By Luke Coley
Published on November 16, 2023
Potential changes to the Australian Privacy Act on the heels of increasing cyber attacks promise to bolster existing data protection requirements. But these updates would create a significant burden on how organisations collect, manage, and dispose of personal data. And the recommendations include additional penalties and the right of individuals to seek compensation for serious impact.
Here’s how these potential changes to the Privacy Act could affect Australian Government agencies and other organisations, and how a data catalog is the best first step to prepare. (With regard to “catalog”: sorry, we have an affinity for the U.S. spelling of our product category, but here’s an extra u and an e to make up for it).
In just the first half of 2023, there have been nearly 50 “major” cyber breaches to organisations in Australia, according to Weber Insurance Services. That’s in addition to the thousands of smaller, yet still damaging, breaches in Australia each year. And no organisation is immune, as criminals target everything from high schools and state health ministries to a growing list of government entities.
But whilst the Australian Privacy Act was designed to promote and protect the privacy of individuals and regulate how Australian Government agencies and organisations handle personal information, it was originally enacted in 1988 and needs updating.
The Privacy Act Review, released in early 2023, provides extensive recommendations to bring the Privacy Act into the modern world of cloud-based technologies and rampant cybercrime. It also brings Australia’s rules more in line with the veritable template for modern privacy regulations: the European Union’s General Data Protection Regulation (GDPR).
So what can Australian Government agencies and organisations expect if recommendations go into effect? Many see these changes as a major shift in how personal data must be managed and tracked, requiring a radically different approach to how organisations fundamentally search for and discover data already being collected, stored, and processed. It would also increase Australian organisations’ need for robust data privacy, risk, and compliance efforts.
Data breaches can currently result in penalties, operational disruptions, and a loss of customer or constituency trust, all of which combine to impact overall business and financial performance. A recent cyber attack is expected to cost Melbourne-based Latitude Financial as much as AU$105 million in related costs and remediation, a figure which does not include potential fines.
But even as existing rules, regulations, and potential financial fallout add complexity to an organisation’s data governance efforts, those charged with managing data at Australian entities and organisations must take these new recommendations seriously.
Here are the top 5 potential impacts of recommendations from the Privacy Act Review based on opinions from privacy experts and security professionals.
| Proposed Privacy Act Update | Impact to Organisations |
|---|---|
| Broadening the definition of personal information to include all data that “relates to” an individual instead of simply “about” an individual. | This would significantly expand the scope and amount of data agencies and organisations would need to track, manage, and communicate to individuals in their notices to comply with an updated act. |
| Capturing data flows across entities and vendors with language to cover those that also control and process personal data. The current act only applies to entities that “hold” data. | Proposed updates would expand the scope of the act’s obligations to include details of the data lifecycle across these data controllers and processors. |
| Adding the rights to be deleted and to object to types of personal data processing. Currently, individuals only have the right to access personal data and request corrections to inaccurate data. | Recommended changes would allow individuals to request the source of the information, details of any processing and de-indexing of information, as well as the erasure of personal data by the entity. Finding that data and metadata would be a challenge for many organisations. |
| Requiring a “Privacy Impact Assessment” (PIA) before taking actions that are “likely to have a significant impact on the privacy of individuals.” | These assessments, which analyse the potential impact(s) that personal information processing in a project could have on individuals, would require organisations to discover and classify sensitive data at scale. |
| Restructuring penalties and adding statutory tort accommodations. The maximum penalty would increase from AU$2.22 million to AU$50 million for serious and repeated privacy breaches. | While these changes would not burden existing compliance and data protection efforts, they would increase the risk and financial exposure for organisations that do not have deep and broad data protection, data governance, and data compliance capabilities. |
The policy updates proposed by the Privacy Act Review stand to bring the Privacy Act into the modern era of cloud computing and consumer protection expectations. But they could also significantly burden already taxing data privacy, risk, and compliance efforts. What’s clear is that simple data search and discovery is foundational to those efforts today and even more so if these recommendations are enacted.
How can leaders respond? Organisations can get ahead of any potential changes, and better comply with today’s existing regulations, in just a few steps.
1. Implement a data catalog to easily find, understand, and govern data while centralising data’s context, rules, policies, definitions, and relationships in a single source of reference. Identifying personal information, understanding how it was processed, and ensuring proper management and potential deletion of 100% of that data is crucial, and a data catalog is key.
2. Improve data governance to actively manage risk and compliance, gain complete visibility into how policies are mapped to data, and ease compliance with today’s and tomorrow’s regulations. Effective governance ensures workers know and follow policies and provides detailed metrics to identify areas of potential improvement.
3. Discover and classify personal information at scale by linking data to related policies and applying role-based access to all personal data where necessary. Guide people towards the proper use of data in their natural workflow.
4. Better understand data lineage to answer complex customer, constituency, and agency questions with an easy-to-understand view of data relationships and how and where personal information is used. Modern data lineage solutions also provide context to changes in personal information and other data, such as through ETL/ELT transformations.
5. Consider how local regulations impact sensitive data, data sovereignty, and cross-border data movement via the cloud. A good framework for managing sensitive data in the cloud can be found in the EDM Council’s Cloud Data Management Capability (CDMC), which used a test case built by Snowflake, leveraging an Alation data catalog, and assessed by KPMG to prove the validity of the framework.
6. Use artificial intelligence to enable organisations to save time, scale data initiatives more quickly, democratise trusted data, and more. AI helps organisations automatically populate data catalogs, document new data assets, and suggest appropriate data stewards across personal information and other data.
If enacted, these potential changes to the Privacy Act will radically shift how Australian Government agencies and Australian organisations manage personal information. The first step we recommend, as noted above, is to implement a data catalog.
For more information about the Australian Privacy Act, the following are answers to a few common questions.
The European Union’s General Data Protection Regulation (GDPR) gives EU citizens more control of their personal information no matter where the data collector is located, even if data is collected by an organisation outside the EU. The Australian Privacy Act applies to Australian Government agencies and large Australian organisations.
The GDPR also targets personal data, whereas the Australian Privacy Act targets personal information, a nuance that extends the latter even to opinions about individuals. Another nuance is that the GDPR gives citizens the power to control their personal data, while the Australian Privacy Act puts more responsibility on the organisations.
Aside from terminology and geographical focus, the GDPR went into effect in 2018, as opposed to 1988 for the Privacy Act. Hence, the GDPR offers a more modern framework that reflects today’s technologies and privacy expectations.
The Australian Privacy Act is sometimes viewed as equivalent to GDPR, but the above points show how these regulations differ. If the recommendations in the Privacy Act Review are enacted, Australian Government agencies and large Australian organisations will need to comply with more modern and stringent regulations that are similar to those in the GDPR.
The top 5 most significant potential impacts of the Privacy Act Review include broadening the definition of personal information, capturing data flows across entities and vendors, adding the rights to be deleted and to object to types of personal data processing, requiring a “Privacy Impact Assessment,” and restructuring penalties and adding statutory tort accommodations.
The above table shows how these changes to the Privacy Act could impact Australian Government agencies and Australian organisations.
The Australian Privacy Act is primarily administered by the Office of the Australian Information Commissioner (OAIC).
Curious to learn more about how you can respond to the new challenges regarding data privacy? Visit our Customer Stories page to read how organisations like Cbus Superannuation Fund, Virgin Australia, Endeavour Energy, HBF Health Ltd., and others use Alation to address data privacy regulations and improve data compliance across the business.