Privacy Policy - don’t get caught out like Medibank and Optus

Meg Behl-Shanks, Lawyer • Jan 03, 2023

New legislation provides even more reasons to review your privacy policy. At Kells, our commercial team can assist with reviewing or updating an organisation’s privacy policy, or provide feedback on compliance with the Privacy Act.


High-profile data breaches with Medibank and Optus have recently brought privacy to the forefront of many individuals’ and businesses’ minds.


However, an arguably even more important reason that organisations should be considering and reviewing their privacy policies and processes is the passing of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (‘Bill’).


The Bill, which has been implemented to ‘promote the right to privacy by strengthening the protection of the law against unlawful interferences with privacy’[1], has been passed by parliament and will come into effect once it receives royal assent.


Increased penalties


Under the Bill, the maximum penalty for serious or repeated privacy breaches by a company regulated by the Privacy Act 1988 (Cth) (‘Privacy Act’) increases from the current penalty of $2.22 million, to the greater of:

  • $50 million;
  • three times the value of any benefit obtained through the misuse of information; or
  • 30% of the company's adjusted turnover in the relevant period.


In addition, the penalty for serious or repeated breaches by other entities regulated by the Privacy Act will increase from $444,000 to $2.5 million.


Enhanced enforcement powers


The Bill also amends the enforcement powers of the Australian Office of the Information Commissioner (‘Commissioner’), to provide the Commissioner with new or expanded powers.


This includes extending the application of the Privacy Act to ensure that foreign organisations that carry on business in Australia are required to meet the obligations under the Act even if those organisations do not collect or hold Australians’ information directly from a source in Australia.


The Bill also expands the Commissioner’s information sharing powers, particularly with the Australian Communications and Media Authority.


What should organisations do?


If they have not done so recently, organisations should take the time to review their privacy policies and the way they handle information.

 

As Kells have previously discussed, if an organisation is classified as a ‘Small Business’ under the Privacy Act[2], it is exempt from complying with a number of obligations under the Privacy Act. However, regardless of this, it is still best practice and beneficial for organisations to seek to comply with all the terms of the Privacy Act to try to reduce the risk of a data breach occurring.


Get in touch with our experienced commercial team for advice on your privacy policy.


[1] Privacy Legislation Amendment (Enforcement and other measures) Bill 2022 Explanatory Memorandum

[2] Privacy Act s 6D



Photo 80313091 / Privacy Policy © Rawpixelimages | Dreamstime.com
