The Federal Government’s report on its review of the Privacy Act includes 116 proposed improvements to the law. This report is the result of an extensive privacy law review that began in 2020.
Give feedback on the report
The Government is now seeking feedback from the public as well as from public and private sector entities on the proposals.
You can give your feedback by completing the survey on the Attorney-General’s website. The deadline to give feedback is 31 March 2023.
Why are changes being proposed?
Our Privacy Act needs updating to keep up with advances in technology and to give people more control over their personal information.
Will more entities be covered by the Privacy Act?
If the proposed changes become law, it’s likely that more entities will need to comply with the Privacy Act.
At present, some entities don’t have to comply with the Privacy Act – for example, certain entities that have an annual turnover of less than $3 million. The removal of some of these exemptions is being considered.
In particular, it’s proposed that the exemption on small businesses ultimately be removed. And changes to certain exemptions that apply to the handling of employee records by an organisation are being contemplated.
Further extensive consultation is planned to support small businesses (and other entities currently subject to exemptions) before any exemptions are removed.
Will your organisation need to update its processes and policies?
If the proposed changes become law, your organisation will need to update its processes and policies for collecting, using, and storing personal information. While there will probably be a grace period before compliance is required, you may want to plan for the likely changes.
What are some of the proposed changes?
We have summarised some of the proposed changes to the Privacy Act below. For details of all the proposed changes, refer to the report on the Attorney-General’s website.
Expanded definition of personal information
If your organisation deals with ‘personal information’, it may have obligations under the Privacy Act.
To address confusion around what is ‘personal information’, the meaning of this term will be clarified. For example, it will be made clear that personal information includes technical and inferred information where it relates to a reasonably identifiable individual. Technical information includes IP addresses and device identifiers, while personal information could be inferred from an internet profile.
Because de-identified information can be re-identified, security protections for personal information that has been de-identified are also proposed.
Fair and reasonable test
An overarching new ‘fair and reasonable’ test is proposed to apply to entities covered by the Privacy Act when they handle personal information.
Things which may be considered in determining whether a collection, use or disclosure of personal information is fair and reasonable in the circumstances include:
- whether an individual would reasonably expect the personal information to be collected, used, or disclosed in the circumstances
- whether the collection, use or disclosure is reasonably necessary for the functions and activities of the organisation or is reasonably necessary or directly related for the functions and activities of the agency
- whether the impact on privacy is proportionate to the benefit
Additional protections are also proposed to apply where entities engage in high privacy risk practices, including for children and for people experiencing vulnerability. For example, the report proposes that all entities covered by the Privacy Act should conduct a Privacy Impact Assessment before starting an activity which is likely to have a significant impact on the privacy of individuals.
Collection notices and consent
The report contemplates improvements to the quality of privacy collection notices and consents obtained from individuals.
For example, an express requirement that collection notices be clear, up-to-date, concise, and understandable is proposed. Collection notices will also be required to include the following information:
- circumstances of the collection, use or disclosure (in certain circumstances)
- reference to the entity’s privacy policy that contains details on how an individual may exercise any applicable rights, and
- the types of personal information that may be disclosed to overseas recipients
Standardised templates and layouts for privacy policies and collection notices, as well as standardised terminology and icons, could be developed by relevant sectors, possibly with guidance from the Office of the Australian Information Commissioner.
It’s also proposed that :
- the definition of consent be amended to provide that consent must be voluntary, informed, current, specific, and unambiguous, and
- the ability to withdraw consent will need to be expressly recognised
Rights of individuals
It’s proposed that an entity covered by the Privacy Act will need to give individuals a right to access the personal information the entity holds about an individual, including information about:
- the source of the personal information the entity has collected indirectly, and
- an explanation of what the entity has done with the personal information
An organisation will be allowed to charge a ‘nominal fee’ for providing access and explanation if the organisation is responding to an individual’s request.
An individual will also have a general right to object to the collection, use or disclosure of personal information, and to erasure of any of their personal information.
Direct marketing, targeted advertising, and online content
The report considers potential harms arising from direct marketing, targeted advertising and online content and includes proposals to:
- give individuals an unqualified right to opt-out of their personal information being used or disclosed for direct marketing purposes
- give individuals an unqualified right to opt-out of receiving targeted advertising
- introduce a requirement that an individual’s consent must be obtained to trade their personal information.
- prohibit direct marketing to a child (unless the personal information used for direct marketing is collected directly from the child and the direct marketing is in the child’s best interests), targeting to a child (with an exception for targeting that is in the child’s best interests), and trading in the personal information of children
- require entities to provide information about targeting, including clear information about the use of algorithms and profiling to recommend content to individuals
For more information about privacy laws in Australia, see our privacy guide.
