Upcoming Australian Privacy Act changes
5 mins reading time
Australia’s Federal Privacy Act 1988 (Cth) (Privacy Act) was first introduced in 1988, with the aim of promoting and protecting the privacy of individuals in their dealings with government agencies. Since 2001, the Privacy Act has also applied to the personal information of individuals held by private sector business enterprises.
A key feature of the Privacy Act is its Privacy “Principles”, which set out basic guidance for businesses on how personal information is to be collected, held, stored, used, disclosed and destroyed.
With the continuing evolution of technology, cross-border business and consumer awareness and expectation, the Privacy Act has undergone significant reform in recent years, detailed below, but there’s still more to come.
Review of the Privacy Act
From 2021 to 2023, Australia’s Federal Attorney-General’s Department undertook a review of the Privacy Act, releasing a report of its findings in February 2023. The Privacy Act Review Report recommended 166 reforms, with a view to strengthening business privacy practices, giving individuals more robust rights and control over their personal information.
In late 2023, the Government released and consulted publicly on its response to the Privacy Act Review Report. Of the 166 recommendations, the Government has already agreed with 38 of the proposals.
What are the proposed changes?
Some of the key changes businesses should expect are:
- More stringent and specific requirements for the content of Privacy Policies, Privacy Notification Statements and requests for individual consent;
- More robust and more specific data security, retention and destruction obligations (especially in the wake of the Optus, Medibank and Latitude data breach incidents);
- Disclosure obligations related to automated decision-making technologies;
- A more rigorous framework for transfer of personal information to overseas recipients;
- Changes to direct marketing permissions;
- Reduction of the data breach reporting timeframe (down from the current 30 days, to just 72 hours like under the EU GDPR);
- Greater individual rights in relation to their personal information (including a limited right for deletion / erasure, and a direct right-of-action for interferences with privacy; and
- An even wider range of powers and penalties available to the Privacy Commissioner.
The Government has also committed to further consult on the impacts of potentially removing the current Privacy Act exemptions for:
- Small businesses (ie, under $3M annual turnover); and
- The treatment of employee records.
What’s the impact?
After many years of arguably sitting in the wings, privacy and data protection is now starting to take the centre-stage spotlight.
In anticipation of legislation implementing the Government’s agreed privacy reforms, businesses should take proactive measures, including the following:
- Spend time auditing and mapping your business’ privacy and data protection compliance – all too often, businesses do not spend enough time or resources in understanding their data flows, the type (and extent) of personal information actually held, and the risks to the business;
- Review existing privacy policies, documents and procedures – to ensure alignment with the current laws before the bar is raised even further; and
- Familiarise yourself with your business’ current framework for obtaining consent from individuals (and keeping it current).
MK can assist
Whilst the proposed changes are still exactly just that – proposals, not yet in law – it pays for businesses to start thinking now about the potential reforms, the impacts they will have on business, and the changes that will be required to the business’ policies, documentation, internal processes and staff knowledge.
For further detail on the proposed changes, or for advice and assistance on all aspects of your business’ current and future privacy and data protection compliance measures, contact our expert Trade team at Macpherson Kelley.
more
insights
stay up to date with our news & insights
Upcoming Australian Privacy Act changes
Australia’s Federal Privacy Act 1988 (Cth) (Privacy Act) was first introduced in 1988, with the aim of promoting and protecting the privacy of individuals in their dealings with government agencies. Since 2001, the Privacy Act has also applied to the personal information of individuals held by private sector business enterprises.
A key feature of the Privacy Act is its Privacy “Principles”, which set out basic guidance for businesses on how personal information is to be collected, held, stored, used, disclosed and destroyed.
With the continuing evolution of technology, cross-border business and consumer awareness and expectation, the Privacy Act has undergone significant reform in recent years, detailed below, but there’s still more to come.
Review of the Privacy Act
From 2021 to 2023, Australia’s Federal Attorney-General’s Department undertook a review of the Privacy Act, releasing a report of its findings in February 2023. The Privacy Act Review Report recommended 166 reforms, with a view to strengthening business privacy practices, giving individuals more robust rights and control over their personal information.
In late 2023, the Government released and consulted publicly on its response to the Privacy Act Review Report. Of the 166 recommendations, the Government has already agreed with 38 of the proposals.
What are the proposed changes?
Some of the key changes businesses should expect are:
- More stringent and specific requirements for the content of Privacy Policies, Privacy Notification Statements and requests for individual consent;
- More robust and more specific data security, retention and destruction obligations (especially in the wake of the Optus, Medibank and Latitude data breach incidents);
- Disclosure obligations related to automated decision-making technologies;
- A more rigorous framework for transfer of personal information to overseas recipients;
- Changes to direct marketing permissions;
- Reduction of the data breach reporting timeframe (down from the current 30 days, to just 72 hours like under the EU GDPR);
- Greater individual rights in relation to their personal information (including a limited right for deletion / erasure, and a direct right-of-action for interferences with privacy; and
- An even wider range of powers and penalties available to the Privacy Commissioner.
The Government has also committed to further consult on the impacts of potentially removing the current Privacy Act exemptions for:
- Small businesses (ie, under $3M annual turnover); and
- The treatment of employee records.
What’s the impact?
After many years of arguably sitting in the wings, privacy and data protection is now starting to take the centre-stage spotlight.
In anticipation of legislation implementing the Government’s agreed privacy reforms, businesses should take proactive measures, including the following:
- Spend time auditing and mapping your business’ privacy and data protection compliance – all too often, businesses do not spend enough time or resources in understanding their data flows, the type (and extent) of personal information actually held, and the risks to the business;
- Review existing privacy policies, documents and procedures – to ensure alignment with the current laws before the bar is raised even further; and
- Familiarise yourself with your business’ current framework for obtaining consent from individuals (and keeping it current).
MK can assist
Whilst the proposed changes are still exactly just that – proposals, not yet in law – it pays for businesses to start thinking now about the potential reforms, the impacts they will have on business, and the changes that will be required to the business’ policies, documentation, internal processes and staff knowledge.
For further detail on the proposed changes, or for advice and assistance on all aspects of your business’ current and future privacy and data protection compliance measures, contact our expert Trade team at Macpherson Kelley.