From awareness to action – Reflections on PAW 2026

Comment

From awareness to action – Reflections on PAW 2026

By Chong Shao

On Monday, 4 May 2026, IIS joined other IAPP members for the Sydney launch of Privacy Awareness Week, where Privacy Commissioner Carly Kind gave the keynote address.

Commissioner Kind opened by alluding to the thing that many in the room were probably thinking: It’s Privacy Awareness Week again; is there anyone left who isn’t aware that privacy matters? She floated the heretical thought that PAW might have achieved its purpose. Awareness is not the gap anymore. The harder question – the one organisations should be sitting with – is whether that awareness is being converted into something real.

That framing set up the rest of her address, which was organised around three ideas: action, agency and alternatives. It also gave the speech a different feel from previous PAW addresses. As Olga Ganopolsky (General Counsel, Privacy and Data at Macquarie Group Limited) observed during a later fireside chat, where past years have been heavy on law reform, this year was striking for how much was being done under the regime that already exists.

That observation also captures the IIS view of where things stand: no Tranche 2, no problems. Commissioner Kind is proceeding full steam ahead – and, unlike certain other ‘full steam ahead’ projects in Australian public life (ahem, AUKUS), she has actual progress to show for it.

Twelve months on from last year’s PAW, the four themes we identified in the Commissioner’s stance have gathered apace. Commissioner Kind is still working with a holistic view of privacy grounded in power imbalance. She is still using the full regulatory toolkit, including pursuing matters in court. She is still interested in fresh, purposive readings of the existing Privacy Act. What is new this year is that there are now concrete cases and determinations to point to – and a clearer picture of where the OAIC is heading.

Action: mere compliance is not enough

The first theme was the move from awareness to action. The Commissioner’s organising question was a practical one: what does ‘good’ actually look like? Two recent matters illustrate her answer.

The Federal Court’s decision in Australian Information Commissioner v Australian Clinical Labs Limited deserves close reading not only for its technical security findings but for the governance failures sitting alongside. As the Commissioner put it in the fireside, the breach occurred on a subset of entities ACL had acquired, and post-acquisition the organisational measures were never properly embedded into the business (Medlab Pathology) which ACL had acquired. Key personnel had not been trained on the relevant policies and processes. There was over-reliance on a technical consultant whose advice turned out to be inadequate.

The Court found upwards of 200,000 contraventions on the OAIC’s preferred reading – each affected individual counting as a separate contravention. The Commissioner indicated that this will be the OAIC’s position going forward. With the maximum penalty per contravention now at $50 million rather than the pre-reform $2.2 million, the arithmetic speaks for itself.

The takeaway is not really about cyber security. It is that APP 11 has both a technical limb and an organisational one, and the latter does a great deal of work in practice. Acquisitions, integrations, restructures and outsourcing arrangements are exactly the moments when gaps start to show. A privacy policy is one thing. A privacy program – funded, properly governed, reflected in training, surviving an M&A event – is another.

The Vinomofo Pty Ltd investigation makes the same point from the other direction. The policies existed. The training, as the Commissioner described it, was nominal. Privacy was not embedded.

The third matter – the Bunnings review decision – extends the point from culture and training into process. APP 1.2’s requirement to take reasonable steps to implement procedures, processes and systems is not satisfied by scattered internal enquiries and informal sign-offs. For new, invasive or high-risk practices, the baseline is a formal, structured, documented assessment. Olga’s framing – ‘to avoid the Death Star, do a PIA’ – drew a chuckle from the room.

Bunnings is also worth reading for what the OAIC won and what it lost. The Tribunal departed from the Commissioner on proportionality and necessity, which the OAIC has acknowledged and will address in forthcoming updates to the APP 3 collection guidelines (now published). But on the points that matter most the OAIC won decisively. Collection-is-collection-no-matter-how-transient is the holding that will persist and make a difference. As the Commissioner noted, future collection events will look nothing like a paper form. They will be milliseconds long, mediated by AI, embedded in pixels, layered through brief and opaque encounters. Dispensing with the temporal threshold for ‘collection’ now matters enormously for how the Privacy Act applies later.

Agency: privacy as power, not paperwork

The second theme picked up the Commissioner’s continuing concern with power and information asymmetries. The question, she suggested, is not whether an individual could in principle have made a different choice. It is whether the individual was ever in a meaningful position to do so. Two areas stand out.

The first was AI. The Commissioner has clearly been mapping the AI landscape over the past year – engaging with developers, providers, agencies and civil society on the use of personal information to train AI models, and on the rollout of AI scribe technology in clinical settings. The iMed investigation closed without findings; others are ongoing and likely to produce decisions next year. The 2026 community attitudes survey, when it lands, will show that 93% of Australians do not think it is fair and reasonable for organisations to use personal information to train AI systems. That figure will inform how the OAIC interprets ‘purpose’, ‘use’ and ‘disclosure’ in this space.

The second practice was excessive collection. The 2Apply / InspectRealEstate determination is a striking application of APP 3. The factual setting matters: in a rental market with severe power imbalance and limited alternatives, a prospective tenant has little real say in what information they hand over or how the request is put to them. The OAIC found that the platform’s collection practices breached APP 3.3 (collection of sensitive information) and, more interestingly, breached APP 3.5 (lawful and fair collection), on the basis that the design of the application flow was unfair. Drawing on the UK ICO’s work on online choice architecture, the OAIC identified specific design patterns – ‘confirmshaming’ and biased framing – that contravened the fair-and-lawful-means requirement..

This is APP 3 doing more work than most organisations have assumed it does. The question is no longer just ‘can we identify a business reason for asking?’ It is whether each piece of information being collected is genuinely necessary – particularly sensitive or high-risk information that may carry more risk than value – and whether the way the request is put to the individual is fair on its own terms. Choice architecture has now arrived as a privacy concept, not just a consumer law one.

The thread connecting AI and rental applications (and, in forthcoming investigations, tracking pixels) is the one the Commissioner drew explicitly. These are all practices that are passive, opaque, or offer false choices. They are not legible to the people they affect. The OAIC’s regulatory interest is concentrating in exactly those places.

Alternatives: the Children’s Online Privacy Code as proof of concept

The third theme was the most forward-looking, and the most interesting departure from where one might have expected the speech to go.

There is a natural reading of action and agency together – fines are getting bigger, the OAIC is more active, the law is being read more purposively – that is essentially enforcement-focused. The Commissioner’s third move was to step out of that frame and ask a different question: what if the regulator did not just enforce against bad practice, but demonstrated what good practice could look like?

This is where the Children’s Online Privacy Code comes in. The exposure draft was published earlier this year. Three features stand out that make the Code structurally different from ordinary APP compliance.

First, the Code regulates at the service level, not the entity level. This follows the model used in online safety regulation. It also reflects a recognition that the entity is often not the right unit of analysis for digital services, where the same company might run multiple services with quite different risk profiles.

Second, data minimisation is the default starting position. Collection settings are switched off unless the child opts in. Consent must be genuine, not bundled or guilt-tripped, and where the child is under the age of digital consent they must still be brought into the conversation in age-appropriate language. There is a right to erasure, not just de-identification.

Third, the best interests of the child is the primary consideration. This is not a familiar concept in Australian privacy law. It draws from international children’s rights law and changes the orientation of the entire framework. Compliance is no longer principally about whether the organisation has acted reasonably from its own perspective. It is about whether the design of the service is in the interests of the children using it.

These are not incremental adjustments; they change the starting point. Commissioner Kind described feeling ‘something close to excitement’ about the Code’s potential. She also framed it as a proof of concept: ‘the aspiration is to build the alternative, then extend it to everyone else.’ If a digital ecosystem with stronger defaults, more honest design and meaningful user agency can be made workable for children, it becomes harder to argue that the same is impossible for others.

That is the part worth watching. There is an emerging Australian regulatory pattern here – the eSafety Commissioner’s Social Media Minimum Age framework, and now the OAIC’s Children’s Online Privacy Code – in which Australia is taking a more design-forward and structurally interventionist approach to digital regulation than comparable jurisdictions. The Children’s Online Privacy Code is the most ambitious yet because as the Commissioner indicated, the aspiration is to use it as a stepping stone: first prove the model with children, then extend the same defaults, design standards and user controls to digital services more broadly.

