Privacy Act changes - impacts for General Insurance

I will be discussing the General Insurance impact of tranche 1 of the Privacy Act changes at my GI Regulatory landscape 2025 webinar on 12th December, 12-1.30pm (AEDT).

Register for my 12th December GI regulatory webinar here

The Privacy and Other Legislation Amendment Bill 2024 introduced the first tranche of changes to the Privacy Act in a process that commenced in 2019 and is likely to continue until after the 2025 Federal election (for tranche 2 recommendations).

Most of the changes will take effect 24 months after Royal Assent.

Impacts for General Insurance

  • New civil penalties - 3 layers of penalties apply.

- The existing civil penalty for Serious interference with privacy - individual (max $2.5m) and body corporate (greater of $50m or 3 times the value of any benefit or 30% of turnover).

- A new civil penalty for Interference with privacy (individual $660k & body corporate $3.3m). Imposed by the Federal Court.

- A new Administrative fine imposed by OAIC for certain breaches of APPs (individual $66k & body corporate $330k). If contested, the individual or body corporate would need to take the matter to court.

  • Serious invasion of privacy (new statutory tort) - an invasion of privacy by intrusion into seclusion or misuse of private information.

- this may apply, for example and subject to statutory defences, to surveillance of a person inside the privacy of their home

  • Automated decision-making means a computer program makes a decision and the decision significantly affects the rights or interests of the individual and personal information about the individual is used in the operation of the computer program to make the decision or do the thing. Also applies where a human makes the final decision as part of automated decision-making.

- this may apply for example in automated GI sales/underwriting processes; &

- claim lodgement/triage processes

If automated decision-making is used, the decisions & personal information used must be included in the Privacy Policy

  • Cross border disclosures - this will increase certainty in disclosing personal information to an overseas recipient where the Minister prescribes a 'whitelist', if the laws of that country are substantially similar to the APPs and there are mechanisms an individual can use to enforce that protection.
  • Security - APP 11 currently requires that an entity take such steps as are reasonable in the circumstances to protect the personal information it holds from misuse, interference and loss and from unauthorised access, modification or disclosure. The Bill clarifies that these steps include both technical and organisational measures.

- technical measures include firewalls, passwords and MFA etc;

- organisational measures include information security policy, training etc

  • Ministerial powers - the Minister may:

- direct OAIC to develop an APP code for an industry, if the Minister considers it is in the public interest to do so

- direct OAIC to conduct a public inquiry into a privacy related matter

- make a declaration during an emergency or disaster

- make a declaration during an eligible data breach if necessary to prevent or reduce harm to individuals

  • Children's online Privacy Code

- OAIC must develop a Children’s Online Privacy Code within 24 months

- The Code will apply to internet and electronic services (including social media platforms) likely to be accessed by children (persons under 18)

This may be relevant for motor vehicle insurance for drivers under 25.

  • Doxxing

- Against individuals where a person uses a carriage service to make available or publish personal data about an individual in a way that a reasonable person would regard as menacing or harassing towards the individual

- Against groups where a person uses a carriage service to make available or publish personal data about one or more group members in whole or in part because the group is distinguished by race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality, national or ethnic origin in a way that a reasonable person would regard as menacing or harassing towards the members

Regulatory landscape for General Insurance in 2025

I will discuss the above changes & other regulatory and Code impacts in more detail during my webinar on 12th December

Register for your GI webinar tickets here

