Skip to main content

May 2024

Proposed Changes to Australian Privacy Act You Should Know

May 2 2024, The Hon Mark Dreyfus KC MP gave a speech at the 2024 Privacy by Design Awards. Read this article to see what was discussed and how you could be impacted. 


People discussing things in the server room

Proposed Changes to Australian Privacy Act  

May 2 2024, The Hon Mark Dreyfus KC MP gave a speech at the 2024 Privacy by Design Awards. Read this article to see what was discussed and how you could be impacted. 

What was presented?  

  • Recent large-scale breaches have highlighted the outdated Privacy Act’s inadequacy in protecting and safeguarding the personal data of Australians. 

  • The Government has initiated amendments to the Act – which will significantly enhance penalties and enforcement powers. Despite some progress, comprehensive reform is imperative.  

  • Surveys conducted by the Government, have shown that Australians overwhelmingly support for legislative reform.  

  • The current weak privacy laws not only jeopardies individuals but also impede business competitiveness and threaten vulnerable groups.  

  • Click here to read the full press release - 

What are the proposed reforms?  

  • The Government is also carefully considering a range of proposals that would further entrench Privacy by Design Principles into our Commonwealth framework. 

  • This includes requiring that privacy notices should be clear, up-to-date, concise and understandable. 

  • The introduction of a ‘fair and reasonable' test could assist in ensuring that the collection, use and disclosure of personal information by entities are fair and reasonable in the circumstances. 

  • The Government is also considering options to respond to recommendations in relation to high-risk privacy practices, by expanding the range of entities required to conduct Privacy Impact Assessments for activities with high privacy risks. 

  • These include instances involving new or changed ways of handling personal information that have a significant impact on the privacy of individuals – such as certain kinds of facial recognition technology, or the use of biometric information for identification when used in public spaces. 

  • The Government has also agreed that the types of personal information to be used in substantially automated decisions which have a legal, or similarly significant effect on an individual's rights should be clearly outlined in privacy policies. 

  • There will also be a right for individuals to request meaningful information about how these decisions are made. 

  • The Government has agreed-in-principle that a statutory tort for serious invasions of privacy should be introduced, to complement the Privacy Act protections. 

  • Based on recommendations made by the Australian Law Reform Commission in 2014, the proposed tort would regulate a broader range of privacy harms, such as the physical intrusion into an individual's private space and would extend to individuals and entities who are not otherwise required to comply with the Privacy Act. 

  • The proposed tort will be designed so that privacy protection is appropriately safeguarded and balanced with other rights, including freedom of speech and freedom of the media. 

  • The Government has also agreed-in-principle that individuals should have more direct access to the courts to seek remedies for breaches of the Privacy Act through a direct right of action.   

  • The direct right of action would enable individuals who suffer loss or damage as a result of an interference with their privacy to seek compensation. 

  • This important reform will help enhance individuals' control over their personal information. 

  • The Government is also considering requiring entities to develop maximum and minimum retention periods for personal information they hold and specify these in their privacy policies. 

  • Consultation with industry ensures that the implementation of the reforms is both feasible and balanced with the regulatory burden on industry. 

  • The Attorney-General's Department has also convened a cross-jurisdictional engagement forum to facilitate jurisdictions updating each other on key developments in privacy reform and to allow States and Territories to provide feedback on Commonwealth privacy reform proposals, including implications for the work of State and Territory government agencies. 

This information was retrieved from - 

What should my organisation do to prepare?  

In anticipation of forthcoming privacy law reforms, it's crucial for organisations to not only track the proposed changes but also take proactive measures.  

Partnering with a reputable third-party cybersecurity provider before the reforms are enacted is highly recommended. This proactive approach not only instills confidence among customers but also demonstrates a commitment to data protection. 

Understanding the data held is fundamental to developing effective protection strategies. Just as accurately listing valuable items is essential for securing the right home and contents insurance, comprehending the nature and sensitivity of data is critical for safeguarding it. 

However, it's important to strike a balance – not all data requires equal protection. Prioritising and securing sensitive information while maintaining cost-effectiveness is key. Engaging a trusted third party to conduct vulnerability assessments provides invaluable insights, ensuring organisations stay ahead of potential risks with ease. 

Stay Ahead with Good Cyber  

You've likely heard this message repeatedly in recent years, but it bears repeating; partnering with a trusted cyber consultant is crucial.  

Such a partnership ensures your organisation stays ahead of evolving privacy reform legislation and the broader Australian cyber landscape.  

By receiving tailored consulting tailored to your organisation's specific needs and industry requirements, you'll be well-positioned to navigate ongoing changes effectively in the months and years ahead. 

How We Help  

  • We partner with our clients to make sense of their data, so they feel in control of the data they hold.  

  • We partner to ensure our organisations are compliant based on their sector specifications.  

  • We partner with our clients and look not only at their data but their people, processes and technology to ensure we provide them with bespoke cyber consulting which suits their exact needs.