Australian Data Security Standards compared to European GDPR

November 1, 2023
by jacob

Australian Data Security Standards are legislated under the Privacy Act 1988 (Cth), known simply as the Privacy Act. This act includes twelve Australian Privacy Principles (APPs) which Australian organisations with an annual turnover above $3 million, referred to in the legislation as APP entities, are legally bound to follow. This means that an APP entity must take reasonable steps to manage the personal information and data of its clients under the APPs, which include:

  • A clearly expressed, up to date, and easy to access ‘APP privacy policy’ which documents how personal data is managed by the APP entity.
  • How to collect sensitive personal information with informed consent, as well as when the APP entity must destroy personal data, whether it’s unsolicited or no longer used.
  • Limits on using personal data for a secondary purpose other than the reason it was originally collected, and restrictions on collecting personal data that is not relevant to business operations.
  • Integrity and correction of personal data, as well as the rights of individuals to access the personal information that is collected by the company.
  • Whether the APP entity is ‘likely to disclose the personal information to overseas recipients’, which is important for APP entities expanding internationally.

Differences in Data Security Standards between Privacy Act and GDPR

One of the fundamental differences between Data Security Standards in Australia and the EU is how the laws on data security were originally legislated. The Privacy Act was introduced in 1988, long before the widespread penetration of the Internet, and has since gone through 80 minor and major amendments (Australian Government, 2012). The GDPR, Europe’s Data Security legislation, on the other hand, was introduced as a single piece of legislation in 2018, thirty years after the Privacy Act first became law in Australia.

The Privacy Act has twelve Australian Privacy Principles while the GDPR uses eight principles defined as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability (Cavey, 2021). The terminology used also differs between the two pieces of legislation. For example, an individual’s data is called “personal information” in the Privacy Act and “personal data” in the GDPR. Where the Privacy Act regulates how an APP entity can collect data on individuals, the GDPR regulates how “data controllers” process the personal information of “data subjects”. This may seem like splitting hairs to the layperson, but where the law is concerned slight differences in wording and terminology can be debated in court and could mean the difference between a favourable or unfavourable adjudication.

Following this line of legal reasoning, a 2017 amendment to the Privacy Act introduced statutes that classify an eligible data breach as something “a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates” (Privacy Amendment (Notifiable Data Breaches) Act 2017). This “real risk of serious harm” qualifier in the Privacy Act is not clearly defined within the act, which means what is considered serious harm to a reasonable person will evolve over time in Case Law as Australian courts grapple with the impact of data breaches and the unauthorised access or disclosure of personal information (Cox, 2021).

In contrast, Article 33 of the GDPR does not make a distinction for serious harm and instead uses the language of rights and freedoms: “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons” (GDPR vs Australian Data Privacy Regulations: 5 Key Differences, 2018). This broader definition in the European legislation reduces ambiguity and enables the company or data controller to determine the likelihood of risk of a data breach.

jacob

has postgrads in Cyber Law from Deakin Law School; Cyber Crime from Griffith School of Criminology and Criminal Justice; and Cloud Computing and Virtualization from Charles Sturt. After spending the last several years consulting on tech and cybersecurity for newsrooms from México's noticiascancun.mx to South Africa's health-e.org.za he still finds time to write in the age of ChatGPT to keep his pencil sharpened.
