New privacy laws

The Privacy and Other Legislation Amendment Bill 2024, introduced in Parliament on 12 September 2024, is set to revolutionise Australia's privacy laws. Expected to take effect early next year, this bill brings a wave of new standards and protections.

This bill marks a significant step towards modernising Australia's privacy laws and reflects the rapidly changing expectations of how the University should handle and protect personal information to emphasise privacy as a key element of trust and transparency.

What's new?

1. Enhanced security measures: the new standards require 'reasonable steps' to include both technical and organisational measures, ensuring robust protection of personal data.
2. Automated decision-making: updates to the ANU Privacy Policy and supporting resources will guide staff on the privacy implications of using automated decision-making systems.
3. Right to sue for privacy invasions: individuals can now sue for serious invasions of privacy, providing stronger protection for personal information.
4. Simplified international agreements: recognition of comparable international privacy laws will make it easier to collaborate with institutions abroad.
5. Combatting doxing: new obligations will require training to reduce the risk of doxing, protecting individuals from malicious exposure of their personal data online.

What this means for ANU

• Policy overhaul: significant investment will be needed to update the privacy and other policies and practices, ensuring compliance with the new requirements.
• Strengthened protections: a thorough review of technical and organisational protections will be conducted to meet the new legislative standards.
• Contract updates: existing contracts will be revised to align with the new privacy thresholds, simplifying privacy assessments for international agreements.
• Enhanced training: privacy training and communication programs will be updated to educate the community on the new obligations and penalties.
• AI and privacy: Privacy Impact Assessments will be required for all AI initiatives, ensuring compliance with the new standards.

ANU emphasises robust data governance in the age of generative AI

ANU is taking proactive steps to ensure robust data governance as it integrates generative AI into its processes. With AI’s rapid evolution, ANU aims to maintain high levels of trust and compliance with legislative requirements.

AI presents vast opportunities for ANU across research, teaching, and business process improvement. However, the University stresses the importance of aligning AI use with key data governance principles to maintain stakeholder confidence. These principles include:

• Compliance with policies: AI use must adhere to ANU policies and procedures, including staff and student Codes of Conduct.
• Consent for personal information: AI should not be used to collect, store, or disclose personal information without explicit consent. For any AI use involving personal information, staff should seek advice from the ANU Privacy Office.
• Approved AI solutions: Only AI solutions approved by the University should be used to ensure proper data governance and security.
• Record management: AI outputs that are classified as University records must be stored in the University’s Electronic Records Management System (ERMS).
• Proper AI practice: the use of AI should align with the good practice guidelines provided by TEQSA.
• Transparency: staff and students should be transparent about AI use in creating outputs.

As AI continues to evolve, ANU remains dedicated to fostering a secure and compliant environment for its community. For more information and to view the FAQs, visit Generative AI and data governance.

Vigilance against scams during holiday season

As the end of the year approaches and the holiday season kicks into high gear, the University is reminding staff and students to remain vigilant against phishing and other scams. This period is notorious for a spike in fraudulent activities, targeting both professional and personal spheres.

Scammers often exploit the busy holiday period, knowing that people are more likely to be distracted and less cautious. Phishing scams, where fraudsters impersonate legitimate entities to steal sensitive information, are particularly prevalent. These scams can come in the form of emails, text messages, or even phone calls, often appearing to be from trusted sources.

ANU emphasises the importance of being cautious with unsolicited communications. Staff and students are advised to:

• Verify the source: always double-check the sender’s email address or phone number. If in doubt, contact the organisation directly using official contact details.
• Avoid clicking on suspicious links: Hover over links to see the actual URL before clicking. If it looks suspicious, do not click.
• Report suspicious activity: immediately report any suspicious emails or messages to ITS
• Personal vigilance: in addition to professional vigilance, ANU encourages everyone to be equally cautious in their personal lives. Scammers do not discriminate and can target anyone. Be wary of deals that seem too good to be true, and always verify the legitimacy of online sellers and charities.

ANU is committed to maintaining a secure environment for its community. As we enjoy the festive season, let’s stay alert and protect ourselves from scams. For more information on how to stay safe, visit ANU CyberSense.

Record number of privacy breaches reported to regulator

New statistics from the Office of the Australian Information Commissioner (OAIC) reveal that the number of data breaches reported in the first half of 2024 has reached its highest level in three and a half years.

Australian Privacy Commissioner Carly Kind has shared the view that the OAIC has high expectations of organisations like ANU to meet its privacy obligations and protect our community from harm. The increase in breaches reported to the OAIC demonstrates the scope of privacy risk, but also the increasing privacy maturity of Australian organisations.

Commissioner Kind highlighted the significant threats to Australians' privacy, stating "almost every day, my office is notified of data breaches where Australians are at likely risk of serious harm. This harm can range from an increase in scams and the risk of identity theft to emotional distress and even physical harm."

Commissioner Kind also emphasised that the Notifiable Data Breaches scheme is now mature. Recent enforcement actions against Medibank and Australian Clinical Labs underscore the importance of keeping personal information secure and meeting scheme requirements.

The OAIC will continue to enforce compliance and provide guidance to help organisations meet their obligations. Commissioner Kind said, "we would like to see all Australian organisations be required to build the highest levels of security into their operations to protect Australians’ personal information to the maximum extent possible.”

Looking for more Privacy Advice?

For assistance with any privacy questions please visit the ANU Privacy website or reach out to the ANU Privacy team. They are here to support any privacy needs and can provide a customised information session for your local area.