2023 Privacy Act Review Report

The highly-anticipated report of the Attorney-General’s Department’s review of the Privacy Act 1988 (Cth) has finally landed. Two years in the making, the Report has put forward 116 proposals that, if implemented, will be the most dramatic change to the Australian privacy and data protection landscape since the introduction of the APPs.

We have broken down the key themes and issues in the existing legislation, and some of the key reforms proposed by the Report.

38 Proposals ‘agreed

Additional guidance to be provided by OAIC such as the reasonable steps to secure and dispose personal information, publishing practice-specific guidance for
new technologies and emerging privacy risks (e.g. facial recognition and biometric data), and updating guidance on capacity and consent to protect vulnerable individuals.
More transparency for automated decisions, including rights to request information about how these decisions are made.
Increased privacy protections for children and vulnerable individuals, including development of a Children’s Online Code.
Enhanced enforcement measures for the regulator and new penalty provisions for privacy interferences.
Additional powers for investigations related to civil penalty provisions.
New measures to allow ongoing effectiveness of OAIC.
Give power to the Information Commissioner to make an APP code.

68 Proposals ‘agreed in-principle’

A positive standard of fairness and reasonableness for the collection and use of personal information.
Obligations to appoint or designate a senior employee as having specific responsibility for privacy.
Privacy Impact Assessments required for high-risk activities such as facial recognition.
Broadening definition of personal information to include generated or inferred information (e.g. IP addresses).
Removal of small business exemption and employee records exemption.
72-hour notification requirement in relation to the NDB Scheme.
Requirement to record the purposes for the collection, use and disclosure of personal information.
Enhancements to the consent process, including ensuring consent should be “voluntary, informed, current, specific and unambiguous”.
Stricter requirements on what should be detailed in a privacy policy collection notice.
Expansion of individual rights to enhance transparency and control over their own data, including direct right of action and statutory tort for serious invasions of privacy.
Introduction of a mechanism to identify countries with substantially similar privacy laws.

10 Proposals ‘noted’

Increased protections for de-identified information.
Changes to the political exemption.
Individuals are provided unqualified right to opt-out of receiving targeted advertising.

What should organisations do?

38 agreed

Organisations should consider the ‘agreed’ reforms immediately in the context of their business to determine if further compliance uplift is required. These changes are more limited in nature, reflecting a measured and cautious approach in refreshing Australia’s privacy regime.

68 agreed in principle

There is appetite for longer term uplift to the Privacy Act, and organisations should be working towards compliance with these wider range of reforms using lessons learned from global best practices (e.g. GDPR). We believe many of these are simply good governance and be considered to manage organisational data risks.

10 noted

The Government acknowledges the importance of these proposals however will give further consideration to how these can be achieved. There may be privacy risks associated with targeted advertising and de-identified information that organisations should not overlook, as the Government adjusts its position with these proposals.

Key questions for Boards and Executives

Do we have a clear understanding of who is accountable for the organisation’s privacy management capability, and have we defined our risk appetite for privacy breaches?
Have we baselined our current capabilities and understood the gaps against increasing consumer, shareholder, regulatory, and supply chain expectations?
Does the board understand and support the uplift required to drive strategic uplift across privacy policies, processes, technology and people?
Do oversight and control mechanisms exist to monitor the effective implementation of privacy capabilities on an ongoing basis? Have we adopted risk reduction strategies such as data minimisation and retention?
Are we prepared to respond to a data breach, and have we tested our response readiness? Have we considered scenarios that can impact our highest risk personal information holdings?