Dianne Gibert (MD) on Government's Proposed Privacy Reforms

Companies could face harsher penalties and greater accountability when it comes to privacy and data security.

The Federal Government’s recently proposed changes to the Privacy Act 1988 aim to give individuals greater control over their personal information and strengthen how organisations protect it.

A wake-up call for businesses 

“Every business will need to look at what their privacy management protocols are,” warns Certex Managing Director, Dianne Gibert.  

“Controls are not as tight as they could and should be. Even if they were appropriate 10 years ago, in the current environment of hacking and attacks, they’re nowhere near as good as they should be.” 

“The world has changed, but it’s possible a lot of agencies have not yet woken up to the fact that they’re going to have to change what they collect, when they collect it, and how securely they hold it.” 

“I’ve often said to recruitment agencies: Do you know you hold enough information on some of your candidates to apply for a loan in their name? You can pretend to be them.” 

Proposed reforms 

The Australian Information Commissioner and Privacy Commissioner recognised the proposals as an “important milestone” in reforming the nation’s privacy framework.  

“This shifts the burden from individuals, who are currently required to safeguard their privacy by navigating complex privacy policies and consent requirements, and places more responsibility on the organisations who collect and use personal information to ensure that their practices are fair and reasonable in the first place.”  
— Angelene Falk, Australian Information Commissioner and Privacy Commissioner

Dianne notes the introduction of “a couple of mid-tier penalties” which may require businesses to pay to rectify a breach, “such as replacing the drivers’ licenses.” 

Other key proposals include enabling individuals to take direct action in courts if their privacy is breached and the removal of some exemptions from the Privacy Act.  

Businesses need a plan 

Dianne believes that most businesses “have some recognition that they need to report if there’s been a breach”. However, many are unaware that “you don’t get a lot of time and there’s an enormous amount of work to do.” 

“The plan needs to be pretty clear. You’ve got to have phone numbers, and names of people at the other end of those phone numbers, so when you ring them and say, ‘Everything is collapsing around my ears,’ [they will] know what to do because they already know you.”  

Certex is proud to support many of our clients with data response plans and privacy security. We are risk-management professionals. Through robust risk assessments, we can help identify and address cybersecurity hazards.   

Certex’s iSuite of risk management programs includes iPrivacy and iCyber. Please contact us for more information.

“The thing with having a plan is that it enables you to undertake the actions really quickly.”  

“It’s having the plan ready to be implemented – that, I think, is the bit that’s missing.” 

Alicja GibertLHL