GWI Australia

5 tips to Prepare for Privacy Law Reform


Privacy legislation reform is ongoing, and businesses must be prepared to adapt to changing regulations. After an almost four-year review process, legislation amending the Privacy Act 1988 (Cth) (Privacy Act) will go before the Federal Parliament this month and changes to Queensland’s privacy legislation come into force in July 2025.

Changes to privacy laws are inevitable; however, preparedness for the change is within your control. We have outlined our recommendations to begin your preparedness journey.

What to expect from Privacy Law Reform

While we won’t know for sure what changes will be made to the federal Privacy Act until it’s tabled, broadly, the recommendations focus on strengthening the protection of Australians’ personal information. They also increase the Office of the Australian Information Commissioner’s (OAIC) regulatory powers and suggest that inadequate privacy safeguards will be met with severe penalties.

In its response to the 2022 Privacy Act Review Report, the Australian Government ‘agreed’ with 38 of the 116 recommendations, ‘agreed in-principle’ with 68, and ‘noted’ the remaining 10. GWI outlined more information on the recommendations and what they could mean for businesses and individuals in this blog post titled “Privacy Law Reform in the Digital Era”.

Changes to the federal privacy legislation may lead to further reforms at the state and territory level. Queensland Government agencies should already be preparing for reforms that will come into effect in July 2025. The Information Privacy and Other Legislation Amendment Act 2023 (IPOLA Act) was passed by Parliament on 29 November 2023. The IPOLA Act amends Queensland’s Information Privacy Act 2009 (IP Act), Right to Information Act 2009 (RTI Act) and related provisions in other legislation. These changes include:

  • Introduction of a mandatory notification of data breach (MNDB) scheme applicable to all Queensland government agencies (delayed to 2026 for local government)
  • Adjusted definition of personal information
  • A single set of Queensland Privacy Principles (QPP)
  • Creation of a single right of access and amendment in the RTI Act, including for documents containing personal information
  • Broader control requirements for agencies, including a QPP Privacy Policy, Data Breach Policy, and publication scheme changes
  • Introduction of a response period for agencies managing privacy complaints and reforms to the processing period for access and amendment applications
  • Enhanced powers and functions for the Queensland Information Commissioner, including:
    • powers to investigate or act on its own motion in support of compliance with privacy principles and the MNDB scheme
    • power to refer documents to agencies during an RTI external review.

Our tips to prepare for privacy law reform

Take stock of what you’ve got

Gain better visibility of your collection, storage, use, disclosure, monitoring, and control of personal information within the context of the amended definition of personal information. Only retain personal information that is necessary for your business functions and activities and only keep information for the required period of time. Just because you can collect it, should you? Read more about managing information across its entire lifecycle in our blog post titled ‘Riding the next wave of information management’.

Establish robust data governance frameworks

Ensure your data governance framework and associated processes are fit-for-purpose for your organisation, program or project. This includes establishing the necessary roles and responsibilities to develop and implement the changes. This is particularly relevant for Queensland agencies that will be required to publish a Data Breach Policy and maintain a register of eligible breaches. Queensland will also introduce specific requirements for privacy complaints, including a defined response period.

Mobilise your team

Your team should see privacy as an organisation-wide priority and understand the part they need to play in achieving it. Mobilise your team with the tools and information they need to ensure ongoing privacy compliance. Queensland’s Office of the Information Commissioner (OIC) has a number of useful IPOLA Guidelines for training and awareness, while the Office of the Australian Information Commissioner (OAIC) provides privacy guidance for organisations and Australian Government agencies.

Strengthen cyber security

Conduct a cyber security review to identify and mitigate risks and gaps in your current security environment. Also, consider implementing the Australian Signals Directorate (ASD) Essential Eight Framework or obtaining other relevant security certifications such as ISO 27001.

Privacy-by-design approach

Proactively anticipate and mitigate risks to personal information across all technologies, initiatives, activities and processes as default practice – not as a separate task. If personal information will be handled in a new or different way, you may need to conduct a Privacy Impact Assessment (PIA). PIAs are an essential step to understanding the privacy risks and potential mitigations associated with an activity or initiative.

Other considerations 

It is important to always keep the interests of individuals at the heart of planning, design and implementation. Possible reforms to the federal Privacy Act include expanded individual rights, empowering individuals to have increased control over their personal information. Organisations and Australian Government agencies must consider how to respond to these expanded rights in practice.

Privacy compliance enables businesses to build trust and credibility with their customers and stakeholders. The most successful organisations recognise that privacy is a fundamental right – and reflect that in all they do.

Let GWI guide your organisation through the changes. We bring unique expertise in establishing governance frameworks, updating existing privacy and security policies, conducting Privacy Impact Assessments and upskilling teams to deliver ongoing success. Talk to us about how we can help.


Jane Brimacombe, Associate Director

Michelle Teis, Managing Partner

 
