After many years of review it seems that amendments to the Privacy Act 1988 (Cth) (the Privacy Act) might be proposed later this year (2024) to better protect personal information.
To set the scene for where we are now, the Attorney-General’s Department published the Privacy Act Review Report in February 2023, which then underwent a public consultation process, culminating in the Government’s response to the Report being published in September 2023. Of the 118 recommendations, 38 were agreed to and legislative provisions have begun to be drafted. A further 68 recommendations were agreed to in-principle, meaning further consultation and analysis will be undertaken. A second round of targeted consultations occurred in February and March 2024. The targeted consultations focused on the small business privacy reforms, private sector employee privacy reforms and privacy reforms affecting journalism and research.
The most significant changes proposed by the Privacy Act Review Report that will impact businesses are detailed below.
The most significant and relevant change to the Privacy Act is the Government’s in-principle agreement to the removal of the small business exemption.[1] Currently, most businesses that have an annual turnover of $3 million or less in a financial year[2] are exempt, unless they fall into a non-exempt category such as being a health service provider, trading in personal information, or providing services under a Commonwealth contract.[3]
The Government estimates this proposal’s impact on businesses at approximately $300 upon startup, with ongoing costs of $400 each year.[4] Such costs include familiarisation with the Privacy Act, developing privacy plans, and staff training. Of course, if non-compliance with the Act occurs, the financial and reputational impact on a business would increase significantly. The Government will also provide for a variety of transitional arrangements to reduce the burden on small businesses, but businesses should start seeking advice on how the Privacy Act might apply to them.
The Government has also agreed in-principle to include the collection of biometric information and the trading of personal information (even with the customer’s consent) as categories where the small business exemption would not apply.[5]
Information about private sector employees is currently the subject of an exemption under the Privacy Act, as it was originally thought that employee privacy was best regulated under workplace relations laws. The Government agreed to consult about how employee records should be handled,[6] which suggests that the Government is unsatisfied with how the Privacy Act and employment law interact. The focus of the consultation was on providing enhanced transparency to employees about the purposes for which their personal and sensitive information is collected, used and disclosed, implying that businesses are not clear with their own employees about how their personal information is used.
It seems possible that the private sector employee exemption will be abolished, but whether or not this translates into additional obligations for small businesses is yet to be confirmed.
A wide variety of changes to the way an organisation’s privacy policies are designed and implemented have been agreed to by the Government.
One agreed change is the standardisation of layouts for privacy policies and collection notices, as well as the terminology used in such notices.[7] Minor changes have been proposed to the matters required to be listed in an APP 5 collection notice, such as the circumstances of the collection, use or disclosure of personal information if it is for a high privacy risk activity, how the consumer may exercise their rights, and the types of personal information that may be disclosed to overseas recipients. Entities will also be required to determine and record the primary purpose for the collection, use, and disclosure of personal information at the time of collection, and similarly for any secondary purpose at the time of use or disclosure.[8]
Organisations subject to the Privacy Act will need to establish their own retention periods, taking into account the nature of the personal information and the organisation’s needs, to be reviewed periodically.[9] The Government has also agreed in-principle to a proposal that would require a senior employee to be designated as the employee responsible for privacy within the entity.[10]
Such changes will result in businesses needing to review and update their privacy policies, especially regarding information retention, but many of the changes are designed to simplify the system[11] and codify pre-existing practices. It is unclear how an ‘employee responsible for privacy’ might be qualified, although it is likely that part of their responsibilities will be to track data flows to ensure compliance with the legislation.
The Government has agreed that if personal information is used as part of automated decision-making, more onerous requirements may be placed on businesses. These would require them to disclose the types of data gathered and to be transparent regarding the use of that data in making a decision.[12]
On a similar theme, online privacy settings will be required to reflect privacy by default, and any privacy settings must be clear and easily accessible.[13] Any consent to collect, use, or disclose information must be voluntary, informed, current, specific, unambiguous,[14] and withdrawable.[15] The Information Commissioner may provide guidance as to how these changes could be enacted by businesses,[16] but now is a good time to review your website and prepare for such changes ahead of time. Businesses proactively taking a ‘privacy by default’ approach now may benefit from goodwill in addition to future-proofing their website.
