Powering up privacy practices: A guide for businesses

Powering up privacy practices: A guide for businesses

In our increasingly digital world, privacy has become a critical concern. With data breaches and cyberattacks on the rise, it is essential to understand Australia’s Privacy Act 1988 (Privacy Act) and your responsibilities as a business under the legislation.

The Privacy Act is a critical legal framework in Australia, and its provisions continue to evolve. Organisations should stay informed about any updates or changes to ensure compliance. Knowing privacy laws and best practices is crucial for businesses when handling customer data and safeguarding personal information.

Recent developments in privacy legislation in Australia highlight the need for proactive measures. In this article, BDO’s Forensic Services experts explore the evolving privacy landscape, helping businesses to enhance their privacy practices and meet the requirements of the Privacy Act.

The Australian Privacy Act

The Privacy Act protects individuals’ privacy and regulates how the Australian Government and organisations manage personal information. It includes 13 Australian Privacy Principles (APP) that apply to private sector organisations and most Government agencies. These principles cover collecting, using, storing, and disclosing personal information. Individuals have rights under the Privacy Act, which we set out in more detail below.

Who has rights under the Privacy Act?

The Privacy Act plays a crucial role in safeguarding individuals’ personal information. By granting greater control over how their data is managed, it empowers individuals to:

  • Know why their personal information is collected, who will have access to it and how it will be used
  • Have the option to not disclose their identification or to use a pseudonym in certain circumstances
  • Ask for access to their personal information (including health information)
  • Stop receiving unwanted direct marketing
  • Ask an organisation to correct any stored incorrect personal information
  • Make a complaint about an organisation or agency that the Privacy Act covers if the individual thinks their personal information is being mishandled.

The evolving privacy landscape

In 2023, the Australian Government released its response to the Privacy Act Review Report. The report consisted of 116 proposals, and some of the critical new measures of this discussion paper include:

  • Automated decision-making: Privacy policies will now need to outline the types of personal information used in automated decisions that could significantly affect individuals’ rights
  • Security and data destruction obligations: Existing security and data obligations will be strengthened by clarifying the reasonable steps entities must take, including technical and organisational measures. The Office of the Australian Information Commissioner (OAIC) will provide guidance on what constitutes ‘reasonable steps’
  • New direct right of action: The government has agreed, in principle, to create a direct right of action for individuals. This allows them to seek compensation through court action when they have suffered loss or damage due to a severe breach of privacy
  • New tiers of penalties: New civil penalty provisions will include a greater range of penalties for privacy interferences, including for privacy interferences that do not meet the ‘serious’ threshold and new low-level civil penalties for administrative breaches
    • Additionally, the Information Commissioner will have additional powers to investigate civil penalty provisions and conduct public inquiries and reviews with approval or direction from the Attorney-General.

These reforms aim to enhance privacy protections, provide clarity to regulated entities, and strengthen enforcement mechanisms within Australia’s privacy landscape.

Australian Privacy Principles and guidelines

Both the APPs and the APP guidelines apply to any organisation or agency the Privacy Act covers. The Privacy Act covers Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations.

The APP guidelines set out the mandatory requirements of the APPs. Below we have included a summary of the APPs, however, more information can be found on the OAIC website.

