Privacy reform - key takeaways for directors
12 November 2024

Advances in technology have made it easier for organisations to collect large volumes of data (including personal information) and to extract insights and value from that data. However, there is a growing responsibility on directors and boards to ensure that their organisations do so in a regulatory compliant manner and with appropriate governance oversight.
To discharge their duty of care and diligence directors need to be aware of key areas of regulation that apply to the company, its operations and key risks. This was highlighted in a recent Practice Statement by the Australian Institute of Company Directors (AICD).[1] Those regulations no doubt extend to privacy laws.
This article highlights some of the key changes proposed by the Privacy and Other Legislation Amendment Bill 2024 (the Bill) and the implications for directors.
Relevant privacy reforms
While recent changes proposed by the Bill may have fallen short of implementing many of the changes proposed by the Privacy Act Review Report, they still highlight the need for directors to take an increasing role in monitoring and ensuring a company’s compliance with privacy laws. In particular:
- Adopt operational measures – businesses must take operational as well as technical measures to comply with their obligations to: (1) take reasonable steps to protect the personal information they hold from misuse, loss and unauthorised access (Australian Privacy Principle (APP) 11.1); and (2) destroy or de-identify information they no longer need (APP 11.2).
Examples of operational measures include training employees on data protection and developing standard operating procedures and policies for securing personal information.
The proposed amendment makes it clear that ensuring privacy compliance is not only IT’s responsibility, but a broader responsibility of an organisation, and one that needs to be embedded into an organisation’s structures and governance.
- Broader enforcement options – The Bill introduces a new tiered approach to civil penalties and infringement notices. This includes new tiers and civil penalties for interferences with privacy not deemed ‘serious’ and for certain breaches of a more administrative nature.
The aim of the amendments is to address the gap where the Australian Information Commissioner can only seek civil penalties for the most serious or egregious interferences with privacy. It represents a material broadening of the scope of conduct captured by the civil penalty provisions and foreshadows an increased focus by regulators on enforcing privacy compliance.
- Expanded enforcement and review powers – introduction of a range of new enforcement powers, including enhanced powers for the Office of the Australian Information Commissioner (OAIC) in relation to investigations into breaches of civil penalty provisions and expanded powers for the Federal Court of Australia (FCA) and Federal Circuit and Family Court of Australia (FCFCOA) to make a range of additional orders (e.g. for compensation).
The aim of the amendments is to ensure the OAIC has a robust regulatory framework to monitor compliance with, and enforce the protections in, the Privacy Act 1988 (Cth), and to give greater flexibility to the FCA and FCFCOA to make other appropriate orders, including orders to take steps to minimise further impacts on individuals affected by the interference with privacy.
The above amendments all point to an increased regulatory focus on privacy compliance and an enhanced ability and willingness to enforce such compliance. They are also only the initial tranche of reforms. Further changes foreshadowed in the Privacy Act Review Report, including maximum data retention periods for holding personal information, tighter requirements for notifying data breaches, and a requirement to appoint a senior employee with responsibility for privacy, are yet to make their way into legislation.
Key takeaways
With further reforms likely, directors should take the opportunity to ensure that their organisation’s leadership and governance arrangements create a culture and operating environment that values and safeguards personal information. Practically, this may mean:
- revisiting existing data collection and handling processes to ensure compliance and to safeguard against future changes and increased regulatory scrutiny
- having in place a clear data and privacy performance framework to allow the board to exercise oversight and control over how the organisation uses and manages its data. This includes ensuring that the board is regularly briefed on the risks associated with the handling of data, in particular personal information
- appointing key personnel responsible for oversight of privacy (e.g. a privacy officer) and ensuring that they report into the board, and
- reviewing technical and organisational measures currently in place to protect personal information that the organisation holds.
Further reading
You can also refer to our previous article which sets out in further detail the recently proposed privacy law changes and our article which looks at considerations for directors in relation to AI governance.
[1] Australian Institute of Company Directors, AICD Practice Statement: Director’s oversight of company compliance obligations (October 2024).