Important changes to the Privacy Act, including significantly increased penalties – so start getting ready now
Get ready for the Privacy Act changes by reviewing the level of data security you have, and your current data collection processes.
Amendments to the Privacy Act will shortly come into force, significantly increasing the penalties for serious or repeated privacy breaches and giving the Privacy Commissioner a greater range of compliance powers.
Higher penalties for privacy breaches, plus new offences
The amendments set out in the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalty that may be imposed for a serious or repeated privacy breach, as set out below:
Individuals: current maximum penalty $444,000; new maximum penalty $2.22 million.
Bodies corporate: current maximum penalty $2.5 million; new maximum penalty the greatest of:
- $50 million;
- three times the value of any benefit, directly or indirectly obtained, that is reasonably attributable to the privacy breach; or
- 30% of the entity's adjusted turnover in the relevant period.
The amendments will also:
- create a criminal offence for a body corporate to engage in a system of conduct or pattern of behaviour that results in multiple failures to give information, answer a question or produce a document or record when required (punishable by up to $66,600);
- increase the penalty that may be imposed for a failure to comply with a notice issued by the Privacy Commissioner, from $4,440 for individuals and $22,200 for bodies corporate, to $13,320 for individuals and $66,600 for bodies corporate (noting that a breach of this kind will no longer be a criminal offence). To enable the Privacy Commissioner to deal with these breaches more efficiently, the amendments also propose that the Privacy Commissioner be given the power to issue infringement notices.
New remedies and powers for the Privacy Commissioner
The amendments set out in the Bill also provide a specific power, where the Privacy Commissioner determines that an entity has breached an individual's privacy, for the Privacy Commissioner to require the entity to:
- engage a suitably qualified independent adviser to conduct a review of the entity’s acts or practices, the steps the entity has taken to ensure the privacy breach is not repeated or continued, and any other matter specified by the Commissioner that is relevant to the entity's acts or practices or to the complaint and
- publish a statement about the conduct that constituted the privacy breach, including what the conduct was and what steps the entity has taken to ensure it is not repeated.
The amendments also give the Privacy Commissioner additional powers to:
- obtain information regarding a notifiable data breach;
- share information with other Commonwealth enforcement or complaint authorities, State or Territory authorities with functions of protecting the privacy of individuals, or foreign government authorities with functions of protecting the privacy of individuals; and
- disclose information where it is in the public interest to do so.
Getting ready for stronger privacy enforcement
This is just a snapshot of the changes. We will explore in more depth the impact these amendments are likely to have on the entities who are subject to the Privacy Act, and the exercise of the Privacy Commissioner’s compliance powers, in future articles.
For now, however, in addition to reviewing the level of data security you have, start by reviewing your current data collection processes:
- determine the nature of the personal information you collect or are proposing to collect, and its level of sensitivity;
- for all personal information (but particularly personal information with a high level of sensitivity), consider whether it needs to be collected at all, or whether practices or workarounds can be put in place so that it no longer needs to be collected;
- critically review how long the personal information needs to be retained, and put in place processes (for which specific people are accountable) for it to be destroyed or de-identified once that period ends, concentrating in particular on the most sensitive data.