The Privacy and Other Legislation Amendment Bill 2024 was introduced to Parliament in September, and was passed by the Senate at the end of November 2024.
Its aim is to amend the Privacy Act 1988 in accordance with several of the recommendations from the Privacy Act Review Report. Some of the changes will be of interest to businesses that collect, store or use personal data.
The changes DCA has singled out as being of greatest interest in this case are as follows:
- Changes to obligations regarding the security and retention of personal information
An alteration to Australian Privacy Principle (APP) 11 clarifies that obligations to the security of personal information should include both “technical and organisational measures.”
It’s a small change, but one that really centres the need for a robust data governance framework in 2025.
- Changes to international data flows
This change asks for a white list of prescribed jurisdictions where the laws of the country would be “substantially similar” to the APPs.
It’s always important for an organisation to have a strong understanding about where its data flows might go, but this change would reduce the burdens of privacy assessment currently borne by businesses. Such a change may help companies streamline their decisions about where to host and process information.
- Changes to transparency and disclosure requirements around automated decision making
Businesses will soon be required to disclose automated decision making that uses personal information and might affect individuals’ rights or interests. Companies will need to update their privacy policies to let people know which personal information, which kinds of decisions, and whether or not those decisions are made wholly or substantially by computer programs.
Automated decision making is often built up over time, with each layer constructed atop the scaffolding of the technology and diverse data flows that came before. Because of this, it will be worthwhile for businesses to ensure they know all about their use of personal information.
All of these upcoming changes have the capacity to affect business as usual operations. Changing legislation demands a dynamic response from businesses, so data governance will be an important consideration for many of us in 2025.
If you have a question about how you can implement tools or processes to improve your organisation’s data privacy and governance, DCA’s data specialists are here to help. Contact us today.