What this means for organisations

The clearest message of PAW 2026 is that waiting for Tranche 2 is not a compliance strategy. The Commissioner is using the Act she has, using it well, and signalling that she will continue to explore new understandings and applications of its existing terms.

The concepts that Commissioner Kind is seeking to clarify in the coming year include the definition of personal information, and purpose, use and disclosure under APP 6. These terms are especially pertinent when it comes to how the Act applies to AI training, profiling and connected devices.

For organisations, the practical implications follow from each of the three themes.

On action, paper compliance is no longer a safe place to sit. Privacy needs to be funded, embedded, reinforced in training and reflected in how the organisation actually makes decisions about new technologies. Acquisitions and integrations are where this can fall over in practice. High-risk and novel practices should be supported by formal, structured, documented assessments. The Commissioner has now made clear that anything less is unlikely to satisfy APP 1.2.

On agency, the orientation has shifted. The question is no longer whether the organisation’s privacy practices can survive a narrow legal review. Rather, the lens should be about trust: how do these practices hold up when looked at from the perspective of the person on the other side of the form, the screen or the AI model? Excessive collection, opaque processing and dark-pattern design are in the Commissioner’s crosshairs, and they will not be defended by pointing to a privacy policy.

On alternatives, the Children’s Online Privacy Code is worth paying attention to, including by organisations that are not directly captured by it. The design choices in the Code reflect a regulatory view about what good looks like across the board. The closer an organisation’s own practices are to those defaults, the less exposed it will be if (or when!) the model is extended at some future point.

Conclusion

PAW 2026 was a challenge as much as a celebration. There is more work to be done to promote privacy and win trust.

The regulator is doing its part. I am genuinely impressed at how much the OAIC has been able to pull off, given all the things on its plate and the (limited) resources it has to work with.

As Commissioner Kind noted at the outset, the Australian community is already privacy-aware. The question now is whether regulated entities are paying attention – and what they intend to do about it.

If you have any about how these developments might affect your organisation, or would like assistance with privacy program uplift, PIAs or any of the practical implications above, please contact us.

Comment

Children's Online Privacy Code: What You Need to Know and What's Next

Comment

Children's Online Privacy Code: What You Need to Know and What's Next

By Gabriella Assis

Introduction

Australia is entering a new era of child-centred privacy regulation, with the draft Children’s Online Privacy Code (the Code) marking a major shift in how children’s data must be handled.

The Office of the Australian Information Commissioner (OAIC) notes that by age 13, an estimated 72 million data points may have been collected about a child. The Code responds to the growing risks associated with large scale data collection, including discrimination, algorithmic bias, identity theft, targeted advertising and other forms of misuse.

This volume of data leaves children and young people exposed to a range of data practices including profiling, direct marketing and targeted advertising, as well as ingestion of personal information into AI. Data breaches, unlawful disclosure and broader security failures, identity theft, discrimination, and algorithm bias all can lead to serious financial, reputational and developmental harms. These risks highlight the need for stronger, enforceable safeguards.

The Children’s Online Privacy Code is a legislative instrument made under the Privacy Act 1988 and was introduced by the Privacy and Other Legislation Amendment Act 2024 (POLA Act). The Code places clear responsibility on organisations to embed safety, transparency and privacy protective design into their digital services.

This Insights post outlines what the Code is, why it matters, how it was developed, how stakeholders can influence its final form, how IIS can support organisations preparing submissions, and what happens next.

1. Understanding the Children’s Online Privacy Code

Why this matters

The Code is a major uplift to Australia’s privacy framework, designed to protect children in a digital ecosystem where data collection is pervasive and often invisible. The Code will become a legally enforceable instrument once it is registered on 10 December 2026.

Why the Code is needed: Evidence from the EdTech ecosystem

Recent independent research into school‑endorsed educational apps in Australia shows a clear gap between what privacy policies promise and what apps actually do – the very risks the Children’s Online Privacy Code is designed to address. Analysis of almost 200 apps approved for use in schools found that many shared children’s personal information with third parties as soon as the app was opened, often before any user interaction, contradicting their own privacy policies and exposing gaps in oversight by education systems, app developers, and regulators.

The research also found that most apps included advertising or tracking tools that were not necessary for their educational purpose, while only a small number of privacy policies accurately reflected these practices. Most policies were written in language too complex for parents and children to reasonably understand, and child-focused branding often created an illusion of safety not supported by how the apps operated.

Together, these findings highlight that current consent and disclosure mechanisms reinforce the need for enforceable, design focused obligations that place responsibility on organisations rather than children, parents, or schools to act in the best interests of the child.

Scope and application

The Code applies to businesses or organisations covered by the Privacy Act 1988 if:

  • They are a provider of a social media service, a relevant electronic service or designated internet service,

  • The service is likely to be accessed by children or primarily concern the activities of children, and

  • If the organisation is not providing a health service.

For the purposes of the Code, a social media service, a relevant electronic service, and a designated internet service are understood by the OAIC as follows:

  • Social media services: platforms where people can connect, share content and interact with others (e.g. social networks, public media-sharing sites, discussion forums and review platforms).

  • Relevant electronic services: online services that let people communicate with each other (e.g.  messaging apps, email services, video calling platforms and online games where players can chat).

  • Designated internet services: online services that allows users to access or receive material over the internet (e.g. cloud storage, websites that let users receive/access content, streaming platforms, consumer IoT devices).

Importantly, the Code applies at the service level, not the organisational level. This means only the child-facing or child-relevant components of a business fall within scope. This means that if an organisation operates one part of its website that is likely to be accessed by children, that specific service will be covered by the Code. Other services that are not accessed by children – or that do not involve children at all – remain outside the Code’s scope. In practice, the organisation would need to, for example, publish a dedicated privacy policy on its website that clearly identifies the in-scope services and explains its privacy practices in language that is easy for children to understand.

How the Code will work in practice

The Children’s Online Privacy Code introduces obligations that materially change how organisations must handle children’s personal information. This includes:

  • ‘Best interests of the child’ as the governing principle for collection, use, and disclosure of personal information.

  • Stronger consent mechanisms, including notifying a child when a parent consents.

  • Ensure personal information about a child is destroyed upon request, unless an applicable exception applies.

  • Limits on direct marketing, only permissible with consent and when in the child’s best interests.

  • Age-appropriate transparency, requiring clear, accessible, developmentally appropriate notices.

These obligations shift responsibility from children and parents to the organisations designing and operating digital services.

The Code’s primary requirement

The Code’s primary requirement is for organisations to only collect, use or disclose personal information in ways that are consistent with the ‘best interests of the child’.

To understand what actions are in the ‘best interests of the child’, the Code indicates that organisations should consider factors such as:

  • The nature and extent of child exploitation risks, noting that child exploitation includes any situation where a child is abused, harmed or used by another person for economic, sexual or personal gain.

  • The likely mental or physical impacts on the child.

  • The likely impact on the physical, psychological, emotional, social and cognitive development of the child.

  • The extent to which the child’s ability to develop and express their views and identities may be affected.

  • The extent to which the child’s freedom of association, play, leisure or participation in social, cultural or educational activities may be affected.

  • Whether particular groups of children may experience disproportionate or adverse impacts, including children with disabilities, Aboriginal and Torres Strait Islander children, children from culturally and linguistically diverse backgrounds.

  • The evolving capacities of children, including differences in age, maturity and developmental stage across childhood.

2. How the OAIC developed the Code

A research-driven, consultative approach

The OAIC’s development of the Code has involved research, evidence, and consultation. The OAIC has reported that it conducted more than 65 engagements with stakeholders across government, industry, academia, civil society, and international regulators.

Three phase consultation process

Phase 1 (Jan-Aug 2025) – The OAIC held the initial consultation with children, parents, and organisations focused on children’s welfare.

Phase 2 (Apr-Aug 2025) – The OAIC engaged with civil society, academia, and industry to test early concepts and gather insights and perspectives.

Phase 3 (current) – Mandatory 60-day public consultation (31 March – 5 June 2026): The OAIC is seeking industry, civil society, academia and any other interested parties to submit a written response to the Children’s Online Privacy Code.

International alignment

The OAIC has aligned the Code with global frameworks such as theAge Appropriate Design Codedeveloped by the UK Information Commissioner’s Office, while integrating novel protections to ensure Australian children benefit from leading privacy approaches.

