Australia’s Privacy Act is fundamentally changing: What this means for your organisation

This article was updated on 5 October 2023 to reflect the government's response to the 116 proposed Privacy Act amendments.

Background

On 16 February 2023, the Attorney-General’s Department released its Privacy Act Review Report (the Report) following a two-year review of the Privacy Act 1988 (Cth) (the Act). The Report contains 116 recommended amendments to the existing Act to strengthen the protection of personal information and the control individuals have over their information. If accepted and adopted, the recommendations will significantly impact the way Australian organisations handle personal information.

On 28 September, the Australian Government released its long-awaited response to the Attorney-General’s Privacy Act Review Report. The Government’s response sets out its position on each of the 116 proposals put forward by the Attorney-General. We originally published this article in May, analysing the proposed changes we believe will be most impactful for our clients; we have since updated it to reflect the Government’s response.

116 recommendations – key takeaways

The 116 recommendations in the Report are grouped into three key areas:

  1. Scope and application of the Privacy Act
  2. Protections
  3. Regulation and enforcement

Scope and application of the Act

31 amendments have been proposed in this area. Some of the key recommendations, and Protiviti’s perspective on each, include the following:

Personal information, de-identification, and sensitive information
Proposal 4.2

Include a non-exhaustive list of information which may be personal information to assist APP entities to identify the types of information which could fall within the definition. Supplement this list with more specific examples in the explanatory materials and OAIC guidance.
Government response: Agree in principle

This amendment would give organisations greater clarity in identifying personal information and understanding their compliance obligations, but it may also broaden the scope of personal information by bringing related or associated data sets, such as web browser cookies, into scope.

Employee records exemption
Proposal 7.1

Enhanced privacy protections should be extended to private sector employees, with the aim of:

a) providing enhanced transparency to employees regarding what their personal and sensitive information is being collected and used for

b) ensuring that employers have adequate flexibility to collect, use and disclose employees’ information that is reasonably necessary to administer the employment relationship, including addressing the appropriate scope of any individual rights and the issue of whether consent should be required to collect employees’ sensitive information

c) ensuring that employees’ personal information is protected from misuse, loss or unauthorised access and is destroyed when it is no longer required, and

d) notifying employees and the Information Commissioner of any data breach involving employees’ personal information which is likely to result in serious harm.

Government response: Agree in principle

Interestingly, the Report does not propose to remove the existing employee records exemption, but instead to afford employees more protections and transparency. The recommendation proposes that organisations must apply the same level of security to employee records as they do to other personal information they hold, and must also provide employees with clear and concise notice of how their personal information is handled, where it is stored, who it is disclosed to, and so on.

Protections

The bulk of the Report focuses on protections afforded to individuals regarding their personal information, with 64 recommendations included in this section. Some notable recommendations include:

Consent
Proposal 11.1

Amend the definition of consent to provide that it must be voluntary, informed, current, specific, and unambiguous.

Proposal 11.2

The OAIC could develop guidance on how online services should design consent requests. This guidance could address whether particular layouts, wording or icons could be used when obtaining consent, and how the elements of valid consent should be interpreted in the online context. Consideration could be given to further progressing standardised consent as part of any future APP codes.
Government response: Agree in principle

The Report’s recommendations to amend consent requirements incorporate key elements of the European GDPR (General Data Protection Regulation) model: consent must be voluntary, informed, current, specific and unambiguous. This is likely to invalidate consent obtained under the current Act, which permits organisations to rely on express or implied consent from individuals. If adopted, organisations may therefore have to refresh consent by collecting it again from individuals in a manner that complies with the new requirements.

Fair and reasonable personal information handling
Proposal 12.1

Amend the Act to require that the collection, use and disclosure of personal information must be fair and reasonable in the circumstances. It should be made clear that the fair and reasonable test is an objective test to be assessed from the perspective of a reasonable person.
Government response: Agree in principle

The Report recommended that organisations should be required to perform an objective test before collecting, using or disclosing personal information to determine if the processing is fair and reasonable. The test should consider factors such as the sensitivity of the information, whether the impact on privacy is proportionate to the benefits, whether an individual would reasonably expect their information to be processed, and whether the processing is necessary for the functions and objectives of the organisation.

Additional protections
Proposal 13.1

APP entities must conduct a privacy impact assessment for all activities with high privacy risks.
Government response: Agree in principle

Similar to the EU GDPR, the Report recommends introducing a mandatory requirement for organisations to conduct a Privacy Impact Assessment (PIA) before commencing a high-risk activity. High-risk activities may include, for example, processing sensitive personal information or children’s personal information on a large scale, using biometric information, profiling, or delivering personalised advertising content to individuals.

