Revised legislation for safeguarding personal data in Australia
As the digital age continues to evolve, so does the need for robust data privacy laws. In Australia, the Notifiable Data Breaches (NDB) scheme, which makes breach notification mandatory for entities covered by the Privacy Act, has applied since 22 February 2018. Meanwhile, the Texas Legislature has passed the Texas Data Privacy and Security Act (HB 4), which, if approved by Governor Greg Abbott, will make Texas the 10th state with comprehensive privacy legislation.
The Australian Privacy Principles (APPs)
The APPs are set out in Schedule 1 of the Privacy Act 1988 (Cth) and apply to "APP entities": Australian Government agencies and the private-sector organisations covered by the Act, including every business that provides a health service. The principles require these entities to adopt specific measures to ensure the privacy and security of personal information.
Privacy Policies
Under APP 1, entities must maintain and make freely available a clear, up-to-date privacy policy. The policy must explain how personal information is managed throughout its lifecycle: what is collected and how, the purposes for which it is used and disclosed, how an individual can access and correct it or complain, and whether it is likely to be disclosed to overseas recipients.
Cross-Border Disclosures
Under APP 8, an entity that discloses personal information to an overseas recipient must take reasonable steps (typically contractual) to ensure the recipient does not breach the APPs, unless an exception applies, for example where the recipient is bound by a law or binding scheme substantially similar to the APPs, or the individual consents after being expressly informed that the usual protection will not apply. The entity remains accountable for the information: an act or practice of the overseas recipient that would breach the APPs is treated as a breach by the disclosing entity.
De-identification
The Privacy Act treats information as de-identified when it is no longer about an identifiable individual or an individual who is reasonably identifiable, and encourages de-identification wherever full identification is not needed for the purpose at hand. APP 11 also requires an entity to destroy or de-identify personal information once it is no longer needed for a permitted purpose. De-identified data must be handled so that individuals cannot be re-identified, taking into account the other data the holder or a recipient could combine it with.
Security Measures
Under APP 11, entities must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. What is "reasonable" scales with the sensitivity and volume of the information and the harm that would follow from a breach, and includes technical security controls as well as governance, staff training and access management. If an "eligible data breach" occurs (unauthorised access, disclosure or loss that is likely to result in serious harm to any affected individual), the NDB scheme requires the entity to notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable.
Direct Marketing
Under APP 7, personal information may be used or disclosed for direct marketing only if certain conditions are met, including that the individual would reasonably expect it, that each message carries a simple means to opt out, and that the entity has not received an opt-out request. Opt-out requests must be honoured promptly, and sensitive information may be used for direct marketing only with the individual's consent.
Sensitive Information Protection
Sensitive information (for example health information, genetic and biometric data, and information about racial or ethnic origin, political opinions, religious beliefs, sexual orientation or criminal record) attracts stricter rules. Under APP 3 it may generally be collected only with the individual's consent and where reasonably necessary for the entity's functions, and under APP 6 it may be used or disclosed for a secondary purpose only where that purpose is directly related to the primary purpose of collection or a specific exception applies. Entities must handle sensitive information with a correspondingly higher standard of security and transparency, and comply with any sector-specific rules (such as those governing health records) in addition to the APPs.
These principles apply to businesses with annual turnover over AUD 3 million, to health service providers regardless of size, and to certain other small businesses, such as those that trade in personal information or provide services under a Commonwealth contract.
The Texas Data Privacy and Security Act
Like the California Consumer Privacy Act (CCPA) and the other comprehensive state privacy laws, the Texas Data Privacy and Security Act addresses both the privacy and the security of personal data. It requires controllers to establish, implement and maintain reasonable administrative, technical and physical security practices appropriate to the volume and nature of the personal data they hold, and gives consumers the rights to access, correct and delete their personal data, to obtain a portable copy of it, and to opt out of targeted advertising, the sale of their data and certain profiling. The Act itself does not contain a breach notification provision: breach notification in Texas continues to be governed by the state's existing breach notification statute, which requires notice to affected individuals and, for larger breaches, to the Attorney General.
Unlike the CCPA, the Act does not create a private right of action for consumers. Enforcement is reserved exclusively to the Texas Attorney General, who must give a controller or processor written notice and a 30-day period to cure an alleged violation before bringing an action, and who may seek civil penalties of up to $7,500 per violation. If signed, the Act will regulate the collection, processing and sharing of personal data in Texas, with an effective date of July 1, 2024.
Sergei Tokmakov, a privacy expert, has commented on the significance of these developments, stating, "These laws are a step in the right direction towards ensuring that individuals' personal data is protected and that businesses are held accountable for their data handling practices."
Businesses in both Australia and Texas are advised to review and update their privacy policies, their cloud and outsourcing arrangements (which often amount to cross-border disclosures), and their contracts with any party to whom personal information is disclosed, so that security obligations, breach notification duties and accountability for overseas recipients are documented and enforceable.
- Under the Australian Privacy Principles (APPs), entities are encouraged to de-identify personal information where identification is not necessary for the purpose, and must destroy or de-identify personal information they no longer need.
- The Texas Data Privacy and Security Act, like the California Consumer Privacy Act (CCPA), requires businesses to implement reasonable security measures to protect personal data, gives consumers the rights to access, correct and delete their personal data, and is enforced by the Texas Attorney General, holding businesses accountable for their data handling practices.