Australia’s Upcoming Data Privacy Changes — Implications for Different Industries

Since 2020, 63% of reporting organizations have experienced a data breach in connection with remote work practices and technologies. In Australia, this surge in data privacy lapses — either through error or malicious activity — has been among the worst in countries with significant reporting data. Moreover, the high incident rate of data breaches has continued through 2022, including several notable breaches of millions of personal records from single organizations:

• Optus: Approximately 10 million customer records including home addresses, driver's licenses, and passport numbers
• Medibank: Customer information from 9.7 million accounts in a ransomware seizure
• Latitude: About 7.9 million driver’s license numbers and 53,000 passport numbers

The generally accepted cause of this trend is fairly straightforward. During the first few months of the COVID-19 pandemic in 2020, businesses around the globe rapidly implemented remote work policies to comply with public health measures. As IT teams scrambled to adopt cloud technologies to enable remote work, data privacy vulnerabilities proliferated, leading to a 400% spike in global cybercrime.

Following these continued losses to cybercrime in 2022, the Australian government has decided to respond with significant updates to the country’s existing data privacy laws. This guide provides an overview of current Australian law, incoming changes in 2023, and steps organizations should take to comply with new requirements.

Australia’s Current Data Privacy Laws

The foundation of Australia's current data privacy laws is the Privacy Act 1988. The Privacy Act outlines standards for collecting, using, and disclosing personal information, ensuring organizations and agencies maintain data protection practices. Australia’s legislature amended the Privacy Act in 2014, adding a more explicit regulatory framework of 13 Australian Privacy Principles (APPs) that apply to data handling by Australian government agencies and private sector organizations.

The APPs are:

• Open and transparent management
• Anonymity and pseudonymity
• Collection of solicited personal information
• Dealing with unsolicited personal information 
• Notification of the collection
• Use or disclosure
• Direct marketing.
• Cross-border disclosure 
• Adoption, use, or disclosure
• Quality
• Security
• Access
• Correction

While the APPs worked relatively well as privacy protections before the widespread adoption of cloud technologies — which vastly multiply remote access points for data — the recent uptick in data breaches has revealed inadequacies for today’s challenges. In the words of Australia’s Minister of Home Affairs, Claire O’Neil, Australia is “behind the eight-ball” and must “step up (the) game in Australia in terms of policy, in terms of citizens, and in terms of how we think about this problem.” 

Upcoming Changes to Australian Law

In the wake of recent data breaches, the Australian government faced mounting public pressure to revisit its privacy frameworks. The Australian Competition and Consumer Commission's Digital Platforms Inquiry was commissioned to evaluate the Privacy Act of 1988. The aim was to ascertain its aptness for the contemporary data environment.

This scrutiny culminated in the introduction of the Privacy Bill in October 2022, which proposed key amendments:

• Enhanced penalties for grave or recurring data breaches, elevating the maximum fine from AU$2.2 million to the greater of AU$50 million, 30% of a company's turnover, or three times the value the company gained from the data misuse
• Broadening the Privacy Act's jurisdiction to encompass extra-territorially qualifying foreign organizations
• Augmenting the Office of the Australian Information Commissioner's (OAIC) authority, facilitating the OAIC to obtain data from organizations, evaluate data breach adherence, collaborate with other regulatory bodies, and levy penalties for non-compliance with its directives
  
  

Additionally, New South Wales implemented the Privacy and Personal Information Protection Amendment Act 2022, which will become effective in December 2023. This regional legislation, affecting areas like Sydney and Newcastle, targets only public sector agencies and state-owned enterprises. Its provisions introduce a mandatory data breach notification scheme. Breaches — defined as unauthorized access or exposure causing potential significant harm — must be assessed and reported within a 30-day window. 