3. A call to action for stakeholders: How to participate in the public consultation

Why your input matters

The OAIC has emphasised that it is approaching this consultation with an open mind and is actively seeking feedback to refine the Code and ensure it is implementable.

How to get involved

Stakeholders can:

Where feedback is most valuable

This is where organisations can meaningfully influence the final Code.

1. Scope clarity

As the Code applies at the service level, organisations with mixed service lines (e.g., banks, telcos, EdTech providers) should provide feedback if the application of the Code to some but not all of their services is unclear.

2. Operationalising the Code

Stakeholders can provide input on (or pose questions about):

  • Approaches to interpreting and operationalising the ‘best interests of the child’ principle, recognising that its application may involve balancing competing interests or rights.

  • How to balance commercial and child-centred interests.

  • What evidence organisations must demonstrate to comply with the Code.

  • How to implement any other requirements of the Code.

How IIS can support your submission

If your organisation wishes to have its say, now is the time to engage. IIS can support you in preparing a clear, well-structured submission that reflects your operational context and highlights any practical considerations the OAIC should take into account. Our team can help you interpret the Exposure Draft of the Children’s Online Privacy Code, assess the implications for your services, and articulate your feedback in a way that constructively contributes to the consultation process.

4. What happens after the consultation

Regulatory pathway

After the consultation closes, the OAIC will:

  • Review all submissions.

  • Engage in a Regulatory Impact Analysis (RIA) to conduct a cost-benefit analysis of the implementation of the Code. For the Children’s Online Privacy Code, the RIA focuses on balancing stronger privacy protections for children against the regulatory and economic impacts on online services.

  • Where appropriate and required, the OAIC will continue to consult with relevant stakeholders to ensure different voices are heard and represented throughout the process in developing the final Code.

  • Register the final Code by 10 December 2026 as required by the POLA Act. Once registered, the Code becomes legally enforceable.

Conclusion

The Children’s Online Privacy Code represents a significant development in the national privacy landscape. It elevates children’s rights, places responsibilities on organisations to design safer digital environments, and aligns Australia with global best practice.

The current consultation period is a critical opportunity for interested stakeholders to help shape the final Code, ensuring it is practical and capable of meaningfully protecting children in an increasingly complex digital ecosystem.

Comment

The OAIC’s new approach: An enforcement memo in complaints clothing

Comment

The OAIC’s new approach: An enforcement memo in complaints clothing

By Chong Shao and Malcolm Crompton

On 2 March 2026, Privacy Commissioner Carly Kind published a post announcing a ‘new approach’ to how the Office of the Australian Information Commissioner (OAIC) will handle individual privacy complaints. At one level, the post is about complaint handling. IIS reads this as an enforcement memo in complaints clothing.

Commissioner Kind has made a statement about regulatory priorities: in an environment of growing privacy risks, rising complaint volumes, and constrained public resources, the OAIC intends to focus its effort where it can have the greatest impact. The complaints-handling changes flow from that. They are a consequence of the strategy, not the story.

What the OAIC has announced

Four elements of the announcement are worth noting, all of which point in the same direction:

  1. Enforcement focus is now the headline. The OAIC describes an intentional shift over the past 12 months toward a greater focus on enforcement, citing deterrent and educative benefits, and a desire for ‘maximum impact’ across sectors. The results are already tangible: a $5.8 million civil penalty against Australian Clinical Labs, civil penalties proceedings filed against Optus and Medibank, and a $50 million settlement from Meta Platforms.

  2. Complaint handling will be more selective and threshold-driven. Not all complaints will be taken through to investigation. The OAIC will conduct a ‘strategic assessment’ and may decide not to investigate after considering all circumstances, including regulatory priorities.

  3. Complainants are being coached to bring better-formed complaints. The OAIC has published checklists, templates, and is clear about what information is required from the outset (including what happened, when, and the impact).

  4. Timing expectations are being reset. As of February 2026, new validly lodged complaints are unlikely to be substantially progressed for 6-12 months. That is a frank admission, and a deliberate signal.

It’s rare for a regulator to be this candid about the trade-offs it is making. The OAIC isn’t just explaining process – it is publicly setting out why individual casework is being deprioritised in favour of enforcement.

So what for organisations?

IIS advises four things with respect to this shift in focus:

1. Don’t confuse ‘slower complaint handling’ with ‘lower risk’

The OAIC is concentrating its effort, not retreating from the field. Organisations whose practices generate repeated complaints or patterns of non-compliance are now more likely to attract attention, not less.

The relevant question isn’t whether your next complaint gets processed in three months or twelve. It’s whether your privacy practices are the kind the OAIC will decide are worth pursuing at scale.

2. Complaints will increasingly function as signals, not just casework

The OAIC is deliberately narrowing the front door. Complainants are being directed to raise matters with organisations first, to use alternative pathways where available, and to understand that even a well-formed complaint may not be investigated.

The practical effect is that organisations become the primary forum for resolution. The complaints that do reach the OAIC will increasingly arrive as signals of something worth looking at, not as individual grievances to be managed. Treat your complaint themes accordingly. A pattern of similar issues across customers or channels is exactly what an enforcement-focused regulator scans for.

3. This is consistent with the direction the OAIC has been signalling

None of this is a surprise. IIS’ reflections on Privacy Awareness Week 2025 highlighted Commissioner Kind’s emphasis on organisational accountability, systemic power imbalances, and a more proactive regulatory posture. The March 2026 post is another milestone on that same trajectory: greater willingness to use the regulator’s full toolkit, and a clearer focus on shaping organisational behaviour and resilience at scale.

The direction of travel is clear: privacy compliance is increasingly about governance and accountability, not just documentation and process.

4. Privacy complaint handling still matters

Finally, and straightforwardly, make sure your privacy complaint handling process is in good shape. The OAIC requires complainants to raise matters with the organisation first and allow 30 days for a response. That makes the organisation the first and most important forum for resolution. The process does not need to be elaborate – but it does need to reach the right people, produce a genuine response, and generate enough of a record to identify repeat issues. Pattern detection, at even a basic level, is now a governance capability.

The way forward

Don’t read the Privacy Commissioner’s post as ‘complaints will take longer to process, so we can relax’. Read plainly, it signals the opposite: the OAIC is being explicit that it will deploy its resources toward enforcement and systemic impact. It will apply more robust thresholds to individual complaints to make that shift possible.

For organisations, the practical response has two dimensions. The first is operational: ensure privacy complaint handling is genuinely effective and allows for pattern detection over time. The second is strategic: treat complaint patterns as an early warning system for the kinds of systemic issues and market practices that the OAIC is now most focused on. That is where the real regulatory risk sits, and where board and executive attention should be directed.

IIS can help – if you would like assistance with this or any other privacy or data protection matters, please contact us.

Comment

FIIG and beyond: How regulators are converging on the same cyber standard

Comment

FIIG and beyond: How regulators are converging on the same cyber standard

By Chong Shao

On 9 February 2026, the Australian Securities and Investments Commission (ASIC) announced that the Federal Court ordered FIIG Securities Limited to pay $2.5 million in pecuniary penalties, following ASIC action over cyber security failures spanning more than four years.

This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general Australian Financial Services (AFS) licence obligations. ASIC didn’t treat this as a one-off IT mistake. Its message was simple: cyber resilience is now part of doing business.

Whether or not you are in financial services, this case is significant. Across Australia’s regulatory ecosystem, we are seeing a steady convergence towards a practical, outcomes-focused cyber security standard, often described as ‘reasonable steps’.

FIIG in brief and why this outcome matters

ASIC’s media release sets out the core narrative clearly:

  • FIIG’s failures related to protecting thousands of clients from cyber security threats over a sustained period.

  • A 2023 cyber-attack resulted in around 385GB of confidential information being stolen, with highly sensitive client data leaked online (including identity documents and financial identifiers).

  • FIIG notified around 18,000 clients that their personal information may have been compromised. 

  • FIIG admitted that adequate measures suited to a firm of its size and the sensitivity of the data would likely have enabled earlier detection and response, and that complying with its own policies may have prevented some or all of the client information from being downloaded.

There are two takeaways from the FIIG case. Firstly, cyber security hygiene is being treated as a matter of ongoing governance, not just technology. Secondly, regulators and courts are increasingly interested in whether controls are operationalised – that is, implemented, monitored, tested and evidenced – not merely documented.

