The Attorney-General’s Department publicly released the Privacy Act Review Report on 16 February 2023 and is currently calling for feedback to inform the government’s response to the report.
The report puts forward 116 proposals aimed at strengthening and modernising Australian privacy law to better protect personal information. These proposals cover:
- What information should be protected and who should protect it?
- What privacy protections should apply?
- How should breaches of privacy be enforced?
The report covers a great deal of ground, so we have put together a high-level summary calling out some of the items Digital Service Providers (DSPs) should be aware of. Note that the proposals are still subject to the legislative process and in some cases require broader consultation.
Removing the small business exemption
The report has recommended removing the small business exemption, as feedback provided throughout the review raised concerns about the increasing privacy risks faced by small businesses. While the report makes this recommendation, the proposal outlines steps that should be taken to understand the impact on small businesses before officially removing the exemption.
Providing more protection to employees
The review considered whether the personal information of employees is adequately protected and examined approaches to better protect this information. The proposal put forward in the report is to extend enhanced privacy protections to private sector employees with the aim of:
- Providing enhanced transparency to employees around what their information is being collected and used for.
- Ensuring employers still have flexibility to collect, use and disclose employees’ information to administer the employment relationship.
- Ensuring employees’ personal information is protected and destroyed when no longer required.
- Notifying employees and the Information Commissioner of data breaches involving employees’ personal information that are likely to result in serious harm.
The proposal does note that further consultation is needed, especially around how privacy and workplace relations laws should interact.
Clarifying the definition of “personal information”
There is a proposed change to the definition of personal information to remove ‘about’ and replace it with ‘relates to’. This update would better reflect that personal information can include both technical and inferred information that is connected to an individual. It has been recommended that explanatory materials and OAIC guidance provide more details and examples of personal information.
The report also considers when an individual can be identified or reasonably identified, given that de-identified information can be re-identified, and puts forward a proposal to extend protections to de-identified information.
Improving collection notices and privacy policies
The report puts forward proposals to improve the quality of collection notices and privacy policies. This includes:
- Introducing a requirement for collection notices to be clear, up to date, concise and understandable with the appropriate accessibility measures in place.
- Developing standardised templates for privacy policies and collection notices.
Consent
There is a proposal to amend the definition of consent so that consent must be voluntary, informed, current, specific and unambiguous. It is noted that the OAIC could provide guidance on how online services design consent requests.
New fair and reasonable test
The review proposes a new fair and reasonable test that will underpin the activities of entities when handling personal information. This would include the following factors:
- Reasonable expectations
- Kinds, sensitivity and amount of personal information
- Functions and activities of entity
- Risks of unjustified adverse impact or harm
- Whether the impact on privacy is proportionate to the benefits
- Transparency of the collection, use or disclosure
- Best interests of children
- The objects of the Privacy Act
Organisational accountability
The report includes the following two proposals for organisations subject to the Privacy Act:
- Must determine and record the purposes for which it collects, uses and discloses personal information at or before the time of collection; and
- Appoint or designate a senior employee responsible for privacy.
New rights of access, objection and erasure
There are proposals to introduce individual rights modelled on GDPR including:
- The right to access personal information if requested (with an explanation or summary if also requested)
- The right to object to the collection of personal information
- The right to erasure of personal information
There is a further proposal for individuals to be notified at the point of collection about their rights, how to obtain further information on their rights and how to exercise them.
Security requirements, destruction and retention
The report puts forward a number of proposals around security measures and the destruction and retention of personal information. These proposals include:
- Stating that reasonable steps for protecting personal information include technical and organisational measures.
- Including a set of baseline privacy outcomes.
- Undertaking a review of all legal provisions that require retention of personal information.
- Requiring entities to establish their own maximum and minimum retention periods for personal information.
Introducing controllers and processors
There is a proposal to introduce the GDPR concepts of controllers and processors into the Privacy Act. However, this proposal is dependent on whether the small business exemption is removed, given that it would be difficult to apply with the exemption still in place.
Creating tiered civil penalties
The report suggests creating two new civil penalties and therefore a tiered approach to penalties. This would involve a mid-tier penalty to cover privacy interferences without a ‘serious’ element and a low-level penalty for specific administrative breaches of the Privacy Act and Australian Privacy Principles.
Data breach reporting
The report recognised that many organisations have multiple security and data breach reporting obligations. To support these organisations, the report included a recommendation to undertake further work to better facilitate the reporting processes for notifiable data breaches.
A further proposal would require entities to notify the Information Commissioner within 72 hours of becoming aware of a data breach.
DSPANZ is currently drafting a response to the proposals put forward in the report and welcomes any feedback from our members. Please get in touch with us before Wednesday 22 March 2023 to provide your feedback.
The deadline for feedback is 31 March 2023.