The Australian Government has released its response to the Privacy Act Review Report released in February 2023.
Of the 116 proposals in the Privacy Act Review Report, the Government response agrees to 38 proposals, agrees in-principle to 68 proposals and notes 10 proposals.
The Attorney General’s Department will now prepare a Bill and engage in further consultation.
The Government is committed to introducing legislation to Parliament in 2024.
Reforming Australia’s privacy framework will complement other reforms being progressed by the Government, including the 2023-2030 Australian Cyber Security Strategy, Digital ID, the National Strategy for Identity Resilience, and Supporting Responsible AI in Australia.
Agreed reforms
The Proposals agreed to include:
- Proposal 3.1 Amend the objects of the Act to clarify that the Act is about the protection of personal information;
- Proposal 4.7 Consult on introducing a criminal offence for malicious re-identification of de-identified information where there is an intention to harm another or obtain an illegitimate benefit, with appropriate exceptions;
- Proposal 9.1 To benefit from the journalism exemption a media organisation must be subject to:
(a) privacy standards overseen by a recognised oversight body (the ACMA, APC or IMC), or
(b) standards that adequately deal with privacy;
- Proposal 13.2 Consider how enhanced risk assessment requirements for facial recognition technology and other uses of biometric information may be adopted;
- Proposal 17.1 Introduce, in OAIC guidance, a non-exhaustive list of factors that indicate when an individual may be experiencing vulnerability and at higher risk of harm from interferences with their personal information;
- Proposal 17.2 OAIC guidance on capacity and consent should be updated to reflect developments in supported decision-making;
- Proposal 19.1 Privacy policies should set out the types of personal information that will be used in substantially automated decisions which have a legal or similarly significant effect on an individual’s rights;
- Proposal 21.1 Amend APP 11.1 (security obligation) to state that ‘reasonable steps’ include technical and organisational measures;
- Proposal 25.1 Create tiers of civil penalty provisions to allow for better targeted regulatory responses:
(a) Introduce a new mid-tier civil penalty provision to cover interferences with privacy without a ‘serious’ element, excluding the new low-level civil penalty provision.
(b) Introduce a new low-level civil penalty provision for specific administrative breaches of the Act and APPs with attached infringement notice powers for the Information Commissioner with set penalties;
- Proposal 25.2 Clarify that a ‘serious’ interference with privacy may include:
(a) those involving ‘sensitive information’ or other information of a sensitive nature
(b) those adversely affecting large groups of individuals
(c) those impacting people experiencing vulnerability
(d) repeated breaches
(e) wilful misconduct, and
(f) serious failures to take proper steps to protect personal data.
Proposals Agreed in-principle
The Proposals agreed in-principle include:
- Proposal 6.1 Remove the small business exemption, but only after an impact analysis has been undertaken to better understand the impact removal of the small business exemption will have on small business;
- Proposal 6.2 In the short term:
(a) prescribe the collection of biometric information for use in facial recognition technology as an exception to the small business exemption, and
(b) remove the exemption from the Act for small businesses that obtain consent to trade in personal information;
- Proposal 7.1 Enhanced privacy protections should be extended to private sector employees, with the aim of:
(a) providing enhanced transparency to employees regarding what their personal and sensitive information is being collected and used for
(b) ensuring that employers have adequate flexibility to collect, use and disclose employees’ information that is reasonably necessary to administer the employment relationship, including addressing the appropriate scope of any individual rights and the issue of whether consent should be required to collect employees’ sensitive information
(c) ensuring that employees’ personal information is protected from misuse, loss or unauthorised access and is destroyed when it is no longer required, and
(d) notifying employees and the Information Commissioner of any data breach involving employees’ personal information which is likely to result in serious harm.
- Proposal 15.2 Expressly require that APP entities appoint or designate a senior employee responsible for privacy within the entity. This may be an existing member of staff of the APP entity who also undertakes other duties.
- Proposal 26.1 Amend the Act to allow for a direct right of action in order to permit individuals to apply to the courts for relief in relation to an interference with privacy.
- Proposal 27.1 Introduce a statutory tort for serious invasions of privacy in the form recommended by the ALRC in Report 123. Consult with the states and territories on implementation to ensure a consistent national approach.
Author: David Jacobson
Principal, Bright Corporate Law