Legal Update Alert! Changes to Privacy Law & Increase of Fines
O*NO! With all the hustle of the holiday season and new year, you may have missed the new changes made to the Australian privacy laws in December 2022. These changes come in response to the current increase in data breaches experienced across Australia, such as the high-profile Optus data breach. To avoid hefty fines and reputational damage to your agency – these are amendments you need to keep an eye out for.
Increase in fines for serious/repeated interferences with privacy
The penalties for serious or repeated interferences with privacy have been increased under the Privacy Act.
What constitutes a serious or repeated interference with someone’s privacy? According to the law these are two different concepts, and you may be found liable for the penalties under either of them. In some cases, your actions may be both serious and repeated.
A serious interference is what a reasonable person would consider to be a ‘serious’ interference – therefore, as the standards of society and people change over time, so too does what we consider ‘serious.’ Factors relevant to this include the number of people affected and whether sensitive information was involved.
A repeated interference means that you or your organisation have interfered with the privacy of an individual or multiple people on two or more occasions – whether it be because of the same actions or different ones.
Previously, the penalty for a breach of this kind by a body corporate was $2.22 million. This has now been increased to the greater of:
$50 million;
Triple the value of any benefit obtained from the contravention; or
30% of the adjusted turnover over a relevant period.
For an individual, the penalty for a serious and/or repeated interference with someone’s privacy has now increased to a maximum fine of $2.5 million. Previously this was $440,000.
Other changes made that may affect your agency:
The Commissioner now has the power to publicly disclose information if it is in the public interest to do so. In an age of increasing privacy concerns in the community, this could have serious reputational consequences for your agency. To avoid this, ensure you are handling people’s personal data with care.
When an entity faces a notifiable data breach, it is required to prepare a statement for the Commissioner. Now, this statement must also contain the particular kinds of information that were involved in the data breach. For example, previously it was enough to mention that ‘contact information’ had been breached. Now, the particular kind of contact information must be mentioned (e.g. phone number, home address).
You can now also be assessed for your ability to comply with the notifiable data breach scheme. Following this, you can also be penalised with infringement notices if you fail to provide information when you are required to. This fine is approximately $16,500 for a person and $82,500 for a body corporate.
The Commissioner can now also share information with other authorities, such as enforcement bodies, other complaint bodies, or an authority of the government, a state and/or a territory.
Your next steps
For further information or help with your privacy practices or a current privacy matter, contact O*NO Legal at [email protected] or by clicking here. You can also set up and manage your agency’s privacy needs by joining the REAL Membership where you will have access to our real estate specific privacy templates including Data Breach Response Plans and Collection Notices that are updated to comply with legal changes as they happen.
Boring legal stuff: This article is general information only and cannot be regarded as legal, financial or accounting advice as it does not take into account your personal circumstances. For tailored advice, please contact us. PS - congratulations if you have read this far, you must love legal disclaimers or are a sucker for punishment.