Privacy Act Review Report

There is uncertainty about what information should be protected in accordance with the Privacy Act. Privacy risks arise out of a broad range of information relating to individuals as a result of digital technologies.

Current exemptions from the Act require recalibration to address contemporary privacy risks and meet current community expectations. Greater flexibility in the Privacy Act would enable it to respond to a broader range of circumstances, including emergency situations.

The proposals would:

• recognise the public interest to society of protecting individuals’ privacy
• clarify what information should be protected under the Privacy Act
• ensure de-identified information is protected from misuse
• require risks associated with holding and using information relating to individuals to be considered and protections applied accordingly
• regulate ‘targeting’ of individuals based on information which relates to them but that may not uniquely identify them
• enable privacy codes to be made by the Information Commissioner in certain circumstances
• ensure risks to privacy resulting from the small business, employee records, political and journalism exemptions are addressed in a proportionate and practical way.

Entities should take appropriate responsibility for ensuring that their information handling practices are fair and not harmful. There should be greater protections for personal information before it is used in ways which have high privacy risks. Individuals need more transparency about what is being done with their information and more control over what happens with it.

The proposals would:

• improve the quality of information available to individuals about how their information is collected and used to ensure individuals make informed and genuine choices
• require entities to take appropriate responsibility for handling personal information fairly and reasonably
• require entities to identify and mitigate risks before engaging in high privacy risk practices
• strengthen privacy protections for children and people experiencing vulnerability
• improve individuals’ control over their personal information, including through a right to seek erasure of personal information
• give individuals more transparency and control over direct marketing, targeting and sale of their personal information
• strengthen the requirement on entities to keep personal information secure and destroy or de-identify it when it is no longer needed
• facilitate overseas transfers of personal information whilst ensuring that it is properly protected.

Enforcement of privacy obligations needs to be strengthened. Individuals have limited ways to take action when their privacy has been breached, including for serious invasions of privacy not covered by the Privacy Act.

The Notifiable Data Breaches scheme should be strengthened and streamlined with other mandatory reporting schemes. Entities would benefit from reduced regulatory complexity between different privacy frameworks.

The proposals would:

• equip the Regulator with more options to enforce privacy breaches
• enhance the Regulator’s ability to proactively identify and address privacy breaches
• provide the Courts with enhanced powers to make orders against entities that have breached their privacy obligations
• provide new pathways for individuals to seek redress in the Courts for privacy breaches, including through a new tort for serious invasions of privacy
• improve how entities respond when a serious data breach occurs and simplify reporting processes for entities
• reduce regulatory complexity by working with states and territories to harmonise key aspects of privacy laws