Sign saying privacy please

3 Business Lessons From The OAIC 2020 Highlights

The OAIC 2020 Highlights Infographic gives us plenty of information about the direction of privacy in Australia. It tells us, for instance, that we can expect to see Australia align with the global trend of increasing consumer protections. It also looks like we can expect stricter enforcement, with regulators seeking significant penalties from businesses that don’t comply.

Here are 3 lessons businesses can draw from the OAIC 2020 Highlights: 


1. There are Consequences for Interfering with Privacy Rights 

The OAIC launched its first ever civil proceeding against a company for interfering with personal privacy. The claim was made against Facebook with regards to the Cambridge Analytica scandal, where an app harvested information that was sold and used for purposes well outside the users’ expectations. It is alleged that Facebook breached APP 6.1 and APP 11.1(b) when it disclosed the details of approximately 320,000 Australians.   

Legally, this case is significant. It will determine whether disclosures like this are treated as one disclosure or 320,000 disclosures. It will also clarify whether the Privacy Act applies to digital businesses which operate from offshore entities. Finally, it demonstrates that the OAIC is taking part in the broader trend of active enforcement and more stringent regulation in relation to data privacy. 

Takeaways from the Cambridge Analytica Action 

Here’s what your business should take away from the OAIC starting this action: 

  • Make your opt-out settings very clear and very easy to locate. 
  • Make your privacy policy clear, easy to navigate, and very easy to locate.  
  • Keep precise records of the personal information you disclose to any third parties.  
  • Take care with any third-party disclosures. 
  • Ensure your third-party providers have adequate measures in place to protect the personal information you disclose. (ASIC launched proceedings against RI Advice Group Pty Ltd last year for failing to implement adequate cyber security – indicating that this type of enforcement is also likely to increase.)

2. Human error is a significant cause behind notifiable data breaches. 

The number of notifiable data breaches doubled between the January – June 2019 and the July – December 2019 period. Since then, the number has remained consistently high, when compared to previous years. In 2020, the OAIC oversaw the notification and remedy of 1,150 notifiable data breaches. More than 35% of those data breaches were a result of human error.  

Takeaways for businesses hoping to protect customer and employee data: 

Training your team is incredibly important. It raises awareness about common causes behind these mistakes, helping to prevent them.  

3. You Should Be Proactive in Your Privacy Assessments.  

The OAIC 2020 Highlights outlines that it undertook 9 proactive privacy assessments to enhance organisational privacy in 2020. Many of the recommendations outlined in these privacy assessments provide guidance to organisations looking to uplift their privacy protections, including: 

  • Understand your privacy obligations under the Australian Privacy Act, as well as international legislation.  
  • Develop staff awareness of information security risks and implement measure to mitigate these risks. 
  • Centralise your approach to privacy governance – and ensure your cybersecurity and privacy team members communicate and allocate responsibility appropriately.  
  • Privacy obligations extend to physical security too. For instance, be sure to revoke access to personal information when team members leave – or when they no longer need access to it. And consider providing dedicated workspaces for employees who have higher levels of administrative access to personal information.   
  • Routinely update your risk mitigation documents and strategies to make sure they adequate address the current risk climate.  
  • Adopt multi-factor authentication methods, where possible and where it is warranted by the risk of disclosure.  
  • Establish policies around destroying and de-identifying data.  

Develop Your Privacy Governance with Privacy108 

Privacy108 works with businesses and organisations to develop and implement mature privacy governance programs. We contemplate digital and physical risk to your data in our assessment of your current privacy posture. Then, we work with you to develop stronger data protections that align with your legal obligations today – and empower you to remain compliant into the future.  

Find out more about our privacy consulting. 


Want to receive updates like this in your inbox? Subscribe

  • We collect and handle all personal information in accordance with our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.

At Privacy 108, we are passionate about privacy and data protection. We work with organisations to ensure they collect, use and secure all information in a way that is both compliant and meets community expectations. Privacy 108 is a law firm. Our team of lawyers can provide specialist legal advice on privacy and security issues.