
Personally Identifiable Information and the Australian Privacy Act

    Privacy has become a critical concern for individuals and businesses alike. The surge in data collection, along with high-profile data breaches, has amplified the need for strong privacy protections. These protections are especially important in light of the new definition of personally identifiable information.

    The Australian government has undertaken a comprehensive review of the Privacy Act. Significant changes to better protect the privacy of Australians are likely on the way.

    A key aspect of these changes revolves around the concept of Personally Identifiable Information (PII). This guide will explore what PII is under the new legislation. We’ll also cover the proposed changes, and what businesses need to do to stay compliant.

    What is personally identifiable information (PII)?

    Personally Identifiable Information refers to any data that can be used to identify an individual, either on its own or when combined with other information. Under Australia’s Privacy Act, the definition of PII is broad and encompasses a wide range of data types.

    The proposed changes to Australia’s Privacy Act aim to clarify and expand this definition to keep pace with digital innovation.

    Key components of Personally Identifiable Information

    Understanding the types of information that make up PII is essential for ensuring compliance with privacy regulations.

    PII spans several types of data, from direct identifiers to more subtle forms of data that can identify an individual only when combined with other information.

    Direct identifiers

    These are pieces of information that directly identify an individual. Examples include:

    • name
    • address
    • email address
    • phone number
    • driver’s licence number
    • passport number

    Indirect identifiers

    Indirect identifiers are pieces of information that may not identify an individual on their own, but can do so when combined with other data. Examples include:

    • date of birth
    • gender
    • postcode
    • IP address
    • device identifiers (such as MAC address, device ID)

    Sensitive information

    Sensitive information is a category of PII that is given higher protection due to its nature. Examples include:

    • health information
    • genetic and biometric data (e.g., fingerprints, facial recognition data)
    • racial or ethnic origin
    • political opinions
    • religious or philosophical beliefs
    • sexual orientation or practices
    • criminal records

    Geolocation data

    A significant update in the proposed changes is the explicit inclusion of geolocation data as PII. This refers to data that indicates an individual’s precise location at a specific time and can be tracked over time. Geolocation data is particularly sensitive because it can reveal an individual’s patterns of behaviour, daily routines, and potentially their identity.

    Technical and inferred personally identifiable information

    The new legislation also includes technical and inferred data as PII if it can be used to identify an individual. This includes:

    • IP addresses
    • device identifiers
    • cookies and other tracking technologies
    • inferences drawn from behaviour, preferences, or characteristics (e.g., profiling for targeted advertising)

    The importance of identifiability

    A critical aspect of PII under the Privacy Act is whether the information can reasonably be used to identify an individual, either by itself or in conjunction with other data.

    The concept of “reasonably identifiable” is central to determining whether information falls under the definition of PII. This ensures that businesses must consider all potential data points that could lead to the identification of an individual.

    Key Changes to the Act

    The Australian government has proposed 38 changes to the Privacy Act. Many of these changes directly impact how PII is defined, handled, and protected.

    These changes are designed to modernise Australia’s privacy laws and ensure they remain fit for purpose in an economy where data has become a valuable asset.

    Expansion of the definition of PII: The definition of PII will be expanded to include technical and inferred data, such as IP addresses, device identifiers, and geolocation data. Such data can be used to identify individuals even when it doesn’t explicitly include their name or other direct identifiers.

    Mandatory data destruction: One of the proposed changes highlights a critical aspect of privacy protection. It emphasises the importance of securing personally identifiable information and ensuring its proper destruction when it’s no longer needed. Businesses will be required to implement processes for securely destroying or de-identifying PII. This must occur once the information is no longer required for the original purpose it was collected.

    Increased accountability: The changes will also increase accountability for businesses. Organisations will now be required to appoint a senior employee responsible for privacy. Additionally, businesses must conduct Privacy Impact Assessments (PIAs) for high-risk activities. They will also need to ensure that third-party data collection is lawful.

    Enhanced consent requirements: Businesses collecting sensitive information or geolocation data will need to obtain explicit and unambiguous consent from individuals. This means individuals must be fully informed about how their data will be used. They must also actively agree to its use.

    Stricter data breach notifications: If a data breach occurs, businesses must act quickly. They are required to notify the Office of the Australian Information Commissioner (OAIC) within 72 hours of becoming aware of the breach. This requirement is designed to ensure that affected individuals are informed as quickly as possible. It allows them to take steps to protect themselves.

    Broader applicability: The changes also propose removing the small business exemption. This means that all businesses, regardless of size, will need to comply with the Privacy Act if they handle PII. This change reflects the understanding that even small businesses can pose significant privacy risks when managing and protecting PII.

    What does your business need to do?

    With these proposed changes on the horizon, it’s crucial for Australian businesses to start preparing now. Here are some steps businesses should take:

    Appoint a privacy officer: Designate a senior employee to oversee privacy compliance and ensure that all data handling practices align with the new requirements.

    Conduct a data inventory: Businesses should conduct a thorough inventory of all the PII they collect, store, process, or share. This includes direct, indirect, sensitive, and technical data.

    Update privacy policies: Privacy policies should be updated to reflect the expanded definition of PII, particularly in relation to geolocation data and inferred data.

    Implement data destruction processes: Businesses should develop and implement processes for securely destroying PII when it is no longer needed. This includes both physical and digital records.

    Obtain clear consent: Businesses must ensure they obtain clear and explicit consent for collecting, using, or sharing sensitive information and geolocation data.

    Prepare for breach notifications: Develop and test a data breach response plan that ensures compliance with the new 72-hour notification requirement.

    The proposed changes to Australia’s Privacy Act mark a significant step forward in protecting individuals’ privacy.

    The government is expanding the definition of PII. They are also introducing stricter requirements for handling and securing this information. These changes aim to ensure that privacy laws remain robust and effective.

    For businesses, this means taking proactive steps to understand and comply with these changes. It’s essential to protect not only their customers but also their reputation. This is increasingly important in a privacy-conscious world.

    Read the full report and proposed changes from the Attorney General’s website.
