Privacy Act Review – Report released!

The Australian Government has released the Attorney-General’s Department’s review of the Privacy Act. The Report proposes reforms to:

  • strengthen the protection of personal information and the control individuals have over their information.

  • support digital innovation and enhance Australia’s reputation as a trusted trading partner.

In overview, the Report seeks to address three critical questions:

  • What information should be protected and who should protect it?

  • What privacy protections should apply?

  • How should breaches of privacy be enforced?

Key proposals for reform include:

What information should be protected and who should protect it?

  • clarifying what information should be protected under the Privacy Act.

  • regulating ‘targeting’ of individuals based on information which relates to them but that may not uniquely identify them.

  • enabling privacy codes to be made by the Information Commissioner.

  • ensuring risks to privacy resulting from the small business, employee records, political and journalism exemptions are addressed in a proportionate and practical way. The Report proposes that small businesses should be covered by the Privacy Act, but only after an impact analysis is undertaken regarding the removal of the current small business exemption.

What privacy protections should apply?

  • requiring entities to take appropriate responsibility for handling personal information fairly and reasonably. The Report proposes a new “fair and reasonable” test to underpin the activities of APP entities when handling personal information.

  • strengthening privacy protections for children and people experiencing vulnerability.

  • improving individuals’ control over their personal information, including through a right to seek erasure of personal information.

  • strengthening the requirement on entities to keep personal information secure and destroy or de-identify it when it is no longer needed. The Report proposes enhancements to the Notifiable Data Breach scheme (NDB scheme) so that, when a data breach occurs, quick action can be taken to minimise harm to affected individuals. It also proposes new data breach reporting obligations, including a requirement to notify the Information Commissioner within seventy-two hours of becoming aware of a data breach.

  • facilitating overseas transfers of personal information whilst ensuring that it is properly protected.

How should breaches of privacy be enforced?

  • equip the Regulator with more options to enforce privacy breaches.

  • enhance the Regulator’s ability to proactively identify and address privacy breaches.

  • provide the Courts with enhanced powers to make orders against entities that have breached their privacy obligations.

  • provide new pathways for individuals to seek redress in the Courts for privacy breaches, including through a new tort for serious invasions of privacy (as recommended by the Australian Law Reform Commission in its Serious Invasions of Privacy in the Digital Era Report (Report 123, 2014)).

  • improve how entities respond when a serious data breach occurs and simplify reporting processes for entities.

  • reduce regulatory complexity by seeking to harmonise key privacy laws with the States and Territories.

The Australian Government is seeking feedback regarding the 116 proposals, and submissions can be made by 31 March 2023.

Current privacy and cybersecurity protections in Australia are complex, and the proposed reforms, if implemented, will require effective consideration, training, monitoring and reporting. Professional assistance to address these questions and to provide expert training is available and should be sought, as appropriate.

Dr Nigel Wilson is an Australian lawyer and privacy and cybersecurity specialist with nearly thirty years’ experience. He is the author of the international, award-winning Teaching Professionals and is also a professional workplace trainer and educator for corporations, legal practices, governments, critical infrastructures and national judicial colleges on law, cybersecurity, privacy, regulation, governance, technology, insurance and risk.

 

Dr Nigel Wilson, Australis Chambers

 

LLB (Hons), BEc, BCL Oxford, Cybersecurity Harvard, PhD

 

wilson@australischambers.com         www.australischambers.com             0413 807 585

 

Liability limited by a scheme approved under the Professional Standards Legislation