That shift is not unique to ASIC. It’s part of a broader move (including in privacy regulation) from policy compliance to demonstrable protection.

The cyber hygiene checklist: what regulators now expect as basics

ASIC was unusually specific about what FIIG did not have in place. This gives organisations a simple and helpful prompt: Are we covering the basics, and can we prove it? 

Here’s a practical checklist, using the categories ASIC highlighted:

  • Identity and access

    • Multi-factor authentication for remote access users

    • Strong passwords

    • Access controls for privileged accounts

  • Network and endpoint protection

    • Appropriate configuration of firewalls and security software

  • Testing and scanning

    • Regular penetration testing and vulnerability scanning

  • Patching and updates

    • A structured plan to ensure key software systems were updated to address security vulnerabilities

  • Monitoring

    • Qualified IT personnel monitoring threat alerts to identify and respond to cyber-attacks

  • Training

    • Mandatory cyber security awareness training to staff

  • Incident readiness

    • An appropriate cyber incident response plan, tested at least annually.

A key subtext in the FIIG outcome is that the ‘what’ is only half the story. The other half is whether controls are actually in place and operating day-to-day.

Most organisations can point to policies. Fewer can answer simple operational questions like:

  • Do we have multi-factor authentication in place for remote access users, and is it consistently enforced?

  • When did we last run penetration testing and vulnerability scanning, and what did we do about the findings?

  • When did we last test our incident response plan, and what changed as a result?

Operationalising the controls is how ‘reasonable steps’ become real.

The bigger shift: ‘reasonable steps’ is becoming the common standard

It’s tempting to read FIIG as a financial services story: AFSL obligations, ASIC enforcement, court-ordered penalties. But the more important trend is cross-regime.

A similar ‘reasonable steps’ story has been playing out under privacy law. The OAIC has been increasingly explicit about its enforcement posture, including civil penalty proceedings anchored in APP 11.1 (security) and the expectation of ‘reasonable steps’ to protect personal information. 

In Australian Clinical Labs, the Federal Court imposed $5.8 million in civil penalties, including $4.2 million for failing to take reasonable steps under APP 11.1 to protect personal information held on Medlab Pathology’s IT systems. The Court’s analysis focused on concrete security shortcomings – such as weak authentication, inadequate logging, lack of file encryption, unsupported systems and limitations in antivirus controls – reinforcing the same core message as FIIG: principles-based obligations are now being tested against real-world cyber hygiene.

When you put FIIG alongside recent privacy enforcement, a clear pattern emerges. Through different regulators and different statutes, there is a shared test: do you have security controls that match your data and risk profile, and can you demonstrate that in practice?

The shared test also points to why silos don’t work. You can’t assess whether controls are proportionate without understanding what data you hold, why you hold it, how long you keep it, and what expectations you’ve set with customers. In practice, cyber hygiene, data governance and privacy compliance end up being assessed together – because together they explain whether your safeguards are reasonable for your context.

Regulators are rarely interested in the elegance of any single framework. They’re interested in whether your organisation:

  • invested appropriately (people, process, technology) 

  • operated controls consistently over time to manage data risk

  • learned and improved

  • can demonstrate that through clear records.

Turning checklists into confidence: a practical next step

For many organisations, the right response to FIIG is not a massive multi-year program. It’s a practical sequence:

  1. Start with the data – confirm what sensitive data you hold, where is it held and who can access it; then check that you have the FIIG ‘baseline’ controls in place for that environment.

  2. Validate the controls work in practice – and that they’re prioritised around your highest-risk data and systems.

  3. Make it easy to demonstrate – keep clear, simple records that link your data and governance decisions to the controls you operate.

How IIS can help

We help organisations translate ‘reasonable steps’ into something practical. Depending on where you are starting from, that can include:

  • A short, targeted review of your current cyber hygiene controls, focusing on the gaps that matter most and what you can readily demonstrate.

  • Bringing privacy, security and data governance together so you have one joined-up view of what data you hold, how it's protected, and who is accountable.

  • Sharper governance and reporting for executives and boards – clear ownership, a realistic view of risk, and a sensible uplift plan rather than a long list of ‘to-dos’.

  • Practical incident response exercises that test how things work under pressure and result in concrete improvements.

Please contact us if you have any questions or would like assistance.

Comment

IIS and CBPR: A long view on building interoperable data transfer frameworks

Comment

IIS and CBPR: A long view on building interoperable data transfer frameworks

By Malcolm Crompton

Cross-border data transfers remain one of the hardest practical problems in privacy compliance. One framework IIS has worked on since its earliest days is the Cross-Border Privacy Rules (CBPR) system – first within the Asia-Pacific Economic Cooperation forum (APEC), and now through the Global CBPR Forum. This short reflection was prompted by a recent IAPP article on the Global CBPR Forum.

For the first years of its development (2003-2016), IIS was deeply involved in the creation of the APEC privacy framework and the CBPR system. Much of that process was led by officials from the Australian Attorney-General’s Department, especially Peter Ford and Colin Minihan. IIS led the design of the APEC Data Privacy Pathfinder in 2007, when Australia hosted APEC. After that, we collaborated closely with participants and officials from other economies including the United States, Japan and Korea, to agree on a workable CBPR system.

Much of our written contribution is collected on the Cross-Border Data Flows and International Regulation page of the IIS website. In particular, our short article ‘East meets West: striving to interoperable frameworks?’ (2014) compares CBPR with EU approaches to cross-border data flows, and explains why CBPR has practical advantages over mechanisms such as adequacy and Binding Corporate Rules. Later papers on that page include our work on benefits realisation from CBPR.

Over time, it became clear that the design of CBPR meant it did not have to be limited to APEC economies. That insight helped drive the creation of the Global CBPR Forum (established by participating jurisdictions in 2022) to transition CBPR and related certifications to a global framework.

In the words of the Global CBPR Forum website, Global CBPR certifications “allow organizations to demonstrate their compliance to internationally-recognised data protection and privacy standards developed and supported by participating jurisdictions. Accountability is a key feature of the Global CBPR and Global PRP Systems. Companies that seek Global CBPR or Global PRP certification must have their data protection and privacy policies and practices verified by a third-party certification entity known as an Accountability Agent.”

In practical terms, the Global CBPR System is designed to ensure that when a certified organisation moves personal information across borders, it is protected to the standards prescribed by the Global CBPR Framework. Importantly, participating jurisdictions nominate an enforcement “backstop” (a privacy enforcement authority/regulator) to support compliance and provide redress for individuals should matters reach that point.

Participation in Global CBPR has grown only slowly – not least because of stout resistance from European interests. But grow it does.

The recent article in IAPP News echoes everything IIS has been saying for the last 15-20 years. It is usefully titled “What makes the Global CBPR Forum an attractive data transfer framework to implement?” If your organisation is reassessing cross-border transfer mechanisms in 2026, Global CBPR is worth putting on the shortlist for serious evaluation.

Comment

From ‘Black Box’ to Transparency: the Privacy Act’s New ADM Rules

Comment

From ‘Black Box’ to Transparency: the Privacy Act’s New ADM Rules

By John Pane

The introduction of the Privacy and Other Legislation Amendment Act 2024 (POLA Act) in 2024 represented the federal government’s phased approach to implementing the proposed changes to the Privacy Act 1988 (Cth) (Privacy Act) as published in the Government’s response to the Review of the Privacy Act Report.

One of the deceptively ‘simple’ changes made to the Privacy Act features in Part 15 to Schedule 1 of the POLA Act which introduced new transparency requirements for Automated Decision-Making (ADM) undertaken by APP entities and government agencies.  These reforms, which come into effect from 10 December 2026, specifically:

  • target how organisations use algorithms, AI and computer programs to make decisions that impact individuals;

  • seek to prevent ‘black box’ decision-making by forcing organisations to be open about when and how they use these technologies; and

  • uplift organisational privacy policies with all necessary changes.

What does Part 15 of the POLA Act say?

