Preparing the NFP sector for Privacy Act and cybersecurity reforms
27 March 2023 at 1:37 pm
What do proposed legislative changes mean for the social sector? David Spriggs investigates.
The past month has seen some major changes take place in both legislation and government agencies that may have significant impacts for the not-for-profit sector. This includes key changes and proposals to reform the Privacy Act 1988 (Cth) as well as the announcement of a new National Office for Cyber Security.
What are the current challenges in the sector?
These changes follow extensive surveys and reports conducted by Infoxchange and professional services firm PricewaterhouseCoopers (PwC), which reflect community-wide concern regarding data security and cybersecurity breaches, and a general lack of capability and confidence in the sector about how to address such concerns.
According to PwC’s 2022 Global Digital Trust Insights report, more than 60 per cent of organisations expect an increase in cybersecurity incidents this year. Further, not-for-profit leaders ranked security and privacy maturity as low.
Whilst PwC’s NFP CEO Survey identified that 48 per cent of respondents are making progress on establishing a cybersecurity and privacy uplift program, 30 per cent have not considered, or have not made progress on, establishing such a program.
Meanwhile, Infoxchange’s 2022 Digital Technology in the Not-For-Profit Sector report revealed that 53 per cent of not-for-profits surveyed hadn’t provided cybersecurity awareness training to their staff, placing their data at greater risk of a security breach. Further, more than 1 in 3 organisations are yet to implement multi-factor authentication, a simple step to significantly improve information security.
Overview of Privacy Act changes
Recently, the Federal Attorney-General’s Department published its long-awaited review into the Privacy Act 1988 (Cth). This Act governs how our personal information is handled and shared, ranging from our social media profiles to data held by the sector on vulnerable members of our community. The report followed extensive stakeholder consultation and considers whether the Act and its enforcement mechanisms are fit for purpose.
In addition to the current review, and in response to a number of high-profile data breaches, significantly higher penalties were introduced under the Act in December 2022.
Even if not all 116 recommendations put forward in the Privacy Act Review Report are enacted, it will still be the most significant change to Australian privacy law since the introduction of the Australian Privacy Principles.
Implications for the sector
This transformation of Australia’s privacy landscape has the potential to impose new and broad-ranging responsibilities on the not-for-profit sector, and to require significant organisational investment to ensure future compliance.
Currently the Office of the Australian Information Commissioner (OAIC) specifies that the Privacy Act only applies to an NFP if its annual turnover is greater than $3 million.
However, if the small business exemption is removed from the Act (as is currently recommended in the Privacy Act Review Report), all NFPs could be regulated by the Act regardless of the size of their annual turnover.
New investments may include initiatives to classify information to guide data protection methods such as robust encryption standards and data loss prevention. Further, they may need to invest greater resources into uplifting privacy management processes such as implementing a process to perform Privacy Impact Assessments and the development of a Privacy Management Plan.
Many of these uplifts, whilst costly, should create value for the sector through improved data security, enhanced public confidence and an ability to find, utilise and create insights from data that may not be possible without these enhanced data governance measures.
We encourage all organisations to review and to contribute to consultation on the Privacy Act Review recommendations, which closes on 31 March 2023.
The new cybersecurity office
In February 2023, the federal government announced that it will be appointing a new national cybersecurity coordinator, who will be supported by the National Office for Cyber Security and an advisory board composed of industry leaders.
The government is also in the process of developing the new 2023-2030 Australian Cyber Security Strategy, which will focus on enhancing regulatory frameworks, securing government systems and strengthening our international strategy on cybersecurity.
These anticipated changes will likely introduce mechanisms that provide greater support and guidance to the sector, including guidance on how to prioritise resources, minimum controls and training materials for small and medium-sized organisations.
Support for the sector will be critical, considering that only 49 per cent of Australian NFPs currently have an information security policy in place, with most of these having no strategy in place to manage cyber-related risk.
However, while the proposed changes may provide greater support structures for organisations, anticipated changes to regulatory frameworks will likely introduce more stringent requirements, and meeting them will demand financial and human resources.
Considering the often-limited funds available for investment in digital and information security initiatives and the shortage of cybersecurity skills, the sector may face difficulty in finding and prioritising resources to ensure compliance with new laws.
Preparing for change
It will be some time before we know exactly how these changes will impact the sector.
In the interim, we encourage any organisation seeking to address cybersecurity and data privacy challenges to visit our Digital Transformation Hub, where they will find resources, training, cybersecurity tools, assessments and further information as well as an expert bar to assist with any enquiries.
We are thankful to PwC for the assistance they provide in helping us to support the Digital Transformation Hub and the expert bar as well as for enabling vital research to support our sector.