Synopsis
The Privacy and Other Legislation Amendment Bill 2024 contains a number of amendments that affect the handling of data breaches.
These include:
- changed penalties for failure to comply with certain procedural steps and time limits in managing a data breach; for bodies corporate these new ‘mid-tier’ penalties range from 60 penalty units (currently $18,780) to 10,000 penalty units (currently $3,130,000);
- expanded Federal Court powers in response to complaints and own motion investigations by OAIC; and
- new information-sharing powers to support management of complex multi-entity breach incidents (using a Ministerial Declaration). These powers are modelled on the existing Emergency Declarations regime in Part VIA of the Privacy Act.
These changes can be seen as the next plank in the Government's response to the Optus and Medibank data breaches, working alongside the earlier increase in penalties for serious invasions of privacy (already implemented in late 2022).
This presentation will consider these changes in detail, in terms of what they mean for the work of teams managing data breaches / cybersecurity incidents involving personal information. We will also look at what is not in the package.
Also of interest (and possibly of concern) is the Attorney-General's new power to direct the Information Commissioner to hold a public inquiry, even into matters arising before commencement of the amendments. The amendments also empower the Commissioner to obtain information and documents and examine witnesses for a public inquiry.
Finally, we will briefly cover the new tort of invasion of privacy and the new anti-doxxing offences, to explore possible overlap for certain types of severe / malicious data breach incidents.