The Government has agreed in-principle to a proposed requirement that the collection, use or disclosure of information be fair and reasonable in the circumstances.[17] That we do not already have such a test may come as a surprise. The current privacy regime allows individuals to self-manage their privacy based on an expectation that they “engage and comprehend” the privacy policies of the organisations they interact with. The Government now concedes that this is a somewhat optimistic presumption. The proposed requirement acknowledges that what is fair and reasonable in any given transaction depends on the surrounding context. As such, it ostensibly aims to accommodate the business models of data-driven enterprises while requiring those businesses to consider the impact of data collection on users.
The Government has also agreed in-principle to a list of factors which would be considered when assessing whether the handling of data was fair and reasonable in the circumstances.[18] The test will likely appear in the final legislation, albeit in a slightly altered form. The Government seems to be relying on OAIC guidance and enforcement, as well as judicial decisions, to ‘map the contours’ of the fair and reasonable test over time.
The extent to which the new test will require businesses to revise their due diligence is yet to be seen, although it can be assumed that different modalities of data handling will come with their own duties to consumers. For example, the Government has agreed in-principle to a requirement that individuals not be targeted for advertising unless it is fair and reasonable in the circumstances, and that targeted advertising cannot select individuals on the basis of their political opinions, associations or membership.[19]
Entities holding personal information are currently required to take ‘reasonable steps’ to protect that information. The Government has agreed that the term ‘reasonable steps’ should be amended to include technical and organisational measures. It has also agreed that the OAIC should provide more information on what steps an entity needs to take to secure, destroy and/or de-identify personal information. The goal here will be to encourage better practices regarding the security of personal information.
Given a number of recent high-profile data breaches, it is little surprise that the Government has agreed in-principle to a series of proposals requiring more transparency when personal information is compromised.
After a notifiable data breach occurs, entities will be required to provide a comprehensive statement to the Information Commissioner no later than 72 hours after the entity becomes aware of the incident, and also to notify the individuals to whom the information relates as soon as practicable.[20] Businesses should not only look to have robust information security practices, but also have appropriate response procedures to comply with disclosure requirements. This will ensure that they satisfy the ‘reasonable steps’ requirement to respond to data breaches.[21]
The Government has also agreed in-principle to the strengthening of individual rights under the new Privacy Act. Entities must provide individuals with a right to access and an explanation about their personal information upon request,[22] as well as the rights to erase, correct, or object to further collection of their information,[23] and a similar right would exist in regard to direct marketing as well.[24] Exceptions to these rights may be granted if a competing public interest or law exists.[25] Furthermore, entities must notify individuals about their rights, provide them reasonable assistance in exercising their rights, and respond to such an exercise reasonably.[26] This will likely require substantial action from businesses to ensure that adequate policies and processes are implemented in response to these requirements, and that sufficient staffing and training exist to respond to individuals exercising their rights.
The reforms will introduce a broader suite of enforcement powers. New mid and low-tier civil penalty provisions will be introduced to target specific offences with increased frequency.[27] Section 13G of the Act will be amended to clarify the scope of a ‘serious interference with privacy’.[28] The Information Commissioner will receive additional powers to investigate and prosecute civil penalty provisions, while certain courts will be empowered to make orders with respect to breaches of those same provisions.[29] APP entities being investigated by the Commissioner may soon be required to proactively identify, mitigate and redress actual or reasonably foreseeable loss of injured parties, with the OAIC to publish guidelines on how best to achieve this.[30] Nevertheless, we advise any organisation that routinely handles personal information to familiarise themselves with these new enforcement provisions early so as to adopt the appropriate compliance procedures.
