to do so without first seeking an industry code developer, and where finding an appropriate industry representative to develop the code is unlikely.
Amend Part VIA of the Act to allow more targeted Emergency Declarations (made by the Prime Minister or the Minister in a national emergency) by prescribing their application in relation to: a) entities, or classes of entities, b) classes of personal information, and c) acts and practices, or types of acts and practices. It also proposes to permit organisations to disclose personal information to state and territory authorities when an Emergency Declaration is in force.
2. Protections in the APPs
Introduce an express requirement in APP 5 (notification of the collection of personal information) that privacy notices must be clear, current and understandable, and strengthen the requirement for when an APP 5 collection notice is required.
Define ‘consent’ to the collection, use and disclosure of personal information as being voluntary, informed, current, specific, and an unambiguous indication through clear action.
Additional protections for collection, use and disclosure of personal information:
- Collection, use or disclosure of personal information under APP 3 (collection of solicited personal information) and APP 6 (use or disclosure of personal information) must be fair and reasonable in the circumstances.
- Include an additional requirement in APP 3.6 such that where an entity does not collect information directly from an individual, it must take reasonable steps to satisfy itself that the information was originally collected from the individual in accordance with APP 3.
- Definitions for ‘primary purpose’ and ‘secondary purpose’
Options to manage privacy risk for restricted and prohibited acts and practices (e.g. collection, use or disclosure of information on a large scale)
Introduce pro-privacy default settings on a sectoral or other specified basis.
Amend the Act to require consent to be provided by a parent or guardian where a child is under the age of 16.
An individual may object or withdraw their consent at any time to the collection, use or disclosure of their personal information, after which an entity must take reasonable steps to stop collecting, using or disclosing the individual’s personal information and inform the individual of the consequences.
Other proposals in relation to erasure of personal information, direct marketing, automated decision making, accessing and correcting personal information, security and destruction of personal information, organisation accountability, and cross border data flows.
3. Regulation and enforcement
Create tiers of civil penalty provisions to give the Office of the Australian Information Commissioner (OAIC) more options so that it can better target its regulatory responses. This includes increasing the maximum penalty from $2.1m to $10m for serious and/or repeated interference with privacy, more closely aligning the Act with the Australian Consumer Law.
Clarify what is a ‘serious’ or ‘repeated’ interference with privacy in determining whether a civil penalty provision applies. It is proposed that section 13G of the Act should more clearly capture breaches involving:
- Highly sensitive information,
- Those adversely affecting large groups of individuals,
- Those impacting vulnerable individuals,
- Repeated or willful misconduct, and
- Serious failures to take proper steps to protect personal data.
Additional powers for the IC in relation to investigations of civil penalty provisions, drawn from Part 3 of the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act).
Amend the Act to provide the IC with the power to undertake public inquiries and reviews into specified matters.
Amend paragraphs 52(1)(b)(ii) and 52(1A)(c) to require an APP entity to identify, mitigate and redress actual or reasonably foreseeable loss in relation to an interference with an individual’s privacy.
Give the Federal Court the power to make any order it sees fit after a section 13G civil penalty provision (for serious and repeated interferences with privacy) has been established.
Other proposals include an industry funding model incorporating cost recovery and a statutory levy, amendments to the annual reporting requirements in the Australian Information Commissioner Act 2010 to increase transparency, alternative regulatory models, a direct right of action for complainants, options for introducing a statutory tort of privacy, and amendments to the Notifiable Data Breaches (NDB) scheme in relation to data breach statements.
- In relation to the amendments to the NDB scheme, it is proposed that subsections 26WK(3) and 26WR(4) are amended such that a statement about an eligible data breach must set out the steps the entity has taken or intends to take in response to the breach, including, where appropriate, steps to reduce any adverse impacts on the individuals affected.
Interaction with the Online Privacy Bill
The consultation period for the review of the Privacy Act ran concurrently with the consultation on the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill). This bill addresses the heightened privacy challenges in relation to social media and other online platforms. It introduces the concept of a binding online privacy code for social media and certain other online platforms, and increases penalties and enforcement measures.
The Online Privacy Bill is expected to strengthen the Privacy Act as part of Australia’s broader privacy law framework.
Proposed changes to cyber security incident reporting
The Federal Government has released a Ransomware Action Plan containing a series of proposals to tackle the increasing threat of ransomware attacks. In the year to 30 June 2021, ransomware attacks increased by 15%, as reported by the Australian Cyber Security Centre. Before we explore the Government’s proposals, let’s look at how ransomware attacks are impacting Australian businesses.
Ransomware is a type of malicious software that, once it enters an electronic device, makes the computer or its files unusable. Cybercriminals use ransomware to deny the user access to their files or devices until a ransom payment is made to regain access. Ransomware can harm an individual’s or organisation’s reputation and can cost money to resolve. Globally, it is estimated that there is a ransomware attack on a business every 11 seconds. In the last 24 months, there has been an increase in the number of larger organisations experiencing ransomware attacks.
The Government’s Ransomware Action Plan outlines initiatives for the short to medium term, aimed to deliver on three objectives:
- Prepare and Prevent - building Australia’s resilience to ransomware attacks.
- Respond and Recover - strengthening responses to ransomware attacks by ensuring support is available to victims.
- Disrupt and Deter - disrupting cybercriminals through deterrence and offensive action by strengthening Australia’s criminal law regime and increasing the risk of ransomware gangs being caught.
In addition to several current initiatives to address ransomware, the Plan proposes measures to strengthen and/or introduce laws to criminalise ransomware, supported by operational activity to target criminals seeking to disrupt and profit from Australian businesses and individuals. Measures include:
- Introducing a specific mandatory ransomware incident reporting requirement to the Australian Government
- Introducing a stand-alone offence for all forms of cyber extortion
- Introducing a new stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure (as captured under the Security of Critical Infrastructure Act 2018)
- Modernising legislation to ensure that cybercriminals are held to account for their actions, and to enable law enforcement to track and seize or freeze ransomware payments in cryptocurrency
- Establishing a multi-agency taskforce, Operation Orcus, led by the Australian Federal Police
- Raising awareness and providing advice for critical infrastructure, large businesses and small to medium enterprises on ransomware payments
- Collaborating with international counterparts to strengthen shared capabilities to detect, investigate, disrupt and prosecute malicious cybercriminals
- Actively calling out those who support, facilitate or provide safe havens to cybercriminals
Expanding on the first measure, the Ransomware Action Plan proposes mandatory reporting of ransomware incidents by businesses with turnover greater than $10 million per year. This measure is likely to have a major impact on many organisations across the Australian financial services industry, which will have additional reporting obligations to comply with. Little detail is provided on what this reporting will entail, including how an “incident” is defined. Currently, organisations can voluntarily report ransomware incidents to the Australian Cyber Security Centre.
How we can help
The proposed amendments to the Privacy Act and the potentially increased reporting requirements are expected to add to the already complex regulatory environment surrounding privacy and cyber security. As an organisation looking to remain compliant and do the right thing by those you deal with, we know that this may be adding more tasks to your never-ending risk and compliance to-do list.
That’s why we are here to help. At Hall Advisory, we assist our clients with the following privacy-related services:
- Development and enhancement of privacy policies and procedures.
- Tailored face-to-face privacy compliance training.
- Tailored scenario testing and dry runs with Executives and Boards to facilitate ransomware attack preparedness.
- Independent reviews of privacy compliance.
If you need support in any of these areas, contact us for a confidential, no-obligation consultation.