The Privacy and Personal Information Protection Act (PPIP) 1998 is currently going through reforms aimed at augmenting the protection of personal information and the control individuals have over their information. The changes to the act intend to strengthen privacy protection, support digital innovation, and enhance Australia’s reputation as a trusted trading partner. However, the reforms signify considerable changes for organisations in order for them to align with the Australian Privacy Principles (APPs).
WHAT YOU NEED TO KNOW
The APPs set out the obligations of organisations that collect, store, use and disclose personal information.
The federal privacy law currently applies to Australian Government agencies, businesses with an annual turnover of more than $3 million, and some other organisations.
- There is a current maximum penalty of $2.1 million for serious or repeated breaches of privacy.
- There is a newly proposed draft bill in that the maximum penalty of $2.1 million for serious or repeated breaches of privacy will increase to not more than the greater of $10 million, or three times the value of any benefit obtained through the misuse of information, or 10 per cent of the entity's annual Australian turnover.
Federal law requires these organisations to:
- Collection - Only collect personal information that is necessary for the organisation's functions or activities
- Use and disclosure - Use and disclose personal information only for the purpose for which it was collected, or a related purpose that the individual would reasonably expect
- Data quality - Take reasonable steps to ensure that personal information collected is accurate, up to date and complete
- Data security - Take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure
- Openness - Have a clearly expressed and up-to-date privacy policy outlining how the organisation manages personal information
- Access and correction - Provide individuals with access to their personal information and allow them to correct it if it is inaccurate, out-of-date or incomplete
- Identifiers - Do not adopt, use or disclose a government-related identifier unless it is required or authorised by law
- Anonymity - Allow individuals to interact anonymously, if it is practical to do so
- Transborder data flows - Take reasonable steps to ensure that personal information is protected when it is sent overseas
- Sensitive information - Obtain consent to collect sensitive information, such as health information, and only use or disclose it for a specific purpose
State and territory-based Privacy law, and changes:
Most (not all) state and territories in Australia have their own privacy laws, which apply to state and local government agencies, and some private sector organisations. These laws vary between states and territories but generally cover similar principles to the federal privacy law. It is important to note that in the event of a conflict between state and federal laws, the federal law will prevail. WA and SA don’t have specific privacy legislation and so The Privacy Act applies to them.
Here is a quick snapshot of the Privacy Laws from each State/Territory and its key requirements:
- Privacy and Personal Information Protection Act 1998 (NSW) - Collect personal information only for lawful purposes, allow individuals to access their personal information, take reasonable steps to protect personal information, only disclose personal information with consent or as required by law.
- Information Privacy Act 2009 (QLD) - Only collect personal information necessary for lawful purposes, allow individuals to access their personal information, take reasonable steps to protect personal information, only disclose personal information with consent or as required by law.
- Privacy and Data Protection Act 2014 (VIC) - Collect personal information only for lawful purposes, allow individuals to access their personal information, take reasonable steps to protect personal information, only disclose personal information with consent or as required by law.
- Information Act 2002 (NT) - Collect personal information only for lawful purposes, allow individuals to access their personal information, take reasonable steps to protect personal information, only disclose personal information with consent or as required by law.
NSW KEY-CALLOUTS:
In NSW, The PPIP Amendment Bill proposes the following key changes to the PPIP Act:
- The introduction of a MDBN scheme. The scheme will require public sector agencies to notify the NSW Privacy Commissioner and affected individuals of data breaches involving their personal or health information which are likely to result in serious harm.
- New governance requirements for public sector agencies, including obligations to prepare and publish a data breach policy, keep a register of breach notifications, establish and maintain an internal register of eligible data breaches and update Privacy Management Plans to include references to MDBN scheme obligations.
- Enhanced regulatory powers for the NSW Information Commissioner in relation to enforcement of the MDBN scheme.
- Extending the application of the PPIP Act to state-owned corporations that are not regulated by the Commonwealth Privacy Act 1988 (Cth), being:
- Transport Asset Holding Entity of NSW
- Forestry Corporation of NSW
- Hunter Water
- Port Authority of NSW
- Sydney Water
- Landcom
- Water NSW
Affected state-owned corporations may therefore need to implement internal processes to ensure they can comply with the PPIP Act as a whole, in addition to the MDBN scheme.
WHAT DOES THIS MEAN FOR YOUR ORGANISATION?
Once the changes come into effect, all agencies will be required to observe mandatory notification provisions under Part 6A of the PPIP Act. Under the MNDB Scheme, agencies will be required to:
- Urgently take all reasonable steps to contain a data breach.
- Initiate an assessment within 30 days when an eligible data breach is suspected.
- Make all reasonable attempts to mitigate damage by the suspected breach during the assessment period.
- Decide whether a beach is an eligible data breach or whether there are reasonable grounds to believe the breach is an eligible data breach.
- Notify the Privacy Commission and affected individuals of the eligible data breach.
The MNDB scheme will also require agencies to adhere to other data management requirements, including maintaining an internal data breach incident register and providing a publicly accessible data breach policy.
HOW TO PREPARE FOR THE MNDB SCHEME
There are several steps that agencies should take over the coming months in order to prepare for the MNDB scheme, including:
- Establishing Roles and Responsibilities - clear roles and responsibilities should be set out for managing a breach or suspected breach. This may include creating a data breach response team or appointing a specific staff member to lead the response.
- Review and Update Your Privacy Management Plan - agencies should review and update their plan to ensure it complies with the new section 33(2)(c1) of the act. This plan should include provisions relating to procedures and practices that ensure compliance.
- Preparing and Publishing a Data Breach Policy - agencies should prepare and publish a data breach policy to comply with section 59ZD of the act. The policy should outline how the agency will respond to a data breach, the steps it will follow if a breach occurs, and clearly outline the roles and responsibilities of staff who will be managing the breach.
- Reviewing and Updating Policies and Procedures - agencies should review and update any relevant policies and procedures so that they comply with the obligations set out under the MNDB scheme.
- Maintaining an Incident Register - under section 59ZE of the act, an internal incident register should be established and maintained to record specified information relating to eligible breaches.
- Maintaining a Public Notification Register - agencies are required to keep a public register of any notifications that fall under section 59N(2) of the act. The information should be available for at least 12 months from publication.
HOW INFOTRUST CAN HELP
As the Privacy Act will be extended to all Australian companies, preparing to comply with the PPIP Act is critical. Infotrust is perfectly placed to help you prepare for alignment with the PPIP Act, provide expert advice, and guide you through any questions you may have. Contact us today.
Stay tuned for another blog where I will be summarising the Bill proposed to change the federal Privacy Act.