1000s of Australian Brokers Join Best Interest Duty Focused Platform
With Best Interest Duty (BID) a core focus in Australia, thousands of mortgage brokers are joining industry leaders on FileInvite.
Stay ahead by gaining insights into Australia's evolving data privacy regulations and their specific impact on your industry.
Since 2020, 63% of reporting organizations have experienced a data breach in connection with remote work practices and technologies. In Australia, this surge in data privacy lapses — either through error or malicious activity — has been among the worst in countries with significant reporting data. Moreover, the high incident rate of data breaches has continued through 2022, including several notable breaches of millions of personal records from single organizations:
The generally accepted cause of this trend is fairly straightforward. During the first few months of the COVID-19 pandemic in 2020, businesses around the globe rapidly implemented remote work policies to comply with public health measures. As IT teams scrambled to adopt cloud technologies to enable remote work, data privacy vulnerabilities proliferated, leading to a 400% spike in global cybercrime.
Following these continued losses to cybercrime in 2022, the Australian government has decided to respond with significant updates to the country’s existing data privacy laws. This guide provides an overview of current Australian law, incoming changes in 2023, and steps organizations should take to comply with new requirements.
The foundation of Australia's current data privacy laws is the Privacy Act 1988. The Privacy Act outlines standards for collecting, using, and disclosing personal information, ensuring organizations and agencies maintain data protection practices. Australia’s legislature amended the Privacy Act in 2014, adding a more explicit regulatory framework of 13 Australian Privacy Principles (APPs) that apply to data handling by Australian government agencies and private sector organizations.
The APPs are:
While the APPs worked relatively well as privacy protections before the widespread adoption of cloud technologies — which vastly multiply remote access points for data — the recent uptick in data breaches has revealed inadequacies for today’s challenges. In the words of Australia’s Minister of Home Affairs, Clare O’Neil, Australia is “behind the eight-ball” and must “step up (the) game in Australia in terms of policy, in terms of citizens, and in terms of how we think about this problem.”
In the wake of recent data breaches, the Australian government faced mounting public pressure to revisit its privacy frameworks. The Australian Competition and Consumer Commission's Digital Platforms Inquiry was commissioned to evaluate the Privacy Act of 1988. The aim was to ascertain its aptness for the contemporary data environment.
This scrutiny culminated in the introduction of the Privacy Bill in October 2022, which proposed key amendments:
Additionally, New South Wales implemented the Privacy and Personal Information Protection Amendment Act 2022, which will become effective in December 2023. This regional legislation, affecting areas like Sydney and Newcastle, targets only public sector agencies and state-owned enterprises. Its provisions introduce a mandatory data breach notification scheme. Breaches — defined as unauthorized access or exposure causing potential significant harm — must be assessed and reported within a 30-day window.
Anticipating future legislative directions, the Attorney General's review of the Privacy Act in early 2022 hints at broader data privacy transformations in Australia. This review produced the Privacy Act Discussion Paper, which outlines potential legislative changes:
The impending modifications in Australia's data privacy legislation stand to reshape the landscape for both banking and mortgage brokering sectors. As outlined by the Australian Banking Association (ABA), while the reforms aim to increase data security and consumer empowerment, there's a potential unintended consequence. Customers might experience "consent fatigue," stemming from banks having to continuously request permissions, even for routine transactions like payments. Such incessant permissions could slow innovation, making the design of new financial products more difficult and potentially stalling crucial fraud prevention efforts.
Banks rely heavily on customer data to perform their standard operations. Customer data is necessary for evaluating creditworthiness, optimizing payment procedures, and creating tailored digital banking services. The incoming regulations — especially stringent consent protocols, data retention limits, and the introduction of the "right to erasure" which enables individuals to request that organizations destroy or de-identify information about them — could pose challenges. There's a genuine concern that these rules might inadvertently tie banks' hands when it comes to protecting customers at risk and effectively combating cyber threats.
Mortgage brokers in Australia already operate under numerous regulatory acts. These include the Personal Properties Securities Act 2009, the National Credit Act 2010, and the long-standing Privacy Act 1988. While their primary mandate is to maintain the confidentiality of client data, the anticipated legal revisions may add challenging layers of complexity. Brokers could find themselves navigating a more bottlenecked loan application process. Additionally, the amplified data privacy requirements might deter foreign organizations from investing in Australian firms, potentially affecting the broader economic ecosystem.
To meet the requirements of Australia’s new data privacy laws, organizations should implement clear and concise privacy policies. Here are three reasons why:
To prepare for compliance with the impending changes, affected organizations should:
Ensure data breach policies align with the new mandatory breach notification scheme and publicly disclose these policies. Maintain both internal and external records of all breaches.
Adopt rigorous protocols to clearly disclose data usage intentions and the implications of granting consent.
Introduce mechanisms for individuals to request data deletion under the "right to erasure."
Understand and establish guidelines on the Privacy Act's application to emergent technologies like AI and the Internet of Things.
Simplify language around data privacy practices and policies, ensuring accessibility and comprehension for the public and stakeholders.
Achieving compliance with Australia's new data privacy laws demands stringent measures to protect client data. However, financial service providers shouldn’t view this process as merely a box to check. Rather, it is an opportunity for financial services organizations to develop a proactive security posture toward preventing breaches of client data — a dynamic shift comparable to the requirements of the updated FTC Safeguards Rule in the U.S.
FileInvite offers a file sharing and document collection platform tailored to maintaining compliance with upcoming legal changes and integrating them seamlessly into efficient workflows. Key features include:
To learn more and request a demo, visit FileInvite today.