Privacy Act Review Report Released Today: Feedback on the proposed reforms sought by 31 March
The Privacy Act Review Report finalised by the Attorney-General’s Department and provided to the AG last year has today been released and is available here.
Feedback is now being sought by 31 March 2023 on the 116 proposals contained in the report, to inform the Government’s response.
IAB will digest the 320-page report and provide further information and analysis here; however, very briefly, the key recommended reforms include:
Changes to the definition of ‘personal information’ and de-identification
- Amendments to the definition of ‘personal information’ so it is clear that technical and inferred information is included, but the information must still ‘relate to a reasonably identifiable individual’. What amounts to a person being ‘reasonably identifiable’ is to be set out in a non-exhaustive list of circumstances.
- Amend the definition of ‘de-identified’ to make clear that de-identification is a process, informed by best available practice.
- Introduce a prohibition on APP entities re-identifying de-identified information obtained from third parties.
- Remove the small business exemption and make amendments to include additional protections in relation to the other exemptions.
Consent related obligations on organisations
- Amend the definition of consent so that it must be ‘voluntary, informed, current, specific and unambiguous’.
- Introduce a new requirement that all collections, uses and disclosures of personal information must be ‘fair and reasonable’ in the circumstances.
- New express requirement for collection notices to be clear, up-to-date, concise and understandable, with some new matters required to be included.
- Recognise the collection, use, disclosure and storage of precise geolocation data as a practice which requires consent.
- Introduce a new requirement to conduct a Privacy Impact Assessment for activities with high privacy risks.
- Require organisations to determine and record the purposes for which an organisation collects, uses and discloses personal information.
Children
- Include additional protections for children, including introduction of a Children’s Online Privacy Code that applies to online services ‘likely to be accessed by children’.
- ‘Child’ to be defined as persons under 18 years of age.
New rights for individuals
- New rights for individuals to:
  - access their personal information;
  - object to the collection, use and disclosure of personal information;
  - erase their personal information; and
  - de-index online search results containing personal information.
- These rights will be subject to exceptions for: competing public interests, relationships with a legal character, and technical exceptions, for example where it would be technically impossible or unreasonable for the organisation to comply.
- Requirement for privacy policies to set out the types of personal information that will be used in substantially automated decisions which will have a significant effect on an individual’s rights.
Direct marketing, targeting, trading of PI
- New definitions for direct marketing, targeting and trading of personal information and new unqualified rights for individuals to opt-out of direct marketing and targeted advertising.
- Consent will be required to be obtained for trading personal information.
- Direct marketing to a child; targeted advertising to children and trading of personal information of a child to be prohibited.
- Targeting based on sensitive information to be prohibited except “for socially beneficial content”. Targeted advertising will be subject to the fair and reasonable requirement.
- Organisations will be required to provide information about targeting, including the use of algorithms and profiling to recommend content to individuals.
Retention/destruction of personal information
- The requirement on entities to only collect personal information that is ‘reasonably necessary’ and to destroy personal information when it is no longer required is to be reinforced and supplemented by OAIC guidelines, which will set out the reasonable steps that need to be taken.
- Organisations to establish their own maximum and minimum retention periods taking into account the type, sensitivity and purpose of that information as well as the organisation’s needs and any other legal obligations to retain information which apply.
Other changes
- Introduce concepts of ‘controllers’ and ‘processors’ into the Act.
- New tiers of civil penalty provisions to allow for better targeted regulatory responses.
- Direct right of action to enable individuals to seek remedies in the courts for breaches of the Act which cause harm.
- A federal statutory tort for serious invasions of privacy, as put forward by the ALRC.
- New data breach reporting obligations including notification to the Information Commissioner within 72 hours.
- Additional protections in relation to companies disclosing personal information overseas – obligations to ensure similar protections are in place in those jurisdictions.