fbpx

Understanding the Privacy Act Review: Its Impact on Nonprofits, Medical, and Education Sectors

In February 2023, the Privacy Act Review Report was released after two years of extensive consultation and review of the Privacy Act 1988 (Cth). It included proposed reforms aimed at strengthening the protection of personal information and the control individuals have over their information.

But what does this actually mean for you?

Building on our previous discussion in the ‘Essential 8 vs. Privacy Act article’, we explore the nuances of the Privacy Act Review and its implications, particularly for the nonprofit, medical, and education sectors.

In This Article

 

What is the Privacy Act?

The Privacy Act review, initiated in Australia, was designed to update privacy laws in light of technological advancements. It focuses on data handling, individual rights, organisational accountability, and regulatory enforcement, ensuring that privacy laws stay relevant.

 

Report Definitions: “Agreed” vs “Agreed in Principle”

“Agreed” Proposals

When the government agrees to a proposal, it means that they have committed to developing legislative provisions for these measures. This agreement is more definitive, indicating a clear intention to enact the proposed changes.

“Agreed in Principle”

This indicates a provisional agreement subject to further engagement and analysis. It means that while the government supports the idea behind the proposal, it requires more detailed examination, impact analysis, and consultation with regulated entities. This is to ensure a balanced approach, considering both privacy benefits and the potential economic and regulatory impacts on entities.

 

Timeline and Next Steps

The review process involved evaluating the pros, cons, and costs of various proposals. This led to the modification of some proposals, the discontinuation of others, and the introduction of new ones. Some proposals haven’t been subject to stakeholder feedback yet and will need further discussions before they can be implemented. Considering the comprehensive steps of consultation, impact assessment, and legislative development, it’s anticipated that the actual implementation of these changes might not take place until late 2024 or later.

 

How the Privacy Act Review Affects Non-Profits

Here is a collection of principles that could impact non-profits and potential use cases:

Agreed In FullAgreed In Principle
Protection of De-identified Information (Proposal 21.4): A domestic violence support centre safeguards de-identified client data.

New Tiers of Civil Penalty Provisions (Proposal 25.1 & 25.2): A mental health service provider could face penalties for mishandling client data.

Consent for Geolocation Tracking Data (Proposal 4.10): An app by a homeless support organisation gets explicit consent for tracking location data.

Standard Contractual Clauses for Overseas Data Transfer (Proposal 23.3): Organisations ensure the protection of sensitive data when sharing with international partners.

Sensitive Information: Support services dealing with genetic disorders must ensure robust consent processes and secure data handling.

Fair and Reasonable Information Handling: Charities must ensure the fair use of personal stories and data in campaigns.

Vulnerability Protections: Services supporting vulnerable groups like domestic violence survivors must handle data with additional care.

Organisational Accountability: A privacy officer is needed to ensure data protection and handle privacy inquiries or complaints.

 

How the Privacy Act Review Affects the Medical Industry

Here is a collection of principles that could impact medical and healthcare organisations and potential use cases:

Agreed In FullAgreed In Principle
Purpose Identification for Consent (Proposals 14.2 & 14.3): A clinic must transparently state why it’s collecting patient data, such as for treatment, billing, or sharing with specialists.

Amendment to Objects of the Act (Proposals 3.1 & 3.2): Healthcare providers must balance patient care with the individual’s right to privacy.

Protection of De-identified Information (Proposal 21.4): Hospitals protect de-identified patient data from potential misuse or re-identification.

Enhanced OAIC Guidance for Data Destruction and De-identification (Proposal 21.5): Medical practices follow detailed guidelines for destroying or de-identifying patient health records.

New Tiers of Civil Penalty Provisions (Proposal 25.1 & 25.2): Clinics could face penalties for improper handling of patient data or administrative breaches.

Consent for Geolocation Tracking Data (Proposal 4.10): Healthcare apps require explicit consent from users before tracking their precise location data.

Emergency Declarations and Information Disclosure (Proposal 5.4 & 5.5): In health crises, hospitals may need to disclose patient information to state authorities under emergency declarations.

