The Government released its response to the Review of the Privacy Act (Review)[1] on 28 September 2023 (Response)[2]. The Response sets out changes that the Government proposes to make to the Privacy Act 1988 (Cth) (Privacy Act) which will strengthen the protection of personal information and the control individuals have over their information. These changes to the Privacy Act still need to be introduced into the Parliament, and many of the proposals also note that significant consultation is required to finalise the details of particular measures. Consequently, we expect that any changes to the Privacy Act may take more than a year to come into force.
In this Insight, we summarise the key changes being proposed by the Government and suggest some key actions that organisations, large and small, can take now to prepare for the changes when they come about.
Key changes being proposed by Government
Small business exemption: Currently the Privacy Act applies only to businesses with an annual turnover above $3 million. The Response proposes that this limit should be removed, meaning that all businesses, no matter how small, that collect data from individuals must comply with the Privacy Act. These changes will be the subject of consultation with small businesses and relevant representatives, but the Response clarifies that, where the information being captured represents higher risks, the Government expects to bring those small businesses into the Privacy Act regime quickly.
Employee record exemption: Enhanced privacy protections are to be extended to private sector employees. The Government aims to provide improved transparency to employees regarding their personal information and to extend the Data Breach Notification Scheme to apply to employee records. As this change will impact all businesses, the Government intends to conduct further consultation.
Fair and reasonable personal information handling: The Review proposed that the Privacy Act should no longer rely entirely on individuals taking responsibility for managing the information they provide to businesses. This is because the Review found that many companies could not provide their services without that data, and in at least some cases those services are essential goods and services. The Response proposes that the Privacy Act be amended to include a new requirement that the collection, use and disclosure of personal information must be fair and reasonable in the circumstances. The OAIC will provide guidance about what is fair and reasonable. The Government considers that this will assist with protecting individuals from ‘dark patterns’ that steer individuals towards intrusive privacy settings when using digital services, and that privacy settings for online services should be ‘privacy-by-default’. This means that the simple act of presenting a collection statement will, in some cases, no longer be satisfactory, and that businesses will have to consider what information is ‘fair and reasonable’ to collect in the circumstances.
A new right of erasure: A right for individuals to request the erasure of any of their personal information held by a business is proposed in the Response. Along with the existing rights to access and seek amendment of information held by a business about a person, the Response proposes that individuals will have a right to require the deletion of information held about them by a business. Any such amendment will need to be considered in light of the existing credit-related provisions of the Privacy Act and in the context of other laws like the Anti-Money Laundering and Counter-Terrorism Financing Act.
Direct marketing, targeting and trading: Some businesses derive revenue from user engagement with targeted content and advertising, which enables them to provide consumers with access to content or services for free or at a lower monetary cost. The trading of personal information underpins these activities. The Response proposes to define direct marketing, targeted advertising, targeting and trading, and to place new controls on how advertisers can use and trade data acquired through, or used for, those marketing techniques. These may include an obligation to provide individuals with an unqualified right to opt out of receiving targeted advertising.
Consent: It is unlikely that the requirement for consent to a collection will be substantially expanded, the view being that individuals may become overwhelmed by frequent consent giving and thus pay too little attention to circumstances where sensitive information (which currently requires consent) is being collected. However, the Response proposes to more clearly require that consent be voluntary, informed, current, specific and unambiguous. This may affect how businesses manage the collection and maintenance of sensitive information, especially in circumstances where facial recognition technology is in use.
A new direct right of action: The Response proposes that people who have had their privacy interfered with should have a direct right of action, with their complaint being heard by the Federal Court (after first making a complaint to the OAIC or through an external dispute resolution scheme and having the complaint assessed as being unsuitable for conciliation). The Government believes that a direct right of action would increase the avenues available to individuals who suffer loss or damage as a result of an interference with their privacy to seek compensation.
A new statutory tort for serious invasions of privacy: The Response proposes that the new cause of action be available where there is a serious intrusion into an individual’s seclusion or a serious misuse of private information. The tort would be based on the model proposed by the Australian Law Reform Commission in Serious Invasions of Privacy in the Digital Age (Report 123)[3]. Consultation with media organisations on further safeguards to protect public interest journalism will occur.
Greater organisational accountability: The Response proposes that businesses will be required to make and keep enhanced records of the decisions made about the collection, management and use of information about individuals. Organisations will also be required to appoint or designate a senior employee as having specific responsibility for privacy within the organisation.
Other changes: Some other changes proposed by the Response:
- a requirement that notifiable data breaches be reported to the OAIC within 72 hours;
- a requirement that privacy policies set out the types of personal information that will be used in substantially automated decisions;
- a requirement that businesses conduct privacy impact assessments for activities they wish to conduct which have high privacy risks (for example, if the activities involve sensitive information);
- enhancements to privacy rights for vulnerable people and children;
- clarification of a range of definitions and simplification of some obligations, especially by formally recognising the distinction between data processors and data controllers;
- expanded use and flexibility of privacy ‘Codes’ made by the Privacy Commissioner; and
- additional capability for the OAIC to enforce the Privacy Act.
Some ways to prepare for the changes when they become law
- Review your existing privacy and cyber security approaches. Any business that relies on customer data should already have robust privacy and cyber security policies and controls. These should be reviewed to ensure that they are up to date and are commensurate with the risks associated with the data your business holds.
- Conduct a detailed assessment of what information you hold and whether you really need or use it. Having high quality systems to manage data governance and data accuracy will be critical defences against some of the expanded rights and the proposed rights of action.
- If you are a small business owner, start considering what kind of information you collect about customers and whether it really adds value to your business. When (and if) the Privacy Act is extended to small businesses, the compliance costs you face will increase, so it is critical that you have a clear view of the value added by the information you hold. If it doesn’t add value, then you should consider no longer collecting that information.
- Consider how you will enhance the processes you use for making decisions about information collection, management and use, including the records that you make and keep about these matters. The earlier you start to build the muscle necessary to do this well, the lower your risk will be when these matters become compliance obligations.
- Appoint a Privacy Officer soon. Before the proposals in the Response become law, you should designate a Privacy Officer and ensure that whoever is charged with that responsibility has the skills and capability not only to assist in the transition to the new privacy rules but also to support the organisation in the long run.
- Start to consider whether your business will need to reconsider the technologies it has available for storing and managing information about individuals. This may be especially relevant in respect of employee data in view of enhanced privacy protections being extended to private sector employees, particularly given the prevalence of outsourced HR operations.
The changes being proposed by Government will still be the subject of substantial consultation and detailed policy development, which can be time consuming, so any changes with which businesses must comply are some way off. However, taking some preparatory actions now will limit the impact of legislative changes and smooth the implementation processes in your business.
[1] Review of the Privacy Act 1988, Attorney-General’s Department (ag.gov.au)
[2] Government response to the Privacy Act Review Report, Attorney-General’s Department (ag.gov.au)
[3] Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era (ALRC Report 123), https://www.alrc.gov.au/publication/serious-invasions-of-privacy-in-the-digital-era-alrc-report-123/