ARTICLE
26 October 2023

Privacy law changes – now is the time to prepare

HR
Holding Redlich

Contributor

Holding Redlich, a national commercial law firm with offices in Melbourne, Canberra, Sydney, Brisbane, and Cairns, delivers tailored solutions with expert legal thinking and industry knowledge, prioritizing client partnerships.
Businesses should begin to implement a range of system measures, before the privacy law changes are legislated.
Australia Privacy

On 28 September 2023, the Federal Government released its formal response (Response) to the Privacy Act Review Report published in February this year. The Response "agrees" or "agrees in principle" with the vast majority of the 116 proposals made in the Privacy Act Review Report. This is significant as the sheer volume of proposals generated around 500 submissions by businesses, industry groups and academics to the Privacy Act Review Report, representing a broad range of stakeholder views.

The government in the Response is sending a clear message to businesses that while the legislation to implement these changes is not yet drafted, we can expect it to happen in the near future.

This is important as many of the changes will affect the way organisations structure themselves and the way existing IT systems and information management channels are organised within businesses. Businesses should embrace the lead time to change and update systems.

What are the changes?

The Federal Government's position on the full list of proposals is set out in the Response (see page 23, Attachment A). While some changes primarily strengthen individuals' rights under the Privacy Act , the key issues for business are around:

  • the extension of the definition of 'personal information'
  • the strengthening of obligations around policies, collection notices
  • introducing a requirement for processing of personal information to be "fair and reasonable".

The requirement that the collection, use and disclosure of information should be fair and reasonable in all of the circumstances is a new test and a higher bar than has applied in the past. While it is "agreed in principle" – and as such will take some time to engage in consultation prior to issuing draft legislation – it creates a sound basis on which organisations should review their existing practices and if necessary, uplift them.

Improved enforcement powers for the OAIC

One of the issues not dealt with in the Response is the funding of the regulator, the Office of the Australian Information Commissioner (OAIC). It is generally recognised that the OAIC is currently underfunded and will require significant funds to complete the additional work contemplated by the Privacy Act Review and the government's Response. Any additional funding for the OAIC would likely be dealt with in the next Federal Budget or the mid-year economic forecast.

Some of the agreed proposals give the OAIC greater enforcement powers. For example, the government has agreed to introduce tiers of civil penalty provisions to allow for more agile implementation of sanctions. This will include the introduction of 'speeding ticket' infringement notices, similar to those used by other regulators, as well as strengthening the definition of 'serious interferences with privacy' in the Privacy Act.

Accordingly, businesses will face higher standards and, subject to appropriate funding of the OAIC, will also face increased risk of enforcement action.

Changes to the Data Breach Scheme

There are also changes to the Data Breach Scheme to require quicker notice in line with the General Data Protection Regulation (GDPR) and to allow entities to stagger their notifications to individuals as information becomes available.

Next steps

While the Report flags other significant changes, prudent businesses could begin implementing a range of system measures now to minimise the cost of system uplifts when the new changes are legislated.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More