Rights of the individual
Proposal 18.3

Introduce a right to erasure with the following features:

a) An individual may seek to exercise the right to erasure for any of their personal information.

b) An APP entity who has collected the information from a third party or disclosed the information to a third party must inform the individual about the third party and notify the third party of the erasure request unless it is impossible or involves disproportionate effort.

Government response: Agree in principle

As was widely expected, the Report proposes a right to erasure for individuals, mirroring the European model. This recommendation would permit individuals to request that an organisation destroy all personal information the organisation holds pertaining to them. Organisations will face the challenge of implementing appropriate procedures and technologies to accurately identify all personal information they hold relating to a request, securely destroy that information, and notify all third parties with access to the information of the request and of their obligation to destroy the information.

Security, retention and destruction
Proposal 21.2

Include a set of baseline privacy outcomes under APP 11 and consult further with industry and government to determine these outcomes, informed by the development of the Government’s 2023-2030 Australian Cyber Security Strategy.

Government response: Agree in principle

Proposal 21.3

Enhance the OAIC guidance in relation to APP 11 on what reasonable steps are to secure personal information. The guidance that relates to cyber security could draw on technical advice from the Australian Cyber Security Centre.

Government response: Agree

A welcome inclusion in the Report is the proposed introduction of security requirements to protect personal information from unauthorised access, misuse, disclosure and similar harms, together with additional guidance to be published by the Office of the Australian Information Commissioner (OAIC). This would potentially remove some ambiguity from the current requirements of Australian Privacy Principle (APP) 11.

Controllers and processors of personal information
Proposal 22.1

Introduce the concepts of APP entity controllers and APP entity processors into the Act. Pending removal of the small business exemption, a non-APP entity that processes information on behalf of an APP entity controller would be brought into the scope of the Act in relation to its handling of personal information for the APP entity controller. This would be subject to further consultation with small business and an impact analysis to understand the impact on small business processors.
Government response: Agree in principle

Another recommendation derived from the EU GDPR proposes introducing the concepts of data controllers and data processors. A controller would be the party that determines how personal information is processed, while a processor would only process personal information on the instructions of a controller. This proposal would also help organisations enforce their third-party providers’ compliance with the Act.

Regulations and enforcement

The final area of the Report includes 21 recommendations regarding the regulatory environment and enforcement actions, with some key recommendations including:

Enforcement
Proposal 25.1

Create tiers of civil penalty provisions to allow for better targeted regulatory responses:

a) Introduce a new mid-tier civil penalty provision to cover interferences with privacy without a ‘serious’ element, excluding the new low-level civil penalty provision.

b) Introduce a new low-level civil penalty provision for specific administrative breaches of the Act and APPs with attached infringement notice powers for the Information Commissioner with set penalties.

Government response: Agree

This proposal expands on the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, enacted in November 2022, which increased the maximum penalty for privacy compliance breaches from $2.2m to a potential $50m. A tiered penalty system is proposed, with a potential penalty of 2,000 penalty units (currently $5.5m) for mid-tier offences and 20% of the maximum amount of the related civil penalty for low-tier offences under consideration. For example, failure to maintain a clear and up-to-date privacy policy, or to respond to individuals’ requests in a timely manner, may constitute a low-tier offence.

A direct right of action
Proposal 26.1

Amend the Act to allow for a direct right of action in order to permit individuals to apply to the courts for relief in relation to an interference with privacy.
Government response: Agree in principle

The Report also recommends introducing a direct right of action for individuals, or groups of individuals (class actions), to seek compensation through the courts for breaches of privacy. The Report proposes that all claims be initially assessed by the OAIC or an External Dispute Resolution scheme; where no resolution can be found, the complainant(s) would have the option to pursue the matter further in court.

What should I do now?

While the final amendments and enactment timeframes are currently undefined (late 2023/early 2024 may be a realistic target), the clock is ticking for organisations to uplift their privacy practices. We recommend making the following activities a priority for your privacy program in 2023 to uplift capabilities and comply with key areas of the reformed Act:

Understand your data: Identify and inventory how your organisation collects, uses, stores, discloses, and retains personal information. Conduct discovery sessions across the business and apply data discovery tools where applicable to identify personal information processes across your organisation. Develop, document and maintain the results in a formal record of processing. This will also enable compliance with proposal 15.1 and the requirement for organisations to record the purposes for which they collect, use and disclose personal information.

Focus on data minimisation: Remove any instances of collection, use or disclosure of personal information that is not strictly necessary and for a defined purpose. Securely destroy personal information that is no longer relevant or outside its defined retention period.

Build out your security capabilities: Recent high-profile data breaches have shown that inadequate data security capabilities and excessive data retention practices can be extremely costly. Investing in security technologies and resources and maintaining and regularly testing data breach response plans will help reduce the likelihood and impact of any incidents.

Kate Robinson contributed to this piece.
