Privacy Amendment Bill receives Royal Assent

The Privacy and Other Legislation Amendment Bill 2024 (Bill) received royal assent on 10 December 2024. The changes expand enforcement and investigative powers and introduce new tiered penalty provisions, which significantly increase the ability to investigate and penalise companies that mismanage personal information. These changes are now in force.

The relevant APP obligations are administrative in nature and are easily identified (and pursued). Breaches will be dealt with in four ways:

  1. Pursued as one of the ‘interferences with privacy’, which carry the largest penalties.

  2. Treated as standalone breaches under the new section of the Privacy Act, which attract smaller penalties.

  3. Through an infringement notice issued by the Information Commissioner, which attracts the smallest penalty.

  4. Through a discretionary compliance notice, which gives an entity practical and measurable steps to comply with its obligations. Compliance with such a notice can protect an entity from certain civil penalty orders.

Relevant APP obligations include: APP 1.3 (requirement to have an APP privacy policy); APP 1.4 (contents of an APP privacy policy); APP 2.1 (individuals may choose not to identify themselves when dealing with entities); APP 6.5 (written notice of certain uses or disclosures); APP 7.2(c) (simple means for individuals to opt out of direct marketing communications); APP 7.3(d) (requirement to draw attention to the ability to opt out of direct marketing communications); APP 7.7(a) (giving effect to a request within a reasonable period); APP 7.7(b) (notification of the source of information); and APP 13.5 (dealing with requests).

Recommended Action: Review compliance of business policies and practices with the Privacy Act.

For example, APP 11 (security of personal information) requires an APP entity to take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. The Bill will add a new APP 11.3, which provides that ‘reasonable steps’ in APP 11.1 includes ‘technical and organisational measures’. The Bill’s Explanatory Memorandum provides examples of technical measures, including protecting information through physical measures, software and hardware, encryption, strong passwords and building locks, whilst organisational measures include steps and processes that an entity should implement, such as employee training on data protection.
