Government advances with Privacy Act changes

The long-awaited Federal Government response to the Privacy Act Review Report was published in late September. Here we outline what directors need to know.

The government response addresses all 116 proposals for reform of the Privacy Act 1988 (Privacy Act) outlined in the report, with the government agreeing, or agreeing in-principle, with 106 of the recommendations.

The AICD made an extensive submission on a number of the proposals in the report, available here.

What is the Government’s agenda for privacy reform?

The response outlines the government’s pathway for privacy reform with a focus on five key objectives:

• Bringing the Privacy Act into the digital age: Enhancing privacy protections, in respect of new applications such as in automated decision-making and artificial intelligence (AI)
• Uplifting protections: Aligning privacy protections with community expectations, including on the handling and mishandling of individuals’ information
• Increasing clarity and simplicity for entities and individuals: Improving clarity on how to protect individual’s privacy and improve alignment with other frameworks that include privacy protections
• Improving control and transparency for individuals over their personal information: Improving transparency related to the use of data in automated decision-making and developing avenues to seek redress for privacy breaches, including a direct right of action and a new statutory tort for serious invasions of privacy
• Strengthen enforcement: Increasing enforcement powers of the Office of the Australian Information Commissioner (OAIC)

The government has committed to ensure reforms to the Privacy Act will be complementary to other reforms underway, including the 2023-2030 Australian Cyber Security Strategy, Digital ID, the National Strategy for Identity Resilience and Supporting Responsible AI in Australia.

Understanding the government’s response

In its response, the government has “agreed” to 38 of the proposals, “agreed in-principle” to a further 68 proposals and “noted” the remaining 10 recommendations.

An understanding of these three-tiers of responses provides insight into the government’s approach to implementation. ‘Agree’ indicates the government’s commitment to implement the proposal, whilst an ‘agree-in-principle’ conveys acceptance of the underlying policy intent of the proposal but further work will be undertaken before the government proceeds to implementation.  Conversely, ‘notes’ is a non-committal response.

What are some implications directors should be aware of?

The first tranche of reforms that are likely to be developed and legislated are expected to predominately focus on the ‘agreed’ proposals, including:

• New obligations related to use of data in automated decision-making: A new requirement for regulated entities to update their privacy policies to improve transparency on what personal information will be used in ‘substantially automated decisions’ with legal effect on an individual’s rights, such as financial lending. Individuals will also have a right to request meaningful information on how automated decisions that have legal effect of their rights are made,
• Expansion of the OAIC’s enforcement powers: The OAIC will be assigned code-making powers related to the Australian Privacy Proposals (APPs), and
• Increased measures to increase clarity and guidance to businesses: The OAIC will develop a suite of guidance material in key areas, including what constitutes reasonable steps to keep personal information secure, identifying people experiencing vulnerabilities, capacity and consent and new technologies and emerging privacy risks.

Several of the ‘agreed in-principle’ proposals are more contested and are likely to be developed over a longer period. These include:

• Removal of the small business exemption: Removing the current exemption for most small businesses (less than $3 million in annual turnover),
• New direct right of action: Creating a direct right of action for individuals to seek compensation through the courts, where they have suffered loss or damage (extending to hurt feelings and humiliation) as a result of a serious breach of privacy,
• A new ‘fair and reasonable’ test for use of personal information: Introducing an overarching legal test for entities to consider in their collection, use and disclosure of personal information, and
• Statutory tort for privacy: Establishing a tort of privacy, enabling individuals to sue for serious invasions of privacy committed “intentionally and recklessly” in circumstances that fall outside the Privacy Act.

Suggestions for boards

In anticipation of the new privacy requirements, boards should familiarise themselves with the organisation’s existing approach to data collection, use and storage, as well as related policies and frameworks on privacy, cybersecurity, information technology, including cloud computing, and emerging technologies such as AI.

Key questions boards may want to consider in preparing for the proposed privacy changes include:

1. Does the organisation need a specific data and privacy strategy?
2. Do directors understand the current requirements of the Privacy Act (including the Notifiable Data Breaches scheme) and understand the proposed changes to privacy protection?
3. Does the board or the risk/audit committee regularly consider data and privacy risks and issues, including data breaches and privacy complaints?
4. Have suitable metrics been developed for the board to monitor and assess privacy compliance and performance by management and at the board level?
5. When was the last time the organisation carried out a data stocktake?

Organisations that proactively take action to uplift their data protection will be better placed to meet the proposed requirements.

What’s next for reforms to the Privacy Act?

It is anticipated that draft legislation will be developed in 2024 covering the less contentious reforms and these are unlikely to take effect until 2025, at the earliest.

Proposals which the government has deemed not yet ready to be implemented as indicated by an ‘agreed in-principle’ position are expected to be consulted over the longer term to ensure the additional privacy protections do not outweigh the costs on businesses.

The AICD will continue to engage and advocate on behalf of our membership on proposed reforms of concern including the removal of the small business exemption and introduction of a widely-cast direct right of action.

Any feedback on the proposals can be sent to policy@aicd.com.au