Standard Contractual Clauses for Overseas Data Transfer (Proposal 23.3): Medical research institutes use standard contractual clauses when sharing patient data overseas.

Requirement for Redress in Privacy Breaches (Proposal 25.5 & 25.6): Healthcare facilities must provide redress for harm caused by data breaches, including mitigating any potential damage.

Clarification of Personal Information: Hospitals must consider data like IP addresses from online consultations as personal information.

Sensitive Information: Genetic testing labs must implement heightened security measures, like encryption and strict access controls, for genomic data.

Small Business Exemption Removal: Small clinics will now need comprehensive privacy policies and data protection practices.

Fair and Reasonable Information Handling: Patient data used for research must be transparent and within ethical guidelines.

Enhanced Data Breach Obligations: Hospitals must report breaches within 72 hours to authorities and affected patients.

Organisational Accountability: A privacy officer in a healthcare provider must oversee data handling and staff training on privacy policies.

High Privacy Risk Activities: New patient data systems require Privacy Impact Assessments before use.

Automated Decision-Making (ADM) Policies: Telehealth apps using ADM must clearly disclose how decisions impact patient care.

Direct Marketing, Targeting, and Trading: Pharmaceutical companies must comply with strict rules for marketing based on healthcare professionals’ data.

Children’s Privacy: Paediatric services must ensure digital platforms comply with new rules on children’s data.

Vulnerability Protections: Hospitals need extra data protection measures for patients with mental health issues eg: encryption

Simplification of Terms and Obligations: Healthcare IT providers need clear distinctions in their roles as data processors or controllers.

Overseas Data Flow Regulations: Research firms must use standard contractual clauses for international data sharing.

Expanded Individual Rights: Patients can ask hospitals to delete or explain the use of their medical records.

 

How the Privacy Act Review Affects the Education Sector

Here is a collection of principles that could impact the education sector and potential use cases:

Agreed In FullAgreed In Principle
Purpose Identification for Consent (Proposals 14.2 & 14.3): A high school clearly states why it’s collecting personal information, like health records or educational support services.

Amendment to Objects of the Act (Proposals 3.1 & 3.2): A primary school ensures the protection of student and parent information, aligning educational needs with privacy rights.

Enhanced OAIC Guidance for Data Destruction and De-identification (Proposal 21.5): Schools adhere to guidelines on securely destroying or de-identifying records, such as counselling notes.

Emergency Declarations and Information Disclosure (Proposal 5.4 & 5.5): Schools may disclose student information to authorities in emergencies under specific conditions.

Requirement for Redress in Privacy Breaches (Proposal 25.5 & 25.6): Schools are required to identify, mitigate, and provide remedies for any harm caused by a data breach.

Clarification of Personal Information: Schools handling online learning data must treat technical details, such as login information, as personal information.

Small Business Exemption Removal: Small tutoring services must ensure compliance with the Privacy Act, including data protection and breach notification.

Enhanced Data Breach Obligations: Schools must rapidly inform parents and authorities of any data breaches, adhering to the 72-hour notification rule.

High Privacy Risk Activities: Schools implementing student tracking systems must evaluate privacy risks beforehand.

Automated Decision-Making (ADM) Policies: Learning platforms using ADM for student paths need transparent data use policies.

Direct Marketing, Targeting, and Trading: Educational apps must adhere to new regulations on targeted advertising to students.

Children’s Privacy: Schools need to safeguard children’s data on educational platforms, avoiding improper collection or use.

Simplification of Terms and Obligations: Educational software companies must understand their data handling roles when providing services to schools.

Overseas Data Flow Regulations: Universities collaborating internationally must ensure appropriate data transfer agreements.

Expanded Individual Rights: Parents and students can request schools to delete or detail the use of their personal data.

 

Where to from here?

Understanding these changes and preparing for their implementation is crucial for non-profits, healthcare providers, and educational institutions. The Privacy Act also plays a vital role in cyber security, but it’s not often discussed as part of a robust cyber security strategy,

Unlike others who solely focus on the Australian Cyber Security Centre’s Essential 8 framework, our cyber security solution, CyberShield, goes above and beyond that framework. CyberShield is a unique offering focused on compliance and governance measures, coupled with robust security tools and managed IT Services. The solution is also tailored according to your industry requirements.