  • Transparent management: Organisations should ensure they manage personal information openly and transparently.
  • Anonymity and pseudonymity: Organisations must give individuals the option of dealing anonymously or by pseudonyms where appropriate.
  • Minimal collection: Organisations should only collect necessary personal information and avoid unnecessary data gathering.
  • Unsolicited information: If an organisation receives unsolicited information, the organisation must assess whether they could have collected it. If not, the organisation should either destroy or de-identify the information.
  • Informing customers: When collecting personal information, organisations must inform customers about the purpose behind it.
  • Limited use and disclosure: Personal information should only be used or disclosed for the intended purpose (usually, this means only for the purpose for which it was collected).
  • Direct Marketing: An organisation must not use or disclose personal information it holds for the purpose of direct marketing unless an exception applies.
  • Cross boarder disclosure: An organisation that discloses personal information to an overseas recipient is accountable for any acts or practices of the overseas recipient in relation to the information that would breach any of the APPs.
  • Government related identifiers: Organisation must not adopt, use or disclose a government related identifier unless an exception applies.
  • Accuracy and relevance: Organisations must take reasonable steps to ensure the accuracy, relevance, and completeness of personal data.
  • Security measures: Organisations should protect personal information from misuse, interference, loss and unauthorised access, modification, or disclosure.
  • Access requests: Organisations must provide their customers with access to their personal information if they request it.
  • Correction of personal information: Organisations must take reasonable steps to correct personal information it holds, to ensure it is accurate, up-to-date, complete, relevant and not misleading.

These responsibilities collectively contribute to a robust privacy framework that benefits both individuals and organisations.

Privacy key themes

As part of Privacy Awareness Week 2024, the OAIC has focused on three key themes for Australian businesses to be aware of in 2024.

  • Transparency: Effective privacy practices begin with transparency. When a business collects information from individuals, it must be forthright and open about how that information will be managed.
    • Transparency applies both within and outside an organisation, ensuring that staff members understand the parameters and requirements they work within.
    • Most critically, individuals whose information is held must be fully informed about how their data will be used and give informed consent where required.
    • If an organisation is considering doing something new, such as developing or deploying a recent technology (such as generative AI, biometrics, or a new tool) or process, it must ensure its privacy requirements are front and centre.
  • Accountability: Privacy is a fundamental human right that Australians value highly. Implementing and maintaining strong privacy practices should be the foundation of a business.
    • Cultivating a robust privacy culture across an organisation fosters trust with customers and consumers whilst safeguarding them against harm.
    • Address problems and breaches promptly, openly, and thoughtfully. Outsourcing services or activities do not absolve responsibility; vigilance is essential when using third-party providers.
    • Empower staff to be vigilant custodians of privacy in day-to-day operations and ensure that privacy is firmly on the leadership agenda.
  • Security: Bolster the security of personal information within an organisation by employing the right tools and guarding against known and emerging threats.
    • Implement robust data governance processes to protect customers’ personal information.
    • Strengthen access security and information and communication security measures, including proactive detection and response to threats (such as the growing use of credential stuffing).
    • Implement multi-factor authentication, where a verification code is required on more than one device to bolster security.

Privacy tips for your business or organisation

  • Is your organisation holding information it does not need? Map the information life cycle and ensure appropriate review, retention and destruction schedules are in place.
  • Privacy impact assessments will help you adopt a privacy-by-design approach, including when considering modern technologies.
  • Key issues to watch for are access to customer accounts through credential stuffing and compromised staff access (i.e. where a threat actor gains access to a user’s credentials or finds another way to act on their behalf). Consider implementing multi-factor authentication, where a verification code is required on more than one device
  • If you suspect a data breach, be flexible and adaptive. Where possible, take the required steps simultaneously or in quick succession.
    • When an organisation or agency the Privacy Act 1988 covers has reasonable grounds to believe an eligible data breach has occurred, they must promptly notify any individual at risk of serious harm. They must also notify the OAIC.

How BDO can support your organisation with its privacy requirements

Privacy legislation is a complex and evolving regulatory landscape. BDO’s Forensic Services team offers a full suite of services to support organisations with their privacy requirements to maintain transparency, accountability and security, now and into the future.

Disclaimer

This article has been carefully prepared, but it has been written in general terms and should be seen as broad guidance only. The article cannot be relied upon to cover specific situations and you should not act, or refrain from acting, upon the information contained therein without obtaining specific professional advice. Please contact the BDO member firms in Australia to discuss these matters in the context of your particular circumstances. BDO Australia Ltd and each BDO member firm in Australia, their partners and/or directors, employees and agents do not accept or assume any liability or duty of care for any loss arising from any action taken or not taken by anyone in reliance on the information in this publication or for any decision based on it.