
Privacy Protection Reform – Upcoming Changes and What You Need to Know!


Published: August 10, 2024

Read Time: 6 minutes


“Protecting your organisation from cyber risk and implementing preventative measures to keep your organisation’s data safe, has never been more important for Australia’s not-for-profit sector.” [1]

As technology and the digital world continue to advance, so does the need for privacy protections. One in eight not-for-profit organisations (NFPs) have experienced a cyber security breach or incident, and the risk of exposure will only continue to grow. [2] Cyber security incidents are rising, and NFPs must arm themselves with the correct tools to remain protected. [3]

Following a two-year consultation, the Privacy Act Review Report was delivered in 2022 (Report). The Report proposed various law reforms to ensure that companies, including NFPs, remain fit for purpose in the digital age. [4] In particular, the Report made recommendations about the uncertainties around definitions and procedures, and about the current broad exemptions, which could leave personal information vulnerable to misuse.

The call for privacy uplift has caused the Australian Government to respond and commit to strengthening privacy protection through a reform of the Privacy Act 1988 (Cth) (Privacy Act). These reforms will inevitably affect NFPs. It is therefore crucial that NFPs are ready to adapt in anticipation of these changes, to ensure they are prepared for when the reforms eventually roll out.

The reforms outlined in the Government’s response to the review are quite complex; however, NFP boards can use the following recommendations to ensure they comply with the most important anticipated changes:

1. Establish a detailed privacy policy

A key focus of the proposed reforms is giving individuals transparency and control over how entities collect and handle their personal information. Surveys have demonstrated that 84% of Australians want more control and transparency over the collection and use of their personal information. [5] An effective way to achieve this is for NFPs to establish their own detailed privacy policies, which are clear, concise, and comprehensible to the general public.

The Government emphasised that the overuse of consent requests on webpages is an undesirable way of ensuring that individuals understand privacy policies.

We therefore present the following recommendations for NFPs to include in their policies:

  • maximum and minimum retention periods for personal information;
  • reasoning as to why they may collect, use and disclose personal information;
  • an explanation that collection notices will be provided for high privacy risk activities; and
  • an explanation as to how individuals and customers may exercise their rights, including the ability of an individual to withdraw consent to collection.

2. Appoint a designated employee responsible for privacy

NFPs should, as soon as practicable, appoint a senior employee to have specific responsibility for the organisation’s privacy. This can be achieved by allocating an existing senior employee the additional responsibility for privacy or appointing a new employee with this specific role. The former may be suitable for small NFPs without large resources, whereas mid-large organisations may prefer the latter. This would encourage organisational accountability and proactive mitigation of privacy risks. Furthermore, it would build community trust in the NFP as a responsible steward of personal information.

3. Enable an opt-out feature for data collection

Data is crucial to NFPs, as the use of data and technology allows NFPs to bolster their impact and improve service delivery. [6] The Government has also highlighted the importance of granting individuals autonomy over how their personal information is collected, used, and disclosed.

Accordingly, NFPs should include an opt-out feature for customers on any service that involves data collection, including for existing customers to whom the opt-out feature has previously been unavailable. In particular, customers should have an unqualified right to opt out of data collection for direct marketing and targeted advertising while the Government works to clarify these terms in the Privacy Act.

It is also recommended that, wherever the opt-out option is presented to individuals, NFP boards include an accompanying statement advising individuals of their rights and how those rights can be exercised to opt out of data collection. This is an opportunity for NFPs to comply in advance with the suggested reforms aimed at increasing individual and customer awareness of privacy rights.

4. Create procedure policies

One upcoming reform, which the Government has agreed to in principle and which is intended to protect NFPs from cyber incidents, is a requirement for entities to notify the Information Commissioner within 72 hours where there are reasonable grounds to believe the organisation has suffered a data breach. There will also be a requirement to notify individuals who may have been affected by such an incident. NFP boards should take the opportunity to establish procedure policies that clearly set out the processes that apply in such situations. This is particularly important for NFPs with multiple reporting obligations.

A similar upcoming reform requires entities to respond to requests from individuals in a prescribed way, including acknowledging receipt of the request and providing a timeframe for the response. Furthermore, when a request is refused, the entity must provide an explanation for the refusal. This reform concerns the rights of individuals. NFP boards should take action to budget for and implement this change.

5. Conduct cyber security training for staff

A potential challenge for the NFP sector arising from these reforms is the complex nature of the cyber security programs, processes, and policies involved. A key part of ensuring these reforms are effective is the awareness and skillset of staff. It is crucial that staff understand and can recognise potential cyber security breaches, so they can make effective use of the reforms and respond appropriately.

Studies have demonstrated that only 12% of NFPs provide regular cyber security awareness training to staff. [7] Therefore, to ensure NFPs are achieving the purpose of the reforms, NFPs should provide staff with regular cyber security training. This should occur both at onboarding and at regular intervals, so that staff remain up to date with incoming reform.

6. Introduce multi-factor authentication

A key focus of the reforms is to guard against identity fraud, scams, and the risk to businesses of failing to manage personal information appropriately. This is a risk factor for the NFP sector, because the Government has agreed that failures of this kind will soon be punishable under proposed civil penalty provisions.

A recommended tool to assist NFPs in protecting against these risks is the implementation of multi-factor authentication for any programs, services or devices that hold personal information.

Key Takeaway

Various reforms to the Privacy Act have been proposed and agreed (or agreed in principle) by the Government, and NFPs should keep abreast of all of them. By adopting these practical tools, NFPs can ensure preparedness for and compliance with the upcoming changes, and therefore continue to meet the needs of clients and the wider community effectively.

This article was originally published in the Better Boards Conference Magazine 2024


Disclaimer

This article is general commentary. It is not legal advice. If you need specific advice on the topics discussed, please contact the author.


Further Resources

Cybersecurity – Is This a New Directors’ Duty?

Policies & Procedures that Work

What Directors need to know about Cyber Security


References:

  1. Infoxchange, Digital Technology in the Not-For-Profit Sector Report October 2023 (Annual Report, October 2017) 1
  2. As above (n 1)
  3. As above (n 1) 10
  4. Australian Government, Government Response - Privacy Act Review Report (28 September 2023) 2
  5. As above (n 4) 17
  6. As above (n 1) 6
  7. As above (n 1) 10

Author

Partner, Mills Oakley

About

At the time of writing, Vera heads up the Sydney Not-for-Profit, Human Rights & Social Impact team at Mills Oakley. Acting for numerous charities, religious and not-for-profit organisations, Vera has 30 years’ experience in the legal profession.

In her work, Vera is well recognised for her expertise in assisting clients with governance and fundraising issues, restructuring and mergers and regularly advises on constitutions and ACNC/ATO endorsements. Vera has written several academic works, including a chapter within ‘Charity Law’ (2012, 2016 and 2018) published by Thompson Reuters.

Vera sits on numerous charity boards, associations and committees including the ACNC Professional User Group, the Community and Consumer Consultative Group, Cemeteries and Crematoria NSW, Everyday Justice and CatholicCare, Diocese of Parramatta.
