BY Stephen Cavey | 7 December 2020
The Australian Federal Privacy Act 1988 (also known as the Privacy Act) and its Australian Privacy Principles (APP) were introduced in an effort to guard the privacy of individuals and promote responsible handling of personally identifiable information (PII). The Privacy Act allows individuals to see how their PII is going to be used and who it will be disclosed to. It also gives individuals the right to ask for access to their PII, appeal for corrections to their information and even request to halt direct marketing.
Australian data protection mimics other compliance laws in many ways, but there are a few key items to note. The Privacy Act has a broad definition of consent under its data protection laws, differentiating itself from other compliance laws such as the GDPR. The Privacy Act refers to two types of consent: “express” and “implied” consent. Moreover, the Privacy Act must be upheld by more than just businesses. Individuals, partnerships, unincorporated associations, non-profit organizations, and trusts may also be held accountable for abiding by the Act and its principles.
Furthermore, the Office of the Australian Information Commissioner (OAIC) can proactively investigate companies to check whether they meet compliance requirements, rather than waiting for complaints to prompt action.
Most Australian states and territories also have their own data protection legislation applicable to them, including:
The Privacy Act and APP apply to private sector entities with an annual revenue of at least $3 million AUD, and all Commonwealth Government and Australian Capital Territory Government agencies. They may also apply to small businesses (annual revenue under $3 million AUD) such as, but not limited to, private-sector health service providers, businesses that conduct transactions with PII, and credit reporting bodies.
Additionally, Australian data privacy laws apply to registered political parties and to state/territory authorities or instrumentalities. Generally, the Privacy Act applies to medium to large sized organizations carrying out business in Australia, which includes actively collecting personal information in Australia or from Australian residents, or promoting an offshore website to Australian residents.
The Australian Government is currently implementing the Consumer Data Right (CDR), which came into force in February 2020. This recent law gives consumers the right to see what data has been collected on them and the right to securely share those data points with trusted third parties.
The CDR is first being applied to the banking sector. Under the provisions of the CDR, the ‘big four’ Australian banks (Westpac Banking Corporation, Australia and New Zealand Banking Group Limited, National Australia Bank and The Commonwealth Bank of Australia) are obliged to share consumer data amongst themselves and possibly with third parties. Sharing of information is intended to promote data transparency, but also to enhance competition and encourage innovation among service providers.
The CDR is expected to eventually extend past the banking sector. It will next be applied to the retail energy sector, followed by the telecommunications industry. More industries will be brought under the CDR over time, and small businesses are generally going to be exempt from many of the CDR requirements. In the event of a data breach, the CDR gives organizations 30 days to assess the gravity of the breach before reporting it.
Compliance with Australian data protection laws begins with knowing where your personal and sensitive data resides. You need to go through an in-depth discovery process by leveraging a data discovery solution. Once you have a full understanding of what personal and sensitive data your organization is storing, you can start taking steps to ensure its protection and maintain customer trust. Ground Labs Enterprise Recon makes PII scanning efficient and simple by finding and remediating data regardless of where it is stored within your network.
Ready to take your first step in preparing your organization for Australian data protection laws? Discover Ground Labs’ PII tools and solutions by scheduling a demo with a data discovery expert today.