Expected Changes

Anticipating future legislative directions, the Attorney General's review of the Privacy Act in early 2022 hints at broader data privacy transformations in Australia. This review produced the Privacy Act Discussion Paper, which outlines potential legislative changes:

• An expanded definition of personal information to capture data types like biometric and location data
• Rigorous consent protocols, necessitating clear disclosure about data usage and potential implications of consent in the context of new technologies not anticipated by previous data privacy legislation
• The introduction of a "right to erasure," granting individuals the right to request data deletion
• Enhanced clarity about the Privacy Act's relevance to emergent technologies, including AI and the Internet of Things
• A drive toward linguistic simplification of the Privacy Act to enhance public understanding and compliance
• Mechanisms for individuals to pursue financial redress in instances of data mishandling

How These Changes Will Affect Banking and Mortgage Brokering

The impending modifications in Australia's data privacy legislation stand to reshape the landscape for both banking and mortgage brokering sectors. As outlined by the Australian Banking Association (ABA), while the reforms aim to increase data security and consumer empowerment, there's a potential unintended consequence. Customers might experience "consent fatigue," stemming from banks having to continuously request permissions, even for routine transactions like payments. Such incessant permissions could slow innovation, making the design of new financial products more difficult and potentially stalling crucial fraud prevention efforts.

Banks

Banks rely heavily on customer data to perform their standard operations. Customer data is necessary for evaluating creditworthiness, optimizing payment procedures, and creating tailored digital banking services. The incoming regulations — especially stringent consent protocols, data retention limits, and the introduction of the "right to erasure"  which enables individuals to request that organizations destroy or de-identify information about them — could pose challenges. There's a genuine concern that these rules might inadvertently tie banks' hands when it comes to protecting customers at risk and effectively combating cyber threats. 

Mortgage Brokers

Mortgage brokers in Australia already operate under numerous regulatory acts. These include the Personal Properties Securities Act 2009, the National Credit Act 2010, and the long-standing Privacy Act 1988. While their primary mandate is to maintain the confidentiality of client data, the anticipated legal revisions may add challenging layers of complexity. Brokers could find themselves navigating a more bottlenecked loan application process. Additionally, the amplified data privacy requirements might deter foreign organizations from investing in Australian firms, potentially affecting the broader economic ecosystem.

Why Organizations Need Modernized Data Privacy Policies

To meet the requirements of Australia’s new data privacy laws, organizations should implement clear and concise privacy policies. Here are three reasons why:

• Legal compliance: A comprehensive privacy policy ensures adherence to new legislative requirements, safeguarding against substantial penalties.  
• Building trust: An explicit policy reinforces confidence among clients and stakeholders, signaling their personal information is protected by capable, up-to-date policies.
• Navigating changes effectively: As data protection regulations intensify, having a clear policy equips organizations to adeptly navigate these shifts, reducing potential legal vulnerabilities.

How Organizations Should Prepare for Incoming Legal Changes

To prepare for compliance with the impending changes, affected organizations should:

1. Review and Update Data Policies

Ensure data breach policies align with the new mandatory breach notification scheme and publicly disclose these policies. Maintain both internal and external records of all breaches.

2. Strengthen Consent Protocols

Adopt rigorous protocols to clearly disclose data usage intentions and the implications of granting consent.

3. Implement Erasure Protocols

Introduce mechanisms for individuals to request data deletion under the "right to erasure."

4. Educate on Emerging Technologies

Understand and establish guidelines on the Privacy Act's application to emergent technologies like AI and the Internet of Things.

5. Revise Communication Strategies

Simplify language around data privacy practices and policies, ensuring accessibility and comprehension for the public and stakeholders.

Prepare for Coming Legal Changes with FileInvite

Achieving compliance with Australia's new data privacy laws demands stringent measures to protect client data. However, financial service providers shouldn’t view this process as merely a box to check. Rather, it is an opportunity for financial services organizations to develop a proactive security posture toward preventing breaches of client data — a dynamic shift comparable to the requirements of the updated FTC Safeguards Rule in the U.S.

FileInvite offers a file sharing and document collection platform tailored to maintaining compliance with upcoming legal changes and integrating them seamlessly into efficient workflows. Key features include:

• Encrypted client data: Both at rest and in transit, FileInvite ensures data security aligns with the latest global standards.
• Audit history and logs: Maintain a comprehensive record of client interactions, messages, and file transfers, facilitating audit readiness without the hassle of sifting through emails.
• Access control: Define user permissions through open or password-protected client portals. Provide audit access to all requests, messages, and files as needed.
• SOC 2 Type 2 compliance: Certifies the service provider maintains the highest information security and data privacy controls.

To learn more and request a demo, visit FileInvite today.

Related Posts:

• The Role of AML and KYC in Preventing Financial Crimes
• 5 Ways to Improve Productivity in a Distributed Workforce
• What Is the FTC Safeguards Rule and Who Does It Impact?