Archive: March 2023


Facebook’s face-off with the OAIC to proceed says High Court of Australia

By Cameron Abbott, Rob Pulham, Stephanie Mayhew and Dadar Ahmadi-Pirshahid

Proceedings led by the Office of the Australian Information Commissioner (OAIC) against Facebook, Inc. (Facebook) for their role in the Cambridge Analytica scandal will finally proceed in the Federal Court of Australia.


Good report card but data breaches are up, with no sign of letting up

By Cameron Abbott, Rob Pulham, Stephanie Mayhew and Dadar Ahmadi-Pirshahid

[Featured image from a LinkedIn post by the Office of the Australian Information Commissioner made on 3 March 2023]

Shortly after the Government announced their ambition to make Australia a global leader in cyber security, Australia has been named the country with “the greatest progress and commitment toward creating a cyber defence environment” in MIT’s Cyber Defence Index of 2022/23.

However, the Office of the Australian Information Commissioner’s latest notifiable data breaches report paints a different picture. The Commissioner reported a 26% increase in the number of total reported data breaches and a 41% increase in the number of reported data breaches arising from malicious or criminal attacks compared with the first half of 2022. Health service providers and the finance sector were the worst hit, together representing almost a third of reported data breaches.

In releasing the report, the Commissioner once again stressed the need for organisations to collect only the minimum amount of personal information required and to delete it when it is no longer needed. In the report the Commissioner has recommended a number of steps to address the kinds of issues featured in the second half of 2022, including:


Key Dates for China’s standard contractual clauses compliance

By Amigo L. Xie

2023 is destined to be a big year for the hottest issues of the China Personal Information Protection Law (PIPL) for MNCs doing business in or with China, especially in the areas of cross-border personal data transfers, localization, compliance, and enforcement.

It is worth noting the following milestones in your timeline for China data privacy compliance in 2023:


Australia to be the most cyber secure nation?

By Cameron Abbott, Rob Pulham and Dadar Ahmadi-Pirshahid

Not content with merely implementing broad-scale privacy reform, the Government has announced a new position, the Coordinator for Cyber Security, to be added to the Department of Home Affairs as a step towards their aim of “making Australia the most cyber secure nation by 2030”. This would seem to be a rather aspirational target!

The Coordinator will be supported by a National Office for Cyber Security, and their role will be to oversee steps to prevent future cyber security incidents and to help manage cyber incidents as they occur. 


Breaking Down the Privacy Act Review Report #3: Removal of the Small Business Exemption

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

Currently, most small businesses (with some exceptions) are not covered by the Privacy Act – with the threshold defining a small business being an annual turnover of $3 million or less. However, the Attorney General’s Department recognises that Australians want their privacy protected and that small businesses shouldn’t be excepted from this.

In the long term, proposal 6.1 seeks to remove the small business exemption but only after:

  • an impact analysis has been undertaken
  • appropriate support is developed
  • in consultation with small businesses, the most appropriate way for small business to meet their obligations is determined (proportionate to the risk) – e.g. through a code, and
  • small businesses are in a position to comply with these obligations.

Proposal 6.2, in the shorter term, seeks to ensure that small businesses comply with the Privacy Act in relation to the collection of biometric information and remove the exemption from the Privacy Act for small businesses that obtain consent to trade in personal information (trading in personal information will mean the Privacy Act applies).


Breaking Down the Privacy Act Review Report #2: Modifying the employee records exemption

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

The section of the Report dealing with the employee records exemption highlighted significant debate and difference of opinion. Employers expressed a strong desire to retain or even strengthen the exemption; employee representatives consider reform is needed.

In that context the Report does not conclude how the changes should take effect, but proposals 7.1(a)-7.1(d) recommend stronger protection of private sector employee information, to:

  • enhance transparency over what employee information is collected and why
  • ensure employers have adequate flexibility to deal with employees’ information to administer the employment relationship (and addressing whether consent should be required to collect sensitive information)
  • ensure adequate security and destruction measures around employee personal information, and
  • notify employees and the OAIC of data breaches involving employee personal information.

What does this mean for my organisation?

Private sector employers who don’t yet have a good grasp of the breadth of information they collect and hold about their employees will need to stocktake their collection activities and sharpen their focus on why they collect such information; prepare appropriate collection notices and employee privacy policies (if not used already); and ensure employee information is appropriately covered in their security measures and considered in their data breach response plans.


Copyright © 2024, K&L Gates LLP. All Rights Reserved.