Australia Privacy Act 1988 reforms & GDPR
The Australian Government is reviewing the Privacy Act 1988. The proposed reforms could affect organisations of all shapes and sizes. If you’re in charge of your organisation’s data, it’s worth finding out about:
On October 30, 2020, Australia’s federal government announced its review of the Privacy Act 1988, which regulates how Australia’s organizations manage personal data. The review is considering updating the Act’s regulatory powers and removing exemptions for certain entities.
Attorney-General Christian Porter, whose department is conducting the review, said:
“Australians are spending more and more of their time online and more of their personal information is being collected, handled and stored.
“Technology is also rapidly evolving in areas such as artificial intelligence and data analytics, which is why it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers and support the growing digital economy.”
The OAIC and its proposals
In December 2020, the Office of the Australian Information Commissioner (OAIC) published its recommendations for the Privacy Act review in a 150-page document (PDF). It wants Australia to be more in line with the rest of the world’s regulations, such as the EU’s General Data Protection Regulation (GDPR). Indeed, the paper refers to GDPR 80 times.
The OAIC wants to:
- encourage global interoperability
- enable privacy self-management
- ensure organisational accountability
- align privacy regulation with community expectations
The agency recommends introducing a “strong, fair and flexible privacy framework that prevents harm, protects fundamental human rights, and builds public trust to support a successful economy”
Issues under review
The review is looking at:
- the definition of personal information
- changing existing exemptions for small businesses and political parties
- the storing of employee records to comply with the Act
- allowing individuals to take privacy violators to court
- creating a privacy tort, which would allow individuals to sue for violations of their privacy
One particularly important reform being considered is the introduction of a “right to be erased”. This is like the “right to be forgotten” under GDPR.
Implications for your business
The OAIC recommends that all businesses and political parties should have to comply with the Privacy Act to protect individuals' personal information. (Businesses with annual revenue under AU$3 million are currently exempt, as are political parties.)
If the government accepts the OAIC’s proposals and implements them, all businesses in Australia will face much more stringent regulations, like those in Europe face with GDPR.
So, if you operate a business in Australia, you’ll need to review how you handle personal information, and your compliance with the Privacy Act.
There are two basic things you will need to do to comply with the proposed reforms:
- Ensure that your business stores all personal data securely
- Be prepared to deal with “right to erasure” requests from individuals who can legally demand that you destroy any personal information your business holds on them
You can address both of the above by reviewing and, if necessary, improving how your organisation archives its emails. Your email archive is one of your biggest repositories of personal information.
Importance of compliant email archiving
Emails contain employee data ranging from CVs and contact details to performance reviews, plus customer and supplier correspondence including personal details. And, under Australia’s regulations on email retention, your organisation is likely to have stored seven years’ worth of email.
So, it’s important to make sure your archiving solution can comply with any new privacy regulations.
This is where Cryoserver can help. Our email archiving solution, which is used by many businesses in Australia and New Zealand, is designed to meet any standard of privacy compliance in the world (as our parent company’s name promises: Forensic & Compliance Systems).
We already keep organisations across Europe compliant with GDPR, and we can do the same for yours, whatever the Privacy Act reforms have in store.
How Cryoserver can help you
Our solution stores copies of every email and attachment sent or received in a secure, tamper-evident, encrypted archive. So, if your business experiences a data loss or a cyber-attack with your Office 365 or on-premise mail server, all your email is protected. Also, you control access to all emails stored in the archive.
Right to erasure
Equally important is your ability to fulfil right-to-erasure requests, which could be necessary with the Privacy Act reforms. This will require you to delete any personal identifiable information you hold on an individual. Fortunately, Cryoserver will enable you to find and remove all the relevant data from your emails and attachments quickly and compliantly. You will even have audited proof that you’ve met the requirement.
SAR and FOI requests
Individuals have always been able to request a copy of all the data held on them by an organisation via a SAR (Subject Access Request), or FOI (Freedom of Information) request in the public sector. The Privacy Act reforms being proposed could make it easier for Australian citizens to do this. Cryoserver has been helping both public sector organisations and private companies fulfil these requests for over 15 years.
Privacy by design
When we developed Cryoserver, key considerations were the privacy and rights of end users. This is our “Privacy by design” philosophy, which is at the core of the solution. It leads to enhanced privacy options for organisations and individual employees. It enables role-based access to archived emails, audit trails at all levels, and preservation of audit trails – all overseen by employees you assign to be your archive custodians or what we call “Data Guardians”. The unalterable nature of Cryoserver creates an evidential repository, which is admissible in court. The software is designed to protect your employees’ human rights.Blog