Privacy has always been an important issue, but never more so than since big businesses like Optus and Medibank were targeted by hackers in 2022, resulting in the public release of thousands of customers’ personal information.
As a result of the backlash, new changes have been introduced to the Privacy Act 1988, which can have a serious impact on business owners, including real estate agencies.
The big hacks
While most people assume their data is safe in the hands of big businesses, thousands of Australians found out this isn’t necessarily the case, when their personal information was released following the Optus and Medibank hacks. The latter even led to the release of medical information.
Following the backlash, a change in privacy laws was inevitable. The amendments aim to provide greater protection of the personal data and privacy of Australians.
So, how do they achieve this? The penalties for serious or repeated interferences with privacy have been increased under the Privacy Act.
What do agencies need to know?
The big question for real estate agencies is: what constitutes a serious or repeated interference with someone’s privacy?
Well, according to the law, these are two distinct concepts, and you could be found liable for the penalties under either of them. In some cases, your actions might be found to be both serious and repeated.
The next question then is: what is a serious interference with someone’s privacy? This is what a reasonable person would consider to be a ‘serious’ interference – therefore, as the standards of society and people change over time, so too does what we consider ‘serious’.
Serious interference
Today, the aspects generally looked at when determining whether an interference was serious include:
- the number of people affected;
- whether sensitive information was involved;
- whether one or more individuals suffered, or are likely to suffer, significant harm from the interference;
- whether the interference was done deliberately or recklessly; and
- who was responsible for the breach – for example, were they senior staff, experienced, etc?
What, then, is repeated interference? This means that you or your organisation have interfered with the privacy of an individual or of multiple people on two or more occasions – whether because of the same actions or different ones.
However, the interferences must have occurred on separate occasions – so if one interference affects multiple individuals simultaneously, it will only count as one occasion.
The changes
The new changes to the act increase the penalties for body corporates in breach of these provisions to:
- $50 million;
- triple the value of any benefit obtained from the contravention; or
- 30 per cent of the adjusted turnover over a relevant period.
The greater of the three will be applied as the penalty. Previously, the penalty was $2.22 million.
The changes to the act increase the penalties for individuals in breach of these provisions to a maximum of $2.5 million. Previously, the penalty was $440,000.
The changes also increase the enforcement and information-sharing powers of the Commissioner and the OAIC. These include a more detailed notification to the Commissioner when you experience a notifiable data breach.
What happens after a breach
When an entity faces a data breach that is notifiable, it is required to prepare a statement for the Commissioner. This statement must also specify the particular kinds of information that were involved in the data breach.
For example, previously it was enough to mention that ‘contact information’ had been breached. Now, the particular kind of contact information must be mentioned (such as phone number, home address).
The Commissioner can now assess your ability to comply with the notifiable data breach scheme, and can also issue infringement notices to anyone who fails to provide information when required to. The penalty is:
- 60 penalty units for a person ($16,500); or
- 300 penalty units for a body corporate ($82,500).
The Commissioner can also share information with other authorities, such as enforcement bodies, other complaint bodies, and Commonwealth, state and/or territory government authorities. In addition, the Commissioner can now publicly disclose information if it is in the public interest to do so.
For businesses, this could have serious reputational consequences if you’re not careful with your privacy practices. So now is the time to familiarise yourself with the changes.