The government is in the process of conducting a review of Australia's national Privacy Act. The review is broad and to date has considered a wide range of issues. At the time of writing, the review is still in the process of identifying issues and accepting submissions on how to address such issues. A key contributor to the dialogue is the Office of the Australian Information Commissioner (OAIC). This article looks at some of the key changes expected as a result of the anticipated reforms to the Privacy Act in Australia. It will then consider how they may impact your business' privacy obligations.
Currently, the majority of Australian businesses are exempt from compliance with the Privacy Act because of the small business exemption. The small business exemption is a monetary threshold that exempts businesses with an annual turnover of $3 million or less from the Privacy Act. The issue with the exemption is that in the current data-driven world, many small businesses are collecting and handling a lot of personal data. Therefore, it does not make sense for individuals' privacy to be at risk simply because a small business is handling the data. This also does not align with similar jurisdictions, which do not have this exemption. For this reason, the OAIC has submitted that the exemption should be scrapped as one of many privacy reforms in Australia.
The Privacy Act also includes an exemption for employers handling employee records. This exemption reduces the burden on employers by exempting certain acts of theirs in dealing with employee information. The OAIC has suggested this exemption be removed. Businesses collect more employee information now than ever, due to things like GPS tracking of corporate vehicles and biometric scans for secure entry to workplaces. Furthermore, there has been an increase in the monitoring of employee health information, including as a result of COVID-19.
If the small business exemption is removed and you currently fall under the $3 million threshold, your privacy obligations will change. You will need to upgrade your privacy processes and policies. If your business is currently subject to the Privacy Act, then you may rely on the employee records exemption. The removal of this exemption will require that you reassess how you handle employee personal information. Indeed, you will likely be required to introduce new steps for collecting information in a compliant fashion.
What Are the Expected Reforms to the Notice and Consent Requirements?
Another of the privacy reforms being considered by the review in Australia is notice, in particular how and when businesses give notice under the Privacy Act. The OAIC is pushing for the use of a standardised form when notifying an individual about data collection.
There is also discussion about legislating the requirements for consent. These proposed changes would ensure it is clearer when consent is required. They would also define what amounts to true consent. For example, the review submits that the Privacy Act should define consent as a clear and affirmative act. Therefore, the act would define consent as informed, specific, voluntarily given and unambiguous.
The suggested changes to notice and consent are driven by a desire to give individuals more control of their personal information. These suggested changes will hopefully fulfil the aim of better aligning the Privacy Act with privacy laws in other jurisdictions.
Changes to notice and consent requirements will require an update of your privacy notices. You will also need to undertake a review of your current consents to ensure they are compliant.
What New Remedies Are on the Table?
Two major items form part of the review. These items are intended to update the remedies available where there is a breach of privacy under the Privacy Act. The first is an increase in the maximum fine. The second is a right for an individual to bring a direct action for breach of their privacy.
In March 2019, an increase in the maximum penalty was announced by the Digital Platforms Inquiry. The increase aims to provide a greater incentive for businesses to comply with the Privacy Act. Part of the review is considering whether the current balance between investigating and mediating complaints on the one hand and enforcement on the other is effective. If penalties are increased, your business faces increased risk. Therefore, you should reassess your risk profile for each activity or function in which your business handles personal information.
Currently, there is no right under the Privacy Act for a person to bring a direct action for breach of their privacy. Instead, they have to complain to the OAIC. It is then up to the OAIC to investigate and decide what steps are appropriate. Therefore, the review considers whether individuals should have direct access to courts to enforce their privacy. The review considers how to provide this right while curtailing the risk of ill-considered claims tying up the courts' resources. Introduction of a right to bring a direct action for a privacy breach would significantly impact the risk to your business in the event of a security incident or other incorrect handling of personal information. As a result, it would be prudent for your business to enhance its privacy policies and processes and run updated training for staff.
The current review of the Privacy Act in Australia is broad and is considering a range of reforms. Some of the key updates the review considers are scrapping exemptions to compliance with the Privacy Act, changes to the notice requirements, a better definition of consent, higher fines and a direct right for an individual to take your business to court for breaching their privacy.
Changes to the Privacy Act will impact your risk profile and, therefore, will require that you reassess your privacy policies, both internal and external, and processes. In updating such documentation, you should also run staff training to ensure they are also up to speed with the changes.