The Review of the Privacy Act report was provided to the Federal Attorney-General in December 2022, and he has committed to bringing forward the reforms from the review.
Updates include significantly increased fines:
- the maximum penalty for a serious or repeated breach by a body corporate will increase from the current maximum of $2.22M to the greatest of $50 million, 30% of turnover, or three times the benefit obtained from the breach.
- for individuals (ie sole traders), partnerships and other unincorporated entities, the penalty will increase from the current maximum of $440,000 to $2.5 million.
Given the highly publicised hacks in Australia in the second half of last year, we are unfortunately now more of a target than ever.
What won’t change is the reputational damage organisations suffer when a data breach occurs. That reputational cost will, in many cases, completely outweigh the fines imposed by the regulator.
A further likely change is closer consideration of privacy impacts, and more accountability (ie PIAs, see below), when introducing new technologies or changing programs in your environment.
So, is your program plan in place for 2023? We recommend the following inclusions for an effective program:
1. Ensure your privacy team is adequately resourced.
If you don’t have the staff, or your staff don’t have the time or expertise to cover the work, don’t spend the next 6 months trying to hire in a market that is currently tight for privacy professionals. Outsource the privacy tasks – there are a number of advantages to doing this.
2. Ensure your privacy team is supporting staff to run a Privacy Impact Assessment (PIA) on all new programs in your organisation.
The term “program” is broad and can include a new process, software program, service delivery program, cloud service and so on. The PIA is an in-depth look at where the risks are and how to manage those risks before implementing your new initiative.
3. Ensure you have a tested and up-to-date Data Breach Plan in place to deal with an incident.
There’s a question about this on the Vic Privacy Commissioner’s (OVIC) template for the PIA, and that’s because it’s essential. Over the past several years we’ve heard that it is “not if, when” organisations will suffer a breach. We hope that doesn’t happen, but as they say, hope is not a strategy. The Data Breach Plan will support you to be on the front foot in the event of an incident, and will also help to lift capability internally.
4. If your team don’t have the time or expertise to entirely cover the work required for your privacy program, call us on 1300 264 946.
We can assist with our outsourced privacy program which includes delivering PIAs, and developing a Data Breach Plan for you, in addition to providing a privacy resource for staff to contact.
5. Lastly, celebrate International Privacy Day with us at an IAPP (International Association of Privacy Professionals) event and help your privacy team improve their privacy networks and knowledge.
I’ve just been appointed as a Chair at the Sydney Chapter of KnowledgeNet and we are running an event on 2nd February. Please join us, it’d be great to meet you.