On 28 September 2023, the Federal Government released its formal response (Response) to the Privacy Act Review Report published in February this year. The Response “agrees” or “agrees in principle” with the vast majority of the 116 proposals made in the Privacy Act Review Report. This is significant as the sheer volume of proposals generated around 500 submissions by businesses, industry groups and academics to the Privacy Act Review Report, representing a broad range of stakeholder views.
In the Response, the government is sending businesses a clear message: although the legislation to implement these changes has not yet been drafted, it can be expected in the near future.
This matters because many of the changes will affect how organisations structure themselves and how their existing IT systems and information management channels are organised. Businesses should use the lead time to review and update their systems.
The Federal Government’s position on the full list of proposals is set out in the Response (see page 23, Attachment A). While some changes primarily strengthen individuals’ rights under the Privacy Act, the key issues for business are the following.
The requirement that the collection, use and disclosure of personal information be fair and reasonable in all the circumstances is a new test, and a higher bar than has applied in the past. While this proposal is only “agreed in principle”, meaning that consultation will take place before draft legislation is issued, it gives organisations a sound basis on which to review their existing practices now and, if necessary, uplift them.
One of the issues not dealt with in the Response is the funding of the regulator, the Office of the Australian Information Commissioner (OAIC). It is generally recognised that the OAIC is currently underfunded and will require significant funds to complete the additional work contemplated by the Privacy Act Review and the government’s Response. Any additional funding for the OAIC would likely be dealt with in the next Federal Budget or the mid-year economic forecast.
Some of the agreed proposals give the OAIC greater enforcement powers. For example, the government has agreed to introduce tiers of civil penalty provisions to allow for more agile implementation of sanctions. This will include the introduction of ‘speeding ticket’ infringement notices, similar to those used by other regulators, as well as strengthening the definition of ‘serious interferences with privacy’ in the Privacy Act.
Accordingly, businesses will face higher standards and, subject to appropriate funding of the OAIC, will also face increased risk of enforcement action.
There are also changes to the Data Breach Scheme to require quicker notification, in line with the General Data Protection Regulation (GDPR), which requires notification to the supervisory authority within 72 hours of becoming aware of a breach, and to allow entities to stagger their notifications to individuals as information becomes available.
While the Report flags other significant changes, prudent businesses could begin implementing a range of system measures now to minimise the cost of system uplifts when the new changes are legislated.
If you would like to talk about how your business might start preparing for these changes, please get in touch with one of our team members below.
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.