How can you prepare for change? How can you start a conversation with your customers now?

Ian Welch, CIO & Director of Operations

Preparing your customers for the Privacy Act Reform: A guide against becoming the next data breach headline

Australia is on the brink of significant changes with the impending Privacy Act Reform. The role of partners in further enhancing privacy measures is now paramount, and end-customers are looking to the channel for guidance.

Attorney-General Mark Dreyfus MP said, “Australians increasingly rely on digital technologies for work, education, healthcare and daily commercial transactions and to connect with loved ones. But when they are asked to hand over their personal data they rightly expect it will be protected.”

As your value-added distributor servicing more than 8,000 IT partners and resellers Australia-wide, we have put together this guide to explore the anticipated changes, their impact on the responsibilities of IT providers, and Dicker Data’s recommended action items.

Background

The Privacy Act, enacted in 1988, has served as the cornerstone of privacy regulations in Australia. Recognising the rapid advancements in technology and the growing concerns surrounding data privacy, the Australian Government Attorney-General’s Department undertook a three-year comprehensive review of the Privacy Act. 

The review’s conclusion

Australia's privacy laws require a significant overhaul to align with the demands of the digital age, following a move already seen in many other countries. The report emphasised the strong expectation that the government will strengthen and modernise privacy laws and bolster the protection of every Australian’s personal information by ensuring that the handling of personal information is reasonable, aligns with community expectations, and is adequately shielded from unauthorised access and misuse.

The reform will give businesses greater clarity on how to protect personal information and enhance public trust in the digital economy across all sectors in Australia. Attorney-General Mark Dreyfus MP said “The government will work with the small-business sector, as well as employer and employee representatives, on enhanced privacy protections for private sector employees and for small businesses. These next steps build on legislation passed last year which significantly increased penalties for repeated or serious privacy breaches, and provided the Australian Information Commissioner with greater powers to address privacy breaches.” 

The next stage is for the Attorney-General’s Department to conduct an impact analysis and work with the community, businesses, media organisations, and government agencies to inform the development of legislation and guidance material in this term of Parliament.  

What does this mean for small and medium-sized businesses (SMBs)? Here's a look at what's changing: 

Currently, businesses with an annual turnover of $3 million or less are exempt from the Privacy Act, limiting their exposure to the penalties larger businesses face for mishandling sensitive data. Under the new reform, however, the government’s position is that small businesses can now be expected to handle sensitive data to the same standard as their larger counterparts.

This shift acknowledges that even the smallest enterprises have the potential to harm individuals by misusing or exposing personal information.

In the wake of significant privacy breaches across Australia, both SMBs and larger organisations have made news headlines, pressuring businesses to prioritise data privacy. Research by Zoho found that a quarter of Australia’s 2.5 million SMBs said they would not survive the financial and reputational damage of a privacy breach. The time to act is now, so your customers are not the next media headline.

The government, while acknowledging the need to remove the small business exemption, asserts that this won't happen without consultation, support, and a transition period. Recognising the evolving digital risks, the government aims to bridge compliance gaps, create educational materials, and ensure a smooth transition for small businesses adjusting to new privacy obligations.

The Australian Government said “At the time the Privacy Act was extended to the private sector, it was considered that most small businesses posed a low risk to privacy and that compliance costs would disproportionately and unreasonably burden small businesses. However, feedback on the report highlighted the community expects that if they provide their personal information to a small business it will be kept safe and not used in harmful ways. It is expected that the removal of the small business exemption should also be subject to an appropriate transition period to ensure small businesses are in a position to comply with new obligations.”  

The privacy reforms will complement other reforms being progressed by the Government, including Digital ID, the 2023-2030 Australian Cyber Security Strategy, the National Strategy for Identity Resilience, and Supporting Responsible AI in Australia.  

The Privacy Reforms will be progressed under the following focus areas: 

  • Bring the Privacy Act into the digital age – recognising the importance of flexibility and the public interest in protection by exploring how to apply the Act to a broader range of information and entities that handle private information.
  • Uplift protections – by holding entities accountable for handling an individual’s information in line with community expectations. Strengthen requirements for secure information handling and timely disposal. Reforms to the Notifiable Data Breaches scheme aim to minimise harms from breaches and instil organisational accountability for privacy-by-design. Introduce targeted protections for high-risk activities and vulnerable groups, including children.
  • Increase clarity and simplicity for entities and individuals – handling personal information on behalf of others. The reforms offer greater flexibility in code-making, reducing inconsistency across legal frameworks. Simplify requirements for transferring personal information overseas, especially to countries with substantially similar privacy laws.
  • Improve control and transparency for individuals over their personal information – with improved notice and consent mechanisms. The reform will explore new rights and avenues for seeking redress, including a direct right of action for individuals to apply to courts under the Privacy Act and a statutory tort for serious invasions of privacy.
  • Strengthen enforcement – powers for the OAIC (Office of the Australian Information Commissioner), broaden the scope of court orders in civil penalty proceedings, and empower courts to consider relief applications directly from individuals. Conduct a strategic review of the OAIC, assess resource needs, and explore an industry funding model and litigation funds to boost the effectiveness of Australia's privacy regulator.


