The International Association of Privacy Professionals (IAPP) opened its 2023 ANZ Summit in Sydney on 28 November with a keynote address from Angelene Falk, the Australian Information Commissioner and Privacy Commissioner, who heads the Office of the Australian Information Commissioner (OAIC). Commissioner Falk sang from a familiar hymn sheet with a simple message about accountability - that organisations need to embed strong privacy practices and make them a core part of their DNA. And if they haven't invested in privacy yet, they need to start now - and to speak to boards, executives and management in earnest about funding their privacy programs. And why, you ask?
The Commonwealth Government has agreed to implement a significant number (38) of the proposed reforms to the Privacy Act 1988, and there are plans to introduce the agreed reforms in 2024. As to the 68 recommendations that were 'agreed in principle', there will be targeted consultations in relatively short order, with in-principle reforms soon to follow. In light of the Government's Response to the Privacy Act Review, the Commissioner's address set out some clear expectations for both the private and public sectors. The five key points that jumped out at me were the following:
- Link cybersecurity to privacy practices - To quote Commissioner Falk: "You can't be breached for what you don't hold." Data minimisation has been a consistent theme for the OAIC: organisations should identify and destroy personal information they no longer require.
- Data inventories & systemic reviews are essential - To paraphrase the Commissioner: you can't protect data assets unless you know what you have. That message should be communicated loudly and clearly to executives, along with developing technological solutions to assist with those inventories and reviews and to establish destruction schedules.
- Privacy impact assessments (PIAs) must be part of organisations' DNA - The same applies to privacy-by-design principles and regularly updating data breach response plans.
- The OAIC is flexing its investigatory muscles - The Commissioner flagged that, in a recent data breach investigation, the OAIC interviewed 50+ witnesses, including the organisation's CEO, CISO and forensic experts. The message was clear - if an organisation isn't compliant, it should expect regulatory action to follow.
- Civil penalties are coming. And soon - One of the first 'cabs off the rank' among the 38 agreed privacy reforms will be the introduction of new, low-level civil penalties for administrative breaches of the Privacy Act, along with expanding the OAIC's powers to issue infringement notices and set penalties.
The last point will (most likely) be the one to 'stick' in the minds of many Australian directors, executives and those in the higher echelons of the public sector. The reason is relatively straightforward - the OAIC will have expanded powers to investigate, to obtain all manner of information from witnesses and to compel the production of documents. Combine that with the OAIC's power to issue low-level administrative fines that don't require a tribunal's or court's blessing, and the prospect of hefty fines becomes very real.
These fines will likely put an end to the internal debate within organisations about whether they 'really need to bother' with data minimisation and destruction techniques. It becomes much less of a question when the options range from risking an Optus-style data breach to a snap OAIC investigation accompanied by on-the-spot fines. And consider the prospect of fines being levied for each instance in which an organisation held personal information it didn't need. If each instance merited only a few dollars, that could quickly add up to millions for many organisations.
The simple take-away is that organisations have a quickly narrowing window of opportunity to act before the privacy reforms land. The first step is to start planning - and to take practical steps to identify 'at risk' data. While those tasks may fill many organisations with dread, they shouldn't - not if there's a willingness and commitment to work through the issues. At Synergy Law, that's where we excel. Beyond providing outstanding policy and governance uplift services, we can help organisations 'move the dial' with practical, cost-effective solutions that will help minimise the risk of data breaches, regulatory fines, reputational impacts and damage to staff morale.