Part 15 of the POLA Act states organisational privacy policies must be amended for greater transparency under APP 1 where:

  • the organisation uses a ‘computer program’ to either:

    • perform decision-making functions in a fully automated manner (without a human decision-maker); or

    • substantially and directly assist human staff to make decisions;

  • the computer program uses personal information about that individual to perform its function (i.e. to either make the decision, or to assist the human decision-maker); and

  • the decision could ‘reasonably be expected to significantly affect the rights or interests of an individual’.

Defining the scope: What is a ‘computer program’?

The term ‘computer program’ is not restricted to emerging technologies like Generative AI or Large Language Models (LLMs). Instead, the POLA 2024 Bill Explanatory Memorandum clarifies that it encompasses a wide spectrum of automation, ranging from sophisticated machine learning to basic rule-based logic.

 While these reforms have obvious implications for emerging technologies such as autonomous AI agents, they also have the potential to capture a broad range of simpler automation use cases that are already widely used, such as:

  • software that assesses input data against pre-defined objective criteria and then applies business rules based on those criteria (e.g. whether to approve or reject an application);

  • software that processes data to generate evaluative ratings or scorecards, which are then used by human decision makers (e.g. predictive analytics); and

  • robotic process automation (which uses software to replace human operators for simple and repetitive rule-based tasks, such as data entry, data extraction and form filing).

If a tool (such as predictive analytics, algorithmic sorting or legacy macros) leverages personal information to either make a final determination or provide ‘substantial and direct assistance’ to a human decision-maker, it may fall within the scope of Part 15.

The materiality threshold: Assessing ‘significant effect’

Not every automated process requires disclosure in the organisational privacy policy. The obligation is triggered when a decision could ‘reasonably be expected to significantly affect the rights or interests of an individual.’

The POLA Act emphasises that the impact must be more than trivial and have the potential to significantly influence an individual’s circumstances. Management must conduct case-by-case assessments to determine if their use cases meet this threshold. The legislation provides a non-exhaustive list of high-impact domains:

  • Legal and Statutory Benefits: Decisions regarding the granting or revocation of benefits under law.

  • Contractual Rights: Decisions affecting insurance policies, credit facilities, or service agreements.

  • Access to Essential Services: Impacting an individual’s ability to access healthcare, education, or significant social supports.

For organisations operating in regulated sectors – such as financial services, healthcare, and law enforcement – the majority of automated processes are likely to meet this threshold. However, general corporate functions, such as automated fraud detection or facial recognition for security, must also be evaluated under the same materiality lens.

Mandatory updates to privacy policies

The most immediate operational requirement arising from the ADM reforms is ensuring your APP Privacy Policy is ready for the new APP 1.7-1.9 obligations, which commence on 10 December 2026. From that date, an APP entity must include additional information in its privacy policy if it has arranged for a computer program to use personal information to make (or substantially and directly support) decisions that could reasonably be expected to significantly affect an individual’s rights or interests.

1. What must be included in the privacy policy

Where the threshold is met, the privacy policy must describe the kinds of:

  • Data Inputs: What categories of personal information are fed into the relevant computer programs?

  • Fully Automated Decisions: Which processes are handled entirely by technology without human intervention?

  • Assisted Decision-Making: Which processes involve human-in-the-loop models where a computer program provides the primary evaluative data?

2. Practical drafting tip

The Office of the Australian Information Commissioner’s (OAIC’s) framing in its APP 1 Guidelines is deliberately ‘kinds of’ rather than ‘every single model/rule’. For many organisations, the cleanest approach is to add an ‘Automated decisions’ (or similar) subsection in the privacy policy that:

  • lists the key decision areas that meet the ‘significant effect’ threshold (e.g. onboarding/eligibility, credit/insurance decisions, fraud outcomes that affect access, service access/termination), and

  • for each, summarises the kinds of personal information used and whether it is fully automated or substantially and directly assists a human decision-maker.

Failure to update organisational privacy policies carries direct legal, financial and reputational risk. The OAIC has the authority to issue infringement notices for non-compliant policies.

Strengthening internal procedures and controls

Besides review and uplift to organisational privacy policies, impacted APP entities (including government agencies) should ensure alignment and compliance with these new obligations.: As a limited example this may include the following activities:

1. Automation mapping and inventory

Organisations should conduct a comprehensive audit of their ‘automation footprint.’ This involves identifying all instances where computer programs interact with personal information to influence outcomes. This inventory should distinguish between ‘back-office’ efficiencies (like data entry) and ‘evaluative’ functions (like credit scoring, tenancy applications, talent acquisition screening) that meet the materiality threshold.

2. Risk Impact Assessments

In line with existing practices for conducting a Privacy Impact Assessment (PIA), organisations should incorporate automated decision-making into their analysis. This would evaluate the logic of the program, the quality of the data inputs, and the potential for biased or inaccurate outputs, particularly for vulnerable groups such as children or individuals with disabilities.

3. Human-in-the-loop verification

Where computer programs/applications provide ‘substantial assistance’ to humans, internal controls must verify that the human involvement is meaningful rather than a ‘rubber-stamping’ exercise. Documenting the level of human oversight is essential for demonstrating compliance with the assisted decision-making disclosure requirements.

Navigating ambiguities and future privacy reforms

While the POLA Act provides a clearer transparency framework, certain areas remain subject to interpretation. The ‘second tranche’ of Privacy Act reforms may further impact these more recent changes. For instance, the current exemption for employee records and the evolving definition of ‘personal information’ (regarding metadata, disambiguated data or biometric templates) may impact how ADM rules apply to internal workplace monitoring.

Furthermore, while the POLA Act does not currently mandate changes to APP 5 Collection Notices, the existing requirements of APP 5.2 may already necessitate disclosures if personal information is shared with third-party AI platforms or automation vendors.  Management therefore should take a holistic view of their privacy compliance obligations across all organisational touchpoints of the personal information lifecycle.

IIS can help

IIS can help you with compliance and best practice in the ADM space, including:

  • Undertake automation mapping and inventory activities.

  • Assess whether ADM processes meet the materiality threshold.

  • Conduct PIAs that assess ADM-related projects.

  • Prepare updates to privacy policies to enhance ADM transparency.

More broadly, we help organisations:

  • Navigate the complexity of the privacy, cyber security, and digital regulatory landscape.

  • Get the basics right and help you comply with current and incoming requirements, to satisfy customer expectations and to avoid regulator scrutiny and enforcement.

  • Move beyond compliance to performance and resilience that builds trust and achieves business objectives in a fast-changing world.

Why? Because as we have said at IIS for two decades, ‘It is just good business.’

Please contact us if you have any questions about the Privacy Act reforms and how they may affect your organisation. You can also subscribe to receive regular updates from us about key developments in the privacy and security space.

Comment

Australia’s National AI Plan: Big Vision, Missing Guardrails

Comment

Australia’s National AI Plan: Big Vision, Missing Guardrails

By Mike Trovato

On 2 December 2025, the Australian government released the National AI Plan (NAP). NAP has arrived at a pivotal moment, when artificial intelligence (AI) is the hot technology pathway for all organisations, touted as rapidly shaping economic structures, labour markets and critical digital infrastructure.

NAP is ambitious in scope: expand AI’s economic opportunity, ensure its benefits are widely distributed, and keep Australians safe as the technology becomes embedded in daily life, essential services, and banking. NAP frames AI not merely as a tool for productivity, but as a democratising national capability requiring coordinated investment in skills, compute, public-sector transformation, and international alignment (without the laws and regulations).

But there are legitimate concerns and questions about it. John Pane, Electronic Frontiers Australia Chair, said in a recent blog post, “We need strong EU style ex ante AI laws for Australia, not a repeat of Australia’s disastrous ‘light touch’ private sector privacy regime introduced in 2000. We need to also resist the significant geo-political pressure being brought to bear on Australia and others by the Trump administration, forcing sovereign nations to adopt US technology ‘or else’.

Most importantly from an IIS perspective, it puts additional pressure on already stretched regulators such as the Office of the Australian Information Commissioner (OAIC) who will bear the brunt of the enforcement burden, without a commensurate increase in funding.

What is it

The core architecture of NAP is built around three pillars:

  1. Capture the opportunity – Increase Australia’s AI capability through sovereign compute access, industry investment, research support, and a workforce strategy that emphasises inclusion and long-term adaptability.

