New statistics from the OAIC reveal that the number of data breaches reported in the first half of last year was the highest in three and a half years. This volume of breaches represents a major threat to Australians’ privacy, and an increased need for businesses to shore up vulnerabilities and be more vigilant.
The thing is, many businesses are unknowingly or unintentionally violating an essential data privacy regulation – one that’s mandatory for most Australian organisations: the Privacy Act 1988. And the potential legal, financial, and reputational consequences for putting sensitive information at risk can be severe.
One property investment company, for instance, landed in hot water after breaching data privacy laws in Australia, sharing the names and addresses of people experiencing financial distress. MediBank suffered a whopping $1.8B loss after a data hack. Customers spoke out about the hidden financial and emotional cost of the breach, as well as genuine concerns for their safety.
These cases make it clear how privacy breaches can have damaging personal consequences for individuals, while also exposing businesses to significant legal and reputational risks.
Key Areas of Non-Compliance
Many organisations assume they’re meeting the requirements outlined in the Privacy Act 1988, yet gaps in their data practices put them at risk. From consent failures to poor data handling, here are the most common compliance blind spots businesses need to address.
1. Data Collection
For many businesses, certain data collection practices can increase compliance risks and security vulnerabilities. This includes:
- Unnecessary collection – if your business gathers data “just in case” rather than for an intended purpose or specific, immediate need, you may be in breach of the Privacy Act 1988 requirements.
- Sensitive information risks – the higher the risk of unauthorised access or activity involving the personal information (and/or potential harm to the person that information is about), the more robust your security controls need to be. This means implementing stringent measures (encryption methods, regular audits, access controls, etc.) to ensure that sensitive information is protected from breaches and misuse.
- Lack of transparency – individuals must be informed about how their data is collected, used, and disclosed. If your privacy policy is vague, buried in legal jargon, or not easily accessible, you may not be meeting the Privacy Act compliance standards.
By limiting data collection to what is strictly necessary and clearly communicating its use, businesses can reduce risk and build greater trust with customers. Plus, the less data you collect, the less you need to protect!
2. Data Use and Disclosure
Is your organisation handling personal data responsibly, using it only for its intended purpose? When gaps in data use and disclosure go unnoticed, they can put you at risk of non-compliance, for example:
- Using data beyond its intended purpose – using personal information for purposes other than those stated at the time of collection, without obtaining proper consent.
- Unauthorised disclosure – sharing personal information with third parties without proper authorisation or legal basis.
- Data breaches – failing to implement adequate security measures to protect personal information from unauthorised access, use, disclosure, or destruction.
Consider, for instance, businesses feeding personal information into the training of an AI model. Without explicit disclosure and express consent at the time of collection, repurposing individuals’ data in this way could breach your Privacy Act obligations.
3. Data Quality
One thing many organisations overlook is how easily poor data quality can lead to compliance risks. This includes maintaining inaccurate, incomplete, or outdated personal information, and obstructing individuals’ rights to access and correct their personal information. Failing to update records not only undermines trust but can also lead to incorrect decisions based on flawed data.
Does your organisation give people access to their personal information and opportunities to correct it? Difficult processes, such as outdated systems, unclear policies, or unnecessary administrative barriers, don’t meet the mark.
Additionally, does your organisation have a data retention policy, and act on it? For example, a medical practice is legally required to retain records for a minimum period (seven years or more, depending on the type of facility and the state in which it operates), but often keeps patient records for decades. While policies are important, procedures are necessary to back them up.
4. Individual Rights
Many organisations don’t realise that ignoring, delaying, or denying individuals’ requests to access, correct or delete their personal information can put them at risk of non-compliance. Not honouring these requests can lead to complaints and penalties.
The same risks apply if your privacy policy is filled with legal jargon, or doesn’t include clear, concise information about individuals’ privacy rights. Having a poorly expressed, out-of-date or inadequate privacy policy could lead to an infringement notice of up to $330,000 under the new Tranche 1 Privacy and Other Legislation Amendment (POLA) laws coming into effect. This is where transparency and responsiveness need to be front and centre. While the process for handling requests can vary from business to business, you may like to consider appointing a privacy officer, or including this as a core responsibility for a team member, to support accountability.
The Consequences of Non-Compliance
When Privacy Act compliance slips through the cracks, the fallout can be swift and severe. Businesses may face hefty fines, which can reach into the millions, as well as potential civil lawsuits from affected individuals. The Tranche 1 POLA law now includes a “Tort for serious invasions of privacy”. This new cause of action empowers an individual to sue another person where that person has invaded the individual’s privacy by intruding upon their seclusion or misusing information relating to them. Under this tort, any individual or organisation can be sued.
Beyond legal penalties, reputational damage and losing customer trust can be just as costly. Since customers expect their personal information to be handled with care, privacy breaches can quickly erode this trust and leave your business at a competitive disadvantage.
Prioritising data privacy and supporting compliance means protecting your business’s future.
Top Tips for Supporting Compliance
Meeting Privacy Act standards involves more than ticking boxes. It requires an ongoing commitment to safeguarding personal information and using it appropriately. By taking proactive steps, businesses can reduce risk, build trust, and stay ahead in an evolving digital landscape. Here are some tactics for strengthening your approach to compliance.
Conduct a Privacy Audit
Start by assessing your current data handling practices against the Privacy Act. Identify gaps in how personal information is collected, stored, and shared. A thorough audit helps uncover risks before they become compliance issues. ADITS’ exclusive assessment focuses on APP 11 (security of personal information), and provides a comprehensive evaluation of over 200 controls across 17 practice areas.
Develop a Comprehensive Privacy Policy
A well-defined privacy policy supports transparency and accountability. Clearly outline how your organisation collects, uses, and discloses personal information, as well as individuals’ rights regarding their data.
A comprehensive privacy policy includes:
- Data collection – the types of personal information collected, and how and why it is collected (including whether it is obtained via referral or from a third party). Organisations should only collect the personal information that is necessary for the purposes for which it is processed, ensuring that excessive or irrelevant data is not gathered.
- Data use – specific information about how it will be used (including primary and secondary purposes).
- Data protection – how this information is secured (such as through encryption, Australian-based storage, securing paper records, and access controls), and how your organisation can show it has taken reasonable steps to protect data.
- Data retention – policies about what happens to information when it is no longer required.
- Processes – for data breaches or complaints.
Ensure Effective Data Governance
Effective data governance is crucial to ensure that your organisation manages its data properly and securely. Begin by identifying the types of personal and sensitive data your organisation handles. This includes determining where this data is stored, processed, and transmitted.
Next, classify your data based on its sensitivity and importance. This helps in applying appropriate security controls and ensuring that sensitive data receives the highest level of protection.
Unstructured data, such as emails and documents, can often be challenging to manage. Implement tools and processes to organise, store, and secure this type of data effectively.
Know where your personal information (PI) and sensitive data resides within your organisation. Ensure that it is stored in approved systems that comply with security and privacy regulations.
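The discovery step described above (knowing where personal information sits in unstructured data) is the kind of task a small scanner can support. The following is an added example, not code from this article or from ADITS: it scans constructed sample documents for Australian Tax File Numbers and e-mail addresses, validates TFN candidates with the ATO’s public check-digit algorithm so that a nine-digit invoice number is not reported as a TFN, and masks what it finds so the report does not itself become a new copy of the sensitive data. The document names, sample text and the choice of TFN and e-mail as the only patterns are assumptions for illustration; a real scan would add the other identifiers your organisation holds and run over the file shares and mailboxes the governance exercise identified.

```python
"""Discovery scan for Australian personal information in unstructured text.

Added example (not from the original article or ADITS). Sample documents
below are constructed, not real records.
"""
import re

# Public ATO TFN weights: a 9-digit TFN is valid when the weighted digit sum
# is divisible by 11.  Using the checksum cuts false positives from other
# nine-digit numbers (invoice references, order numbers, phone fragments).
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Candidate patterns.  TFNs are commonly written "123 456 789" or "123-456-789".
TFN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def tfn_checksum_ok(digits: str) -> bool:
    """True when a 9-digit string passes the ATO TFN check-digit test."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def mask(value: str, keep: int = 3) -> str:
    """Keep only the last `keep` characters so a finding can be triaged
    without the report re-exposing the full value."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan_text(text: str, source: str = "<unknown>") -> list[dict]:
    """Return masked findings (kind, masked value, offset) for TFNs and
    e-mail addresses found in `text`, ordered by position."""
    findings = []
    for m in TFN_RE.finditer(text):
        digits = "".join(m.groups())
        if tfn_checksum_ok(digits):  # drop nine-digit numbers that are not TFNs
            findings.append({"source": source, "kind": "TFN",
                             "masked": mask(digits), "offset": m.start()})
    for m in EMAIL_RE.finditer(text):
        local, _, domain = m.group(0).partition("@")
        findings.append({"source": source, "kind": "EMAIL",
                         "masked": mask(local, 1) + "@" + domain, "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])


def scan_documents(docs: dict[str, str]) -> dict[str, list[dict]]:
    """Scan a mapping of document name -> text.  Only documents with at
    least one finding appear in the report."""
    report = {}
    for name, text in docs.items():
        hits = scan_text(text, name)
        if hits:
            report[name] = hits
    return report


# Constructed sample documents (hypothetical paths and content): one holding a
# valid TFN and an e-mail address, one with a nine-digit number that fails the
# TFN checksum, and one with no personal information.
SAMPLE_DOCS = {
    "hr/onboarding-2023.txt": "New starter TFN 876 543 210, contact jane.doe@example.com for payroll.",
    "shared/invoice-4412.txt": "Reference 123 456 789 is an invoice number, not a TFN.",
    "shared/minutes.txt": "No personal information in this document.",
}

if __name__ == "__main__":
    for doc, hits in scan_documents(SAMPLE_DOCS).items():
        for h in hits:
            print(f"{doc}: {h['kind']} {h['masked']} at offset {h['offset']}")
```

Running the block reports only `hr/onboarding-2023.txt`: the invoice reference fails the checksum and is silently dropped, which is the point of validating candidates rather than matching bare digit patterns. Treat the output as a triage list for the governance exercise (which systems are approved to hold this data, and whether the file should be there at all), not as evidence that the data is secured.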
Implement Strong Security Measures
In protecting data privacy, robust security measures are essential. Consider measures such as strong passwords and MFA (multi-factor authentication), access controls, firewalls, anti-malware software and employee training to protect sensitive information from unauthorised access and breaches.
Provide Your Team with Adequate Training
Even the best policies don’t work if your team members don’t follow them, or are uncertain about how to put them into practice. Regular privacy training can help your people understand their obligations, recognise risks, and apply best practices to prevent Privacy Act compliance violations. Incorporate privacy training within your cyber security awareness training. ADITS, for instance, does so through our cyber security training program. The OAIC also offers privacy training video modules.
Regularly Review and Update Practices
As privacy law and risks continue to evolve, so should your approach to compliance. Stay informed about changes to Australian privacy laws, review your policies regularly, and adjust your data practices accordingly to keep up with new legal and security expectations.
On one hand, supporting Privacy Act compliance is a legal requirement. On the other, it’s an opportunity to develop trust with your customers. Taking smart measures, such as prioritising transparency, handling data properly, and providing your team members with ongoing training can help put your organisation on the front foot. As privacy laws in Australia change, being proactive is a great way to develop your business’s reputation and relationships, protect individuals from data breaches, and reduce risk.