Privacy Commissioner Angelene Falk addresses IAPP Conference on 28 November 2023 with some big messages
Privacy Commissioner Angelene Falk delivered a keynote address at the Annual IAPP Australia and New Zealand Privacy Summit, where she provided an overview of her office’s priorities for the next year, including security, technology and a focus on law reform. The Commissioner emphasised the need for further development of private sector privacy practices, ending her speech with a warning for business: “If you haven’t been investing in privacy do it now.”
These comments follow the Government’s response to the Privacy Act Review Report which indicated that reform is imminent. Importantly, the Government has flagged it will move towards stronger privacy principles, upgrading our existing law to more closely align with the European Union General Data Protection Regulation (GDPR) which is widely recognised as the gold standard for privacy law. While it is preferable to maintain the Australian ‘principles based’ approach as opposed to the more ‘prescriptive’ approach adopted by the GDPR, a move towards greater accountability for organisations is welcomed.
Commissioner Falk also emphasised the need for organisations to consider the proportionality of data collection and the risks of overcollection. To address the issue of data overcollection, the Privacy Commissioner spoke to the move towards a fair and reasonable test. While this test has not been placed in the ‘agree’ category of reforms which are likely to be introduced in 2024, it has been placed in the ‘agree in principle’ category for further consultation and is flagged as a step that will significantly increase accountability for organisations and place the individual at the centre of the decision-making process. Commentators agree that whatever form this new test takes, it will significantly raise the bar in terms of organisations justifying the collection of data.
For businesses not taking privacy seriously, the Commissioner reiterated the notable increase in fines for offending organisations legislated at the end of last year. She also indicated the increase in funding provided to her office has allowed for high-level enforcement against those businesses who are not uplifting their privacy practices.
Commissioner Falk referred to the recent case of Australian Clinical Labs Limited brought in the Federal Court. She stressed the depth of evidence, including witness interviews of senior staff, and that the case had taken only 11 months to reach the Federal Court. This is a clear warning for businesses to lift their game or risk enforcement action.
Cyber security
The Commissioner also raised the issue of security and in particular the inter-relationship between good privacy practice and cyber security. She stated that privacy is at the heart of cyber security and that there is mutual reinforcement when the two practices are being well managed. The Commissioner said she is looking towards greater enforcement of APP 11 in relation to taking ‘reasonable steps’ for security including technical and organisational measures.
What now?
The upshot of this keynote address to the privacy profession was that senior levels of organisations need to give appropriate time and budget to foundational privacy issues, not only for privacy compliance but also for cyber security, and that the two are integral to and mutually enhance one another. In that respect, good privacy practices cannot be ignored.
The spectre of increased enforcement activity and increased fines means that a reassessment of current strategy is required for all organisations. The Commissioner was quite strong in saying that even organisations that are doing privacy well will need to continually lift their game.
It is time to put this in your budget for 2024 so that you are spending on prevention rather than rectification; prevention is, in the end, a much more efficient investment.