Privacy Act Review Report proposes sweeping changes to privacy protections and extending privacy obligations to small businesses.

The Report and its objectives

The Commonwealth Government released this morning its report on the review of the Privacy Act which has been undertaken over the past two years.

The Privacy Act Review Report 2002 contains proposals for changes in relation to the following:

• what information personal information should be protected and by whom;
• the nature and extent of privacy protections required of organisations; and
• enforcement and rights of individuals to bring claims for breaches of privacy obligations.
  
  

The proposals set out in the Report have significant implications for organisations currently covered by the Privacy Act and for small businesses who would be covered by the Act for the first time. The Government is seeking feedback on the proposals in the Report with submissions due on 31 March 2023.

The objective of the proposed changes is to:

• strengthen the protection of personal information and the control individuals have over their information; and
• promote digital innovation and enhance Australia as a trusted trading partner through stronger privacy protections.
  
  

Key changes proposed

A number of the key proposals in the Report have been given impetus by recent high profile data breaches such as Medibank and Optus. Those incidents highlighted, amongst other things, the enormous amount of personal information which is collected and retained where there may not be any need or proper reason for doing so (and thus exposing the affected individuals to the risk of disclosure arising from cyber breaches and the criminal exploitation of their sensitive data).

Key proposals for change include:

• removal of the exemption for small businesses (with turnover below $3M per annum) so that those small businesses will be covered by the Act;
• the introduction of a new requirement that entities take “fair and reasonable” action in handling and protecting personal information;
• new specific additional protections for information concerning vulnerable people including children;
• a requirement that organisations undertake a Privacy Impact Assessment before taking any action which may significantly impact the privacy of individuals;
• requirements to minimise the amount of personal information collected and retained;
• the introduction of guidelines on what steps entities should take to destroy or de-identify information;
• a requirement to periodically review the period of time that information is retained;
• new rights of individuals to control their personal information such as in relation to requiring the erasure of information – in line with the European Union’s General Data Protection Regulation (GDPR);
• new provisions to enable entities to comply with overseas disclosure requirements.
  
  

With regard to enforcement the Report proposes a number of significant changes. These include:

• new penalties for breaches of the Act and additional powers of the Office of the Information Commissioner (OAIC) to investigate, hold public enquiries and make determinations;
• a new direct right for individuals to take legal action and remedies for breaches of the Act;
• the creation of a new enforceable right for protection against serious invasions of privacy.
  
  

Next steps

Given the extensive consultation that has already occurred with respect to these and other proposals, the timeframe for any submissions on the Report and the imperative for change highlighted by recent and continuing data breaches we can expect the reforms to be fast tracked and that businesses will need to adapt their data collection and retention policies and processes accordingly.

This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.