In a digital world where personal data is constantly at risk, the Australian government has announced its intention to push forward with significant reforms to the Privacy Act in Parliament’s spring sessions. These reforms aim to enhance Australia’s privacy framework and protect personal information from emerging threats.
To help you navigate these changes, we’ve put together a comprehensive guide. This first instalment covers the Privacy Act’s essentials, key components and what’s changing.
What is Australia’s Privacy Act?
The Privacy Act 1988 is the fundamental legislation governing how organisations in the Commonwealth of Australia handle, manage and protect personal information. The Act primarily safeguards individuals’ privacy rights while enabling businesses and government agencies to use information for legitimate purposes within a regulated framework.
What does the Privacy Act cover?
The Privacy Act is built upon several key components that define organisations’ responsibilities when handling personal information:
- Australian Privacy Principles (APPs) – 13 principles form the core of Australia’s privacy framework and cover the collection, use and disclosure of personal information. They ensure data quality and security, promote openness and transparency, and give individuals access and correction rights.
- Coverage – The Act applies to a broad range of entities, including most Australian government agencies, private sector companies and not-for-profit organisations with an annual turnover of more than AUD 3 million. It also applies to some small businesses and private health service providers.
- Information Commissioner – The Act establishes the Australian Information Commissioner, who oversees the enforcement of privacy standards and handles complaints related to the misuse of personal information.
- Credit reporting – Specific rules regulate the handling of personal credit information, ensuring credit providers and reporting bodies adhere to strict standards when collecting, using and disclosing credit-related information.
- Tax File Numbers – Stringent rules govern the use and security of Tax File Numbers to prevent identity theft and misuse.
- Privacy Codes of Practice – The Act allows for the development of legally binding codes of practice tailored to industries, thereby enhancing sector-specific privacy practices and compliance.
- Complaints and investigations – Individuals have the right to lodge complaints about how their personal information is handled. The Office of the Australian Information Commissioner (OAIC) investigates and resolves them.
- Civil penalties – The Act includes provisions for civil penalties in cases of significant privacy breaches or repeated non-compliance.
- Exemptions – Certain exemptions exist within the Act, such as those for small businesses with an annual turnover below AUD 3 million, political acts and practices, and specific activities conducted by media organisations.
These components create a comprehensive privacy framework, ensuring organisations handle personal information responsibly and transparently.
What are the consequences of non-compliance?
Failing to comply with the Privacy Act can lead to severe consequences. The OAIC may conduct investigations and enforce corrective measures, which could include mandates for compliance, payment of damages or implementation of practices to prevent future breaches.
Individuals found in breach could face penalties of up to AUD 2.5 million. Companies might incur fines of up to AUD 50 million, 3 times the benefit obtained from the breach, or 30% of adjusted turnover during the period of the breach.
Why is the Privacy Act being reformed?
Data breaches and cybersecurity risks are escalating in Australia, so the government wants to reassess privacy laws in the context of the evolving threat landscape.
It aims to strengthen the privacy framework to keep pace with these evolutions and protect public interests in the digital age.
What’s changing in the Privacy Act?
In 2022, the Attorney-General’s Department conducted a comprehensive review of the Privacy Act, resulting in the Privacy Act Review Report. This report proposed 116 changes to modernise the Act and ensure its continued effectiveness. The government has agreed to implement 21 of the proposals, notably:
- Transparency on automated decision making – Organisations must now include detailed information in their privacy policies about how personal data is used in automated decision-making processes. They must also explain how these decisions are made.
- Enhancements to the notifiable data breaches scheme – New provisions allow the Attorney-General to authorise information sharing with relevant entities to mitigate harm caused by data breaches.
- Simplified penalties – The criteria for imposing penalties for privacy breaches have been relaxed. Breaches no longer need to be repeated, making it easier to impose fines for single serious breaches.
- Stronger enforcement – The courts now have expanded authority to issue appropriate orders following a confirmed privacy breach (alongside enhanced OAIC powers).
- Children’s privacy protection – A new Children’s Online Privacy Code will be introduced to protect the privacy of children using internet services.
- Guidelines for new technologies – The OAIC will develop guidelines to address privacy threats posed by new and emerging technologies.
- Protection for vulnerable groups – New guidelines will identify vulnerable groups at higher risk of harm from data misuse and establish best practices for obtaining their consent.
- Enhanced information security guidelines – The OAIC will expand guidelines on information security, detailing what constitutes ‘reasonable’ measures for securing, destroying or de-identifying personal information.
Although the government decided not to implement the report’s other 95 proposals at this stage, the 21 changes represent a significant shift towards enhancing privacy protections and adapting to modern digital challenges.
How should organisations prepare for compliance?
To prepare for the upcoming changes and ensure compliance with the reformed Privacy Act, organisations should:
- Maintain clear and updated privacy policies
- Collect only necessary personal information directly from individuals, where possible
- Inform individuals about the collection of their information and the purposes behind it
- Use or disclose personal information only for primary purposes or with explicit consent
- Obtain consent for direct marketing activities and provide clear opt-out options
- Ensure overseas recipients handle information in compliance with the APPs
- Take reasonable steps to keep personal information secure, accurate and up to date
- Assess and, within 30 days, report any data breaches that may cause serious harm
With the proposed reforms on the horizon, you also need to stay informed and be proactive:
- Regularly review and update your privacy practices to align with the new requirements
- Conduct privacy impact assessments
- Train staff on the importance of data protection
- Consider seeking expert advice to navigate the complexities of the updated legislation
In our next blog post, we’ll delve deeper into practical strategies for preparing for upcoming Privacy Act reforms. Stay tuned!