Recent changes to Australia’s Privacy Act have significantly increased regulators’ powers, granting them the ability to issue some of the largest data breach fines in the world. This guide teaches you everything you need to know about the Act and what actions you may need to take to ensure you are compliant.
- Australia's Privacy Act has recently been amended to increase regulators' powers and fines for data breaches.
- Organizations may be liable for fines of up to AU $50m or 30% of adjusted quarterly turnover for breaches.
- All organizations processing data of Australian nationals will be subject to the Act even where information is processed in a different country, similar to the extraterritorial scope of the EU’s GDPR.
- Compliance with the Act includes taking reasonable steps to protect personal information, such as data encryption and strong key management.
Why was the act created?
The Privacy Act in Australia is designed to protect an individual’s privacy and personal information, regardless of where it is processed.
Who does it affect?
Its scope covers the following types of organisations:
- The Australian Government
- Organisations contracted to the Australian Government
- Businesses headquartered in Australia, and foreign businesses operating in the country, with turnover greater than AU $3m
- Health service providers (hospitals, doctors surgeries, therapists, gyms, childcare, schools)
- Personal data brokers
- Credit reporting bodies
- Fair Work organisations &
- Accredited Consumer Data Rights organisations
Organisations processing data of Australian nationals will be subject to the Act even where information is processed in a different country, similar to the extraterritorial scope of the EU’s GDPR. Recent amendments to the Australian Privacy Act mean those in breach of the Act may be liable for fines of up to AU $50m, or 30% of adjusted quarterly turnover, depending on the severity of the breach (for comparison, the penalty for a GDPR breach can be the greater of up to 4% of global turnover or €20m.)
What does the act say?
“An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances. “
How does the privacy act classify sensitive data?
Before we deep dive into APP-11, it is important to understand that not all information is equally important when it comes to privacy and the potential impact an unwanted disclosure of information may have on an individual. As such, the OAIC determined different classifications of personal information. Sensitive Information is the most critical and covers information or an opinion about an individual’s:
- Race or Ethnic Origin
- Political beliefs and affiliations
- Religious beliefs or affiliations
- Philosophical beliefs
- Membership of a trade union,
- Sexual orientation or practices
- Criminal Records &
- Health, Genetic and Biometric Information
App 11 - Security Of Personal Information states that organisations must take reasonable steps to prevent unauthorised disclosure of Personal Information. The phrase “reasonable steps” is key here as organisations vary widely by sector, size, complexity, revenue, technical capability, volume and types of information processed.
It is expected that every organisation understands their context considering the Privacy Act and further understands the risk they pose to the individual based on the information they store, process or transmit, particularly when the information is deemed Sensitive.
Controls employed to protect sensitive information are layered and include data, network and account segmentation (separate your sensitive data from less sensitive data, and ensure the right people have access). For those with a legitimate need, ensure that getting access to the systems and data is by means of unique user accounts with strong passwords. Other controls include multi-factor authentication, fine-grained and regularly reviewed authorisation and, critically, data encryption with robust key management.
There is often a belief that implementing encryption and key management is complex, time-consuming, difficult to maintain and firmly in the realm of specialist security teams. At Evervault, we have developed a platform to make field level encryption accessible and simple for developer and engineering teams to implement and manage.
Evervault has developed this guide on preparing for an encryption implementation, highlighting the key steps required. At the end of the guide, an organisation will be in a strong position to understand how to implement encryption, address key data security and privacy requirements, and reduce the impact of a data breach should it occur.
How to address this problem?
The Office for Australia’s Information Commissioner has published a set of guides to help companies work toward privacy compliance obligations. You can check them out here to see which one is the most relevant to you. The one constant across the vast majority of regulations is that the application of encryption is key to protecting sensitive information and the rights and freedoms of the individuals whose data you are protecting. But, implementing encryption is not a silver bullet to achieving compliance with privacy regulations. There are often several other procedural and technical controls that need to be addressed, which typically have to be derived for several jurisdictions. We’ve written a guide to the best practices for preparing your data for encryption to help you through the steps. You can also sign up for your free Evervault account to encrypt data today.