[AU] Privacy Law Reform: How The Proposed Changes Affect In-house Counsel Obligations | LegalVision

Published on Aug 02, 2024

Introduction

This tutorial provides a comprehensive overview of the proposed changes to Australia’s Privacy Law and their implications for in-house counsel. It discusses key updates expected in 2024, including changes to the definition of personal information, data retention requirements, and stricter rules for reporting data breaches. By understanding these changes, legal professionals can better prepare their organizations for compliance.

Chapter 1: Privacy Law Updates

  • Background Context

    • Recent high-profile data breaches in Australia have prompted the government to revise privacy laws to enhance consumer protection.
    • The Attorney-General's Department proposed 188 changes to the Privacy Act, with 38 agreed upon in principle.
  • Key Takeaways

    • Privacy and data protection are top concerns for in-house counsel.
    • Organizations should operate under the assumption that they are considered APP entities to ensure compliance.

Chapter 2: Changes to Personal Information Definition

  • Current Definition

    • Personal information currently includes any information or opinion about an identifiable individual.
  • Expected Changes

    • The definition will broaden to include information that relates to a person regardless of whether their name is known.
    • Sensitive information may now include genomic data and information inferred from non-sensitive data.
  • Action Items

    • Review current data handling practices to ensure compliance with the new definitions.
    • Implement robust data minimization and de-identification measures.

Chapter 3: Clarified Data Retention Requirements

  • Current Obligations

    • Entities must take reasonable steps to protect personal information and destroy it when no longer needed.
  • Proposed Changes

    • Greater clarity will be provided on what constitutes “reasonable steps” for data security and destruction.
    • Media organizations will also need to comply with these requirements.
  • Action Items

    • Conduct a privacy audit to assess the types of personal information held and the duration of retention.
    • Establish clear policies to minimize data retention in line with regulatory expectations.

Chapter 4: Enhanced Privacy Protections for Individuals

  • New Rights for Consumers

    • Consumers may gain the right to request the deletion of their personal information.
    • Individuals will have enhanced transparency regarding how their information is used.
  • Action Items

    • Prepare to implement processes for responding to deletion requests.
    • Designate a privacy officer to handle access and erasure requests efficiently.

Chapter 5: Collection and Use of Personal Information

  • Current Requirements

    • Businesses must not collect personal information unless it is reasonably necessary.
  • Expected Changes

    • The standard will shift from "reasonably necessary" to a "fair and reasonable" test, requiring a more subjective assessment.
  • Action Items

    • Review existing policies around data collection to ensure compliance with the new standards.
    • Establish due diligence processes to verify the lawful collection of information from third parties.

Chapter 6: Tighter Timeframes for Reporting Data Breaches

  • Current Reporting Requirements

    • Businesses have 30 days to assess and report a data breach.
  • Proposed Changes

    • The timeframe will likely shorten to 72 hours for notifying the Privacy Commissioner and affected individuals.
  • Action Items

    • Develop and implement a data breach response plan to comply with new reporting timelines.
    • Ensure regular training and updates for the team on breach response procedures.

Chapter 7: Steps You Can Take

  • Immediate Actions

    • Conduct an audit of data and privacy processes to identify gaps and ensure compliance.
    • Plan for the necessary changes in response to the new privacy requirements.
  • Public Relations Strategy

    • Build a positive public relationship to mitigate reputational damage in case of a data breach.
  • Compliance Documentation

    • Update privacy policies and collection notices, and prepare a data breach response plan.
    • Train staff on privacy obligations and best practices for handling personal information.

Conclusion

Understanding the proposed changes to Australia’s Privacy Laws is crucial for in-house counsel to ensure compliance and protect their organizations. By taking proactive steps, such as conducting audits, updating policies, and training staff, organizations can navigate the upcoming changes effectively. Stay informed and prepared to implement these changes as they are finalized in 2024.