Change is on the horizon for businesses and their approaches to privacy, with the Australian Federal Government responding to the Privacy Act Review Report on September 28, 2023.

38 out of the 116 proposals for improvement made in the report have been endorsed, signalling a commitment to increased privacy protections, transparency, and control of personal information.

What does this mean?

Prompted in part by the large-scale data breaches of 2022, the Privacy Act review proposed significant changes. These include introducing a positive obligation to handle personal information fairly and reasonably, enhancing the powers of the Office of the Australian Information Commissioner (OAIC), and removing certain exemptions to give individuals greater privacy protection.

The proposed changes aim to strengthen the protection and fairness of personal information handling by organisations.

While the legislation implementing these changes is yet to be drafted, businesses can prepare now, which should reduce the cost and disruption when the new legislation takes effect.

The reforms

The government has agreed upon key reforms, encompassing various aspects of privacy regulations. These reforms aim to address critical areas, ensuring robust protection of personal information and enhancing accountability.

Agreed-upon reforms:

  • Security and destruction of personal information:
    • Strengthening existing security and data destruction obligations, specifying that ‘reasonable steps’ include both technical and organisational measures.
    • The OAIC will provide additional guidance on reasonable steps, drawing on technical advice from the Australian Cyber Security Centre.
  • Automated decision-making:
    • Privacy policies will be required to outline the types of personal information used in substantially automated decisions with a significant impact on individuals’ rights.
  • Children’s privacy:
    • Introduction of a Children’s Online Privacy Code applicable to online services likely to be accessed by children.
    • Defining ‘child’ in the Privacy Act as an individual who has not reached 18 years of age.
  • Enforcement:
    • Introduction of tiers of civil penalty provisions, including a mid-tier provision for interferences with privacy that lack a ‘serious’ element and a low-level provision for administrative breaches.
    • Courts will have expanded powers to make whatever orders they consider appropriate once a contravention of a civil penalty provision relating to interference with privacy has been established.
    • The Commissioner gains authority to issue declarations requiring entities to identify, mitigate, and redress actual or foreseeable losses suffered by individuals.
    • Granting additional powers to the Information Commissioner for investigations, including the ability to conduct public inquiries and reviews on approval or direction by the Attorney-General.
  • APP codes:
    • Empowering the Commissioner to establish APP Codes for specific industries where an appropriate industry representative is unlikely to develop the code.
      • An APP code is a written code of practice about information privacy.

These reforms collectively represent a comprehensive effort to adapt privacy regulations to the evolving landscape, aiming to enhance the protection of personal information and uphold accountability principles in the digital era.

The government has also agreed ‘in principle’ to further reforms that require additional consideration before they are drafted. These include:

  • Removing the small business exemption:
    • The potential removal of the small business exemption is under consideration.
  • Extending privacy protections to private sector employees:
    • Expanding privacy protections to encompass private sector employees is on the agenda for further examination.
  • Amending the definition of consent:
    • The definition of consent is slated for adjustment, specifying that consent must be voluntary, informed, current, specific, and unambiguous.
  • Ensuring fair and reasonable handling of personal information:
    • Also under consideration is a requirement that the collection, use and disclosure of personal information be fair and reasonable, irrespective of whether consent has been obtained.

What do you need to do?

To prepare for the upcoming changes, businesses should familiarise themselves with the 38 proposals endorsed by the government, as these will be prioritised for drafting and implementation and form the foundation of the future privacy regime.

Crucially, existing privacy policies and procedures should be reviewed to identify areas that may need updating to comply with the proposed changes. This means assessing current practices around data collection, storage, access controls, consent mechanisms, and breach response. Equally important is ensuring that employees who handle personal information are privacy-aware; as the draft legislation is released, training on the specific new obligations can be rolled out to keep the workforce informed.

As a further risk mitigation step, businesses should conduct a data audit and establish or refresh a data retention regime. Given how common data breaches have become, organisations should minimise both the personal information they hold and how long they hold it: data that has been securely destroyed cannot be exposed in a breach, and the reforms above will strengthen the destruction obligation.

By taking these proactive steps, businesses can successfully navigate the evolving privacy regulations, not only avoiding potential legal issues but also building trust and confidence with customers by demonstrating a commitment to responsible data-handling practices.
