Archive: October 2021

1
Long awaited increase to privacy breach penalties – a step closer to reality
2
Good practice – the storage of COVID-19 vaccination certificates
3
Ransomware plan of action
4
Privacy obligations when collecting COVID-19 vaccination status

Long awaited increase to privacy breach penalties – a step closer to reality

By Cameron Abbott, Rob Pulham, Max Evans and Ella Richards

On October 25 the Australian Attorney-General’s Department released a draft bill amending the Privacy Act 1988 (the Draft Bill), inviting industry submissions by 6 December 2021.

We have been hearing about an alignment with Australian consumer and competition law penalties for quite some time – and the Draft Bill does not disappoint.

Under the Draft Bill, the maximum penalties applicable to companies for serious or repeated privacy breaches will increase to the greater of:

  • $10 million
  • three times the value of any benefit obtained through the misuse of information, or
  • 10% of the corporate group’s annual Australian turnover.

The Draft Bill also enables the introduction of an online privacy code, covering a wide scope of organisations to regulate social media services, large online platforms and data brokerage services. It is expected that industry will be given the first opportunity to develop the code, for approval by the Commissioner – with the ability for the Commissioner to develop the code in certain circumstances.

Finally, the Draft Bill introduces information sharing powers to facilitate greater engagement between the Information Commissioner and law enforcement bodies, alternative complaint bodies and State, Territory or foreign privacy regulators. This means the Information Commissioner or the receiving authority will be able to share information and documents to more effectively exercise their respective functions and powers.

With regulators banding together, maximum penalties becoming meaningful and a binding online privacy code on the horizon – there has never been a better time to get your Privacy house in order!

Good practice – the storage of COVID-19 vaccination certificates

By Cameron Abbott, Rob Pulham and Ella Richards

As the public’s focus in NSW and Victoria turns quickly to reopening and emerging from lockdowns, we have experienced an increased focus across the country on vaccination rates. Public health orders and laws in several Australian jurisdictions have changed to require businesses to, amongst other things, collect, store and hold vaccine information about their workers, and to take steps to ensure unvaccinated persons do not enter their premises.

This has led to businesses collecting vaccination information including in the form of government-issued COVID-19 vaccination certificates. However the collection of this information creates additional legal and cyber security risks. Some federal government issued certificates contain an individual healthcare identifier (IHI) – a number individually identifies an Australian for healthcare purposes (it is more sensitive than your Medicare number). The IHI combined with the individual’s name and date of birth creates an attractive opportunity for cyber criminals. It is so sensitive that it comes with its own specific legislation sanctions including criminal penalties for breach.

Businesses should ensure they have the right processes in place when collecting and storing this kind of information to avoid exposure to civil and criminal penalties, including up to two years’ imprisonment for improper use or disclosure of an IHI.

For more information on the appropriate processes for collection and storage of vaccination information, please contact Cameron Abbott from our Privacy team. K&L Gates will keep you informed of any further updates.

Ransomware plan of action

By Cameron Abbott, Rob Pulham and Ella Richards

Following the 60% increase in ransomware attacks over the past year, the Department of Home Affairs has released a Ransomware Action Plan – proposing to introduce mandatory reporting requirements for companies who have been hit by a ransomware attack.

Under the proposal, companies with a turnover of $10 million or more per year will be required to inform the Australian Cyber Security Centre soon after experiencing a ransomware attack and will face civil penalties if they fail to comply. The government is also planning to introduce a standalone offence for cybercriminals who seek to target critical infrastructure as part of the Security Legislation Amendment (Critical Infrastructure) Bill 2020.

This document is part of Australia’s overarching 2020 Cyber Security Strategy, with industry and community consultation anticipated in the near future. Stand by for further developments.

Privacy obligations when collecting COVID-19 vaccination status

By Cameron Abbott, Rob Pulham and Ella Richards

Some Australian jurisdictions have imposed obligations on businesses and employers to either sight, or collect and hold, information about their workers’ COVID-19 vaccination status, or to take reasonable steps to ensure unvaccinated individuals do not enter their worksites or premises. For example, on 7 October 2021, the Premier of Victoria released Directions that require employers to collect information about workers’ COVID-19 vaccination status before allowing them to work anywhere outside of the employees’ usual place of residence. Industry-specific obligations (with some differences to those Directions) also apply to some settings such as education, construction and healthcare. Similarly, under public health orders in New South Wales, certain businesses from 11 October 2021 must take reasonable steps to ensure people who are not fully vaccinated do not enter their premises.

The Victorian Government Directions for workers are in effect from today, 15 October 2021, meaning that many employees must provide proof of either receiving their first dose or having booked their first dose by 22 October 2021.

To comply with privacy obligations (including under applicable health records legislation), employers must provide employees with a clear collection statement that outlines, among other things:

  1. the types of sensitive information that the employer is collecting;
  2. the purpose of the collection;
  3. who the employer may disclose the information to, including specifying if any of these parties are outside of Australia; and
  4. a reference to the employer’s Privacy Policy that applies to the information collected about employees.

Even where a business is not subject to these mandatory collection requirements, they may wish to collect this information from employees to assist the business to maintain a safe and secure working environment (including, for example, to provide encouragement to staff to get vaccinated – subject to the requirements around providing incentives to do so).

If you would like advice on your Privacy obligations as an employer, please reach out to Cameron Abbott from our Privacy team. For further information on the Victorian Government Directions, see the Alert from our K&L Gates employment team here.

Copyright © 2022, K&L Gates LLP. All Rights Reserved.