Australia’s Privacy Act: What it means for IT teams

It can sometimes seem like an overwhelming majority of Australians are happy to surrender their privacy to access the delights of Facebook, LinkedIn, Instagram, Snapchat, Twitter, YouTube, and Tinder. But regardless of their personal preferences and online behaviour, this nation’s stringent Privacy Act obliges organisations to tread carefully when it comes to collecting, storing, and updating the personal data of Australians. This requires IT staff to adapt to new data protection conditions constantly.

Understanding the law

National privacy laws began appearing some three decades ago, and Australia has been pushed towards stronger protections for its citizens again since the EU’s GDPR (General Data Protection Regulation) took effect in May 2018.

There’s a hodgepodge of state and territory legislation that affects privacy requirements, but it’s the federal Privacy Act 1988 that largely determines what privacy protections Australians do and don’t enjoy. In short, the Act requires any organisation it covers to handle personal information carefully, and it imposes stricter rules on the subset it defines as sensitive information: data about an individual’s health, racial or ethnic origin, sexual orientation, or criminal record, and their political, religious, or philosophical beliefs, among others. Financial details such as bank account numbers are personal information and must still be protected, but they are not “sensitive information” in the Act’s sense.

The Act’s Australian Privacy Principles (APPs) spell this out. Sensitive information may only be collected with the individual’s consent and where it is reasonably necessary for the organisation’s functions (APP 3). Once collected, personal information must be protected from misuse, interference, loss, and unauthorised access, modification, or disclosure (APP 11), which in practice means access is limited to those with a valid reason for it, and individuals are entitled to access their information and have it corrected if it is inaccurate (APPs 12 and 13).

The Privacy Act has also been strengthened more recently in light of the digital revolution. On 22 February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 took effect. Under the Notifiable Data Breaches scheme it created, an organisation that suffers a data breach likely to result in serious harm to the individuals concerned must notify those individuals and the Office of the Australian Information Commissioner. Failing to do so, or otherwise seriously or repeatedly interfering with privacy, can attract substantial civil penalties rather than simply a slap on the wrist.

Implementing next-level protections

Ask yourself a few questions. Does your organisation have sensitive information about its staff or customers? Tax file numbers? Bank account or credit card details? Addresses and phone numbers? Browsing histories?

If so, how confident are you that your data protection measures can withstand the kind of data breaches recently endured by well-resourced behemoths?

There’s no such thing as impregnable data protection. But, as the Office of the Australian Information Commissioner (OAIC) recommends, organisations can put a framework in place that maximises the chances that personal information will be treated respectfully and remain private.

Here is a four-step framework to guide data protections within your organisation:
1. Embed a culture of privacy that enables compliance.
For example, appoint a staff member as the Privacy Officer. Also, make sure all staff—especially IT staff—understand the importance of respecting and protecting sensitive information.

2. Establish robust and effective privacy practices, procedures, and systems.
Start by analysing the information life cycle. Then, consider whether third parties, such as contractors and service providers, have adequate data security in place.

3. Evaluate privacy practices, procedures, and systems to ensure continued effectiveness.
Don’t set and forget; be proactive in identifying emerging threats.

4. Enhance responses to privacy issues.
Don’t just do the bare legal minimum. Subscribe to alert services as part of a broader privacy protection strategy; the Australian Cyber Security Centre’s Stay Smart Online alert service, which warns of current threats and scams, is one example.

In addition to these steps, maintaining effective data security is easier in organisations that invest in quality equipment and keep it patched. Networked printers are a common blind spot: models with upgradeable firmware that can detect tampering and recover to a known-good state reduce the risk of a neglected network endpoint becoming an attacker’s route to the data that passes through it.

Adapting to the new world of privacy

Until relatively recently, most Australian citizens didn’t give much thought to data security issues. And if they did have their privacy violated due to the actions or inaction of an organisation, it wasn’t easy for them to seek redress. That nonchalant perspective on the part of the general public has now subsided, according to findings from Roy Morgan, and organisations and their IT teams need to adapt to changed attitudes and circumstances.
If it hasn’t done so already, your organisation should prioritise GDPR compliance where the GDPR applies to it, which it does if the organisation has an establishment in the EU, offers goods or services to people in the EU, or monitors their behaviour. As the OAIC points out, Australia’s Privacy Act and the EU’s GDPR share certain common requirements, notably that organisations must:

  • have a privacy-by-design approach to compliance
  • demonstrate compliance with privacy principles and obligations
  • implement transparent information-handling practices

For IT leaders worried about how compliant their organisation is, putting systems in place to ensure those three boxes can be ticked is an excellent starting point. As always, it’s also a good idea to invest in well-secured, maintainable office equipment so that a weak endpoint doesn’t become the opening that attracts bad actors.

Privacy breaches can go very wrong, very fast. But smart IT leaders focus on preventing privacy issues from blowing up rather than hoping they’ll be able to manage the fallout if things go pear-shaped.