On 28 September, the government released its long-awaited response to the Privacy Act Review Report. This response follows the 2023-2030 Australian Cyber Security Strategy, which committed the government to uplifting privacy protections, to helping Australians be “secure” by 2030 and to addressing the 116 proposed reforms set out in the Privacy Act Review Report.
The reforms to the Privacy Act 1988 (the Act) are as important as ever, given the sharp rise in financial scams and fraudulent activity. However, the Attorney General’s response to the Privacy Act Review Report has taken a somewhat measured approach to reforms, with the response having agreed:
- to only 38 of the 116 proposed reforms as set out in the Privacy Act Review Report (8 of which are proposals for further consultation or consideration);
- “in-principle” to 68 of the 116 proposed reforms (with further consultation to follow); and
- to “note” 10 proposals (with a majority of these relating to legislative changes to the Privacy Act for political entities).
Key Reforms – What has been agreed?
The key proposed reforms that have been agreed by the government include:
- enhanced enforcement, with civil penalties and enhanced court powers to be introduced. We will see this enforcement uplift amend the serious interference with privacy provisions of the Act, to include events affecting sensitive information of larger groups and vulnerable persons (including failure to take proper steps to protect personal data);
- enhanced reporting processes for notifiable data breaches, with the Act to be amended to allow for information sharing between entities to reduce the risk of harm in the event of a data breach;
- the introduction of a privacy code for children. More immediately, the Act will be amended to classify anyone under 18 as a child and will provide that notices to children must be clear;
- an amendment to the Act to give the Information Commissioner enhanced powers to make the APP code;
- the introduction of an individual right to request information about substantially automated decisions, with high level indicators of the types of decisions to be included in the Act;
- the provision of guidance from OAIC as to vulnerable individuals, capacity, and consent;
- the amendment of the APP to provide for ‘reasonable steps’ to secure personal information and to destroy and de-identify personal information;
- a consultation process regarding the criminalisation of malicious re-identification of de-identified information where there is an intention to harm another or obtain an illegitimate benefit; and
- a consultation in relation to overseas data flows, to demonstrate the requirements of an ‘Australian Link’ to personal information.
What has been agreed “in principle”
Notably, the following items were “agreed in principle” only, with further consultation to follow in 2024:
- proposals to remove the small business exemption from the Act;
- amending the definition of consent to be voluntary, informed, current, specific and unambiguous, and expanding the current definition of personal information;
- requiring the collection, use and disclosure of personal information to be fair and reasonable;
- proposals to provide guidance to financial institutions as to identification options for vulnerable customers potentially experiencing financial abuse or with capacity issues; and
- amendments for a “Best Interest” duty to be owed to children regarding collection of their information.
2024: What to expect
Whilst the Federal Government has taken a very conservative approach to the overhaul of the privacy framework, it has committed to introducing legislative amendments to the Privacy Act in 2024. On this announcement, we should expect to see some draft legislative proposals out for consultation for those agreed reforms.
We can also expect any proposals agreed “in-principle” to be progressed through:
- targeted consultation to reach “in principle” agreement with key groups, which include small business, employers and employer representatives;
- Government engagement with entities in relation to implementation of agreement in principle;
- developed impact analysis, to determine potential compliance and economic costs for regulated entities versus consumer benefits; and
- advice to be progressed to Government in 2024.
Need to know more?
If you have questions, or require assistance, in relation to how the proposed reforms to the Privacy Act may impact your business, please contact the Financial Services & Advisory team at HWL Ebsworth.