Discuss your industry requirements with our experts and book a consultation with the ADITS team today. Whether you’re in Brisbane, Townsville, or anywhere across Queensland, we’re here to provide tailored IT and cyber security solutions to meet your unique needs. Let’s work together to secure your organisation’s future.

CONTACT US

 

C-Suite & Board Training: Because it all starts at the top!

Take your first step towards a stronger, more secure and compliant business by registering your interest for our half-day certified C-Suite & Board training. We’ll cover:

  • Data security and privacy compliance
  • Potential risks to your business and how to address them
  • Personal liabilities
  • Reporting
  • Crisis management recommendations
  • Best practices for policies and procedures
  • And more!

 

Register Your Interest

Navigating Cyber Security Compliance and Regulations: Essential 8 vs. Privacy Act

The ASD Cyber Threat Report 2022-2023 released mid-November 2023 highlights alarming results. It reveals that:

  • The number of cybercrime reports has increased by 23%
  • The average cybercrime cost per report is up 14%

Cybercriminals were described as adversaries who show “persistence and tenacity” and “constantly test vulnerabilities in Australia’s cyber ecosystem and employ a range of techniques to evade Australia’s cyber defences.”

As an authorised Australian Government framework, the Essential Eight were of course among the measures suggested in the report to be implemented. We’ll start off by reviewing the Essential Eight and then delve into a framework that is less talked about but is actually mandatory for most Australian organisations – the Privacy Act.

 

The Essential 8 is a Good Foundation (But Not the Finish Line)

The Essential Eight is a set of controls prescribed by the Australian Cyber Security Centre (ACSC) to protect organisations from cyber threats and attempts to compromise the personal information of their customers and stakeholders.

The eight strategies are:

  • Application control – restricting the use of unapproved software
  • Patching applications – updating software to fix vulnerabilities
  • Configuring Microsoft Office macro settings – disabling/limiting macros from running malicious code
  • User application hardening – disabling exploitable features (e.g., web browser plug-ins)
  • Restricting administrative privileges – limiting the number of users who can perform high-risk actions
  • Patching operating systems – updating the system software to fix security vulnerabilities
  • Multi-factor authentication – requiring an additional security layer to verify a user’s identity
  • Daily backups – creating copies of important data and storing them securely

The ACSC has developed a security model from 0 to 3 for each of these strategies. An organisation with a maturity level 0 has not achieved any of the requirements. A level 3 means the organisation has achieved a high level of maturity. A common misconception is that organisations must achieve level 3 to be compliant. On the contrary, organisations can adopt the maturity level they need, depending on their vulnerabilities to cyber threats.

The Essential Eight cyber security risk mitigation are baseline strategies, and implementing them is the minimum expected from organisations. They are foundational and highly recommended, but your cyber security efforts should not stop there.

 

The Privacy Act: Mandatory for Data Protection

In its latest report, the Australian Signals Directorate (ASD) urges businesses to ensure resistance to cyber threats and go beyond the Essential Eight.

Say hello to the Privacy Act 1988.

Whilst the Essential Eight is one of the most well-known frameworks in Australia, its strategies are actually not mandatory. In contrary, the Privacy Act is less mentioned but most Australian organisations handling personal information must comply with it.

The organisations covered by the Privacy Act have an annual turnover greater than $3 million* OR are:

  • An Australian Government agency;
  • Private sector health service providers including private hospitals, therapists, gyms and child care centres;
  • Not-for-profit organisations;
  • Businesses that sell or purchase personal information;
  • A credit reporting body;
  • A contracted service provider for an Australian Government contract;
  • A business that holds accreditation under the Consumer Data Right System; and
  • A business that is related to a business that is covered by the Privacy Act.

*Note: Following the Privacy Act review in September 2023, one of the ‘Agreed in Principle’ proposals was the abolishment of the small business ($3m) exemption. Learn more.

