Privacy in the news and what it means for your organisation

Privacy and data breaches are in our headlines yet again, but what can the not-for-profit and education sectors learn this time around? This article considers lessons from recent high-profile privacy breaches.

Lesson 1: What your organisation does after a data breach is extremely important for your brand.

Data breaches can trigger emotional responses from members of the public who are affected – and big headlines in the media – because privacy is tied to identity, individuality and autonomy.

Malicious and criminal attacks are the leading cause of data breaches notified to the OAIC under the Notifiable Data Breach Scheme. While data breaches, or malicious hacking, may be an inevitable threat, there are measures you can implement in your organisation to ensure you are prepared to respond swiftly and in an appropriate manner.

Now is a good time for you to review your current data breach response plan. The OAIC has guidance about the four key steps to responding to data breaches which are: contain, assess, notify and review.

In addition, staff should regularly receive data breach simulation training to help staff recognise data breaches, risks to data security and know how to respond in the moment. Taking swift, immediate steps is critical to limiting the further dissemination of information affected by a data breach.

Lesson 2: Children’s privacy is gaining importance in the regulatory space and community expectations

The trend of children’s privacy gaining importance can be seen in Australia, Britain and California.

In Britain

The British Information Commissioner’s Office (ICO) has taken enforcement action against TikTok for breaching the privacy of children, which could impose the largest fine in the ICO’s history: £27 million.

The ICO’s investigation found TikTok may have:

  • processed the data of children under the age of 13 without appropriate parental consent;
  • failed to provide proper information to its users in a concise, transparent and easily understood way; and
  • processed special category data, without legal grounds to do so.

This enforcement action is currently a notice of intent. No fine or factual findings have been made as yet.

In Australia

In Australia, much has been accomplished by the eSafety Commissioner in recent years, partly with the introduction of two new schemes: the Online Content Scheme and Cyberbullying Scheme.

The growing concern for upholding children’s rights to privacy is confirmed as the focus of the Privacy Act Review on stronger measures to ensure consent from parents and/or children, and the need for clear language that is child-friendly when organisations’ key stakeholders are children. Overall, greater organisational accountability, transparency and privacy-by-design requirements will also contribute to better empowering children to make decisions to protect their privacy, and establish baseline expectations so pro-privacy mechanisms are built into online platforms.

Transparency and accountability are part of the ICO’s criticisms of TikTok. The Online Privacy Bill published as an exposure draft in 2021 was designed to implement an Online Privacy Code regulating the activities on social media platforms specifically, however, this bill has not yet been put to Parliament. The Attorney-General has promised an overhaul of Australia’s privacy laws. As we await a bill to amend the Privacy Act 1988, we recommend organisations work with children to take pro-active steps to ensure policies, procedures and technology uphold the privacy rights of children interacting with your organisation.

In California

On 15 September 2022, the Californian Governor signed legislation protecting the wellbeing, data and privacy of children using online platforms. To be called the California Age-Appropriate Design Code Act, many of the themes resemble pro-privacy design elements so children are not manipulated into waiving privacy rights on online platforms. Ensuring terms of service are easily understandable is another common feature.

How we can help

We can help you respond to a data breach by helping with the immediate steps, and subsequent notifications required by the Notifiable Data Breach Scheme. We can also provide assistance by leading privacy audits to proactively identify information security risks in your systems and processes.

In conjunction with our Safeguarding expertise, we are also passionate about helping organisations keep children safe online and uphold their privacy rights.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Authors