After the high-profile cyberattacks in recent times, Australian businesses are being reminded to take data security and privacy laws seriously.

The consequences of a hacking or ransomware event are far-reaching and can include thousands of dollars in recovery expenses, as well as damage to your business’s reputation. There is also the potential for a fine if your business does not take adequate steps to protect your customers or report a breach as required.

This article shares some of the key data security and privacy laws in Australia, and explains how the Federal Government is planning to overhaul them in 2023.

Privacy and data security laws in Australia

The Privacy Act 1988

The Privacy Act 1988 is a comprehensive law that regulates the handling of personal information by Australian government agencies and organisations. It includes thirteen Australian Privacy Principles (APPs) that set out standards for handling, using and disclosing personal information. Businesses must comply with the APPs when collecting, storing, and handling personal information.

It was recently announced that the Privacy Act will be updated in 2023, after the Attorney General said that Australia’s privacy laws are out of date and not fit for purpose in the digital age.

See: https://www.oaic.gov.au/privacy/the-privacy-act

The Notifiable Data Breaches (NDB) Scheme

If your business is hacked and you fail to report it, you could find yourself in trouble.

The Office of the Australian Information Commissioner’s NDB scheme is an amendment to the Privacy Act 1988 (Cth) that came into effect in 2018. It requires businesses with an annual turnover of more than $3 million to notify the OAIC and affected individuals if a data breach is likely to result in serious harm to the affected individuals. The scheme also applies to businesses that handle sensitive information, including health information, credit information, and tax file numbers even if under the threshold.

See: https://www.oaic.gov.au/privacy/notifiable-data-breaches/about-the-notifiable-data-breaches-scheme

The Australian Cyber Security Centre (ACSC) Essential Eight

The ACSC Essential Eight is a set of cybersecurity guidelines that provide businesses with practical advice on how to protect their systems and data from cyber threats. The guidelines cover areas such as application whitelisting, patching applications, and restricting administrative privileges. While not mandatory, implementing the Essential Eight can help businesses improve their cybersecurity posture and protect their information from cyber attacks.

See: https://www.cyber.gov.au/acsc/view-all-content/essential-eight

Penalty updates for data security breaches

One of the Albanese Government’s first steps last year was to change the penalties for companies that fail to take adequate care of customer data.

As shared in a press release, The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 increases the maximum penalties for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of:

• $50 million;
• three times the value of any benefit obtained through the misuse of information; or
• 30 per cent of a company’s adjusted turnover in the relevant period.

The update also provides the Australian Information Commissioner with greater powers to resolve privacy breaches and quickly share information about data breaches to help protect customers.

This huge jump in the penalty amount highlights the importance of investing in cybersecurity measures for businesses of all sizes.

Data security reform in Australia

At the end of last year, the Attorney General’s department received a report reviewing the Privacy Act, following a public consultation initiated in October 2020. After conducting further reviews, it has been noted that Australia’s laws need to better align with global standards of information privacy protection.

There are now over 100 proposals to reform the Privacy Act, each of which are aimed at protecting people’s private information. These include:

• A broader definition of ‘personal information’
• A “fair and reasonable” test to underpin the collection, use and disclosure of personal information
• Companies having 72 hours to notify authorities about an eligible data breach
• Protecting people’s rights to have their personal information deleted by an entity
• Protecting people’s rights to object to their information being collected
• Greater transparency over the use of personal information in automated decision making
• The small business exemption no longer applying to businesses with a turnover of less than $3 million.

The Government is currently seeking submissions about the proposals for data security law reform, so it can take steps to amend the Privacy Act this year.

See: https://ministers.ag.gov.au/media-centre/landmark-privacy-act-review-report-released-16-02-2023

Stay informed, protect your business

Cybersecurity and the corresponding data security laws in Australia are a topic to keep your eye on in 2023. If you’d like more information about managing the risk of a cyber attack, we’re happy to have a discussion with you.

AFS & Associates are your partners in providing peace of mind. Get in touch with us and we can assist your organisation with IT risk management.