The Australian Government releases its response to the Privacy Act Review — The Salesforce Edition

Doug Merrett
6 min readSep 28, 2023
An abstract picture meant to show Customer Data.
Photo by Claudio Schwarz on Unsplash

TL;DR; The New Privacy Act will impact all Salesforce customers as Small Businesses will no longer be exempt. There are lots of detail, however it looks to be similar to the GDPR. You will need to have a way to detect breaches (Event Monitoring) and be taking reasonable steps to protect the data where a security assessment will assist in highlighting any possible issues.

The Australian Government today has released its response to the Privacy Act Review Report which was released in February 2023.

The five focus areas are: Bring the Privacy Act into the digital age; Uplift protections; Increase clarity and simplicity for entities and individuals; Improve control and transparency for individuals over their personal information; and Strengthen enforcement.

Of the proposals made, the vast majority were agreed or agreed in-principal.

The ones which will affect most Australian Salesforce customers are:

  • The definition of ‘collection’ should be amended to expressly cover information obtained from any source and by any means, including inferred or generated information (proposal 4.3).
  • The Government agrees in-principle that the small business exemption should be removed in light of the privacy risks applicable in the digital environment (proposal 6.1).
  • The Government agrees in-principle that privacy settings for online services should reflect the ‘privacy-by-default’ framework of the Privacy Act, as determined by what is fair and reasonable in the circumstances, and be clear and easily accessible for users (proposal 11.4).
  • The Government agrees the Privacy Act’s existing security obligations should be enhanced by specifying that ‘reasonable steps’ in the context of APP 11 include both technical and organisational measures (proposal 21.1), and agrees in-principle that entities should be required to comply with a set of baseline privacy outcomes, aligned with relevant outcomes of the Government’s 2023–2030 Australian Cyber Security Strategy (proposal 21.2). The Government agrees the OAIC should provide additional guidance to entities about what reasonable steps an entity should take to keep personal information secure (proposal 21.3), and what reasonable steps an entity should take to destroy or de-identify personal information (proposal 21.5).
  • The Government agrees in-principle that entities should be required to establish their own maximum and minimum retention periods for personal information they hold (proposal 21.7) and specify these retention periods in privacy policies (proposal 21.8). Retention periods should take into account the type, sensitivity and purpose of the information being retained as well as the entity’s organisational needs and any obligations they may have under other legal frameworks.
  • The Government agrees in-principle that entities should be required to (proposal 28.2): notify the Information Commissioner as soon as practicable, and not later than 72 hours, after becoming aware that there are reasonable grounds to believe there has been an eligible data breach, but will further explore appropriate timeframes with stakeholders and alignment with other relevant reporting frameworks; notify individuals as soon as practicable, including providing information to individuals in phases if it is not practicable to provide the information at the same time; and take reasonable steps to implement practices, procedures and systems to respond to a data breach.
  • The Government agrees in-principle that entities should be required to determine and record the purposes for which they will collect, use and disclose personal information at or before the time they collect it and record secondary purposes at or before the time of undertaking the secondary use or disclosure (proposal 15.1). Determining and recording the primary and secondary purposes for which personal information is collected, used and disclosed will assist entities with internal measures to assess the adequacy of current practices and comply with new obligations. To improve information management governance processes and systems, the Government agrees in-principle that entities should be required to appoint or designate a senior employee as having specific responsibility for privacy within the organisation (proposal 15.2). The Government also agrees in-principle that entities should be required to take reasonable steps to ensure personal information collected by third parties was collected lawfully (proposal 13.4)
  • The Government agrees in-principle that targeting (for marketing) should be subject to the following requirements (proposal 20.8): targeting individuals should be fair and reasonable in the circumstances, and targeting individuals based on sensitive information should be prohibited, with an exception for socially beneficial content.
  • To prevent individuals from losing control of their information, the Government agrees in-principle that an individual’s consent should be required in order to trade their personal information (proposal 20.4), subject to refining the scope of what is considered to constitute ‘trading’.
  • The Government agrees in-principle that individuals should have greater transparency and control over their personal information through the creation of new individual rights which would enable them to: request an explanation of what personal information is held and what is being done with it through an enhanced right to access (proposal 18.1); challenge the information handling practices of an entity and require the entity to justify how its information-handling practices comply with the Act (proposal 18.2) ; require an entity to delete (or de-identify) personal information through a right to erasure (proposal 18.3) ; request correction of online publications over which an entity has control (proposal 18.4), and require search engines to de-index certain online search results (proposal 18.5).
  • The Government agrees in-principle that individuals should have more direct access to the courts to seek remedies for breaches of the Act through a direct right of action (proposal 26.1).
  • the Government agrees section 13G of the Privacy Act which deals with ‘serious or repeated’ breaches of privacy should be amended to remove the word ‘repeated’ and clarify that a ‘serious’ inference can include repeated interferences with privacy (proposal 25.2). The Government agrees a new mid-tier civil penalty provision should be introduced to cover interferences with privacy which do not meet the threshold of being ‘serious’ and a new low-level civil penalty provision for specific administrative breaches of the Act and APPs should be introduced with attached infringement notice powers for the Information Commissioner with set penalties (proposal 25.1).

So, in a nutshell, if you are storing customer data in Salesforce (and that would be close to all Salesforce customers), you need to take security and privacy of data seriously.

The exemption for small business will mean all Salesforce customers need to comply with the Privacy Act.

The requirement for you to protect data, even if you bought it, following the OAIC (Office of the Australian Information Commissioner) guidelines on the reasonable steps to protect. You will also will need to verify that the data you bought was collected legally. It will be interesting to see what these reasonable steps are…

Marketers need to be very aware of the greater transparency and control over their personal information that consumers will get, including the ability to request deletion of their data, as well as the retention period of data collected or bought.

And every company will need to have a Privacy Officer…

If you are a company that has looked at becoming GDPR compliant as you are working in the EU/UK, then you are pretty much there with the proposed changes. However, technology may be required for you to be aware of breaches and the ability to understand what data was taken is key. This capability is only available with Salesforce’s Event Monitoring and you will need to keep these logs for a reasonable timeframe.

And getting an assessment of the security of your Salesforce environment will highlight any data privacy issues and technical shortcomings which would need to be addressed to be compliant with the Act.

Please let me know your thoughts below and please reach out if you have any questions on how to protect your Salesforce data.



Doug Merrett

I worked for Salesforce as a Security Specialist for 13 years before starting my own consultancy — a Salesforce Consultancy Partner