open it

The Attorney-General’s Department publicly released the Privacy Act Review Report on 16 February 2023 and are currently calling for feedback to inform the government’s response to the report.

The report puts forward 116 proposals aimed at strengthening and modernising Australia privacy law to better protect personal information. These proposals cover:

  • What information should be protected and who should protect it?
  • What privacy protections should apply?
  • What should breach of privacy be enforced?

There’s a lot of information to cover coming from the report, so we’ve put together a high level summary calling out some of the items Digital Service Providers (DSPs) should be aware about. Note that the proposals are still subject to “legislative process” and in some cases require broader consultation. 

Removing the small business exemption

The report has recommended removing the small business exemption as feedback provided throughout the review raised concerns about the increasing privacy risks faced by small businesses. While the report makes this recommendation, the proposal outlines steps that should be taken to understand the impact on small businesses before officially removing the exemption.

Providing more protection to employees

The review considered whether the personal information of employees is adequately protected and examined approaches to better protect this information. The proposal put forward in the report is to extend enhanced privacy protections to private sector employees with the aim of:

  • Providing enhanced transparency to employees around what their information is being collected and used for.
  • Ensuring employees still have flexibility to collect, use and disclose employees' information to administer the employment relationship.
  • Ensuring employees’ personal information is protected and destroyed when no longer required.
  • Notifying employees and Information Commissioner of data breaches involving employees’ personal information which is likely to result in serious harm.

The proposal does note that further consultation is needed especially around how privacy and workplace relations laws should interact.

Clarifying the definition of “personal information”

There is a proposed change to the definition of personal information to remove ‘about’ and replace it with ‘relates to’. This update would better reflect that personal information can include both technical and inferred information that is connected to an individual. It has been recommended that explanatory materials and OAIC guidance will provide more details and examples on personal information. 

The report also considers when an individual can be identified or reasonably identified given that de-identified information can be re-identified and puts forward a proposal to extend protections to de-identified information.

Improving collection notices and privacy policies

The report puts forward proposals to improve the quality of collection notices and privacy policies. This includes:

  • Introducing a requirement for collection notices to be clear, up to date, concise and understandable with the appropriate accessibility measures in place. 
  • Developing standardised templates for privacy policies and collection notices.


There is a proposal to amend the definition of consent in that consent must be voluntary, informed, current, specific and unambiguous. It is noted that the OAIC could provide guidance on how online services design consent requests.

New fair and reasonable test

The review proposes a new fair and reasonable test that will underpin the activities of entities when handling personal information. This would include the following factors:

  • Reasonable expectations
  • Kinds, sensitivity and amount of personal information
  • Functions and activities of entity
  • Risks of unjustified adverse impact or harm 
  • Whether the impact on privacy is proportionate to the benefits
  • Transparency of the collection, use or disclosure
  • Best intrests of children
  • The objects of the Privacy Act

Organisational accountability

The report includes the following two proposal for organisations subject to the Privacy Act:

  • Must determine and record the purposes it collects, uses and discloses personal information at or before the time of collection; and
  • Appoint or designate a senior employee responsible for privacy.

New rights to access, object and erasure

There are proposals to introduce individual rights modelled on GDPR including:

  • The right to access personal information if requested (with an explanation or summary if also requested)
  • The right to object to the collection of personal information
  • The right to erasure of personal information

There is further proposal for individuals to be notified at the point of collection about their rights and how to obtain further information on their rights and how to exercise them.

Security requirements, destruction and retention

The report puts forward a number of proposals around security measures and the destruction and retention of personal information. These proposals include:

  • Stating that reasonable steps for protecting personal include technical and organisational measures. 
  • Including a set of baseline privacy outcomes.
  • Undertaking a review of all legal provisions that require retention of personal information.
  • Requiring entities to establish their own maximum and minimum retention periods for personal information.

Introducing controllers and processors

There is a proposal to introduce the GDPR concepts of controllers and processes into the Privacy Act. However, this proposal is dependent on whether the small business exemption is removed given that it would be difficult to apply with the exemption still in place.

Creating tiered civil penalties

The report suggests creating two new civil penalties and therefore a tiered approach to penalties. This would involve a mid-tier penalty to cover privacy interferences without a ‘serious’ element and a low-level penalty for specific administrative breaches of the Privacy Act and Australian Privacy Principles.

Data breach reporting

The report recognised that many organisations have multiple security and data breach reporting obligations. To support these organisations, the report included a recommendation to undertake further work to better facilitate the reporting processes for notifiable data breaches.  

A further proposal would require entities to notify the Information Commissioner within 72 hours of becoming aware of a data breach. 

DSPANZ is currently drafting a response to the proposals put forward in the report and welcome any feedback from our members. Please get in touch with us before Wednesday 22 March 2023 to provide your feedback. 

The deadline for feedback is 31 March 2023.


Be the first to hear about the latest business software industry news, updates, and events.

Online Forum

Get involved in the discussion! Post your comments and have your say!

Go To Forum

Member Directory

Browse through DSPANZ Members and learn more about them here.

Browse List