In September 2023 the Australian Government published its response to the Privacy Act Review Report, outlining reforms to the Privacy Act 1988, the legislation administered by the Office of the Australian Information Commissioner (OAIC). The reforms aim to bring Australian privacy law up to date with the digital age and give individuals more control over their personal information, and they may affect your business from 2024.


Exemptions under the Privacy Act 1988 that the review revisits

  • Small business
  • Employee records
  • Political entities
  • Journalism


The key changes target:

  • Stronger consent and control: Australians would have a clearer right to opt out of direct marketing and more control over how their data is used for targeted advertising.
  • Expanded data security obligations: Organisations will need to demonstrate stronger data security measures to protect personal information.
  • Removing the small business exemption: Businesses with an annual turnover under $3 million, previously exempt, will become subject to the Privacy Act.
  • Increased enforcement powers: The OAIC will have greater ability to take action against privacy breaches.


Australian Cyber Security Strategy


Reforming Australia's privacy framework will complement other reforms being progressed by the Government, including the 2023-2030 Australian Cyber Security Strategy, Digital ID, the National Strategy for Identity Resilience, and Supporting Responsible AI in Australia.


It has been proposed that entities should be required to comply with a set of baseline privacy outcomes, aligned with relevant outcomes of the Government's 2023-2030 Australian Cyber Security Strategy.


The Australian Government agrees with Proposal 28.1 to 'Undertake further work to better facilitate the reporting processes for notifiable data breaches to assist both the OAIC and entities with multiple reporting obligations.'


Notifiable Data Breaches Scheme Review and Government Response


Most Australians see data breaches as a major privacy risk, and the Notifiable Data Breaches (NDB) scheme helps individuals protect themselves against serious harm from data breaches.

Entities are expected to be better prepared for, and to respond faster to, data breaches. The Government agrees in principle and proposes:


  • Faster notification: Notify the Information Commissioner within 72 hours of identifying an eligible data breach.
  • Improved communication: Notify affected individuals as soon as practicable; the notification may be delivered in stages if all the information is not available at once.
  • Stronger breach response: Businesses will need a plan in place to respond to breaches, including steps to reduce harm to affected individuals.
  • Information sharing: The Government may allow businesses to share information with certain organisations (such as banks) to help reduce the risk of harm from a breach.
  • Streamlined reporting: The Government is looking at ways to reduce the reporting burden for businesses with multiple reporting obligations.


Strengthening Privacy Protections and Simplifying Compliance


Individuals currently have limited ways to take action when their privacy has been breached, including in cases of serious invasions of privacy not covered by the Privacy Act. This gap underscores the need for stronger mechanisms to safeguard personal information and to give affected individuals adequate recourse.


The Notifiable Data Breaches (NDB) scheme should be both strengthened and streamlined alongside other mandatory reporting schemes. A simpler reporting process lets organisations comply with privacy regulations more effectively and protect personal data better.


Automated server hardening is particularly relevant given the call for stronger privacy enforcement and streamlined reporting requirements. Automated hardening lets organisations secure their servers and systems proactively, reducing the risk of data breaches and the privacy violations that follow from them. This approach not only helps in meeting regulatory obligations but also maintains continuous protection by keeping defensive configurations current.


More information about the Government Response to the Privacy Act Review Report can be found here.
