Anna Johnston

Australia now has the biggest fines for privacy breaches in the world. 

Parliament passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill last month, which introduced significantly increased penalties for severe or repeated privacy breaches. 

At the Professional Planner Researcher Forum, Salinger Privacy principal Anna Johnston discussed the bill’s implications.

The bill will increase the penalty for privacy breaches under section 13G of the Privacy Act to three times the value of the benefit of the privacy breach. If the value can’t be determined, it will instead be based on 30 per cent of the firm’s adjusted turnover for the relevant period.

For an individual, the maximum penalty will be $2.5 million. The maximum penalty for a corporate body is $50 million.

Johnston said the recent Optus and Medibank breaches revealed that current safeguards are outdated and inadequate. The new law makes it clear to companies that the penalty for significant data breaches cannot be regarded as the cost of doing business anymore.

The difference between cyberattacks, data breaches, and privacy breaches 

Johnston said cyberattacks, data breaches, and privacy breaches were often confused with one another.

A cyberattack is an attempt by hackers to damage or destroy a computer network or system. 

Data breaches occur when personal information is accessed and disclosed without authorisation or is lost. 

A privacy breach is when personal information is stolen or lost or is collected, used, or disclosed without permission or prior knowledge. 

“Not every cyberattack will result in a data breach,” Johnston said. 

“It’s almost like a truck parking across your driveway. You can’t get in or out of your house with your car anyway, or in or out of your garage. No-one’s stolen anything, no-one’s accessed anything – they’ve just blocked your ability to move in or out.” 

She added that although a cyber-security incident may not necessarily be serious, companies are still required to report it to the federal government.

“There are certainly strategies organisations can use to store people’s data more securely,” she said. 

“Some of these strategies have a lot to do with minimisation. For example, companies might not collect any data in the first place, or they might get rid of it as soon as they don’t need it anymore.”

Another strategy Johnston recommends is hiding data from people within companies who don’t need to see it.

The Optus and Medibank breaches 

Unsurprisingly, the data breaches at Optus and Medibank have been one of the top issues this year.

Even within financial services, the RI Advice breach highlighted the need for licensees and advice practices to have sufficient cyber policies in place. 

Johnston said the Optus and Medibank incidents “have put privacy and cyber-security at the forefront of the minds of boards and audit and risk committees.”

“They have also been front-page news and caused political headaches for the government.”
