On 16 February 2023, the Attorney-General's Department published the Privacy Act Review: Report 2022 (Report). Refer to our previous legal insight for more information about the Report.
The Attorney-General's Department sought public feedback on the Report following its publication, with a deadline of 31 March 2023. We are now waiting with keen anticipation for the Australian government's response to the Report and the likely introduction of legislation to significantly amend the Privacy Act.
A number of the proposals in the Report raised significant and complex policy changes that would strengthen and broaden the reach of Commonwealth privacy laws in Australia. Three significant areas for reform canvassed by the Report are outlined below.
Removal of small business and employee records exemptions (Proposals 6.1 and 7.1)
The Report proposed the removal of the "employee records" and "small business" exemptions, which have been a feature of the Privacy Act since the introduction of the National Privacy Principles in 2001.
If adopted, removal of the small business exemption would be a significant change, requiring businesses with an annual turnover of less than $3 million to introduce or uplift their privacy compliance program so as to comply with the Privacy Act. Removal of the employee records exemption would require employers to handle employee records in accordance with the Privacy Act.
Mandatory privacy impact assessments (Proposal 13.1)
The Report also proposed that all APP entities be required to complete a privacy impact assessment (PIA) prior to undertaking a "high privacy risk activity". The Report noted a "high privacy risk activity" could be defined as any function or activity that is likely to have a significant impact on the privacy of individuals. This test would align with the circumstances in which a PIA must be completed under the Australian Government Agencies Code.
Protection of de-identified information (Proposals 4.5, 4.6, 4.7 and 4.8)
Significantly, the Report contained a number of proposals aimed at protecting de-identified information and criminalising the malicious re-identification of de-identified information.
The protection of de-identified information is currently outside the scope of the Privacy Act. Bringing de-identified information within the scope of the Privacy Act, as proposed, would require APP entities to comply with APP 8 and APP 11.1 when handling de-identified information by:
- taking reasonable steps to protect de-identified information (APP 11.1); and
- ensuring overseas entities do not re-identify disclosed de-identified information or further disclose information in such a way as to undermine the effectiveness of the de-identification (APP 8).
The future of privacy law in Australia
The privacy reform pendulum is swinging towards more privacy regulation in Australia to better align with global privacy and data protection standards. While this may impose a greater regulatory burden on organisations, it may also help organisations to streamline compliance activities if Australian privacy laws move towards harmonisation with global standards, in particular the General Data Protection Regulation (GDPR).
The matrix of domestic and international privacy and data protection laws is complex, and we consider that any attempt to align the Privacy Act with other global standards would be a welcome development.