Other proposals have sought to bring ‘new’ kinds of data under the Privacy Act. The Government has agreed in-principle that the definition of ‘sensitive information’ should be amended to include genomic (or genetic) information.[31] As a part of this change, the Government is also considering a definition which acknowledges that sensitive information can be derived from otherwise ‘non-sensitive’ data. Another proposal which has received a tentative ‘in-principle’ agreement is a requirement that consent be obtained before geolocation tracking data is collected and that geolocation tracking be reclassified as sensitive information.[32] The extent to which these proposals will survive the bill drafting process will probably depend on whether the OAIC can be expected to effect the same outcomes through the publishing of more detailed guidance.
The Government will also consider special privacy protections for ‘vulnerable groups’. In many ways, these proposals seek to bring Australia up to speed with other countries. For example, the Government has agreed to emulate the UK’s ‘Age Appropriate Design Code’, which applies to online services that are ‘likely to be accessed by children’. The code is relatively new, but it requires settings to be ‘high privacy’ by default, with only the minimum amount of personal data collected and retained; children’s data should not usually be shared, and geolocation services should be switched off by default.
As part of the overarching approach to protect children, an entity might be required to assess whether an individual under the age of 18 has the capacity to consent to their privacy terms. If that is not practicable, as we imagine will often be the case, an entity may assume that anyone over the age of 15 has the capacity to consent.[33] This is part of a slew of proposals that aim to ensure that ‘consent to terms and conditions’ represents a genuine comprehension of the types and modality of information being disclosed. In the context of children, that means presenting collection notices and privacy policies in a way that they will understand.[34] It is possible that the Government will further require that entities only disclose, use or collect data from children where it is fair and reasonable in the circumstances and, if this is the case, the relevant circumstances will almost certainly include age as a factor.[35]
It is also worth noting the proposals that seek tighter regulation of direct marketing, targeting and profile trading. The Government has agreed in-principle that these terms should be defined, that entities undertake additional disclosure in relation to these activities and that individuals should be armed with a greater right to opt-out.[36] A blanket prohibition of direct marketing, targeting or trading using children’s personal information is also being considered, with the vague carve-out that the prohibition be lifted where ‘in a child’s best interests’.[37]
With all of these proposals, whilst no immediate action need be taken, businesses would do well to prepare for upcoming changes to the legislation to ensure compliance with the Privacy Act and reduce their risk of exposure to breaches.
If you have any queries or require further advice, please get in touch with the Business & Commercial team on 02 6274 0999 to discuss further.
Katie would like to acknowledge Jack Andrighetto for his assistance in writing this article.
[1] Proposal 6.1
[2] Section 6D(1) of the Privacy Act
[3] Section 6D(4) of the Privacy Act
[4] Privacy Act Review Report, p.61
[5] Proposal 6.2
[6] Proposal 7.1
[7] Proposal 10.3
[8] Proposal 15.1
[9] Proposal 21.7-21.8
[10] Proposal 15.2
[11] Privacy Act Review Report, p.100
[12] Proposals 19.1-19.3
[13] Proposal 11.4
[14] Proposal 11.1
[15] Proposal 11.3
[16] Proposal 11.2
[17] Proposal 12.1
[18] Proposal 12.2
[19] Proposal 20.8
[20] Proposal 28.2
[21] Proposal 28.2
[22] Proposal 18.1
[23] Proposals 18.1-18.4
[24] Proposal 20.1
[25] Proposal 18.6
[26] Proposals 18.7-18.10
[27] Proposal 25.1
[28] Proposal 25.2
[29] Proposals 25.3, 25.4, 25.6
[30] Proposal 25.5
[31] Proposal 4.9
[32] Proposal 4.10
[33] Proposal 16.2
[34] Proposal 16.3
[35] Proposal 16.4
[36] Proposals 20.1, 20.2, 20.3, 20.9
[37] Proposal 20.7