The Privacy Act 1988 is the key Australian law that dictates how organisations can collect, manage, use, and disclose personal information as part of their operations. The importance of data and information in business continues to grow rapidly, while the risks of the improper use of data become only more painfully apparent. And so, the importance of this three-and-a-half-decade-old legislation is clear, as is the need to ensure it is fit for purpose.
As a result, earlier this year the Attorney-General released a report reviewing the Act and compiling an extensive list of proposed reforms. The 116 proposals suggest a wide range of changes relating to what information is covered by the Act, what organisations are required to follow the Act, what is expected of those organisations in respect of personal information, and how the Act is to be enforced.
While there are a considerable number of proposals of varying significance, there are some that are well worth being aware of:
Changes to Scope of the Privacy Act
1. Perhaps the most notable change proposed is the expansion of the organisations that are impacted by the Act. At present, the main type of organisation required to follow the Act is businesses with an annual turnover of at least $3 million (although smaller businesses may also be included, such as those that collect health information). The report proposes to remove any exemption based on turnover, but to do so gradually and with support and resources provided to small businesses.
The impact of this change is clear, as it would make the obligations under the Act (from preparing a privacy policy to correctly storing personal information) a universal requirement for all businesses. The need for small and medium-sized businesses to have access to resources to ensure their compliance will be critical.
2. Other proposals include tightening exemptions provided to registered political parties and journalists, as well as providing some protections to employee records which are otherwise largely outside the scope of the Act.
3. The definition of "collection" of personal information will be expanded to include information that has been inferred. For example, this would include information about a person that an algorithm has "guessed" based on other factors, such as certain items purchased or websites visited.
Changes to the obligations of organisations
4. Organisations known as "APP Entities" (being any entity that falls within the scope of the Act) are set to have expanded privacy obligations, including:
a. Requiring information collection notices to be clear, up-to-date, concise, and understandable;
b. Requiring the consent provided by individuals in respect of their information to be "voluntary, informed, current, specific, and unambiguous," and preventing the use of so-called "dark patterns," in which website design and technical language are employed to confuse users as to what they are agreeing to;
c. Requiring a "Privacy Impact Assessment" where an entity is involved in activity with a high privacy risk; and
d. Expressly requiring that APP entities appoint an individual who must oversee matters relating to privacy (e.g., a "Privacy Officer").
Increased privacy protection for individuals
5. It is proposed to provide individuals with new or stronger rights in respect of their information, including:
a. A right to request access to the personal information held by an organisation, as well as related information such as how the information was collected;
b. A right to object to the collection of data (with APP entities obliged to provide a written response to any such objection);
c. A right to request that their personal information be erased (or quarantined, where the information is required to be kept for law enforcement reasons);
d. A right to request corrections for publications; and
e. An unqualified right for individuals to opt out of their personal information being used or disclosed for direct marketing purposes.
Changes to the enforcement of the Privacy Act
6. Introducing a civil privacy tort, which would allow individuals to sue organisations for privacy-related infringements and seek compensation;
7. Introducing a Direct Right of Action for individuals to seek relief relating to privacy interference, with proposed remedies being any order the court sees fit, including compensation and "broad remedial powers to adequately address non-pecuniary losses."
8. New tiers of offences to provide enforcement options for lower-level infringements.
Being a review, the report gives no clear indication of which proposals will be made into law, or of the timeframe for any amendments. However, it is plainly evident that the scope of privacy and information regulation can only expand in the future, and these proposals recommended by the Attorney-General's Department provide a clear outline of what might be expected in this space in the near future.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.