Why Australia needs data regulation with teeth

By Alyssa Blackburn

2022 has been a wake-up call for Australian organisations and the government alike when it comes to data protection. From Optus to Medibank and now Telstra, we’ve seen the frightening impact the leaking of personal data can have on individuals and organisations, and the very real implications for the economy and our safety more broadly.

In response, the government has rightfully revisited the Privacy Act by increasing the maximum penalty for serious or repeated privacy breaches from $A2.22 million up to $A50 million. It also strengthened the powers of the Privacy Commissioner to resolve privacy breaches, seek information about notifiable data breaches, and publish or share information about its investigations with other regulators.

Whilst this is all very welcome progress, the detail matters here. The maximum fine only applies to “serious or repeated” offences, and neither term is specifically defined in the Privacy Act. This kind of ambiguity will make the amendments significantly harder to enforce and is unlikely to have the kind of impact required.

There’s still a lot more work to be done from a regulatory standpoint before we can feel safe in the knowledge that the government has made protecting the data of Australians a real priority. This includes a holistic overhaul of the way data is captured, managed, protected and retained. 

Expansion of the Privacy Act 

Whilst the increased penalties are welcome, the Act still has a long way to go until it truly protects Australia’s data. Australia’s Privacy Act and Australian Privacy Principles no longer reflect the nature of the modern workplace or modern consumer behaviour, nor do they address the complexity and sophistication of today’s security and threat landscape.

Most importantly, it only applies to businesses with an annual turnover of more than $A3 million, leaving smaller businesses exempt. As of 2020, 98.4% of Australian businesses were considered small businesses, and the vast majority (93%) of these businesses have a turnover of less than $A2 million. These organisations hold a vast amount of data and are ripe for targeting by cybercriminals. By not expanding the Privacy Act, we are leaving the data held by millions of organisations open for the taking.

Another piece of the puzzle to remember is that the 2019 ACCC Digital Platforms Inquiry made a range of privacy-related recommendations. Aside from advocating for the strengthening of protections in the Privacy Act, it also called for broader reform of the Australian privacy law framework, the introduction of a privacy code of practice specifically for digital platforms and the introduction of a statutory tort for serious invasions of privacy. Much of this is yet to be progressed and is yet another example of stagnant leadership around data protection. 

Simplified data retention regulation

Even with boards and leadership teams taking data governance more seriously in the wake of recent breaches, current data retention regulations are either completely lacking or confusing and often contradictory, leaving organisations storing data for much longer than required. This is one of the main criticisms around the Optus breach, with customers who hadn’t engaged with the organisation in years still finding their data was compromised.

We need to see a shift towards regulating how much personal data is collected and how long it needs to be retained, as, in its current state, the regulation is highly confusing. If we limit what is considered necessary to collect and put clear rules around how long it should be kept, this will reduce the risk. This is easier said than done and requires multiple pieces of legislation to be amended, not just the Privacy Act. 

For example, certain types of data currently need to be held for over 10 years, while other types only need to be kept for two years. While government entities have clear timeframes for the retention of information, corporate entities often have to wade through multiple pieces of legislation only to find that not all their information is covered by a retention period.

There is also no limit on how long a company should maintain customer data, especially after somebody ceases to be a customer, meaning each organisation will choose its own timeframe, or follow no policy at all. This creates the perfect storm for over-retention.

In some cases, the extensive retention period set out in the regulation is unnecessary or counter-intuitive, given the added risk it creates for the business. In addition, confusion around the legislation, or the lack of it, can lead to businesses holding onto data ‘just in case’ or for longer than needed, making them more of a target and increasing the severity and impact of breaches when they do occur.

If the government wants organisations to improve their data governance, it needs to make it easy for them to do so. We need simple rules that take a targeted rather than a broad-sweeping approach to what data is or isn’t retained, so that organisations aren’t unnecessarily holding onto personal customer information.

Expansion of the Privacy Commissioner Role 

Whilst the review of the Privacy Act has given the Privacy Commissioner new powers, it has not addressed the root of the issue, which is that more resources need to be assigned to the protection of data in Australia.

Currently, there is an Information Commissioner and a Privacy Commissioner, but this isn’t enough leadership to cater to today’s digitised workplaces and consumers. The fact that both commissioner roles are currently held by the same person shows that the government is not putting enough resources into these important issues, and that the protection of consumer data specifically is slipping through the cracks.

The threats against organisations are growing by the day, and it’s near impossible, especially for SMBs, to stay across the latest threats, technology and risk mitigation strategies. Ideally, we would have individual commissioners dedicated separately to information, data, and privacy to ensure the right support and tools are in place to help local businesses and consumers keep their data secure, while also holding enterprises accountable. 

Until now, there has been little incentive for Australian organisations to invest in strong data governance. Fines, even at the recently increased level, are a relative drop in the ocean to most large organisations. What we really need is simple, expanded legislation and for the government to invest more in enforcement and education around data regulation and threats. Until then, it seems Australian organisations will continue to only act once it’s too late. 

Alyssa Blackburn is Director, Information Management at AvePoint