Express Law No. 313

20 February 2023

Privacy Act Review Report released

The Government has released the report of the review of the Privacy Act 1988 which contains 116 proposals.

Following an expansive review of the operation of the Privacy Act 1988 (Act), the Government has published its 320-page report.

The report makes wide-ranging recommendations to strengthen privacy laws in response to the changing nature of digital services and recent large-scale data breaches.

The Government is seeking feedback on the report’s proposals before deciding what steps to take, with submissions due on 31 March 2023.

Key recommendations which may impact on the operation of government agencies are summarised below.

The report proposes updates to the objects of the Act to recognise the public interest in protecting privacy (Proposal 4.2) and to the definition of key terms, including ‘personal information’, ‘sensitive information’ and ‘collects’ (Proposal 4). It also proposes defining the terms ‘reasonably identifiable’, ‘de-identified’ and ‘disclosure’ (Proposal 4, Proposal 23.6).

Amendments are also suggested to remove the small business exemption (Proposal 6) and extend the operation of the Act to private sector employees in certain circumstances (Proposal 7). Amendments in relation to the application of the Act to political parties and journalism are also proposed, extending obligations in respect of transparency, security of personal information and data breach notification (Proposals 8 and 9).

Increased protections to privacy are suggested through codifying the definition of consent, and through the development of standard consent forms and privacy notices. While generally consent requirements will be more stringent, it is suggested a broad consent for research purposes be permitted in certain circumstances (Proposal 14.1).

If implemented, amendments to the Australian Privacy Principles (APPs) in Sch 1 to the Act would:

• apply a ‘fair and reasonable’ test to collection, use and disclosure (Proposal 12.1)
• require an APP entity to determine and record the purpose for which it will collect, use or disclose personal information at or before the time it handles the information (Proposal 15)
• introduce a right to request meaningful information about how automated decisions are made and require inclusion of information about such decisions in entity privacy policies (Proposal 19)
• increase protections in relation to direct marketing, targeting and trading (Proposal 20)
• provide more specific detail regarding the measures required to secure personal information and impose a requirement to protect de-identified information (Proposal 21)
• require APP entities to set minimum and maximum retention periods for personal information and include details of the periods in its privacy policy (Proposals 21.7-21.8)
• provide greater clarity around when overseas disclosure will be permitted, with further consultation to occur as to whether online publication of personal information in the public interest should operate as an exception to APP 8.1 (Proposal 23).

Other key proposals modelled on the European Union’s General Data Protection Regulation (GDPR) ‘data subject rights’ would expand the rights of individuals to request access, correction, de-indexing and erasure, or otherwise object to the collection, use or disclosure of their personal information (Proposals 18.1-18.5). Exceptions to individual rights are also proposed including where there are competing public interests, relationships with a legal character and it would not be technically possible or unreasonable to implement the request (Proposal 18.6).

Consistent with 2022 reforms to the Act, the report proposes enhanced enforcement provisions, including new ‘mid’ and ‘low’ tier civil penalty provisions for non-serious and administrative breaches respectively. Expanded investigations and new inquiry powers are also proposed for the Information Commissioner (Proposal 21).

The report also proposes a direct right of action to the courts to permit individuals to apply for relief in relation to an interference with privacy (Proposal 26.1), as well as implementing a statutory tort for serious invasions of privacy (Proposal 27.1).

Proposed amendments to the Notifiable Data Breaches Scheme would require APP entities to notify data breaches no later than 72 hours after the entity becomes aware of the breach (Proposal 28.1) and enable the Attorney-General to permit the sharing of information to appropriate entities to reduce the risk of harm in the event of an eligible data breach (Proposal 28.4).

Text of the report is available at: Privacy Act Review Report | Attorney-General's Department (ag.gov.au)