Why we cannot wait another 2 years to see action on Privacy Act

By Alyssa Blackburn

Just last week another two large Australian businesses were hit by a cyber attack. Latitude Group Holdings confirmed that personal information of about 328,000 customers, including copies of drivers’ licences, was stolen, while IPH Ltd (an intellectual property services provider) discovered unauthorised access to its document management systems. Data and information theft is on the rise, with a recent report from Australia’s Information Commissioner showing that between July and December 2022, data breaches were up by 26%.

While data breaches have continued to rise, the Attorney-General’s Department has been reviewing the Privacy Act 1988 to better reflect the current privacy and cyber security threat landscape. This review has taken two years and is long overdue. Australia’s Privacy Act has been outdated for years and requires a complete overhaul to be made relevant and impactful in helping to keep Australians’ data and information secure.

Currently, the review is out for comment and contains 116 recommendations to bolster Australia’s privacy regimes. Many steps remain to ensure that the desired outcomes are actually reached, and that businesses have the tools needed to implement the resulting recommendations or new requirements.

The review is an overdue first step; Australians need accelerated action

In the latter half of 2023, three of the biggest data breaches are thought to have impacted between 1 and 10 million people, which is a wide range to consider.

The Privacy Act has not kept pace with the changing technology landscape, the significant increase in the amount of personal information being captured by organisations, or the rapid shift to hybrid workplaces and digital collaboration.

The good news about the review is that it has demonstrated a significant leap forward in how we think about privacy, simply by recognising how overdue these changes are and how urgently they are needed. The review also points out that the small business, employee records, political and journalism exemptions need to be addressed in a proportionate and practical way. These are important steps forward in addressing how to effectively manage the information and data across our workplaces and economy.

The biggest challenge ahead, which cannot afford to be further deprioritised, is turning the reflections and recommendations of the review into tangible, comprehensive, and easy-to-follow actions. The government still needs to address the implementation of the review and the systemic changes required by businesses at all levels. For example, if the 116 proposals from the review are carried out, many small businesses would need to implement privacy processes and systems for the first time. Large organisations already covered under the Act will likely have to update their systems and processes to meet new requirements. For businesses of all sizes, there will need to be further changes as the definitions of personal information in the Act would change.

Realistically, if government and businesses wait another two years to implement these changes, they will only find themselves behind – again – when it comes to keeping their data secure due to the ongoing and fast pace at which we build and use technology.

Businesses will need a clear and guided path forward

While the aforementioned changes are much needed to ensure all Australian businesses are following best practice and keeping pace with the nature of information, records, and data management today, many businesses will see these changes as burdensome or confusing. The sheer volume of changes could itself become overwhelming for businesses, particularly small businesses with limited technical or operational resources. The worst case scenario would be for the proposals of the review to be carried forward and for businesses to then put their data privacy and security responsibilities in the ‘too hard basket’, only to be left with fines or warnings as well as ongoing vulnerabilities to breaches and attacks.

Furthermore, there is still a lack of clear policy or legislation regarding information retention, which has been one of the biggest issues leading to recent high-profile data breaches and cyber attacks. The Information Commissioner Angelene Falk said, ‘Organisations should take appropriate and proactive steps to protect against and respond to a range of cyber threats. This starts with collecting the minimum amount of personal information required and deleting it when it is no longer needed’.

What she says is absolutely true, but it is also true that the retention policy landscape for most organisations is confusing at best. Organisations need accessible education on why retained data presents more liabilities the longer it is kept, and clear direction on how long information should be retained and what to do with it once it is no longer needed.

As we continue to see soaring volumes of scams, continuously increasing amounts of data being collected and kept by businesses, and growing expectations among consumers that businesses will appropriately and securely manage their data, organisations of all sizes and sectors need to move quickly. While the review into the Privacy Act is good news and the recommendations coming out of it are strong, this cannot be a ‘set and forget’ exercise. It should instead be a way for the government to draw a line in the sand and drastically change the way privacy policies and legislation are updated and followed on an ongoing basis from now on. We need change sooner than ever, and will continue to need changes as the way we work, live and play also evolves.

Alyssa Blackburn is Director of Information Management at AvePoint.