Australia is expected to implement substantial changes to its Privacy Act in 2024, following recommendations from the Attorney-General’s Department Privacy Act Review Report 2022. Of the 116 proposals, the Government Response indicates that the Government agrees with 38 of the proposals, agrees in principle with a further 68, and notes the remainder.
This means that the Government will likely implement privacy reforms in tranches, focusing initially on the items it has indicated it agrees with.
These changes aim to modernise data privacy regulations, making them fit for the digital age and addressing issues such as artificial intelligence (AI), automated decision-making, and protecting minors online. Businesses need to stay informed and take proactive steps to ensure compliance with the new requirements.
Below is a breakdown of the expected changes and what businesses should do to prepare.
Key Changes Expected in the Privacy Act 2024
- Security and destruction of personal information: There are concerns driven by the volume of data being handled, technological advancements, and cyber-attacks. Almost half of the respondents to the 2023 ACAP survey had been directly impacted by a data breach in the 12 months prior to completing the survey, and three-quarters of those said they had experienced some form of harm as a result. The existing security obligations should be enhanced by specifying that ‘reasonable steps’ include both technical and organisational measures.
- Civil Penalty Regime Overhaul: The 2024 updates will introduce a tiered civil penalty regime. This will categorise breaches into low, medium, and high tiers, allowing more targeted enforcement. The changes could lead to more severe penalties for high-risk data breaches, and therefore higher financial penalties for non-compliance.
- Automated Decision-Making Regulations: The new legislation will require companies to disclose how personal data is used in substantially automated decisions that have legal or significant effects on individuals. Businesses will need to provide meaningful information about how these decisions are made, adding a layer of transparency to the process. This could include decisions on the denial of consequential services or support, such as financial and lending services, housing, insurance, education enrolment, criminal justice, employment opportunities and health care services, or access to basic necessities such as food and water.
- Children’s Online Privacy Code: A new privacy code aimed at online services likely to be accessed by individuals under 18 years old is expected to be implemented. This code will provide stronger protection for minors, adding requirements for data collection and consent when handling children’s personal information, and restricting harmful marketing.
- Expanded Data Subject Rights: Data subject rights will be expanded beyond the existing rights to access and correct data. Individuals may also gain the right to erasure and to have online information de-indexed, giving them broader control over their personal information.
How can Compu-Stor help?
Many organisations are unaware of the personal data held in paper-based records and may inadvertently be reintroducing personally identifiable information into their business through unauthorised access to those records or ad-hoc scanning of copies. Once reintroduced this way, the information can be hard, if not impossible, to govern.
- Our secure storage facilities are ISO 27001 certified, with full perimeter fencing and 24/7 monitoring to manage unauthorised access.
- Our professional scanning services can facilitate the redaction or obscuring of key information such as Tax File Numbers when digitising, managing the risk at the source.
- We provide advice through our consulting services and can provide categorisation and sentencing of records, enabling businesses to destroy a record once it becomes eligible for destruction.
- Our secure destruction services include onsite bins, box destruction, and media destruction. Records are destroyed beyond reconstruction, with a certificate issued on completion.
What Businesses Should Do to Prepare
- Conduct a Data Audit: Conduct a thorough audit of the personal data your business collects, processes, and stores, both physically and electronically. Identify any unnecessary data that can be destroyed, ensure you have clear consent for all the information you hold, and strengthen security around what remains.
- Review and Update Privacy Policies: Businesses should start reviewing their existing privacy policies to ensure they comply with the new disclosure requirements. This means outlining how personal data is used, especially in any AI or automated decision-making processes that could have legal or significant impacts.
- Prepare for More Stringent Data Breach Penalties: With a tiered penalty system coming into effect, businesses should ensure they have robust data breach response plans in place. This includes conducting regular risk assessments, enhancing cybersecurity measures, and training employees to handle personal information securely.
- Strengthen Consent and Parental Controls: Companies offering online services that may be accessed by children will need to strengthen their parental consent mechanisms and ensure their data collection practices align with the upcoming Children’s Online Privacy Code. This could involve integrating stricter verification methods or limiting data collection from minors altogether.
- Implement Tools for Data Subject Requests: With the expansion of data subject rights, businesses must have systems in place to handle requests for access, requests for deletion, and the potential right to have data de-indexed. Establish a formal process to manage these requests efficiently.
You can find the official government resources relating to the 2024 reform by following this link: privacy regulations.
Compu-Stor provides a full range of secure and compliant records management and digital transformation solutions across Australia, working for both Government and Businesses.
For more information on how we can help, please contact Compu-Stor at 1300 559 778.