Greetings privacy professionals,
Well, 2018 continues to be a blockbuster year for privacy in Australia. We're only halfway through the year, and we've already seen:
• A new Australian Notifiable Data Breaches scheme.
• A new Australian Government Agencies Privacy Code for Commonwealth Government entities.
• A variation of the existing Privacy (Credit Reporting) Code 2014.
• The extraterritorial effects of the EU General Data Protection Regulation.
Many Australian privacy professionals spent much of the first few months of the year preparing for these reforms. But any hiatus was short-lived. Since then, we have seen a flurry of further reform proposals, and many of us have been tirelessly assisting organizations affected by suspected or known notifiable data breaches.
The Australian Notifiable Data Breaches scheme has been raising some interesting themes — including how best to ensure delivery of consistent information to individuals affected by a data breach involving multiple organizations (where under the scheme each can have notification obligations). The recent PageUp data incident saw this addressed through an unprecedented joint statement by the Office of the Australian Information Commissioner, iDCare and the Australian Cyber Security Centre.
Clearly, Australian organizations are struggling with data protection compliance. The results aren't too surprising given the recent introduction of both the NDB scheme and the GDPR within such a short time frame. These data security obligations may soon be more onerous for the financial services industry. The Australian Prudential Regulation Authority has released a new draft prudential standard on information security management that will require "material information security incidents" to be reported to APRA.
Turning to New Zealand, the privacy commissioner is calling for greater powers, in particular the power to issue fines. No doubt, strong penalty regimes help drive compliance. But I'm sure the breach notification scheme introduced in that same bill will help just as much. Recently, it seems organizations (and particularly boards and senior management) are increasingly as concerned about the media scrutiny and reputational consequences of a notified data breach as they are about a financial penalty.
The NZ privacy commissioner also has plenty of views on proposed developments to privacy law in New Zealand. Similar to the scheme recently introduced in Australia, the proposed law would require organizations to disclose serious data breaches to the commissioner. As set out above, one of the interesting issues to come out of the Australian NDB scheme is the process of managing multiple organizations affected by the same incident as they assess and notify the breach. Contracts entered into well before the scheme commenced are often silent on the handling of such data breach scenarios. This leaves the risk that, rather than working together to form consistent communications, the parties send different communications. That's food for thought for those with the opportunity to update contract terms ahead of the proposed New Zealand scheme.
Finally, it's also worthwhile mentioning that this year marks 30 years since the introduction of the Australian Privacy Act.
Goodbye from Australia for now.