What the Federal Government's Response to the Privacy Act Review Report could mean for your practice

Key takeaways

  • Most proposals recommended in the Privacy Act Review Report (Review) received favourable treatment in the Government's Response.
  • The Government has agreed to implement mid- and low-tier civil penalties for privacy infringements which do not constitute a serious breach of the Act.
  • The Australian Securities and Investments Commission (ASIC) has indicated its intention to pursue company directors who fail to properly discharge their duties to manage their company's cyber risks.
  • Health practices should review their practice's privacy protections and procedures to ensure they are not vulnerable to penalties under the Act.

Background

On 28 September 2023, the Federal Government released its response (Response) to the Review, which we reported on here. Although the Response is favourable to most of the proposals, the Government has so far committed to implementing only a limited number of the proposals set out in the Review. However, it has agreed in principle with the majority of the proposals, which may be implemented pending consultation with relevant industry members.

Below, we provide an analysis of key proposals that have been either agreed to or agreed in principle. These proposals are likely to affect how healthcare practices operate. In light of the Federal Government's responses, we recommend that health practices review their privacy policies and data protection controls to ensure they are meeting their obligations under the Privacy Act 1998 (Cth) (Act) and consider whether their current infrastructure would be compliant with the requirements proposed for implementation in the Response.

Agreed Proposals

Introduction of low- and mid-tier civil penalty provisions

The Response agreed to introduce low-tier and mid-tier civil penalty provisions for breaches of the Act which do not constitute a 'serious' interference with the privacy of an individual, and to grant the Office of the Australian Information Commissioner (OAIC) the power to issue low-level infringement notices which can be paid without the infringing entity making any admission of guilt. Currently, the Court may award a civil penalty only for serious or repeated breaches of the Act. This will likely see an increase in the OAIC's investigation and enforcement activities. Given the high number of recent data breaches in the health industry, health practices should review their current privacy practices to ensure they are compliant with the Act and have structures in place to mitigate the risk of any breaches of the Act.

Stronger investigative powers for the OAIC

The Response agreed to grant the OAIC further powers to investigate possible data breaches, including the right to enter premises, seize evidence, operate electronic devices, and make copies of documents. Given the recent public attention to privacy, this will likely see the OAIC take a stronger approach to investigating and enforcing the Act. Health practices should be vigilant in their handling of patient data, particularly considering the new civil penalty provisions discussed above.

Proposals Agreed-in-Principle

Expanded definition of 'personal information'

The Response agreed in principle to the proposed expanded definition of 'personal information' to include information which is sufficient to distinguish an individual from others, even if it does not specifically identify the relevant individual. For example, if a health practice uses unique identifiers such as persistent (stored) cookies or device fingerprinting to track website views, the collected data could be classified as 'personal information' and therefore be subject to the Australian Privacy Principles (APPs) even if the user's IP address or other identifying information is not collected.

Removal of employee records exemption

The Response agreed in principle to remove the exemption of private-sector employee records from the scope of the APPs. The Response indicated that, prior to implementing this change, further consultation will be required to assess how workplace relations laws which currently regulate employee privacy will interact with the Act. If implemented, this proposal would require health practices to comply with the APPs with respect to any personal information collected about their employees in the course of their employment.

Privacy Impact Assessments for high-risk privacy activities

The Response agreed in principle to the proposal to extend the requirement to undertake a privacy impact assessment (PIA) for a high-risk privacy activity to private entities. Currently, only government agencies are required to undertake PIAs under the Privacy (Australian Government Agencies – Governance) APP Code 2017 (Code), each time they perform a project or activity which the agency reasonably believes to pose a high privacy risk. Although 'high risk' is not currently defined in the Code or the Act, the OAIC currently advises agencies to treat projects which involve the transfer of sensitive information between agencies as 'high risk'. If the amended legislation adopted a similar position, health practices would likely be captured by this proposal and would be required to perform PIAs before transferring any patient information, as all information collected to provide, or in the course of providing, a health service is currently considered 'sensitive information' under the Act.

Direct right of action and statutory tort for breaches of the Act

It was agreed in principle that individuals should be granted a direct right of action, and a statutory tort for serious invasions of privacy. Both proposals aim to increase the scope for enforcement and remedies for breaches of individuals' privacy. The direct right of action would increase the avenues available to individuals who suffer damage as a result of a breach of the Act by enabling them to commence proceedings against the breaching APP entity. Currently, only the OAIC has the ability to monitor, investigate, and enforce suspected breaches of the Act, with no scope for an individual to seek a remedy themselves.

The proposed statutory tort would also grant additional standing for individuals to pursue breaches of privacy which would otherwise fall outside the scope of the Act. This remedy would be made available for serious intrusions into seclusion or for serious misuses of private information where the individual has a reasonable expectation of privacy. The implementation of these proposals is likely to significantly increase health practices' risk profiles in relation to their collection, use and disclosure of personal information.

What does this mean for your practice?

As no legislative amendments have been tabled, the specific details of how each of the above proposals will be implemented are not yet clear. However, the Response's favourable treatment of most of the proposals reflects the Government's intention to crack down on privacy compliance. In addition, the ASIC chairman recently announced that ASIC would be looking to increase its enforcement activity against directors with respect to infringements of individuals' privacy and is looking for the 'right case' in which a company's board of directors may have breached their directors' duties by failing to take reasonable steps to prevent breaches of the Act.

In light of these increased risks, and with the reforms to the Act imminent, practices should take the opportunity to ensure that they have (so far as possible) reviewed their data collection processes and have appropriate risk mitigation strategies in place to prevent any potential data breaches.

For a privacy assessment or for expert advice on Australian Privacy legislation, contact Avant Law for a consultation with a member of our Commercial & Corporate team.

We can help you

If you have any questions, or would like more information about how we can assist your practice, please call 1800 867 113, or to organise a confidential discussion at a time that suits you, please click here.

About the Author

Anthony Ha is a Senior Associate in Avant Law's Commercial and Corporate law practice, based in Sydney. Anthony has over seven years' experience advising clients in both the private and public sectors on all aspects of commercial and corporate law. His practice includes privacy, regulatory enforcement, governance, and risk and compliance matters. Before joining Avant Law, Anthony held the role of senior legal counsel in a major ASX-listed health company, whose operations covered medical and dental centres, allied health, pathology, diagnostic imaging, assisted reproductive technologies, day surgeries and hospitals. He has also worked as a senior lawyer within one of New South Wales's largest primary and secondary education providers.

Matthew Brooks is a Paralegal who works with the employment and workplace, commercial and corporate, property and estate planning teams. Matthew is in his fifth year of studying a Bachelor of Commerce – Professional Accounting with a Bachelor of Laws at Macquarie University. Prior to joining Avant Law in 2022, Matthew worked in the service industry for six years, during which time he developed a passion for problem solving and client satisfaction.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.