Building cybersecurity and digital trust
At PwC, we're helping to build cybersecurity and digital trust for a secure and resilient Australia. We offer a range of cyber, digital risk and related legal services to our clients.
The highly-anticipated report of the Attorney-General’s Department’s review of the Privacy Act 1988 (Cth) has finally landed. Two years in the making, the Report has put forward 116 proposals that, if implemented, will be the most dramatic change to the Australian privacy and data protection landscape since the introduction of the APPs.
We have broken down the key themes and issues in the existing legislation, and some of the key reforms proposed by the Report.
Additional guidance to be provided by OAIC such as the reasonable steps to secure and dispose personal information, publishing practice-specific guidance for
new technologies and emerging privacy risks (e.g. facial recognition and biometric data), and updating guidance on capacity and consent to protect vulnerable individuals.
More transparency for automated decisions, including rights to request information about how these decisions are made.
Increased privacy protections for children and vulnerable individuals, including development of a Children’s Online Code.
Enhanced enforcement measures for the regulator and new penalty provisions for privacy interferences.
Additional powers for investigations related to civil penalty provisions.
New measures to allow ongoing effectiveness of OAIC.
Give power to the Information Commissioner to make an APP code.
A positive standard of fairness and reasonableness for the collection and use of personal information.
Obligations to appoint or designate a senior employee as having specific responsibility for privacy.
Privacy Impact Assessments required for high-risk activities such as facial recognition.
Broadening definition of personal information to include generated or inferred information (e.g. IP addresses).
Removal of small business exemption and employee records exemption.
72-hour notification requirement in relation to the NDB Scheme.
Requirement to record the purposes for the collection, use and disclosure of personal information.
Enhancements to the consent process, including ensuring consent should be “voluntary, informed, current, specific and unambiguous”.
Stricter requirements on what should be detailed in a privacy policy collection notice.
Expansion of individual rights to enhance transparency and control over their own data, including direct right of action and statutory tort for serious invasions of privacy.
Introduction of a mechanism to identify countries with substantially similar privacy laws.
Increased protections for de-identified information.
Changes to the political exemption.
Individuals are provided unqualified right to opt-out of receiving targeted advertising.
Organisations should consider the ‘agreed’ reforms immediately in the context of their business to determine if further compliance uplift is required. These changes are more limited in nature, reflecting a measured and cautious approach in refreshing Australia’s privacy regime.
There is appetite for longer term uplift to the Privacy Act, and organisations should be working towards compliance with these wider range of reforms using lessons learned from global best practices (e.g. GDPR). We believe many of these are simply good governance and be considered to manage organisational data risks.
The Government acknowledges the importance of these proposals however will give further consideration to how these can be achieved. There may be privacy risks associated with targeted advertising and de-identified information that organisations should not overlook, as the Government adjusts its position with these proposals.
At PwC, we're helping to build cybersecurity and digital trust for a secure and resilient Australia. We offer a range of cyber, digital risk and related legal services to our clients.
PwC’s Cyber Threat Updates a digital publication that shares news, views and information about cyber threats and developments. Subscribe to receive regular updates.
2025 Global Digital Trust Insights Bridging the gaps to cyber resilience: The C-suite playbook. In its 27th year, it is the longest-running and largest survey of it’s kind with 4,042 executive respondents across business, technology, and security executives. Despite widespread awareness of the challenges in...
As the complexity of the global cyber threat environment continues to evolve, Australia remains an attractive target for threat actors of all ilk. In particular, espionage, ransomware and attacks on critical infrastructure continue to present significant threats to Australian organisations and institutions.
