Australia’s peak body for innovation technology, the Australian Information Industry Association (AIIA), is calling on the Albanese Government to release an exposure draft of proposed changes to the Privacy Act before the end of the year, in the wake of recent high-profile data breaches of personal information.
The process of updating the Privacy Act has been in train for almost two years. The AIIA is calling on the Government to now move to releasing an exposure draft before the end of the year for consultation, to ensure that citizen data and public trust are protected and maintained.
The AIIA believes that the Privacy Act is the appropriate legislative vehicle to deal with current data and privacy concerns and can resolve many of the questions the public is rightfully asking around retention of private data and identification documents.
When major data breaches occur or personal information becomes public, it is justified to ask whether current laws are adequate, and assessments need to distinguish between data breaches and cyber security attacks. The former can and should be dealt with by Privacy Act reforms. The new cyber security reforms for critical infrastructure only passed this year and are still being implemented by industry.
In a submission to the Privacy Act review discussion paper in December last year, the AIIA called for reforms to the Act to keep it up to date with modern technology and with changes in citizen expectations around privacy.
In particular, the AIIA asked for the small business exemption to be removed, noting that a small business can create digital services that host private financial data yet not be liable under the Act for breaches or lax controls. This view has been supported in comments this week by Information and Privacy Commissioner Angelene Falk.
AIIA CEO Simon Bush said: “The security of sensitive citizen data must be a priority wherever it lies. The time has come for small businesses to fall under the Privacy Act and we would support measures to ensure SMEs can fully comply, including additional time for compliance and education.”
The AIIA also advocates for the harmonisation of domestic data breach schemes and operational consistency with high global standards such as the General Data Protection Regulation (GDPR), including the data controller–data processor distinction.
“Bringing the concept of controllers and processors to Australia would reduce confusion, mitigate compliance burdens and, importantly, ensure the organisation that requests the personal data and controls the access rights is ultimately responsible,” Mr Bush said.
The AIIA also notes that contraventions of the Australian Privacy Principles (APPs) are already grounds for enforcement action by the Commissioner and for individuals to pursue remedies.
The AIIA also calls on the Government to clarify data retention requirements and to monitor the feasibility and effect of APP 11.2, the principle that requires entities to destroy or de-identify personal information they no longer need.
“Where data is no longer being used and is no longer required to be retained for law enforcement purposes, it should be removed or de-identified in a way that can be attested to by companies and embedded into their lifecycles,” Mr Bush said.
Australian data governance practices ought to be world-standard and focused on security culture and an uplift in capability.
“Penalties and legislative regimes have their place but must work alongside privacy-by-design, cyber security uplift and a mindset change at the company level,” Mr Bush said. “Forward-thinking businesses holding personal information are increasingly viewing data not just as an asset, but as a liability.”
“Higher-order issues around best-practice data governance are at play here. Data is difficult to hold and, as responsible stewards of citizens’ data, the Australian technology sector is mindful of its heavy responsibilities. Tech companies are committed to applying best-practice cyber security requirements and helping other sectors do the same,” Mr Bush concluded.