  2. Spread the benefits – Ensure AI adoption occurs not just in major corporations and government agencies but across regions, small businesses, social sectors, and public services. The Plan closely links AI growth to social equity, union negotiation, and regional skills pipelines. [1]

  3. Keep Australians safe – Establish the Australian AI Safety Institute, enhance standards alignment, and build frameworks for responsible, trustworthy AI across public and private sectors.

This structure does mirror the strategies of peer nations such as the UK, Singapore, and Canada with some notable omissions. It does provide unity: a national vision that integrates economic development with safety, fairness, and social wellbeing.

Socio-technical benefits

National coordination

Australia has struggled with fragmented digital and AI policy, spread across departments, agencies, and states. NAP moves toward a unified national architecture. This could reduce duplication and create a reference point for regulators, industry, and research institutions.

Investment in sovereign AI capability

By emphasising compute infrastructure, cloud capacity, and research ecosystems, NAP begins shifting Australia from AI consumer to AI contributor. This infrastructure matters: without sovereign compute access, Australia risks dependency on foreign technology decisions, third party vendors (with concentration risk) and data-handling practices.

Worker protections and social equity

Few national AI strategies foreground labour and social outcomes as explicitly as NAP. It integrates unions, worker transition programs, and protections for vulnerable groups. This ensures AI adoption considers societal impacts, not solely economic metrics. Yes, as noted above we have already seen some missteps in this area and fear is very much at the front of mind of several sector-specific worker types.

By targeting small businesses, local councils and not-for-profits, NAP attempts to democratise AI adoption [2], reducing the risk of AI-driven inequality between large and small organisations. This will be challenging given the trust issues many Australians have with AI and with respect to privacy and community attitudes.

Public sector modernisation

NAP emphasises AI-enabled public services such as health, education, welfare, and transport. When deployed safely, AI can increase accessibility, reduce administrative burden, and improve service delivery in remote and underserviced communities. Yes, this does assume a level of accountability and testing we did not see in Robodebt [3], and yes, we will have privacy concerns as we saw with Harrison.AI.

Socio-technical gaps

Despite its strengths, NAP contains structural weaknesses that carry real risk. The most significant dangers correspond to gaps in regulation, governance, and implementation.

Legal obligations and assurance

Unlike the EU AI Act or the US frameworks that mandate safety testing, reporting, and restrictions, NAP contains no enforceable legal obligations for high-risk AI systems. The Australian AI Safety Institute is promising but undefined. Without standards, authority, or enforcement powers, Australia risks deploying AI in financial services, healthcare, policing, and welfare without adequate safeguards.

Assurance is another area of potential harm for individuals. Globally, AI assurance, independent evaluation of robustness, bias, safety, and regulatory compliance is becoming essential and, in some cases, mandated by law. NAP does not define:

  • Assurance requirements

  • AI audit processes (or appropriate depth)

  • Documentation requirements

  • Pre-deployment testing

  • Model lifecycle controls

  • Ongoing continuous monitoring

  • Evaluation methods for generative AI.

Without an assurance regime, high-risk AI may be deployed in opaque, untested, or unsafe ways.

Risk identification and treatment

NAP does not specify which AI systems should be considered ‘high risk’ in banking, payments, energy, digital identity, critical infrastructure, healthcare, legal, national security or property systems.

Other nations treat critical infrastructure AI as a national security concern requiring heightened controls. Australia does not. The result could be AI-driven failures or exploitation in systems foundational to economic stability and social trust.

Government procurement is one of the most powerful levers for enforcing safe AI. The US and UK require impact assessments and supplier compliance with AI safety principles. NAP includes none of this. Australia may inadvertently purchase unsafe or non-compliant systems, embed risks such as bias, discrimination, or allow human harm within essential public functions.

NAP does not specify:

  • Which agency oversees AI risks in each sector

  • How regulators coordinate

  • How compliance will be enforced

  • Incident reporting for AI failures

  • Enforcement authority.

This creates a governance vacuum. In high-stakes and high risk domains, unclear jurisdiction leads to slow response, regulatory drift, and systemic risk.

Possible privacy concerns

NAP touches privacy indirectly. Potential gaps remain:

  • No new privacy protections tailored to AI-enabled data processing.

  • No guidance on model training using personal data or derived data or data use (consent).

  • No restrictions on biometric surveillance, emotional analytics, or behavioural prediction.

  • No provisions for transparency, contestability, opt-out, or rights when AI makes or influences decisions.

This leaves individuals exposed, particularly in welfare, policing, employment, and health contexts where Australia already has a history of algorithmic harm.

It also puts additional pressure on already stretched regulators such as the OAIC.

Risk identification and treatment

Lastly, NAP is ‘civilian oriented’, Australia lacks a publicly articulated framework for military, defence, dual-use, or national-security AI governance, even though peer nations (US, UK, EU, Singapore) explicitly integrate defence considerations or maintain separate defence AI strategies. This is worrisome.

Conclusion

NAP is a credible and coherent strategic document with substantial socio-technical benefits: national coordination, sovereign capability, worker-centred policy, public-sector uplift, and inclusive AI diffusion. It positions Australia to participate more actively in the global AI landscape.

NAP also leaves dangerous gaps. The absence of enforceable safety rules, AI assurance infrastructure, sector-specific oversight, procurement standards, enforcement authority, unclear government roles and responsibilities, and privacy safeguards creates systemic risk.

NAP nods toward safety without building the machinery necessary to enforce it. NAP is aspirational and does not ensure or build resilience Australia will still need the regulatory, technical, and institutional backbone that transforms NAP from vision to real protection.

[1] However, we already see AI redundancies and sectoral fears, for example recently at CBA, when it revealed in July it would make 45 roles in its customer call centres redundant because of a new bot system it had introduced – then reversed the decision after deciding it needed the humans to cope with its growing workloads

[2] In broad strokes, ‘democratise’ in an AI context equates to the notion that everyone and every organisation, regardless of socio-economic status, and regardless of technical skill or acumen or for companies and organisations without specialised or extensive IT, can have the same access to AI tools, workflows, and benefits.

[3] While Robodebt was not and AI making autonomous decisions, it was algorithmic bias that was relied upon without proper testing, safety, or human in the loop controls. See Royal Commission into Robodebt.

Comment

What’s next for Australian privacy regulation – Reflections on PAW 2025

Comment

What’s next for Australian privacy regulation – Reflections on PAW 2025

By Chong Shao

On Monday, 16 June 2025, IIS joined other IAPP members in Sydney for the launch of Privacy Awareness Week. Together we heard an address from, and fireside conversation with, Privacy Commissioner Carly Kind.

The past 12 months have been eventful for Commissioner Kind and the Office of the Australian Information Commissioner (OAIC). Here are some highlights:

At the Sydney PAW launch, Commissioner Kind gave further remarks about her office’s regulatory approach, given the current technological landscape and the uncertain timeframe of further privacy legislative reform.

This post summarises the key themes from those remarks, along with some practical takeaways to help you navigate both privacy compliance and good practice today.

1. The Commissioner takes a holistic view of privacy that emphasises organisational accountability and power imbalances

Throughout her remarks, Commissioner Kind highlighted the need for a broader conception of privacy than simply the protection of personal information.

This broader notion of privacy – autonomy to make decisions, free from interference and intrusion – is more important than ever in a world that is marked by technology that is always-on, collects data passively, subtly conditions our thoughts and behaviours, and removes friction from all manner of experiences.

Commissioner Kind noted that the problem is not that people aren’t aware of the importance of privacy these days, but that they feel helpless, fatalistic and disempowered. In pushing back against overreliance on individual responsibility for privacy, she memorably invoked a climate change analogy – ‘privacy settings are the plastic straws of the privacy world’.

Instead, Commissioner Kind wants entities to take accountability for doing the right thing in the first place, and for various groups and associations in our society to leverage their power as a counterbalance and advocate for more privacy-friendly approaches.

She noted that the scale of technological impact is a novel problem in our era, and that this informs her thinking with respect to regulatory priorities. In particular, she foreshadowed that her office will be looking at spaces where there are power disparities between individuals and organisations. As examples, she listed credit reporting, data brokerage and emerging technologies (such as AI and biometrics).

Practical takeaways:

  • Take accountability as an organisation to embed privacy into your culture and practice:

    • Set privacy culture from the top through strong messaging and financial investment in privacy; and

    • Limit over-collection of data and destroy what you don’t need.

