On 28 September 2008, the Federal Government published its formal response (Response) to the Privacy Act Review Report, which was published in February of this year. The Response “agrees” or “agrees in principle” with the vast majority of the 116 proposals made in the Privacy Act Review Report. This is significant as the sheer volume of proposals generated around 500 submissions from businesses, industry groups and academics to the Privacy Act Review Report, representing a wide range of stakeholder views.
The Government’s response sends a clear message to businesses that while the legislation to implement these changes has not yet been drafted, we can expect it in the near future.
This is important as many of the changes will affect the way organisations are structured and the way existing IT systems and information management channels are organised within businesses. Organisations should be prepared for the lead time required to change and update systems.
What are the changes?
The Government’s position on the full list of proposals is set out in the Response (see page 23, Annex A). While some of the changes primarily strengthen the rights of individuals under the Privacy Act, the key issues for business are:
- broadening the definition of ‘personal information’;
- strengthening the obligations around policies, collection notices; and
- the introduction of a requirement for the processing of personal information to be ‘fair and reasonable’.
The requirement that the collection, use and disclosure of information should be fair and reasonable in all the circumstances is a new test and a higher bar than previously applied. While it is “agreed in principle” – and as such will take some time to consult on before draft legislation is issued – it provides a sound basis on which organisations should review their existing practices and improve them where necessary.
Improved enforcement powers for the OAIC
One of the issues not addressed in the response is the funding of the regulator, the Office of the Australian Information Commissioner (OAIC). It is widely recognised that the OAIC is currently underfunded and will require significant resources to undertake the additional work envisaged by the Privacy Act Review and the Government’s Response. Any additional funding for the OAIC would likely be addressed in the next Federal Budget or in the mid-year economic forecast.
Some of the agreed proposals give the OAIC greater enforcement powers. For example, the Government has agreed to introduce a tiered system of civil penalties to allow for more flexible application of sanctions. This will include the introduction of ‘speeding ticket’ notices of non-compliance, similar to those used by other regulators, and a tightening of the definition of ‘serious interference with privacy’ in the Privacy Act.
As a result, businesses will be held to a higher standard and, subject to adequate funding for the OAIC, will face an increased risk of enforcement action.
Changes to the Data Breach Scheme
There are also changes to the Data Breach Scheme to require faster notification in line with the General Data Protection Regulation (GDPR), and to allow businesses to stagger their notifications to individuals as information becomes available.
Next steps
While the report highlights other significant changes, prudent businesses could start implementing a number of systems measures now to minimise the cost of system upgrades when the new changes are enacted into law.
If you would like to discuss how your business can begin to prepare for these changes, please contact one of our team members below.
Disclaimer
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we cannot guarantee that the information in this article is accurate at the time of publication or that it will continue to be accurate in the future.