The Attorney General’s Department released its Privacy Act Review report on 16 February 2023, that includes the broad suite of reforms you would expect to bring Australia’s privacy laws in to line with both international standards and the reality of our data-based economy. These include enhanced data subject rights and increased accountability requirements for organisations collecting and processing Australians’ personal information, as well as the introduction of a right of direct action for individuals and a new tort of serious invasion of privacy.
These recommendations, if implemented, will significantly change the impact of privacy laws on Australian companies and individuals. In a move reflecting the complexity and importance of the review on the Australian economy as a whole, the Commonwealth Government has opened the report to consultation, requesting feedback from stakeholders by 31 March 2023. Interested parties should review the report and its recommendations, analyse the impact on their business operations and consider whether to make submissions to the government.
In this article, we highlight four proposals in the report that Australian companies should consider reviewing immediately to understand the impact on their operations, in addition to the more headline grabbing proposals. We believe that some of these less attention grabbing proposals will have a greater impact on the day-to-day operations of Australian companies and warrant closer inspection.
The report positively endorses the adoption of the concepts of data controller (the entity that determines the nature, type and purposes of collecting and processing personal information) and data processor (entities that process data on the basis of instructions from controllers). The difficulty in introducing those concepts while certain exemptions remain is recognised but interim measures are proposed to bridge the gap.
Processor obligations would include transparency (APP 1), Security (APP 11) and the Notifiable Data Breach scheme (NDB scheme) and, importantly, a contract would be required between the controller and processor governing the processing service. While many businesses already put contracts in place, it is likely that specific requirements will be prescribed by the reforms to ensure that the parties are aware of their respective obligations and to ensure that individuals’ rights are preserved.
For many organisations across Australia that utilise the services of small businesses in their data processing activities, it is likely that additional contracts and contractual requirements may need to be introduced, or existing contracts amended, to comply with this proposal. For those entities that will be processors, they will need to implement the appropriate organisational controls to manage the security and NDB scheme obligations.
The report recognises the small business exemption as anomalous when compared with other mature jurisdictions. Further, it acknowledges the potential impact the exemption may be having on Australia’s ability to efficiently trade in digital assets and services. While acknowledging the historic reasoning for the exemption and assessing other options, the report ultimately concludes that the small business exemption should be removed.
This recommendation is caveated by the need to do so only after an impact analysis is completed to inform the development of an appropriate support package for small business, and guidance or a code developed to enable small businesses to comply with their obligations in a manner proportionate to the risk.
For organisations that deal with small businesses frequently, this may be cause for cautious optimism as small businesses are often characterised as a weak link in the chain when it comes to security of personal information. Combined with the introduction of the controller-processor concept, the removal of the small business exemption will likely be welcomed by the community generally, even if not by small business owners. The impact of these additional compliance obligations on the cost of doing business will need to be determined.
The removal or modification of the employee record exemption was, and remains, a highly contentious topic that divided stakeholders during the consultation, and this division is reflected in the report. While balancing the views of each side, the report concludes that there are legitimate concerns regarding the volume and nature of personal information being collected from employees and prospective employees, the limited transparency about what the information is being used for, how long it is being retained, and difficulties with consent in an employment relationship.
Consequently, the report concludes that enhanced privacy protections should be extended to private sector employees, to balance employee transparency and protection requirements while ensuring employers have adequate flexibility to collect and disclose information necessary to administer the employment relationship. In addition, the report recommends fixing an anomaly in respect of the NDB scheme where, currently, employers are sometimes not required to inform their employees about serious data breaches that have affected their employee records.
However, despite recognising the need for reform, the report recommends a round of further consultation to determine the most appropriate approach to implementing the reforms in legislation, particularly recognising the need to consider the impact on workplace relations laws. For all Australian businesses, these proposals, and the consultation as to how to implement them, will be critical.
The report recommends amending the definition of ‘consent’ to provide that it must be voluntary, informed, current, specific and unambiguous. This recommendation reflects the current guidance of the OAIC. Taking these each in turn:
In addition, the report recommends expressly recognising the ability to withdraw consent and to do so in as easy a manner as it was provided in the first instance, a standard already seen in many international privacy laws.
The impact of such a definition of consent on activities such as facial recognition technology in a security context does not appear to have been explicitly considered by the report. Organisations are encouraged to consider the impact of these enhanced consent requirements on data collection and processing activities where consent was previously inferred from behaviour, such as entering premises subject to a prominent notice that facial recognition and biometric scanning are being used for security purposes.
These are just some of the technical changes recommended by the report that will have a significant impact on Australian businesses. Our next article will consider another set that we see as equally important for clients to assess in the context of their business operations. As stated above, should any of these changes concern your organisation, the Commonwealth Government has opened a consultation on its response to the report with submissions needing to be made prior to 31 March 2023.
Publication
A Victorian parliamentary inquiry report published in August 2024 concerning workplace drug testing (the Report) contains key recommendations relating to medicinal cannabis for both the Victorian Government and WorkSafe Victoria.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023