  • Undertake a privacy review to identify potential gaps and opportunities to improve practice.

2. The Commissioner is committed to using the full toolkit of her regulatory powers

On the topic of enforcement, Commissioner Kind gave some additional thoughts on the powers now available to her office.

She noted that the power to issue infringement notices is limited to a relatively narrow set of APPs (e.g., Privacy Policy deficiencies, failure to offer direct marketing opt-out). However, it could potentially be used as part of a ‘compliance scan’ of a particular sector or market in relation to those privacy practices. This is similar to what the Australian Competition and Consumer Commission (ACCC) and the UK’s Information Commissioner’s Office (ICO) have done in the past.

Commissioner Kind reiterated that her office will prioritise enforcement action for violations that are persistent, egregious and/or manifest in real-life harms, as well as in places where intervention is likely to change market practices or help clarify aspects of policy or law.

She flagged that her office will be conducting more investigations and making more determinations this year, as well as taking more enforcement actions in a similar vein to the recent Australian Clinical Labs (ACL) and Medibank cases.

In response to an audience member question about what more can be done to get the C-suite to appreciate the importance of privacy, Commissioner Kind recognised the power of fines to highlight the risk of not taking sufficient action. She remarked matter-of-factly that her office is seeking to extract the largest fines possible.

Practical takeaways:

  • Review your Privacy Policy to ensure it is compliant, up-to-date and fit for purpose.

  • Revisit your organisation’s privacy risk appetite and posture (including raising this at the Board level), in light of the large fines now available under the Privacy Act and the OAIC’s more proactive enforcement stance.

3. The Commissioner recognises the importance of regulatory certainty and is willing to go to court to obtain it

One of the more interesting threads was what Commissioner Kind thought about her office’s role in providing regulatory certainty. She recognised that regulatory certainty is important because it helps entities know how to comply with the law and to innovate confidently.

Compliance can be challenging without guidance, examples and ultimately court cases that provide a firm interpretation and application of the law.

To this end, Commissioner Kind indicated that she not only wants to develop clear guidance and make regulatory decisions, but she also wants to actively pursue court cases (including inviting challenges to her investigations and determinations) that will either endorse or repudiate the OAIC’s position.

In taking this approach, it appears that she considers court cases to be a ‘win-win’ scenario – even if the court rejects the OAIC’s interpretation, this still moves the ball forward in terms of clarifying the law for everyone.

Commissioner Kind pointed to current cases on foot in the Federal Court (ACL, Medibank) that could bring more clarity on what is considered reasonable security steps under APP 11.1.

She also flagged other areas where regulatory and judicial interpretation is desirable:

  • Definition of personal information and what is ‘de-identification’ – especially in the relatively unchecked practices of data tracking and profiling where she is keen to establish clearer ‘red lines’ for that industry.

  • Definition of ‘reasonable expectations’ in the context of APP 6.2, which permits the use or disclosure of personal information for a secondary purpose where it is related to the primary purpose of collection, and it is reasonably expected by the individual.

Practical takeaways:

  • Keep watching this space for potential clarifications and (re-)interpretations of the current law, especially during a time when privacy law reforms are on a slow burn. [1]

4. The Commissioner is interested in fresh interpretations of current principles in the Privacy Act to keep pace with today’s privacy challenges

Speaking of the current law, the most significant insights from Commissioner Kind came when she was reflecting on how to make the most of the Privacy Act that we have, given the slow pace of legislative reform.

Commissioner Kind noted that many of the terms in the Act and the APPs are flexible in nature. She considered that they should be subject to a ‘purposive interpretation’ to keep pace with modern privacy risks and harms.

The key examples she gave come from APP 3, the collection principle:

  • APPs 3.1 (for agencies) and 3.2 (for organisations) posit that collection must be reasonably necessary for the entity’s functions or activities

  • APP 3.5 states that collection must take place via lawful and fair means.

Commissioner Kind noted that the language of ‘reasonably necessary’ and ‘lawful and fair’ approximate the ‘fair and reasonable’ test that has been proposed by the Privacy Act Review.

To consider what is reasonably necessary is to engage in an exercise of gauging reasonableness, proportionality and necessity. To consider what is fair is to incorporate notions of community values that evolve over time and adapt to changing circumstances.

Commissioner Kind gave an example of what (un)fairness could look like in the digital era – the scraping of publicly available information, bringing it together for profiling, and supporting predatory business practices. Assessing fairness should extend beyond the technical means of collection and extend to the purposes for which the collection takes place.

The Commissioner’s views cut against a legalistic and ‘minimum compliance’ reading of the current Privacy Act. Instead, she has laid down the challenge for organisations to take a ‘commonsense’ and proportionate approach to personal information collection and handling.

Practical takeaways:

  • Use commonsense and apply the ‘pub test’ to assess whether a proposed collection of personal information is reasonably necessary and fair.

  • With any personal information handling activity, ask ‘should we do this’ and not just ‘can we do this’.

  • Map how personal information collection leads to downstream uses and disclosures.

If you have any questions on the Privacy Act and its impact on your organisation, or would like assistance with any of the practical takeaways, please contact us. You can also subscribe to our newsletter to receive updates on the latest privacy developments, including law reform changes, further guidance and new interpretations.

[1] Asked about the status of the Tranche 2 reforms, Commissioner Kind observed that the timing was a matter for the Attorney-General’s Department. She did note that she had met with the new Attorney-General, the Hon Michelle Rowland MP, and was encouraged by her background and interest in privacy and digital regulation.

Comment

Australian Government introduces Cyber Security Legislative Package: Are you ready?

Comment

Australian Government introduces Cyber Security Legislative Package: Are you ready?

By Simon Liu and Sascha Hess

On 2 October 2024, the Australian Government announced its first standalone Cyber Security Bill as part of a package of reforms in critical infrastructure and national security to bring Australia in line with international best practice on new and emerging cyber security threats. The Cyber Security Legislative Package includes the Cyber Security Bill 2024 as well as amendments to the Intelligence Services Act 2001 and the Security of Critical Infrastructure Act 2018 (SOCI Act).

The proposed regulatory framework forms part of the government’s vision of becoming a world leader in cyber security by 2030, according to its 2023-2030 Australian Cyber Security Strategy, and specifically to build the government’s awareness of the ransomware threat, which continues to grow and raise risk for all organisations.

IIS welcomes the four key measures this bill introduces.

Set up a response and learning framework for cyber incidents

Three initiatives work together to systematically enhance Government and Industry’s ability to respond to, and learn from, cyber security incidents:

  • Providing data

  • Lowering barriers to information sharing with the Government, and

  • Creating a ‘no-fault’ cyber incident review board.

These efforts align with existing industry practices and common sense – sharing data fosters an informed, coordinated response, while conducting blameless post-mortems helps embed lessons for future incidents.

The bill does this by:

1. Introducing mandatory ransomware reporting for certain businesses to report ransom payments

Introducing a mandatory reporting obligation for entities who are affected by a cyber incident, within 72 hours of making the ransomware payment or becoming aware that the ransomware payment has been made. The two categories of entities that have ransomware reporting obligations are:

  • Category 1

    • Entities that carry on business in Australia with an annual turnover for the previous financial year that exceeds the turnover threshold (which is likely to be $3 million, yet to be confirmed);

    • Not a Commonwealth body or a State body; and

    • Not defined as a responsible entity for critical infrastructure asset under the SOCI Act.

  • Category 2

    • Responsible entities for a critical infrastructure asset to which the SOCI Act applies. In other words, all responsible entities will be ransomware reporting obligations even where their annual turnover does not exceed the turnover threshold (which is likely to be $3 million, yet to be confirmed), or where they are a Commonwealth or State body.

2. Introducing a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD)

Introducing a ‘limited use’ obligation that restricts how cyber security incident information provided to the National Cyber Security Coordinator during a cyber security incident can be used and shared with other government agencies, including regulators.

3. Establishing a Cyber Incident Review Board

Establishing a Cyber Incident Review Board to conduct post-incident reviews into significant cyber security incidents.

Set up a minimum security baseline for ‘smart devices’

Smart devices are becoming a common feature in Australian homes and businesses. From home security systems and video doorbells to keyless entries and voice assistants, who doesn’t enjoy the added convenience and peace of mind? However, like any software, internet-connected devices have security vulnerabilities that require proper securing and regular patching.

