Deep Dive into Privacy Act Reforms

Paul Dugan and Lachlan Chuong recently gave a presentation as part of DMAW Lawyers' CPD program entitled “Deep Dive into Privacy Act Reforms (Part 2)”. This followed Part 1 presented by Tasha Naige previously. This series examines some of the significant reforms in privacy law in the pipeline, many of which arise out of the Privacy Act Review and the Commonwealth Government’s response to the review.

As part of this presentation Paul and Lachlan highlighted the significant increase in data breaches emanating from third party service providers. The most recent OIAC Notifiable Data Breach Report – July to December 2023 reports that third party breach notifications have increased from 29 in the previous period to 121 in the July to December period.

The Privacy Commissioner has recently identified third party service providers in supply chains as a high risk area and emphasised the need for organisations to take appropriate steps manage those risks in order to comply with their obligations under the Privacy Act. This follows previous warnings from ASIC about duties to manage cyber security risks in supply chains.

Underlining those risks are three reported data breaches involving third party providers between 15 and 17 May alone affecting Sumo, an energy utility, the Iress Onevue wealth management hub and, most recently, Medisecure, one of Australia’s two paperless medical scripts networks which manages digital scripts issued by doctors. Medisecure manages millions of scripts per year.

In order to comply with Privacy Act obligations to protect personal and sensitive information and mitigate the risks and damage that might result from a data breach, organisations should ensure that they:

• are undertaking due diligence on the information security controls of service providers with whom they share information;
• have in place contractual terms and practical arrangements with those providers addressing:

• appropriate industry standard cyber and information security controls

• the handling of personal information, including defined data retention periods and processes for destroying or de-identifying data

• data breach response, including assigning roles and responsibilities for investigating, managing a data breach and meeting regulatory reporting obligations

• notification of cyber incidents
• rights to monitor/audit information security compliance.

If you would like any further information on this topic or how we can assist in helping to safeguard your business, please feel free to contact Paul Dugan.

This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.

Our team of cyber and information security specialists advises clients at each stage of the data lifecycle – from proactive risk management to incident response and recovery.

From the outset, we work closely with our clients to identify and manage internal and external data privacy and security risks through legal documentation, establishment of appropriate board and management governance arrangements, policies and procedures, on-boarding arrangements and IT protection.

Should a cyber incident or information breach occur our team will be right by your side to advise and assist you with response, damage mitigation, recovery and obtaining legal remedies.

Find out more about how our expert cyber and information security team can assist your business here.

The Cyber Alliance Group is a collaboration between DMAW Lawyers, Comunet and Digital Trace Australia to provide comprehensive cyber security advice and services to business.

Whether you are responding to a cyber security incident or are looking to proactively enhance your cyber security processes and governance, we can provide a range of services that will enable you to re-focus your attention where it’s needed – your business.

Find out more about our involvement with the Cyber Alliance Group here.