Focus on privacy reforms

By Anna Johnston


Practitioners should be aware of three significant legal reforms in privacy law commencing in 2018 which will impact on legal practices and clients.


  • Significant reforms to privacy law commence in 2018. Legal practitioners will need to consider the impact on clients, as well as on the operation of their own legal practices.
  • The changes will affect all medium to large Australian businesses; some smaller businesses depending on the nature of their business; all Australian government agencies; and to a lesser extent state and territory agencies and small businesses in their capacity as employers.
  • The changes include mandatory notification of data breaches, the extension of European data protection law to Australia, and new rules designed to bring about cultural change across the public sector.


Three significant legal reforms will commence in 2018, impacting on the manner in which organisations handle personal information. The reforms, spread throughout the year, are:

  • mandatory notification of data breaches under the Privacy Act 1988 (Cth)
  • the General Data Protection Regulation (GDPR), a European privacy law with extra-territorial reach into Australia
  • the Australian Government Agencies Privacy Code.

February – Notifiable data breaches

Who is affected

Commencing 22 February 2018, amendments to Part IIIC of the Privacy Act 1988 (Cth) will affect almost every organisation in Australia in some way:

  • all entities already required to comply with the 13 Australian Privacy Principles (APPs), which includes all Australian government agencies, almost all businesses and non-profits with a turnover of more than $3 million per annum, plus some smaller businesses such as health service providers and contracted service providers to the Commonwealth
  • all organisations which receive Tax File Numbers (TFNs) – which will include bodies not regulated by the APPs, such as state and territory agencies and most small businesses, in their capacity as employers
  • credit providers and credit reporting bodies.

The key requirements

The amendments require notification of certain types of data breaches. Notifiable data breaches are incidents which involve the loss of, or unauthorised access to or disclosure of, personal information (or a TFN or credit eligibility/reporting information), and which are likely to result in serious harm to one or more individuals. When a data breach meets this threshold test, notification is required, as soon as practicable, to both the Australian Privacy Commissioner and the affected individuals. The Privacy Commissioner is part of the Office of the Australian Information Commissioner (OAIC).

The legislation sets out the factors which impact on whether a data breach is "likely to result in serious harm"; the time frames in which an assessment must be carried out on a suspected breach; what a notification must contain; and how a notification must be made.

A failure to comply with the new notification requirements attracts a civil penalty of up to $2.1 million.

The takeaway

There are two objectives driving the move towards mandatory notification of data breaches. The first is to fulfil a duty of care to the affected individuals, by letting them know that their personal information has been put at risk. The second is to create a sufficient financial disincentive, such as to prompt organisations into investing more in their privacy and security programs, to avoid data breaches in the first place.

What to focus on

To prepare for a data breach, every organisation should prepare a Data Breach Response Plan. Having a plan in place can clarify what needs to be done when and by whom in the first few hours and days after a data breach is discovered.

To avoid data breaches in the first place, the privacy team or legal advisor should be working hand-in-hand with the information security team. Staff need privacy training and constant reminders of privacy messaging; and third-party contractors, vendors and suppliers need to be bound by appropriate terms and subject to additional controls to avoid becoming the weakest link in the security chain.

Further resources

The OAIC has guidance material available at

Salinger Privacy has privacy tools including a template Data Breach Response Plan available at

May – The GDPR

Who is affected

Commencing 25 May 2018, the GDPR will regulate not only businesses based in the European Union (EU), but any organisation anywhere in the world which provides goods or services (including free services) to, or monitors the behaviour of, people in the EU.

The GDPR will replace the current set of differing national privacy statutes with one piece of legislation, and will offer a one-stop-shop approach when dealing with the privacy regulators across all 28 member states of the EU – including the UK post-Brexit.

The key requirements

In addition to harmonising the privacy rules across the EU, the GDPR introduces some new privacy obligations (although using the European term “data protection” rather than “privacy”). One is the accountability principle, which requires organisations to be proactive. This means that if an organisation doesn’t have an effective privacy compliance program, it can be found in breach of its data protection obligations even if it doesn’t suffer a data breach. Although by no means a European invention – APP 1 in the Australian Privacy Act has the same objective – the financial penalties attached to the GDPR are intended to kick-start proper privacy governance in even the most recalcitrant organisations.