 

The Privacy Principles

The Privacy Act includes 13 Australian Privacy Principles (APPs) that organisations must comply with, so you should be careful of the financial risks if you were to be assessed by the government. Meanwhile, whilst the Essential Eight are not mandatory, being non-compliant with some of those steps could lead to legal actions under the Privacy Act.

In short, the Essential Eight and the Privacy Act are both vital to IT security and data protection – but let’s look at the Privacy Act in more detail. The law regulates how personal information is handled by organisations and agencies. Below is an overview of the APPs which set the standards, rights, and obligations for collecting, using, disclosing, storing, securing, and accessing personal information.

PrincipleTitleSummary
APP 1Open & Transparent Management of Personal InformationAPP entities must have a privacy policy and handle personal information lawfully and fairly.
APP 2Anonymity & PseudonymityIndividuals must have the option to not identify themselves or use a pseudonym when dealing with APP entities, unless impracticable or unlawful.
APP 3Collection of Solicited Personal InformationAPP entities must only collect personal information that is reasonably necessary or directly related to their functions or activities and do so by lawful and fair means.
APP 4Dealing With Unsolicited Personal InformationAPP entities must determine whether they could have collected the personal information under APP 3 and, if not, destroy or de-identify it as soon as practicable.
APP 5Notification of the Collection of Personal InformationAn APP entity that collects personal information must tell an individual about certain matters under certain circumstances.
APP 6Use or Disclosure of Personal InformationAPP entities must only use or disclose personal information for the purpose for which it was collected unless the individual consents or an exception applies.
APP 7Direct MarketingAn organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
APP 8Cross-Border Disclosure of Personal InformationOutlines what an APP entity must do to protect personal information before it is disclosed overseas.
APP 9Adoption, Use or Disclosure of Government Related IdentifiersAPP entities must not adopt, use or disclose a government-related identifier of an individual, unless the identifier is prescribed by law, or an exception applies.
APP 10Quality of Personal InformationAn APP entity must take reasonable steps to ensure that the personal information they collect, use, or disclose is accurate, up-to-date, complete, and relevant.
APP 11Security of Personal InformationAPP entities must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure, and to destroy or de-identify personal information when it is no longer needed.
APP 12Access to Personal InformationAn APP entity must give individuals access to their personal information on request, unless an exception applies, such as when giving access would pose a serious threat to someone’s life or health.
APP 13Correction of Personal InformationOutlines the reasonable steps an APP entity must follow to correct personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading, either on their own initiative or at the request of the individual.

Over the last few years, we’ve seen an influx of cybercrime which prompted a lengthy review of the Privacy Act. In September 2023, a report was released over 100 new principles and while some were agreed in full, there were many only “agreed in principle”. One in particular was the proposal to remove the exemption for small businesses.

 

Discover How This Impacts Your Organisation

How the Privacy Act Review Affects Non-Profits

How the Privacy Act Review Affects the Medical Industry

How the Privacy Act Review Affects the Education Sector

See Privacy Act Report

 

The Essential 8 and The Privacy Act: Parallel Paths to Protection

The frameworks of the Essential Eight and The Privacy Act both aim to enhance the cyber resilience and privacy protection of Australian entities. Here’s how they compare:

The Essential 8The Privacy Act
What is it?A recommended set of eight strategies to mitigate cyber security threats and incidents.A comprehensive law that regulates the handling of personal information.
What’s the purpose?To help organisations prevent or minimise the damage caused by cyberattacks.To help organisations comply with their legal obligations and ethical responsibilities when handling personal information.
How do organisations benefit from it?Reduction of cyber-attack risk and protection of sensitive data.Prevention of data breaches and improvement in customer trust.
What are the consequences of non-compliance?No penalties but can increase the risk of threats and compromise sensitive data.Companies:

1. AU$50 million, or;

2. Three times the value of benefits obtained or attributable to the breach (if quantifiable) or;

3. 30% of the corporation’s ‘adjusted turnover’ during the ‘breach turnover period’ (if the court cannot determine the value of the benefit obtained)

Individuals:

Was $440,000 but was increased to $2.5 million on December 13th 2022.