Preparing for change

With impending Privacy Act reforms on the horizon, Australian SMBs must proactively evaluate their data handling practices and privacy policies. IT partners can help their customers prepare for change by conducting comprehensive privacy audits, implementing robust consent mechanisms, and bolstering cybersecurity measures. These are essential steps in adapting to the upcoming regulatory changes, and as a value-added distributor with a diverse portfolio of leading vendor solutions, Dicker Data is well-placed to support partners.

The Privacy Act Review Report highlighted that nearly nine out of 10 respondents expressed a desire for increased government legislation to safeguard their personal information.

As Australia’s leading ICT distributor representing the world’s leading vendors, Dicker Data gives its partners access to an entire network and solutions portfolio that addresses how best to tackle the different layers of privacy. This is an opportunity to start preparing you and your customers for reform.

Dicker Data's checklist on how partners can prepare for change: 

✔️ Understand the Australian Privacy Principles (APPs) and devise a compliance plan by assessing the collection, storage, and secure destruction of personal information

✔️ Conduct a thorough risk assessment to identify potential vulnerabilities using tools like Microsoft’s Compliance Manager

✔️ Develop and implement a comprehensive information security policy aligning with new reform requirements, leveraging solutions like the Veritas Data Compliance and Governance Portfolio

✔️ Monitor and respond to notifiable data breaches (NDB) by regularly monitoring computing systems and understanding reporting requirements

✔️ Ensure all employees are trained and aware of their security policy and their responsibilities

✔️ Implement strong access controls, authentication measures, and encryption of sensitive personal data

✔️ Regularly monitor and audit information security systems, establishing robust detection and incident response plans for data breaches

✔️ Ensure that all third-party service providers handling personal data are compliant with Privacy Act Reform

✔️ Appoint a Data Protection Officer to oversee compliance and to act as a point of contact for data protection authorities

✔️ Strengthen cybersecurity with a unified strategy, emphasising the need for multi-vendor solutions and layered security to address modern, complex and diverse customer environments and their unique security and privacy requirements

✔️ Implement backup and recovery solutions for data protection, considering both onsite and remote options

✔️ Utilise multi-cloud management tools for understanding data storage, protections, and sensitivity levels in diverse cloud environments

✔️ Address data protection challenges in multi-vendor ecosystems with automated data management strategies

✔️ Implement data management strategies to automate the process of regulatory compliance, ensuring they remain up to date

✔️ Embrace a hybrid approach for integration in both on-premises and cloud environments, facilitating data interchange, business agility, and compliance

The right privacy model will depend on the customers and vendors the partner works with. Dicker Data works closely with partners to ensure end-customers have bespoke privacy strategies that align with their unique environments. Now is the time to think about where customer security and privacy practices sit versus where they need to be ahead of the reform.

How to initiate a conversation with your customers

The threat landscape continues to evolve, so SMBs need to remain proactive on an ongoing basis. This framework forms an end-to-end solution in which IT professionals develop and understand their core competencies and build on their offerings by leveraging Dicker Data's distribution resources and forming partnerships with complementary vendors.

The conversation starts now - you can ask your customers: 

  1. Are you aware of the Privacy Act Reform?
  2. Are you aware of your obligations under the proposed changes to the Privacy Act?
  3. When was the last time you reviewed your privacy policy?
  4. How do you plan to review security measures currently in place and their relevancy and effectiveness in line with the reform?
  5. When was the last time you reviewed data that is no longer necessary to hold?
  6. When was the last time you cleaned out or destroyed data that is no longer necessary to hold? 

Dicker Data can help build and recommend strategies and solutions that identify, secure and safeguard critical business data to meet the new regulations. Would you like to discuss your Privacy Act readiness or Data Compliance and Governance with our data specialist? Contact sales@dickerdata.com.au

Stay tuned for updates on the finalisation and implementation of the Privacy Act reform, as it shapes the future of privacy and data protection in Australia.

Contact sales@dickerdata.com.au for all your technology needs.
