What Happened?
On the occasion of Privacy Awareness Week 2024, we thought it would be interesting to follow up on the 116 changes to the Privacy Act recommended in the Australian Attorney-General’s Privacy Act Review Report (initially published in February 2023) to see which proposals are being considered for reform.
On 28 September 2023, the Australian Government responded to the report. In its response, the Government has agreed to 38 proposals, agreed “in-principle” to 68 proposals and rejected 10 proposals.
The Government has not yet released any legislation for the agreed amendments. However, given the large number of proposals agreed “in-principle” and their impact on individuals and businesses, we wanted to raise some awareness of what could come for privacy in 2024.
116 Proposals to change the Privacy Act
The 116 proposed reforms put forward to the Australian Government fall under the following focus areas:
- Bringing the Privacy Act into the digital age: Broadening the scope of the legislation to a wider range of entities and personal information (PI) in order to recognise public interest in protecting privacy
- Uplifting protections: Increasing the accountability of entities handling PI and enhancing security requirements to keep data secure and to destroy data when it is no longer required
- Increasing clarity and simplicity for entities and individuals: Improving clarity on obligations for entities on how to protect an individual’s privacy
- Improving control and transparency for individuals over their PI: Promoting individuals to have greater control over their PI through enhanced notice and consent mechanisms
- Strengthening enforcement: Increasing the enforcement powers of the Office of the Australian Information Commissioner (OAIC), allowing for an expanded scope of Court orders in civil penalty proceedings and empowering individuals to directly make applications for relief to the Court
38 Proposals Agreed On
The main areas of the Privacy Act which the Government has agreed to amend, and which are relevant to organisations, are as follows:
Automated Decision Making
- Requiring that Privacy Policies identify the types of PI that will be used substantially in automated decisions, and which will have a significant effect on an individual’s rights
- Requiring the Privacy Act to include indicators on the types of automated decisions made which have a significant effect on an individual’s rights
- Granting a right to individuals to request meaningful information about how automated decisions are made
Security and Destruction of PI
- Strengthening existing security and data destruction obligations to clarify the ‘reasonable steps’ an entity is required to take to include both technical and organisational measures
- Enhancing the OAIC guidance for entities on the reasonable steps taken to better secure PI, as well as to destroy or de-identify PI
Children’s Privacy
- Introducing a Children’s Online Privacy Code applicable to online services that are likely to be accessed by children
Additional Protections
- Considering the use of risk assessments for high privacy risks relating to using facial recognition technology and other uses of biometric information
Enforcement
- Creating two tiers of civil penalty provisions to allow better regulatory responses:
- A mid-tier civil penalty to cover interferences with privacy without a ‘serious’ element
- A low-tier civil penalty for specific administrative breaches of the Privacy Act and Australian Privacy Principles (APPs)
68 Proposals Agreed In-Principle
The following proposed changes have been agreed in-principle, meaning they are subject to further consultation before any reform is made:
Organisational Accountability
- Requiring an APP entity to determine and record the purposes for which it will collect, use, and disclose PI at or before the time of collection
- Requiring an APP entity to appoint a senior employee responsible for privacy
Consent Requirements for Collection Notices
- Clarifying that consent provided by the individual to the entity must be voluntary, informed, current, specific, and unambiguous
Direct Marketing
- Providing individuals with an unqualified right to opt out of direct marketing that uses their PI
Small Business Exemption Removal
- Requiring businesses with an annual turnover under $3 million to strengthen their current privacy processes
Employee Records Exemption Removal
- Extending privacy protections to private sector employees, aiming to provide transparency on what their personal and sensitive information is being collected and used for
For more information on the Government’s response to the Privacy Act reforms, read its response report.
How can you proactively prepare for the new changes?
Here are some actions companies can take to prepare for possible Privacy Act reforms aimed at improving transparency, accountability, and security:
- Conduct a data mapping exercise to develop a comprehensive understanding of all PI collection and processing: identify what information you are collecting, how it is collected, and how it is stored, disclosed, and destroyed. This exercise should also cover whether PI is shared with overseas recipients.
- Undertake a Privacy Impact Assessment to better understand how privacy compliance is being managed via the APPs.
- Review what you classify as PI to be prepared for definition changes.
- Review where consent is required when collecting PI and align with the proposed changes once enforced.
- Disclose how individuals can exercise their privacy rights in your collection notice and Privacy Policy.
- Identify any high-risk privacy activities and disclose them in your privacy notices.
- Identify retention periods for all PI that is processed and ensure they are specific enough to align with future disclosure requirements. Additionally, ensure that the systems you have in place enforce those defined retention periods.
Sekuro provides an extensive range of compliance and privacy services. Reach out to our Governance Risk and Compliance (GRC) experts for help or questions about the Privacy Act changes.
Martin Hossain
Governance, Risk and Compliance Analyst, Sekuro