
The Federal Government’s long-awaited reform of Australian privacy law came into effect recently, aimed at strengthening the protection of personal data. The new regime imposes stricter requirements on how businesses handle personal information – including implications on the choice of software systems and how they are used.
This legislation, known as the Privacy and Other Legislation Amendment Bill 2024 (POLA), is expected to be the first tranche of a reform process that started eight years ago – in other words, brace for more change!
While much has been written about the many legal changes introduced by POLA, here is a guide to some of the technology implications for businesses.
Key technology impacts of the reform
- Reasonable steps: Businesses are now required to put in place ‘technical and organisational measures’ as part of the reasonable steps to protect personal data from misuse, interference and loss, as well as from unauthorised access, modification or disclosure.
- Use of AI in software: To prevent the misuse of personal data and ensure transparency in automated decision-making, the use of AI in software is now more strictly regulated.
- Disclosing data overseas: The reform regulates how Australian businesses can share data with overseas recipients, ensuring compliance with local privacy standards even when data is transferred internationally.
Disclosing data overseas
In some good news for businesses, disclosing personal information to overseas recipients could get easier with a ‘whitelist’ approach for countries with similar levels of protection as Australia. The POLA reform allows the Minister to nominate countries to the whitelist, which is expected to reduce the compliance burden on businesses disclosing data to those countries.
For example, this could apply where a business is sharing data with an offshore business partner as part of their processes.
Increasing enforcement and higher penalties
The amendments have also introduced a statutory tort of serious invasions of privacy. This means that, for the first time, individuals could have a right to sue for damages in the case of a serious invasion of privacy. Together with the regulator’s new enforcement powers, which include the prospect of very significant penalties, businesses can expect a tightening of enforcement around privacy.
The privacy regulator (OAIC) has in recent years taken legal action against a medical pathology business and Medibank in relation to privacy breaches resulting from cyber attacks. This is in addition to a finding that Bunnings breached privacy by using facial recognition technology in stores. All of this points to the Privacy Commissioner’s intent to hold businesses to higher standards around privacy.
Essential considerations when selecting software
If your business is embarking on new business software or considering replacement of an outdated system, there are critical steps to get on the right path:
- Include privacy requirements as part of your selection process
- Check that the software you’re choosing has robust security controls such as encryption, access controls, audit logs and that the software vendor conducts regular vulnerability assessments
- Just as importantly, the implementation partner must configure the software securely, such as by enabling security features and restricting access to sensitive data
- When evaluating software options with AI capabilities, consider how the software can flag automated decisions and whether these can be adequately explained in a privacy statement
- Review the software vendor’s privacy policy, data handling practices, compliance with security standards and incident response plans.
- Understand where data is stored, in what scenarios it could be accessed from overseas, and check safeguards for cross-border data transfers. For example, if your software provider’s support team is based offshore, could they access private information in your system while providing support to users?
- Consider your ongoing ability to monitor/validate your chosen software provider’s security and privacy compliance – e.g. do they submit to regular independent audits? Are they certified to a recognised standard?
- Request contractual commitments for ongoing information security and privacy compliance
These go alongside other ‘reasonable steps’ businesses should take, such as stringent technical security controls, monitoring, having an incident response plan, ongoing user education, and careful collection, retention and disposal of data, among others. All of these should be governed by a framework with clear roles and responsibilities, policies and procedures, and strong management oversight.
Many middle market businesses rely on their IT service provider to keep their systems secure, and here it’s critical to understand their capabilities, ensure responsibilities are clearly defined in the service agreement, and hold them accountable via regular reporting and reviews.
Data retention periods
Understanding how long you need to retain data is crucial. The new legislation specifies that personal data should only be kept for as long as necessary to fulfil the purpose for which it was collected.
Implementing safe data destruction
Properly removing unnecessary data from systems is vital to comply with the new standards. Here’s how to implement safe data destruction:
- Regular audits: Conduct regular audits to identify and remove outdated or unnecessary data
- Secure deletion methods: Use secure deletion methods to ensure data is permanently erased
- Compliance documentation: Maintain documentation of data destruction processes to demonstrate compliance
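The three steps above (audit, secure deletion, documentation) can be wired into one routine. The following is an added example written for this guide, not code from the article or from any particular product: it assumes a hypothetical in-memory store where each personal-data record is tagged with the purpose it was collected for and encrypted under its own key, so that "secure deletion" can be done by crypto-shredding (discarding the key and dropping the ciphertext). The retention schedule, record names and sample data are constructed for illustration, and the stream cipher is a toy used only to keep the example self-contained.

```python
"""Retention sweep with a destruction record (illustrative example).

Audit step:        find records held longer than their purpose allows.
Destruction step:  crypto-shred them (discard the per-record key, drop ciphertext).
Documentation step: return a log entry per destroyed record for compliance evidence.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple
import hashlib
import os

# Hypothetical retention schedule: collection purpose -> maximum retention in days.
# Real periods depend on the purpose, legal obligations and your own policy.
RETENTION_DAYS = {
    "order_fulfilment": 365,
    "marketing_consent": 730,
}


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256 blocks derived from key and a
    block counter. Illustrative only; use a vetted AEAD in real systems."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class Record:
    record_id: str
    purpose: str
    collected_on: date
    ciphertext: bytes
    key: Optional[bytes]  # per-record key; None once crypto-shredded


def store(record_id: str, purpose: str, collected_on: date, plaintext: bytes) -> Record:
    """Encrypt a new record under a fresh random per-record key."""
    key = os.urandom(32)
    return Record(record_id, purpose, collected_on, keystream_xor(key, plaintext), key)


def read(record: Record) -> bytes:
    """Decrypt a record; destroyed records are unrecoverable by construction."""
    if record.key is None:
        raise ValueError(f"record {record.record_id} has been destroyed")
    return keystream_xor(record.key, record.ciphertext)


def expired(record: Record, today: date) -> bool:
    """Audit check: has the record been held longer than its purpose allows?"""
    return today - record.collected_on > timedelta(days=RETENTION_DAYS[record.purpose])


def retention_sweep(records: List[Record], today: date) -> Tuple[List[Record], List[dict]]:
    """Destroy expired records and return (surviving records, destruction log)."""
    kept, log = [], []
    for r in records:
        if expired(r, today):
            r.key = None          # shred the key: ciphertext is now unrecoverable
            r.ciphertext = b""    # and drop the ciphertext itself
            log.append({
                "record_id": r.record_id,
                "purpose": r.purpose,
                "collected_on": r.collected_on.isoformat(),
                "destroyed_on": today.isoformat(),
                "method": "crypto-shred",
            })
        else:
            kept.append(r)
    return kept, log


def demo(today: date = date(2025, 6, 1)) -> Tuple[List[Record], List[dict]]:
    """Constructed sample data: two records past their retention period, one within it."""
    records = [
        store("r1", "order_fulfilment", date(2024, 1, 15), b"Jane Citizen, 1 Example St"),
        store("r2", "order_fulfilment", date(2025, 3, 1), b"John Citizen, 2 Example St"),
        store("r3", "marketing_consent", date(2022, 5, 1), b"jane@example.com opted in"),
    ]
    return retention_sweep(records, today)


if __name__ == "__main__":
    kept, log = demo()
    print("kept:", [r.record_id for r in kept])
    for entry in log:
        print("destroyed:", entry)
```

The destruction log is the piece most often missing in practice: it records what was destroyed, why it had expired and how, which is what an auditor or the regulator will ask for. In a real deployment the per-record keys would live in a key management service rather than beside the data, and the sweep would run on a schedule with its log retained separately from the data it documents.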
If you have any questions about selecting or implementing new business software or choosing an IT provider, reach out to your Pitcher Partners representative.