New regulations have been introduced by the Federal Government that affect the way companies manage their customers’ information, and also how they use artificial intelligence (AI) in their business.

Customer privacy

A recent review by the Australian Competition and Consumer Commission (ACCC) has resulted in the introduction of new and expanded individual rights, impacting Australian organisations.

The Government’s Privacy Act Review Report includes strict rules on consent, data retention, and the right for individuals to request data erasure.

The rules will overhaul personal data collection, recording, and handling, necessitating significant investments in new systems, staff training, and updated practices, including geolocation data rules.

One significant change is the right for individuals to request the deletion of their personal information.

Organisations that collect and store customers’ Personally Identifiable Information (PII) will therefore need to invest in personnel, processes, and technology to handle such requests, ensuring compliance with the Privacy Act and the Consumer Data Right initiative.

The following measures must be implemented to satisfy the ACCC’s new requirements:

  • Update Policies: Revise data retention, deletion, and consumer rights policies.
  • Data Mapping: Conduct comprehensive data mapping to track where consumer data is stored, including databases, third-party services, and backup systems, ensuring proper handling and deletion.
  • Data Management Systems: Upgrade systems to support automated, secure, and irreversible data deletion.
  • Backup Systems: Modify backup systems to allow specific data deletions without compromising integrity.
  • Consumer Request Processes: Create online forms and customer service channels for data deletion requests.
  • Audits: Conduct regular internal and external audits to ensure policy compliance and continuous monitoring.
  • Employee Training: Provide ongoing training on data privacy regulations and proper data deletion practices.
  • Third-Party Compliance: Ensure contracts with third-party service providers include data deletion requirements and conduct compliance checks.

Use of AI

Mandatory rules for high-risk AI are also under discussion. The Government is seeking to ensure AI is designed, developed, and deployed safely and responsibly, especially in high-risk areas where harm from AI use could be irreversible.

Mandatory guardrails to promote the safe design, development and deployment of AI systems will be considered, including possible requirements relating to:

  • Testing: Safety testing before and after product release.
  • Transparency: Transparency about model design, data sources, AI system labelling, and AI-generated content watermarking.
  • Accountability: Training for AI developers and deployers, possible certification, and clear accountability expectations.

Clients will notice HLB firms introducing new systems and procedures in response to these changes.

This article was published in the Spring 2024 issue of Financial Times.