The Changing Face of Australian Privacy
It’s no secret that artificial intelligence technology is advancing at lightning speed, and the amount of data needed to fuel these systems is growing just as fast. As a result, implementing effective safeguards to protect privacy is not just important, but essential. Here’s how to get started.
Around the world, countries are revisiting their privacy frameworks to keep up with the complexities introduced by AI and other digital innovations. And in Australia, the Privacy Act is undergoing significant reforms to strengthen data protection and uphold privacy rights in a rapidly changing environment.
Navigating privacy in the age of AI
As AI continues to transform industries, it also brings some big questions around data privacy. These systems thrive on data — lots of it. But while that data helps AI make smarter decisions, it also raises eyebrows when it comes to how personal information is collected and used.
In fact, over 70% of organisations are already using AI to guide key decisions. That’s a lot of data floating around, and with it comes some real concerns, like data breaches, unauthorised usage, or even AI-driven biases.
Fortunately, AI also offers opportunities to strengthen privacy protections. From smart encryption to tools that anonymise data and keep companies compliant, technology can play a key role in safeguarding sensitive information.
And as these technologies evolve, privacy laws are playing catch-up. Take the EU’s Data Protection Directive from 1995, for example. It set the global standard for privacy for its time, but with today’s rapid technological advancements, regulations like these need regular updates to keep pace with our increasingly AI-driven world.
Understanding the Australian Privacy Act
The original Australian Privacy Act 1988 provides a comprehensive framework for the collection, use, disclosure, and management of personal information. Key components include:
- Australian Privacy Principles (APPs): These 13 principles guide the handling of personal information, emphasising transparency, anonymity, data quality, data security, and access.
- Office of the Australian Information Commissioner (OAIC): This regulatory body enforces the Privacy Act and oversees privacy practices in Australia.
- Notifiable Data Breaches (NDB) Scheme: This scheme requires organisations to notify affected individuals and the OAIC when a data breach poses a serious risk.
- Individual Rights: The Privacy Act grants individuals the right to access and correct their personal information.
- Compliance and Penalties: Non-compliance can lead to significant penalties, including fines and legal action.
Significant reforms to the Privacy Act 1988 are expected within the next twelve to eighteen months. These updates are driven by escalating security threats, with one-third of Australian consumers experiencing a data breach in the past year alone.
Additionally, 86% of Australians are calling for stricter rules and regulations regarding data management, underscoring the need for stronger privacy protections.
The upcoming reforms are designed to strengthen the current framework, adapting to new challenges and making sure personal data is well-protected. As these changes roll out, it’s important for both organisations and individuals to stay informed and ready to navigate this shifting privacy landscape.
Proposed changes to the Australian Privacy Act
In February 2023, the Attorney-General’s Department released a Privacy Act Review Report with 116 recommendations aimed at aligning Australia’s privacy laws with international standards, such as the General Data Protection Regulation (GDPR). The government agreed to many of these recommendations, with legislative changes on the horizon. Key areas of reform included:
- Broadening definitions of personal and sensitive information: The Privacy Act’s definitions will expand to include new categories, such as genomic data and possibly precise geolocation tracking. Organisations will need to update their data handling practices to comply with these new definitions.
- Increased obligations for data collectors: Organisations will face heightened responsibilities, including: 1) disclosing the types of personal information used in automated decisions and providing individuals with the right to request details on how these decisions are made, and 2) conducting Privacy Impact Assessments (PIAs) for high-risk activities to evaluate potential privacy impacts.
- Expansion of individual rights: Proposed reforms will extend individual rights, including the ‘right-to-be-forgotten’ (RTBF), which allows for the deletion of personal data. Additionally, individuals may gain a direct right of action to sue for privacy violations.
- Removing small business exemption: The government plans to eliminate the small business exemption, recognising the need for privacy protections across all sectors. With 80% of survey participants believing organisations should compensate data breach victims, it’s clear that breaches must be taken seriously.
What organisations can learn from the Australian Privacy Act
As privacy regulations evolve, how can your organisation prepare for upcoming changes while maintaining trusted customer relationships?
A key step is managing the technologies that drive these changes, especially cloud services, which are essential for handling vast amounts of data. Adopting a shared responsibility model — widely recognised as best practice by leading cloud providers — can help ensure compliance and security.
Under this model, cloud providers are responsible for securing the infrastructure, while customers are responsible for protecting the data within their cloud environment. Consider these 5 steps to navigate privacy and security within your organisation.
Step 1: Understand your data footprint
To enhance security and streamline compliance, classify data by sensitivity. This allows for the implementation of targeted security measures, making sure your organisation’s most valuable assets are protected. With Data Detect, organisations can quickly find and classify sensitive information to meet data protection laws.
Step 2: Audit and update access controls
Regularly review and adjust access permissions to minimise data exposure, reduce breach risks, and ensure that only authorised users access sensitive information. Through tools such as Security Centre, you can manage security controls, including access and permissions, all within a single view.
Step 3: De-identify data in your testing environment
Avoid using real data during testing by anonymising or pseudonymising sensitive information to reduce the risk of breaches. Data Mask helps anonymise data in Sandboxes to protect sensitive information.
Step 4: Monitor data to proactively mitigate risk
Implement monitoring, logging, and alerting systems to protect sensitive data, detect anomalies, and respond to security incidents in real time. Tracking user activity helps ensure compliance and proactively mitigate risks. Consider Event Monitoring to set up security policies, monitor user activity, and detect potential threats.
Step 5: Provide controls for consent and preference management
Respect customer preferences, comply with privacy laws, and mitigate risks by managing consent, fulfilling data subject requests, and practising data minimisation. Privacy Centre can manage and track data requests, and automatically fulfil right-to-be-forgotten (RTBF) and access requests.
Adapting to a new regulatory landscape
Salesforce integrates robust security measures across all operations, offering solutions tailored to the needs of our most security-conscious clients. We provide tools and resources to support compliance with privacy regulations specific to different regions, including Australia and Europe. By aligning with these principles, organisations can navigate the evolving privacy landscape and safeguard their operations effectively.