To help achieve this, the GDPR embeds a proactive requirement to do “data protection by design”, or as we tend to know it in Australia, “privacy by design”. The technique used to ensure privacy is built-in to project design is known in the GDPR as Data Protection Impact Assessment, or here as Privacy Impact Assessment (PIA).

The GDPR also has a strong focus on getting reactive strategies right. It sets a default time frame for notifying data breaches of only 72 hours, which adds further complexity for Australian organisations already adjusting to the new Australian notification scheme (above). However, the GDPR also offers escape clauses for organisations that have appropriate technical and organisational measures in place to protect data, and recognises de-identification as a risk management tool (while also recognising its limitations).

The GDPR also updates the scope of privacy law to cover such things as data portability and the “right to erasure”, and aims to ensure that algorithmic decision-making is subject to human review.

The takeaway

The objectives of the GDPR are to harmonise privacy law across the EU and streamline its application, and dramatically increase the penalties for non-compliance. Fines for failing to comply with the GDPR will reach up to €20 million, or 4 per cent of a company’s annual global turnover, whichever is the greater. These new penalties are aimed squarely at the tech behemoths which could previously afford to shake off smaller fines as the price of doing business.

What to focus on

Organisations of any size and sector in Australia will need to determine whether they fall within the scope of the GDPR, and then prepare accordingly. Turning “privacy by design” into a reality poses significant challenges for any organisation. There is often a cultural divide between legal practitioners who are comfortable with principles-based law and concepts like “within reasonable expectations”, and system engineers who need to code for decision-making in a binary fashion. A comprehensive privacy management program and a culture of conducting PIAs on new projects will be needed to ensure compliance with the GDPR as well as the Australian Privacy Principles, and to embed a culture of building privacy protection into all decision-making.

Further resources

The OAIC guidance about the GDPR and Australian businesses is available at

Guidance from EU privacy regulators is available through the Article 29 Working Party, as advisors to the European Commission.

Salinger Privacy has a free Privacy Officer’s Handbook, to explain what should be in a privacy management program, and a guide to de-identification; both are available at

July – Australian Government Agencies Privacy Code

Who is affected

The Privacy (Australian Government Agencies – Governance) APP Code 2017, known as the Australian Government Agencies Privacy Code, is a legislative instrument made by the Australian Privacy Commissioner. Commencing on 1 July 2018, the Code will affect all Australian government agencies, as defined in s6(1) of the Privacy Act, with the exception of Ministers.

The key requirements

Australian Privacy Principle 1 is the accountability principle that requires all organisations – whether public or private sector – to establish a privacy management program and effective governance in order to achieve compliance with the remaining APPs when handling personal information.

The new Code prescribes certain steps that public sector agencies must take in order to comply with APP 1.

The new requirements include:

  • preparing, annually reviewing and updating a privacy management plan, which should set out the agency’s privacy goals and the actions it plans to take to achieve them
  • having a designated privacy officer as the primary point of contact for internal and external advice on privacy matters
  • having a designated privacy champion who must be a senior official and whose role is to provide leadership within the agency on strategic privacy issues, promote a culture of privacy and report regularly to the agency’s executive
  • regularly reviewing and updating privacy practices, procedures and systems, including the agency’s privacy policy and collection notices
  • conducting or commissioning a PIA on all projects involving new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals
  • providing appropriate privacy education or training on an annual basis to all staff who have access to personal information.

The takeaway

After a year or so of some spectacularly embarrassing “privacy fails” by Australian government agencies, an intervention was needed to rebuild public trust and confidence in the government’s ability to handle and secure the personal information of all Australians. The Privacy Commissioner proposed this new Code as a way of triggering cultural change across the public sector. The objective of the Code is to promote good privacy governance within agencies, but the Code can equally be seen to set a benchmark for private sector businesses and non-profits alike.

What to focus on

The new Code will set new standards for federal government agencies, which will increase demand for lawyers who understand how to assess privacy risks and conduct PIAs on behalf of client agencies.

Further resources

The OAIC has a checklist guide to the Code available at

Salinger Privacy has a free Privacy Officer’s Handbook, to explain in more detail what should be included in a privacy management program, as well as training modules, templates and checklists to assist with conducting PIAs; see


Anna Johnston is director of Salinger Privacy. Salinger Privacy has a range of privacy tools to assist compliance, including training modules, checklists, and template policies and procedures.

*This article first appeared in the Law Society of NSW Journal, issue 41, February 2018.
