
Australia mulls European-style “right to be forgotten” privacy laws

The amendments are being put forward in the wake of the well-publicised data breaches in 2022, after Attorney General Mark Dreyfus brought in: “...substantial increases to penalties which I hope has sent a message to corporate Australia that they have to take more care about the privacy of Australians.”

The Bill introducing the new penalties moved quickly through Parliament as public and media outrage grew over the Optus and Medibank data breaches. The attention these two breaches attracted (above the hundreds of other data breaches reported in Australia last year alone) highlighted how the existing legislation and penalties were not “encouraging” companies to take data privacy seriously. The penalties were also out of step with public expectation, particularly among those members of the public who had to change driver’s licences, passports, passwords and bank details as a result.

Under the legislation, penalties will increase from a maximum of $2.22m for the most serious repeat offenders, to the greater of:

• $50 million;

• Three times the value of any benefit obtained through the misuse of the information; or

• 30 per cent of a company’s adjusted turnover in the relevant period.

In addition to the significantly increased penalties, the legislation also provides the Australian Information Commissioner with greater powers to investigate, resolve and share information about data breaches to help protect citizens.

Since the day the very first computers were used for business purposes, data has been seen as an asset by most companies. However, many companies don’t stop to ask the most basic of privacy questions: do we need to record and retain this information?

Apart from implementing cyber security training and having robust, regularly reviewed cyber security defences in place, hire members are encouraged to promote a healthy data security culture. A great place to start is to remember that a lot of the information you collect as a business is not yours. It belongs to someone else, and you are holding a copy, securely, only for as long as it is necessary in order to conduct your business activities. I am pretty sure I can find roughly 10 million people (the number of Australians affected by the Optus and Medibank breaches) who would agree with this statement.

Here is a quick reminder of what a good data collection policy looks like:

1. For what purpose do we need to collect the information?

2. Does the information need to be retained beyond its initial use?

3. How will it be stored securely?

4. Who needs access to the information? (Access should be restricted to only those who require the information to carry out their jobs.)

5. How will data be identified and deleted, once the need no longer exists?
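Questions 1, 2 and 5 of that checklist only protect anyone if they are turned into rules a system actually enforces. The script below is an added illustration, not part of the original article or any hire-industry tooling: it ties every stored record to a stated collection purpose, strips fields that purpose does not need (question 1), and identifies and deletes records whose retention period has lapsed (questions 2 and 5). All purposes, retention periods, allowed fields and sample records are constructed for the example; real retention periods come from the business's legal and tax obligations, not from this code.

```python
"""Purpose-bound data minimisation and retention enforcement (illustrative example).

Every value below is constructed for the example: the purposes, the retention
periods, the allowed fields and the sample customer records.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention schedule: days a record may be kept after the date it
# last served its purpose. A purpose missing from this table has no stated
# justification, so its records are treated as expired immediately.
RETENTION_DAYS = {
    "active_hire_contract": 0,   # kept only while the hire is open
    "tax_record": 7 * 365,       # constructed statutory-style period
    "marketing_consent": 2 * 365,
}

# Constructed allow-list: the only fields each purpose actually needs.
ALLOWED_FIELDS = {
    "active_hire_contract": {"name", "licence_number", "contact"},
    "tax_record": {"name", "invoice_total"},
    "marketing_consent": {"contact"},
}


@dataclass
class Record:
    record_id: str
    purpose: str
    last_used: date            # date the record last served its purpose
    open: bool = False         # True while the purpose is still active
    fields: dict = field(default_factory=dict)


def minimise(rec: Record) -> dict:
    """Return only the fields the record's stated purpose is allowed to hold."""
    allowed = ALLOWED_FIELDS.get(rec.purpose, set())
    return {k: v for k, v in rec.fields.items() if k in allowed}


def is_expired(rec: Record, today: date) -> bool:
    """True when the business no longer has a reason to hold this record."""
    if rec.open:
        return False                       # still serving its original purpose
    days = RETENTION_DAYS.get(rec.purpose)
    if days is None:
        return True                        # no stated purpose -> no reason to keep
    return today > rec.last_used + timedelta(days=days)


def purge(records, today: date):
    """Split records into (kept, deleted_ids); deleted_ids doubles as the audit trail."""
    kept, deleted = [], []
    for rec in records:
        (deleted if is_expired(rec, today) else kept).append(rec)
    return kept, [r.record_id for r in deleted]


# Constructed sample data: one record per situation the checklist asks about.
SAMPLE = [
    Record("h-1", "active_hire_contract", date(2023, 1, 10), open=True,
           fields={"name": "A. Customer", "licence_number": "LIC-000",
                   "date_of_birth": "1990-01-01"}),   # DOB not needed for the hire
    Record("h-2", "active_hire_contract", date(2022, 11, 1)),   # hire closed
    Record("t-1", "tax_record", date(2017, 6, 30)),
    Record("m-1", "marketing_consent", date(2022, 9, 1)),
    Record("x-1", "legacy_import", date(2015, 1, 1)),           # purpose never stated
]


def demo(today_iso: str = "2023-03-01"):
    """Run the schedule against the sample data; returns (kept_ids, deleted_ids)."""
    kept, deleted = purge(SAMPLE, date.fromisoformat(today_iso))
    return [r.record_id for r in kept], deleted


if __name__ == "__main__":
    kept_ids, deleted_ids = demo()
    print("minimised h-1:", minimise(SAMPLE[0]))
    print("kept:", kept_ids)
    print("deleted:", deleted_ids)
```

Run on the constructed data at 2023-03-01 the closed hire (`h-2`) and the record with no stated purpose (`x-1`) are deleted, while the open hire, the tax record and the live marketing consent are kept; the same run at 2024-07-01 also retires the tax record. The point of the design is that a record cannot be stored without naming the question-1 purpose, and that purpose alone decides which fields are kept and when the copy is destroyed.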
