In December 2019, the Attorney-General announced that it would conduct a review of the Privacy Act 1988 (Cth) (Act) with a view to modernisation and strengthening of privacy principles.
The review commenced in October 2020 and after reforms to the Act in December 2022 which served as an initial response to several high-profile data breaches, the Privacy Act Review Report 2022 (Report) was released on 16 February 2023.
The Report contains 116 proposals for privacy law reform. Among these, it recommends:
- clarifying the definition of “personal information” and broadening it to include any information that “relates to” an individual as well as including a list of information which may be personal information to assist APP entities in identifying which information will meet the definition;
- removing or narrowing several of the exemptions under the Act, including the exemption for employee records held by organisations and the small business exemption;
- reviewing the definition of consent under the Act and amending it to provide that consent must be “voluntary, informed, current, specific, and unambiguous”;
- amending the Act to require that the collection, use and disclosure of personal information be fair and reasonable in the circumstances;
- introducing a requirement that APP entities appoint a senior employee responsible for privacy within the entity;
- affording greater rights to individuals to access their personal information, including the source of the information, and explanations as to what the information has been used for;
- implementing a right of erasure for individuals;
- adding tiers to civil penalty provisions to allow for better targeted regulatory responses;
- introducing a mandatory 72-hour reporting timeframe for eligible data breaches under the Notifiable Data Breaches scheme;
- introducing a direct right of action which would permit individuals whose privacy has been interfered with to apply directly to the courts for relief; and
- introducing a statutory tort for serious invasions of privacy.
What happens next?
The Government is now seeking public feedback on the Report. This consultation period closes on 31 March 2023, after which the Government will commence reviewing the feedback and provide a response to the Report. It is clear that the Government intends to proceed with broad and comprehensive privacy law reform in the near future. We will keep you updated through our monthly Cyber Security and Privacy Bulletin.
What do you need to do?
Although the above proposals are not law yet, it is likely they will be soon. Before the amendments come into effect, you need to ensure:
- your organisation’s privacy policy and data governance policy comply with the new privacy laws;
- your organisation has a detailed cyber security incident response plan, which reflects the new notifiable data breach scheme; and
- your organisation has appointed a privacy officer and has clearly defined the scope of this role by reference to the new privacy laws.
Page Seager is able to assist you with all of the above. We are also available to provide advice and deliver educational sessions to your employees, executives and directors to ensure everyone at your organisation understands and is familiar with the new privacy laws, including:
- the definition of personal information and consent under the Act;
- how to determine whether the collection, use and disclosure of personal information is fair and reasonable in the circumstances;
- the right of erasure;
- the exemptions available under the Act; and
- the penalties for non-compliance under the Act.
More information
If you have any queries or would like further information about this article, please contact:
Sarah Standen
Lawyer
T: (03) 6235 5147
E: sstanden@pageseager.com.au
Luke Phillips
Lawyer
T: (03) 6235 5184
E: lphillips@pageseager.com.au
Kathryn Speed
Principal
M: 0408 446 013
E: kspeed@pageseager.com.au
Published: 23 February 2023
