  • January 17, 2023
  • 5 min read

Understanding the Australia Privacy Act in 2023

John Hetherton

Head of Compliance

Categories

Compliance

Recent changes to Australia’s Privacy Act have significantly increased regulators’ powers, granting them the ability to issue some of the largest data breach fines in the world. This guide teaches you everything you need to know about the Act and what actions you may need to take to ensure you are compliant.

Australia Privacy Act Changes in Summary:

  • Australia's Privacy Act was amended in late 2022 to increase the regulator's powers and the maximum penalties for serious or repeated interferences with privacy.
  • Organizations may be liable for penalties of up to the greater of AU $50m, three times the value of any benefit obtained from the breach, or 30% of adjusted turnover over the period of the breach.
  • Organisations that carry on business in Australia are subject to the Act even where the personal information is collected or processed in another country, similar to the extraterritorial scope of the EU's GDPR.
  • Compliance with the Act includes taking reasonable steps to protect personal information, such as data encryption with strong key management.

Why was the act created?

The Privacy Act in Australia is designed to protect an individual’s privacy and personal information, regardless of where it is processed.

Its scope covers the following types of organisations:

  • The Australian Government and its agencies
  • Organisations contracted to the Australian Government
  • Businesses headquartered in Australia, and foreign businesses operating in the country, with annual turnover greater than AU $3m
  • Health service providers, regardless of turnover (hospitals, doctors' surgeries, therapists, gyms, childcare centres, schools)
  • Businesses that buy or sell personal information (data brokers)
  • Credit reporting bodies
  • Employee associations registered under the Fair Work (Registered Organisations) Act 2009
  • Accredited data recipients under the Consumer Data Right

Organisations that carry on business in Australia are subject to the Act even where the personal information is collected or processed in another country, similar to the extraterritorial scope of the EU's GDPR. Recent amendments to the Privacy Act mean that an organisation responsible for a serious or repeated interference with privacy may be liable for a penalty of up to the greater of AU $50m, three times the value of any benefit it obtained from the conduct, or 30% of its adjusted turnover over the period of the breach (for comparison, the penalty for a GDPR breach can be up to the greater of 4% of global annual turnover or €20m).

Australia Privacy Act Principles

There are 13 Australian Privacy Principles (APPs):

  1. Open and transparent management of personal information
  2. Anonymity and pseudonymity
  3. Collection of solicited personal information
  4. Dealing with unsolicited personal information
  5. Notification of the collection of personal information
  6. Use or disclosure of personal information
  7. Direct marketing
  8. Cross-border disclosure of personal information
  9. Adoption, use, or disclosure of government-related identifiers
  10. Quality of personal information
  11. Security of personal information
  12. Access to personal information
  13. Correction of personal information

While all 13 APPs must be met to be compliant, this guide focuses on APP 11 - Security of Personal Information, which says that:

“An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.”

How does the privacy act classify sensitive data?

Before we deep dive into APP 11, it is important to understand that not all information is equally important when it comes to privacy and the potential impact an unwanted disclosure may have on an individual. The Act therefore singles out a subset of personal information as sensitive information, which attracts stricter rules on collection, use and disclosure. Sensitive information covers information or an opinion about an individual's:

  • Race or ethnic origin
  • Political opinions, or membership of a political association
  • Religious beliefs or affiliations
  • Philosophical beliefs
  • Membership of a professional or trade association
  • Membership of a trade union
  • Sexual orientation or practices
  • Criminal record
  • Health, genetic and biometric information (including biometric templates)

APP 11 - Security of Personal Information requires organisations to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. The phrase "reasonable steps" is key here: what is reasonable for one organisation is not reasonable for another, because organisations vary widely by sector, size, complexity, revenue, technical capability, and the volume and types of information they process.

Every organisation is expected to understand its own context under the Privacy Act and the risk it poses to individuals based on the information it stores, processes or transmits. The bar rises where that information is sensitive information as defined above: a breach of health or biometric data is far more damaging to the individual, so the steps reasonably expected to prevent it are correspondingly stronger.

Controls employed to protect sensitive information are layered, so that the failure of any one of them does not on its own expose the data. They include:

  • Data, network, and account segmentation (separate sensitive data from less sensitive data, and ensure only the people and systems that need access have it).
  • Strong, unique passwords, or passwordless authentication where it is available.
  • Multi-factor authentication on every account that can reach sensitive data, including administrative and service accounts.
  • Fine-grained and regularly reviewed authorisation, so that access is removed when a role changes rather than accumulating over time.
  • Data encryption at rest and in transit, with robust key management: keys held separately from the data they protect, rotated, and with every use logged.

There is often a belief that implementing encryption and key management is complex, time-consuming, difficult to maintain and firmly in the realm of specialist security teams. At Evervault, we have developed a platform to make field-level encryption accessible and simple for developer and engineering teams to implement and manage.
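The encryption-and-key-management control above, worked through as an added example in Go. This is not Evervault's code or API: it assumes an in-memory key-encryption key (KEK) where a real deployment would keep that key in a KMS or HSM, and the record, the `patient-1042` identifier and the field values are constructed for the example. Each record gets its own random data-encryption key (DEK), each sensitive field is encrypted separately with AES-GCM, the DEK is stored wrapped under the KEK (envelope encryption), and the record ID and column name are passed as associated data so a ciphertext lifted from another row or column fails authentication instead of decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// KEK is the key-encryption key. In production it stays in a KMS or HSM; this example assumes an in-memory slice.
type KEK []byte

// EncryptedRecord is the persisted form: clear non-sensitive columns, one AES-GCM ciphertext per sensitive field, and the DEK wrapped under the KEK.
type EncryptedRecord struct {
	ID, Postcode string
	WrappedDEK   string            // base64(nonce || AES-GCM_KEK(DEK))
	Fields       map[string]string // field name -> base64(nonce || AES-GCM_DEK(value))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, aad, plaintext []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, aad)), nil
}

// open reverses seal and fails if the key, nonce, ciphertext, tag or aad differ.
func open(key, aad []byte, encoded string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(raw) < gcm.NonceSize() {
		return nil, errors.New("malformed ciphertext")
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], aad)
}

// fieldAAD binds a ciphertext to one record and one column, so a value copied from another row or column will not decrypt.
func fieldAAD(recordID, field string) []byte {
	return []byte("record:" + recordID + "|field:" + field)
}

// EncryptRecord generates a fresh 256-bit DEK per record, encrypts each sensitive field under it, and wraps the DEK under the KEK.
func EncryptRecord(kek KEK, id, postcode string, sensitive map[string]string) (*EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, []byte("dek:"+id), dek)
	if err != nil {
		return nil, err
	}
	rec := &EncryptedRecord{ID: id, Postcode: postcode, WrappedDEK: wrapped, Fields: map[string]string{}}
	for name, value := range sensitive {
		if rec.Fields[name], err = seal(dek, fieldAAD(id, name), []byte(value)); err != nil {
			return nil, err
		}
	}
	return rec, nil
}

// DecryptField unwraps the DEK and decrypts one field, so callers never hold the other fields in plaintext.
func DecryptField(kek KEK, rec *EncryptedRecord, field string) (string, error) {
	dek, err := open(kek, []byte("dek:"+rec.ID), rec.WrappedDEK) // fails under the wrong KEK
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := open(dek, fieldAAD(rec.ID, field), rec.Fields[field]) // fails if moved, tampered or missing
	return string(pt), err
}

func main() {
	kek := make(KEK, 32) // constructed for the example; a real KEK lives in a KMS
	rand.Read(kek)
	rec, _ := EncryptRecord(kek, "patient-1042", "3000", map[string]string{"diagnosis": "type 2 diabetes"}) // constructed data
	fmt.Printf("stored: %+v\n", *rec)
	fmt.Println(DecryptField(kek, rec, "diagnosis"))
	rec.Fields["ethnicity"] = rec.Fields["diagnosis"] // move the ciphertext to another column
	fmt.Println(DecryptField(kek, rec, "ethnicity")) // empty string plus an authentication error
}
```

The design choices map onto the controls listed above: a per-record DEK limits the blast radius of one leaked key to one record, the wrapped DEK means the database never holds a key that can decrypt anything on its own, and rotating the KEK only requires re-wrapping DEKs rather than re-encrypting every field. Anything that can call the KEK's unwrap operation can read every record, so that call is where the MFA, segmentation and access-review controls have to bite.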

Evervault has developed this guide on preparing for an encryption implementation, highlighting the key steps required. At the end of the guide, an organization will be in a strong position to understand how to implement encryption, address key data security and privacy requirements, and reduce the impact of a data breach should it occur.

How to Handle Changes to the Australia Privacy Act

The Office of the Australian Information Commissioner (OAIC) has published a set of guides to help organisations work toward their privacy compliance obligations, including guidance on what "reasonable steps" under APP 11 look like in practice. They are available on the OAIC website; check which guide is most relevant to your sector and size.

The one constant across the vast majority of privacy regulations is that encryption is key to protecting sensitive information and the rights and freedoms of the individuals whose data you hold. But implementing encryption is not a silver bullet for compliance with privacy regulations. There are usually several other procedural and technical controls that need to be addressed, and the specific requirements often differ between the jurisdictions an organisation operates in.

We’ve written a guide to the best practices for preparing your data for encryption to help you through the steps. You can also sign up for your free Evervault account to encrypt data today.
