Contact

3 Business Lessons From The OAIC 2020 Highlights

Published
12 Mar 2021
Read time
4 min read
Category
Law, Privacy, Privacy Practice

The OAIC 2020 Highlights Infographic gives us plenty of information about the direction of privacy in Australia. It tells us, for instance, that we can expect to see Australia align with the global trend of increasing consumer protections. It also looks like we can expect stricter enforcement, with regulators seeking significant penalties from businesses that don’t comply.

Here are 3 lessons businesses can draw from the OAIC 2020 Highlights: 

 

1. There are Consequences for Interfering with Privacy Rights 

The OAIC launched its first ever civil proceeding against a company for interfering with personal privacy. The claim was made against Facebook with regards to the Cambridge Analytica scandal, where an app harvested information that was sold and used for purposes well outside the users’ expectations. It is alleged that Facebook breached APP 6.1 and APP 11.1(b) when it disclosed the details of approximately 320,000 Australians.   

Legally, this case is significant. It will determine whether disclosures like this are treated as one disclosure or 320,000 disclosures. It will also clarify whether the Privacy Act applies to digital businesses which operate from offshore entities. Finally, it demonstrates that the OAIC is taking part in the broader trend of active enforcement and more stringent regulation in relation to data privacy. 

Takeaways from the Cambridge Analytica Action 

Here’s what your business should take away from the OAIC starting this action: 

  • Make your opt-out settings very clear and very easy to locate. 
  • Make your privacy policy clear, easy to navigate, and very easy to locate.  
  • Keep precise records of the personal information you disclose to any third parties.  
  • Take care with any third-party disclosures. 
  • Ensure your third-party providers have adequate measures in place to protect the personal information you disclose. (ASIC launched proceedings against RI Advice Group Pty Ltd last year for failing to implement adequate cyber security – indicating that this type of enforcement is also likely to increase.)

2. Human error is a significant cause behind notifiable data breaches. 

The number of notifiable data breaches doubled between the January – June 2019 and the July – December 2019 period. Since then, the number has remained consistently high, when compared to previous years. In 2020, the OAIC oversaw the notification and remedy of 1,150 notifiable data breaches. More than 35% of those data breaches were a result of human error.  

Takeaways for businesses hoping to protect customer and employee data: 

Training your team is incredibly important. It raises awareness about common causes behind these mistakes, helping to prevent them.  

3. You Should Be Proactive in Your Privacy Assessments.  

The OAIC 2020 Highlights outlines that it undertook 9 proactive privacy assessments to enhance organisational privacy in 2020. Many of the recommendations outlined in these privacy assessments provide guidance to organisations looking to uplift their privacy protections, including: 

  • Understand your privacy obligations under the Australian Privacy Act, as well as international legislation.  
  • Develop staff awareness of information security risks and implement measure to mitigate these risks. 
  • Centralise your approach to privacy governance – and ensure your cybersecurity and privacy team members communicate and allocate responsibility appropriately.  
  • Privacy obligations extend to physical security too. For instance, be sure to revoke access to personal information when team members leave – or when they no longer need access to it. And consider providing dedicated workspaces for employees who have higher levels of administrative access to personal information.   
  • Routinely update your risk mitigation documents and strategies to make sure they adequate address the current risk climate.  
  • Adopt multi-factor authentication methods, where possible and where it is warranted by the risk of disclosure.  
  • Establish policies around destroying and de-identifying data.  

Develop Your Privacy Governance with Privacy 108 

Privacy 108 works with businesses and organisations to develop and implement mature privacy governance programs. We contemplate digital and physical risk to your data in our assessment of your current privacy posture. Then, we work with you to develop stronger data protections that align with your legal obligations today – and empower you to remain compliant into the future.  

Find out more about our privacy consulting. 

 

Oops! We could not locate your form.

Ready to turn insight into action?
Connect with Privacy 108.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Privacy 108 collects your name and contact details to respond to your enquiry and communicate with you about it. If you do not provide this information, we may be unable to respond. We do not disclose this information to third parties. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Talk to us?
Looking to take your business to the next level? Speak with our experts today!
Contact us
Related articles
  • 1300 41 20 50
  • Level 3, 240 Queen St, Brisbane QLD 4000
  • Ground Floor Reception, 3 Spring St, Sydney NSW 2000
  • PO Box 3295, Yeronga QLD 4104
  • Follow us on LinkedIn
Services
Privacy Risk Management Privacy Impact Assessments AI Governance Privacy Legal Services Research and Policy
Company
About Privacy 108 Our Team Careers Insights Contact Us Privacy Policy Terms & Conditions
Subscribe to our newsletter
Subscribe
Privacy 108 Consulting Pty Ltd ABN 52 600 425 885 is an incorporated legal practice registered with the Queensland Law Society. Liability limited by a scheme approved under Professional Standards Legislation.
We respectfully acknowledge the Traditional Owners of the land we work on and pay our respects to their Elders past, present and future in maintaining the culture, country and their spiritual connection to the land.
© 2026 by Privacy 108 Consulting Pty Ltd. ABN 52 600 425 885
Website by DeeperLook
Subscribe to our Newsletter

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Privacy 108 collects your name and email to send you our newsletter. If you do not provide this information, we will be unable to send it to you. We may use third-party service providers (such as email marketing platforms) to distribute our communications. Some providers may store information overseas, including in the United States. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au. You can unsubscribe at any time using the link in our emails or by contacting hello@privacy108.com.au.