Key steps in preparing for the amendments to the Australia Privacy Act

With the Attorney-General’s announcement that draft legislation to amend the Privacy Act 1988 (Cth) will be taken to Parliament in August this year, Australian organizations must focus on improving their data governance processes.

Organizations need to understand what they have, so they can comply with the proposed changes, which include new individual rights to access and delete data, data minimization, and a fair and reasonable test for collecting and using data.

The Privacy Act Review Report, released by the Australian Attorney-General in February 2023, is the result of multiple years of consultation and a comprehensive evaluation of Australia's Privacy Act.  The goal of the review is to align Australia with global privacy standards, such as those set by the EU's General Data Protection Regulation (GDPR), the UK, Brazil, and Japan.

If implemented, these changes would mark the most significant shift in Australia's privacy landscape since the introduction of the Australian Privacy Principles (APPs) in 2014. While we wait for the outcome, the best way to prepare is to focus on data governance processes, with a privacy-first mindset.

🎧LISTEN: FILED Podcast Civic Data director Chris Brinkworth on how privacy by design is key for preparing for privacy reform

‍

‍

‍

Key reforms proposed

While the Report included 116 recommendations, this analysis will focus on changes that have been agreed to — or agreed to in principle— by the government and are relevant to your data governance practices.

Expanded definition of personal information  

The current definition—criticized for its vagueness—requires that information be “about” an individual, and that the individual is easily identified or reasonably identifiable natural person.

The proposal is to change the definition to any information that “relates” to an individual, and provides a non-exhaustive list of examples, including name, date of birth, or address, location data, all the way through to inferred information, including predictions of behavior or preferences.

Most organizations lack a complete picture of the data they hold, across all their data sources, so these proposals may be worrying. A comprehensive data inventory will allow you to understand the data you hold relating to an individual, so you can protect it or follow other proposals in the Report.  

Remove exemption for private section employees

Currently, organizations are exempt from the Privacy Act for any act or practice directly related to their employment relationship with an individual, and employee records it holds relating to that individual. This reform would offer private-sector or employees more transparency as to what their information is being used for, but it would also add an extra burden on organizations to protect that information from misuse, loss, and unauthorized access. This means organizations will need to set minimum and maximum retention periods for this information and protect it the same way they would for customer information.

For some organizations, these are new concepts, as they may not hold personal information for customers, so they may not have established processes or tools. For such organizations, data management has now become a concern.

New rights for individuals: right to access, right to object, right to erasure

These proposed reforms are modelled on the GDPR. They include a right to access personal information held by an organization, the right to object to collection, use, or disclosure of personal information, and the right to erasure of personal information (in some jurisdictions, this is known as “the right to be forgotten.”)

To comply, organizations will again need to understand the data they possess by building a data inventory that encompasses all their data sources. When a customer requests access, amendment, or erasure of their data, they must be able to prove they can comply across their data estate.

Focus on data minimization as a protection mechanism

Here, the proposed reform involves organizations establishing their own minimum and maximum retention periods in relation to personal information, which must consider the sensitivity and purpose of the information, plus any legal obligations. These retention periods will need to be periodically reviewed.

Data minimization is a key element of strong data governance, and helps you to reduce risk, improve security, and lower costs. Learn more about why data minimization matters.

A fair and reasonable test

This is a new standard that would place the burden on organizations to justify their collection, use, and disclosure of personal information, replacing the status quo, where the burden is placed on users, who must read and understand lengthy and complex privacy notices.

More guidance on how businesses can meet their obligations

The proposed reform will involve the Office of the Australian Information Commissioner (OAIC) becoming more prescriptive, a major aspect of which may be a comprehensive review of all retention periods in federal legislation to ensure consistent requirements and clarity for complying organizations.  

This review will likely be a lengthy process and will involve disruption as industries adjust to these new requirements. The outcome will inevitably be less over-retention of data and enhanced data privacy.

More penalties for non-compliance

So, how would these new rules be enforced?

The Report proposes the introduction of multiple new enforcement methods that allow both the OAIC and individuals to bring actions in court against organizations and individuals that have breached privacy standards.

These penalties include:  

• A new criminal offence for malicious re-identification of de-identified information where there is an intention to harm another or obtain illegitimate benefits. Once information has been de-identified, you cannot re-identify that information. This practice is commonly used by hackers.
• New civil penalty provisions that cover interferences with privacy without a serious element, and a low-level penalty provision for administrative breaches of the Privacy Act.

The reforms also grant the Information Commissioner new powers to conduct investigations into civil penalty provision breaches: the power to search premises for evidence, make copies of information and documents, and seize material to assess if there has been a breach of the Privacy Act.

Individual action

Individuals will be empowered to seek remedies in court for interference with their privacy under the Privacy Act. These cases will be heard in the Federal Court, though they would first require a complaint to be lodged with the OAIC. The Federal Court will be entitled to decide the amount of damages awarded.

Civil tort

Finally, the proposed reforms would introduce a new statutory tort for invasion of privacy when the circumstances fall outside the Privacy Act. For example, an individual who had a private conversation recorded without their knowledge or consent. This acts as a catch-all for when an invasion of privacy is not expressly prohibited by the Privacy Act.

Taken together, these reforms will provide enhanced enforcement capabilities to bolster the Privacy Act. Meanwhile, the ability for individuals to bring actions in court, both for breaches of the Privacy Act or the statutory tort when invasions fall outside the Privacy Act, slightly eases the burden on the OAIC by sharing it with individuals.  

For organizations, this means that there is more of an incentive to have better information management, as they may face penalties for even low-level Privacy Act breaches.

Privacy impact assessments

Under this proposal, organizations will be required to undertake Privacy Impact Assessments for activities with high privacy risks. The OAIC will offer more guidance on what might constitute an activity with a high privacy risk.

Preparing for the reforms: understand what you have, remove what you don’t need

The above list of reforms is by no means exhaustive, yet complying with this list would require most organizations to overhaul their data governance practices. At the core of the response is to understand the data you have. Establishing a data inventory and classifying your data will allow you to make smarter decisions. You will be able to remove data you no longer need to keep, manage access to what remains, and ensure the truly sensitive data is protected.

These are things you should do now, even before the reforms become law.

If you don’t know how much sensitive data you possess, you are not alone. Through an analysis of millions of records, we found key trends that shed light on the rates of personal information that may be present in your own organization’s data estate. Our analysis showed that half of all records analyzed had some form of personally identifiable information (PII). For all organizations, understanding sensitive data is an urgent task they need to prioritize.

Discover a better platform

Understanding your data is a challenge no matter what industry you’re in. If you would like to investigate how RecordPoint can help, explore the platform now, or book a demo for a full walk-through.

‍