What’s involved?Assessing an organisation’s current level of compliance, based on a four-tier maturity model, then implementing the strategies and moving toward optimal protection at maturity level 3.Understanding an organisation’s obligations under the APPs, then implementing privacy policies and practices, guided by resources and tools from the OAIC.
Who’s covered? Recommended for all organisations, but not mandatory for Australian businesses.Mandatory for organisations with an annual turnover of more than $3 million*. Some small businesses are also covered if they store person identifiable information and meet other criteria.

*This is expected to change following the Privacy Act Review.

Is it mandatory?Not mandatory for Australian businesses, but highly recommended.

 

Mandatory for Australian businesses that meet the criteria of APP entities.

 

 

What Your Cyber Security Strategy Should Look Like

In the end, your organisation should aim for the level of cyber protection that is best suited and ensure full compliance with laws and regulations. You can approach it with a combination of the 8 mitigation strategies and the 13 principles.

ADITS CyberShield solution takes cyber protection to a whole new level where security is at the core of everything we do. Our offering includes managed services and compliance & governance measures as well as security measures and monitoring to ensure your business is industry compliant. Whether you’re based in Brisbane, Townsville, or elsewhere, ADITS has you covered with tailored solutions to safeguard your organisation.

 

Your Cyber Security Journey

Compliance does not automatically translate to strong cyber security. Likewise, cyber security is not “set and forget”. It is a continuing process that needs your attention and effort if you want to ensure that your systems and data are always protected.

Understanding the Essential Eight and the Privacy Act is important. Since cyber security is complex and ever-evolving, it’s also vital to keep up-to-date with cyber security solutions, trends, and best practices. Though cyber security may seem mostly technical, it is in fact a business matter.

Executives and board members are personally liable in the event of a breach so instilling a cyber security culture throughout the organisation should be a priority.

With this in mind, ADITS is launching a half-day certified C-Suite training workshop where we’ll go through:

  • Data security and privacy compliance
  • Potential risks to your business and how to address them
  • Personal liabilities
  • Reporting
  • Crisis management recommendations
  • Best practices for policies and procedures

Register Your Interest For Our C-Suite & Board Training

ADITS are Elevating Standards with Triple ISO Certification

ADITS are excited to announce a significant milestone in our pursuit for excellence – achieving three ISO certifications: ISO 9001 for Quality Management, ISO 14001 for Environmental Management, and the 2022 version of ISO 27001 for Information Security Management.

This achievement not only marks a compliance milestone but also represents our dedication to leading the way in quality, environmental sustainability, and information security.

ADITS - ISO 9001 for Quality Management Certified Badge

ISO 9001: Ensuring Quality Excellence

Our commitment to quality is relentless. The ISO 9001 certification highlights our dedication to maintaining rigorous processes that continually drive positive change, enhance customer satisfaction, and position ourselves as trusted technology partner.

ADITS - ISO 14001 for Environmental Management Certified Badge

ISO 14001: Championing Environmental Sustainability

From responsible resource management to waste reduction, we are actively contributing to a greener and cleaner planet, which is recognised by the ISO 14001 certification.

ADITS - ISO 27001 for Information  Security Management Certified Badge

ISO 27001: Safeguarding Information Security

At ADITS, we firmly believe in practising what we preach, especially when it comes to cyber security. And successfully transitioning to the 2022 version of ISO 27001 reinforces that commitment to having robust information security practices.

“Our triple ISO certification signifies more than just compliance—it reflects our dedication to excellence, transparency, and accountability,”

Adam Cliffe, Managing Director – SEQ.

“These certifications are not just milestones; they’re part of our ongoing mission to strengthen and protect the business community. They set new industry benchmarks and demonstrate our passion for delivering exceptional service,”

Ashley Darwen, Managing Director.

Thank You to All Involved

A special thank you goes to ISO365 for their invaluable support throughout our certification process. Their expertise and guidance have been instrumental in helping us achieve these certifications.

As well as a huge thank you to our team, clients, partners, and stakeholders for their unwavering trust and continued support.

We are excited about the future and are committed to continuously raising the bar, so stay tuned for more!