Why CIOs need to pay attention to the most significant overhaul of Australian privacy law in 40 years


Michael Fagan, former chief transformation officer at Village Roadshow, examines the proposed changes to the Privacy Act and what CIOs in Australia need to be aware of.

I received 7 unsolicited CVs and resumes in the last 12 months, from well-educated and qualified people, seeking to join the organisation where I was working.  Unbeknownst to the senders, they put me at risk of breaching one of the 13 Australian Privacy Principles (APP), despite me not really knowing these people, and never asking them for information.  The jobseekers included a varying amount of personal information, including email address, phone numbers, home address, work and education history, and more.  One applicant even included a photograph and, no lie, their weight. (Although I suppose if I only weighed 47kg I’d put it on my CV too).  By giving me this personal information, they placed an obligation on me and my organisation to use it wisely, or risk penalties up to $1.8m.

In 2024, the government has committed to strengthening privacy law, including equipping the regulator with more powers and more options to enforce – meaning that those penalties could be even harsher. The Attorney-General’s Department spent three years reviewing the 1988 Privacy Act, and released a report in February 2023 outlining 116 proposals for change. The Australian Government published its response in September 2023, agreeing to 38 proposals, agreeing “in principle” to 68 proposals (i.e. further consultation is required to understand impact and alignment with other reviews, like Digital ID and the Australian Cyber Security Strategy, before implementation), and noting the remaining 10. The report is available here, and the response here, and the government’s current round of consultation ends 28 March 2024.


The report is comprehensive, at more than 300 pages, and the response runs to 40 pages, with the promise of further consultation and analysis – but the intent is clear: legislation will be updated, likely this year, under the following five themes:

1) Bringing the Privacy Act into the Digital Age. Of the Australians surveyed by the OAIC, 84% want more control and choice over the collection and use of their personal information. 89% would like the Government to provide more legislation.

2) Uplift protections by requiring entities to handle personal information within community expectations, enhancing requirements to keep that data secure, and destroying it when no longer needed.

3) Increase clarity and simplicity for entities and individuals.

4) Improve control and transparency for individuals over their personal information. This includes new avenues for individuals to seek redress for interference with privacy, such as a ‘direct right of action’ for individuals to seek remedies in court for breaches of the Act.

5) Strengthen enforcement via increased powers for the OAIC.

Some of this will be straightforward. The second theme tells me that I was right to delete all those resumes when the applications had been assessed; I no longer needed that data. However, we are yet to see how the third theme will play out. Very often we try to simplify but make things worse by adding exceptions, corollaries, definitions, and more rules (take a look at our tax law).

Another complication is that there are multiple competing requirements. For example, the Australian Taxation Office and Border Force are very interested in employers checking the right of an individual to work. The most common way to do that is with copies of passports and visas – some of the most intimate personal information you have, and certainly covered by the APP. Ten years ago the HR department would have insisted on taking copies of this data and storing it in their HRIS – “proof” that they had done the right thing: “look, we have a copy of their passport!”. Today, a smart CHRO will make this a checkbox saying that existing employee X has sighted the relevant documents of new employee Y, but they won’t store a digital copy.

Data was heralded as the “new oil” just a few years ago – and I was one of those who trumpeted this. But is it now the new poison, something that an organization should seek to remove from its body as quickly as possible?

Copyright for syndicated content belongs to the linked Source : CIO – https://www.cio.com/article/2075325/why-cios-need-to-pay-attention-to-the-most-significant-overhaul-of-australian-privacy-law-in-40-years.html