4. Introducing a minimum set of cyber security practices for smart devices

The bill marks the first step in establishing a minimum-security baseline in Australia and follows the lead of the UK in April 2024.

Ready, Steady, Go

The legislation, if enacted, will become Australia’s first standalone cyber security legislation to strengthen protections for and enforcement measures against businesses from the increase in cybercrime.

Businesses will need to adapt to stricter security standards for smart devices and embed their new reporting requirements into their incident response plans.

Please contact IIS to have a confidential chat on how we can support your business to become compliance ready.

If you are interested to understand the impacts of a real major cyber security incident and a serious data breach, see our whitepaper on “What businesses need to know about the Optus 2022 cyber attack and lessons learned from the Service NSW 2020 Data Breach”.

Comment

Key takeaways from the Privacy Amendment Bill 2024

Comment

Key takeaways from the Privacy Amendment Bill 2024

By Chong Shao

The Australian Government has introduced the Privacy and Other Legislation Amendment Bill 2024, as part of the first tranche of its long-awaited response to the Privacy Act Review. We knew that progress would be measured in years, and so far this is proving out.

The headline changes touted by the government include:

  • A new statutory tort to address serious invasions of privacy.

  • Development of a Children’s Online Privacy Code to better protect children from online harms (accompanied by further funding to support the OAIC in development the code).

  • Greater transparency for individuals regarding automated decisions that affect them.

  • Streamlined and protected sharing of personal information (PI) in situations of a declared emergency or eligible data breach.

  • Stronger enforcement powers for the Australian Information Commissioner.

  • A new criminal offence to outlaw doxxing (i.e., the malicious release of personal data online that could enable individuals to be identified, contacted, or located).

For many, these reforms are modest and therefore disappointing, given the scope and duration of the Privacy Act Review.

Notably missing from the Bill is:

  • Any update to the definition of Pl.

  • Inclusion in the Bill of the four elements along EU GDPR lines that make a consent valid.

  • The introduction of a ‘fair and reasonable test’ for the handling of PI.

  • A requirement for APP entities to conduct a Privacy Impact Assessment for activities with high privacy risks.

  • The right for individuals to request erasure of their PI.

Also missing is one of the more contentious recommendations, the gradual removal of the small business exemption.

On the other hand, the changes represent a moderate progression from the status quo, which needs to be monitored closely and will likely have bigger implications over time.

Some key takeaways:

1. Privacy as a major intersection point

The Bill confirms that privacy sits at the intersection of the major technological and societal issues of our time.

For example:

  • The statutory tort introduces a cause of action for individuals against another person or organisation where there is a serious invasion of privacy – organisations should be aware of this provision (no small business exemption here!); although it should not be an issue if they are focused on “doing the right thing”.

  • A Children’s Online Privacy Code will be developed alongside other initiatives in the online safety space, including Online Safety Codes and the eSafety Commissioner’s research and work on age assurance.

  • Greater transparency regarding automated decision-making comes as part of a broader push by the government around promoting safe and responsible AI.

  • The streamlining of PI sharing in emergency and eligible data breach scenarios is a welcome move but will have to be considered alongside notification requirements in other laws and schemes such as the Security of Critical Infrastructure Act 2018, Data Availability and Transparency Act 2022, and APRA’s Prudential Standard CPS 234 Information Security.

The Bill is a microcosm of the complex privacy, cyber security, and digital regulatory landscape that is taking shape in Australia. The picture is getting (understandably!) complicated, and the Bill contributes to this.

2. Enforcement will matter more

The government’s touting of ‘stronger enforcement powers’ for the Australian Information Commissioner is a bigger deal than it appears on the surface.

On closer inspection, the Bill provides a series of changes that enable more flexible and effective enforcement of the Privacy Act:

  • A civil penalty provision for interference with privacy of individuals (not just ‘serious’ interference).

  • Separately, the civil penalty for serious interference with privacy of individuals is retained, with better elaboration of factors that may be considered in determining if the interference is serious.

  • The Commissioner may seek civil penalty orders and issue infringement notices for breaches of certain Privacy Act provisions and certain Australian Privacy Principles (APPs).

  • Additional monitoring and investigation powers.

One of the biggest issues with compliance and enforcement of the Privacy Act has been the relative lack of flexibility with the existing law, where there is a (recently strengthened) civil penalty provision for ‘serious and repeated interferences with privacy’. OAIC enforcement actions have been few and far between, typically reserved for ‘high profile’ cases such as Meta (Facebook), Medibank, and Australian Clinical Labs.

These changes to the Privacy Act, especially in relation to civil penalty orders and infringement notices, provide the OAIC with a bigger ‘toolkit’ to enforce breaches of the Privacy Act and the APPs.

Privacy Commissioner Carly Kind, in a Privacy Awareness Week Sydney event earlier this year, spoke of the ‘exciting opportunity for the OAIC to become a more enforcement-based regulator’. During the Q&A, she noted that for the first time in a decade there are three dedicated commissioners, and that they would be thinking a lot more about how to conduct proactive and proportionate enforcement.

This was confirmed by the OAIC’s Corporate plan 2024-25, which commits the OAIC to a ‘risk-based, education and enforcement-focused’ posture.

The true effectiveness of the regulator will depend on the extent to which it is sufficiently resourced. We have been advocating for greater funding for the OAIC for over a decade in speeches, forums and submissions. We eagerly await the next budget to see if the government will put its money where its mouth is and that they are indeed serious about ‘ensuring the Privacy Act works for all Australians and is fit for purpose in the digital age’.

Nevertheless, the Bill and the OAIC’s recently publicised posture demonstrate a clear intent and capability for the regulator to conduct more enforcement. Organisations should take note.

3. Keep sticking to the basics

The Privacy Act Review was flagged five years ago, as part of the ACCC’s 2019 Digital platforms inquiry. In the meantime, organisations are facing an increasingly challenging environment:

  • Cyber security incidents (including data breaches and the sophistication of bad actors) continue to increase in size and scale.

  • The growing data economy and technologies like AI heighten business pressures to collect and use personal information, while exposing organisations to greater data governance risks.

  • Australians care more than ever about privacy – according to the OAIC’s Australian Community Attitudes to Privacy Survey 2023, 82% of respondents care enough about protecting their PI to do something about it, and 84% want more control and choice over the collection and use of their PI.

It has been a slow and winding journey to reach the first tranche of changes to the Privacy Act. 

Our key takeaway is not to get over-excited, nor complacent. Not over-excited, because in many ways these are modest changes that will take time to realise their full effects. Not complacent, because the Bill heralds a new era of enforcement for the OAIC, including compliance with the existing Privacy Act and its APPs.

Instead, we think it is best to keep calm and stick to the basics. This means:

  • Assess your privacy practices against the existing APPs with a focus on Pl collection and handling practices and ensure you are taking ‘reasonable steps’ (including technical and organisational measures) in securing and protecting personal information. [1]

  • Know what PI (including sensitive information) you have now, where it is, whether you should still have it and the ways in which you are using it.

  • Assess cyber security risks and controls and consider certification against relevant standards.

  • Establish an improvement and remediation plan based on the findings of points 1, 2 and 3.

Putting the foundations in place now will give you a simpler path to compliance and good practice for both the current legislative requirements and the new requirements to come, including whatever Tranche Two will bring.

IIS can help

IIS and our subsidiary TrustWorks 360 can help you:

  • Navigate the complexity of the privacy, cyber security, and digital regulatory landscape.

  • Get the basics right and help you comply with current and incoming requirements, to satisfy customer expectations and to avoid regulator scrutiny and enforcement.

  • Move beyond compliance to performance and resilience that builds trust and achieves business objectives in a fast-changing world.

Why? Because as we have said at IIS for two decades, “It is just good business.”

Please contact us if you have any questions about the Privacy Act reforms and how it may affect your organisation. You can also subscribe to receive regular updates from us about key developments in the privacy and security space.

[1] In a separate interview, Commissioner Kind discussed the OAIC’s enforcement action against Medibank, for activities leading up to the data breach. The OAIC is making the case that Medibank didn’t take ‘reasonable steps’ to protect the personal information they collected and held. Reasonable steps are described as:

  • State of the art security

  • Good governance

  • Organisational responsibilities.

Comment