Twenty-five years ago, when the Privacy Act 1993 came into force, email and the internet were in their infancy. Shopping wasn't conducted online and delivered to your door direct from overseas, and social media hadn't been contemplated. Scams came via fax machine or leaflets in your letter box, and any major banking transaction required a visit to your local branch.

In 2018, the loss of your passwords means that your money can be stolen, your reputation tarnished by fake posts, and your creditworthiness ruined, all within a matter of minutes. Regular publicity of mass data protection breaches by government and private sector organisations has heightened concern over the risks of identity theft and undermined confidence in privacy protection. Disclosures of privacy breaches are often belated, depriving individuals of the chance to take any steps, such as password changes, to try to reduce harm.

The Government has now introduced a new Bill to Parliament to replace the existing Privacy Act with one more suited to our digital world.

The core elements of the Privacy Bill are the same as the Act it is designed to replace. It retains the twelve information privacy principles, which protect people's privacy by governing the collection, storage, and use of personal information, while also providing for legitimate use of information by government, businesses, and other organisations. However, these information privacy principles are updated in the Bill to better protect personal information sent overseas.

The Privacy Bill also retains the role of the Privacy Commissioner, and the system for making a complaint to the Commissioner if there has been a breach of privacy. In addition, the Privacy Commissioner is being given new powers, allowing the Commissioner to make binding decisions on complaints about access to information, and to issue compliance notices to those who are in breach of the legislation.

A key addition to the Privacy Bill is a requirement for any entity which handles personal information to notify the Privacy Commissioner and any affected individuals of any unauthorised access to or disclosure of personal information, where the access or disclosure poses a risk of harm. This will be something that:

  • has caused, or may cause, loss, detriment, damage, or injury to an individual;
  • has adversely affected, or may adversely affect, the rights, benefits, privileges, obligations, or interests of an individual; or
  • has resulted in, or may result in, significant humiliation, significant loss of dignity, or significant injury to the feelings of the individual.

The notification of a breach to the Privacy Commissioner must:

  • occur as soon as practicable after becoming aware that the breach has occurred;
  • describe the breach, including the number of people affected (if known), and the identity of any person or body suspected of being in possession of the personal information;
  • set out the steps already taken or that are intended to be taken in respect of the breach, including in relation to the notification to affected people;
  • if the intention is to not personally notify affected people, provide the reasons for either notifying by way of public notice or for relying on an exception to the requirement to notify; and
  • provide details of any other agency advised of the privacy breach (which would include lawyers, insurers, IT technicians, and the Police).

Failure to notify the Privacy Commissioner of a breach can result in a fine of up to $10,000, regardless of whether steps had been taken to address the breach.

The notification of a breach to an affected individual must:

  • occur as soon as practicable after becoming aware that the breach has occurred;
  • describe the breach, and state whether the identity of the person or body suspected of being in possession of the personal information is known, but must not disclose the identity;
  • set out the steps already taken or that are intended to be taken in respect of the breach;
  • set out any steps the affected individual may wish to take to mitigate or avoid potential loss or harm;
  • advise the individual that the Privacy Commissioner has been notified of the breach, and that the individual may make a complaint about the breach to the Commissioner; and
  • not disclose any details about any other person affected by the breach.

Anyone who holds other people's personal information should consider setting up processes for notification before they actually experience a breach, to ensure that they can respond to a breach in a timely way.

The penalty provisions for breaching the Act are also being expanded. The maximum fine will increase from $2,000 to $10,000, and is available for a wider range of offences, including:

  • obstructing, hindering or resisting the Commissioner or any other person exercising powers under the Act;
  • refusing or failing to comply with any lawful requirement of the Commissioner or any other person exercising powers under the Act;
  • making a false or misleading statement or providing false or misleading information to the Commissioner;
  • a person impersonating or falsely pretending to be another individual for the purpose of obtaining access to that individual's personal information or having that personal information used, altered or destroyed; or
  • destroying any document containing personal information knowing that a request had been made in respect of that information.

The Privacy Commissioner had been requesting the inclusion of an ability to impose a fine within the options available to the Commissioner when dealing with a complaint. While this hasn't been included in the Bill at this stage, that could change as the Bill progresses through the select committee.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.