The Australian Privacy Principles (APPs), passed as part of the Privacy Act 1988, form the foundation of Australia’s personal data protection laws. Framed as a set of values, the APPs outline broad requirements for data processing in Australia, which have been further developed by a patchwork of sector-specific regulations. However, the Commonwealth Government has recently announced that a sweeping reform of the country’s data privacy and cybersecurity laws will be a priority in the near future. With the first Minister for Cybersecurity appointed in July 2022, the government is mobilizing to enact broad reforms to the personal data protection laws outlined below. Following serious data breach incidents such as the Optus breach, legislators are concentrating on a broader review of, and reforms to, the Privacy Act.
The main regulatory body that oversees the enforcement of the Privacy Act is the Office of the Australian Information Commissioner (OAIC). Organizations should also follow the activity of other sector-specific regulatory bodies such as the Australian Prudential Regulation Authority (APRA), which imposes additional information security requirements on the financial institutions, insurance companies, and credit unions under its jurisdiction.
Here are the highlights of personal data protection in Australia:
The Australian Privacy Principles require that users consent to the collection of sensitive information, defined as identifying information pertaining to the age, race, religion, or political affiliation of the subject. There are no such requirements for non-sensitive information, but as a principle only necessary information should be collected.
Consumer Data Right (CDR) data is a designation that currently applies only to certain data in the banking sector, including product information, transaction data, and personal details. However, the designation is designed to be usable by any sector and is expected to be extended to energy, telecommunications, and other industries. To transfer data designated as CDR data, data recipients must obtain consent and become accredited before they receive the data. Additionally, data holders must obtain consent either for one-time use or for a period of up to a year.
Under the Australian Privacy Principles, there are no broad requirements for data residency or cross-border data transfers in Australia. However, several industries impose sector-specific restrictions on cross-border transfers, including for healthcare data. Additionally, credit-reporting bodies may only disclose information to entities with an Australian link. When making disclosures to international entities, credit-reporting bodies must notify the data subject and remain liable for any information breaches.
As a principle, encryption is recommended and organizations are expected to take reasonable steps to maintain information security. Under the Notifiable Data Breach (NDB) scheme, companies are required to notify the Commissioner and data subjects if there is a data breach that is likely to cause serious harm to the data subject, unless the entity has taken action to remedy the breach early enough to prevent harm.
For financial data, the Australian Prudential Regulation Authority (APRA) requires that companies under its jurisdiction classify sensitive and critical data and maintain security capabilities proportional to the threats posed to that data. A company must notify APRA within 72 hours of any security breach that may have had a material impact on stakeholders. These information security requirements extend to third parties, so APRA-regulated entities should audit the information security practices of their third-party collaborators.
Currently, the maximum penalty for breaches of the Privacy Act 1988 is 2,220,000 Australian dollars, but that is expected to increase as Australia strengthens its data security laws. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 is proposing to increase the maximum penalties to whichever is the greater of:
While Australia’s personal data laws are generally permissive, there are often additional expectations in specific sectors and from certain industry regulators. Since the Australian Privacy Principles are much older than most other omnibus data protection laws, many industries have moved to update their requirements in preparation for the shift to a data-driven economy. In some cases, the broad principles outlined in the APPs are clarified by the actions of the regulatory body and by standard practice in specific sectors.
As Australia looks to bolster its cybersecurity requirements, companies should ensure that their security capabilities are proportional to the risks to their data. It is important to confirm the privacy practices of third-party collaborators before sending data to overseas entities, since organizations remain responsible for ensuring that the Australian Privacy Principles are not breached for any data sent abroad. For APRA-regulated financial entities, third parties should be closely vetted to ensure that they maintain sufficient security capabilities.
While the scope of the reforms to Australia’s privacy laws remains uncertain, an overhaul is likely on the horizon. The reforms proposed in an ongoing review of the Privacy Act 1988 mirror provisions of the GDPR and CCPA, and Australia appears set to continue moving toward the international standard for personal data protection. With uncertainty ahead, achieving GDPR compliance would be a prudent step for entities operating in Australia.