Snapshot: After another year in the spotlight, privacy and data protection is set to be an area to watch in 2016

There is no doubt that Australia's privacy laws, both Commonwealth and State, continued to be tested in 2015.

Public interest in the balance of privacy regulation versus personal freedom is not likely to wane in the coming 12 months. Cyber-security and how organisations deal with data breaches remain among the most pressing issues.

Following several high-profile privacy breaches in 2015, all businesses were again reminded that having a data breach response plan in place is essential.

You can read more about a popular toy brand's woes here and how two major retail chains were swept up in data breaches here.

2015 saw the Commonwealth Privacy Commissioner issue his first two enforceable undertakings: one to telecommunications company TeleChoice (read more here) and the other to another telco provider, Optus (click here to read our article on this).

Both the Commonwealth Privacy Commissioner and the NSW Privacy Commissioner issued guidance on privacy governance; see here and here.

And there was movement at a legislative level with the Privacy and Personal Information Protection Amendment (Exemptions Consolidation) Bill 2015 passing through both houses of the NSW Parliament. This Bill incorporates into the Privacy and Personal Information Protection Act 1998 (NSW) a number of public interest directions made by the NSW Privacy Commissioner.

Two of the main changes are to:

  • allow public sector agencies to disclose personal information to interstate persons/bodies or Commonwealth agencies for certain purposes
  • extend the meaning of investigative agency to include certain additional public sector agencies with investigative functions or that conduct investigations on behalf of other public sector agencies with investigative functions.

What's next for privacy and data protection?

The issue of mandatory notification of serious data breaches has been put under the spotlight with the release late last year of a discussion paper, consultation draft explanatory memorandum and exposure draft by the Commonwealth Attorney-General.

The draft legislation provides that notification is required when an entity has reasonable grounds to believe that a serious data breach has occurred.

However, if an entity is uncertain, it will have a period of 30 days in which to assess whether there are reasonable grounds to consider that a serious data breach has occurred, and then to make notification if it has.

In terms of when these proposed changes are likely to come into effect, the first hurdle is for the legislation to retain its form after the consultation period, open until 4 March 2016, ends.

To find out more about the proposed changes, read our recent article 'Mandatory data breach notification exposure draft legislation – Privacy Act amendments' here.
