Privacy Act changes bring tougher penalties for data breaches
As part of a wider review of the Privacy Act 1988 (Cth), the recently passed Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 ('the Amendment Act') brings increased penalties for serious or repeated privacy breaches and gives the Office of the Australian Information Commissioner ('OAIC') broader regulatory powers to resolve breaches.
Recent data breaches in Australia, including the high-profile Optus and Medibank cases, have highlighted the need for organisations to adopt more effective safeguards and privacy controls. The Amendment Act has been introduced to help address this problem and to push businesses to improve their privacy, security and information-handling practices.
What are the major changes?
The most significant change is the maximum penalty for serious or repeated data breaches, which has increased considerably to reflect how seriously privacy compliance and cybersecurity are now treated. The amended penalties are:
- For individuals other than a body corporate, $2.5 million (up from $444,000).
- For a body corporate, the greater of $50 million, three times the value of benefits obtained or attributable to the breach (if quantifiable in court), or 30% of the corporation's adjusted turnover in the relevant period (up from $2.2 million).
The Amendment Act also grants expanded regulatory powers to the OAIC, allowing it to better oversee organisations' procedures for handling data breaches. The OAIC can now:
- Issue infringement notices for minor instances of non-compliance without relying on criminal prosecution.
- Require entities to undertake an independent review of practices that are subject to complaints and review the steps taken.
- Conduct assessments of an entity's compliance with the Notifiable Data Breaches Scheme even if a data breach has not occurred.
- Obtain and share information or documentation regarding a breach with the public or enforcement bodies, where it deems this to be in the public interest.
The regulations outlined in the Amendment Act apply to all organisations that trade in Australia, not just those that collect or hold private information. The Amendment Act also tightens the position for overseas companies by removing the Australian Link requirement under the Australian Privacy Principles. This makes it harder for overseas companies to avoid complying with Australian privacy laws simply by being based overseas.
What should businesses do?
To ensure innocent individuals do not bear the costs associated with data leaks, all companies (small and large) need to have up-to-date data and privacy policies and procedures, particularly now that these changes are in place.
This involves reviewing the processes involved in the collection, storage, processing, sharing and destruction of information and data. It will also be important to conduct an audit of all data and controls to ensure that all associated third-party risks are being managed effectively. Specifically, it is important to consider:
- Obtaining cyber insurance.
- The company's level of exposure to legislative breaches, if it is not insured.
How Coverforce can help
The right insurance cover can help to minimise your loss in the event of a privacy breach. A Cyber Liability and Privacy Protection Insurance Policy may be suitable for your business. Contact an experienced insurance broker at your local Coverforce office today for expert risk advice or for more information.
The information provided in this article is of a general nature only and has been prepared without taking into account your individual objectives, financial situation or needs. If you require advice that is tailored to your specific business or individual circumstances, please contact Coverforce directly.