Privacy Act Review Report – in a nutshell

by | Mar 8, 2023 | Health Blog

In February 2023, the Commonwealth Attorney General released the long-awaited Privacy Act Review Report, outlining 116 proposed changes to our privacy laws. The main aim of the review was to ensure that Australia's privacy laws are fit for purpose in a rapidly evolving digital landscape. Some of the key proposals contained in the report are:
  1. Strengthening privacy rights: The report recommends the introduction of a new “right of erasure” which would allow individuals to request that their personal information be deleted in certain circumstances. This would align Australia’s privacy laws with those of the European Union, which has had a similar provision in place since 2018. The report also recommends strengthening individuals’ rights to access and correct their personal information.
  2. Increased enforcement powers: The report recommends that the Office of the Australian Information Commissioner (OAIC) be given stronger enforcement powers, including the ability to issue fines of up to $10 million for serious or repeated breaches of privacy. The OAIC would also be able to issue binding remedial orders, such as requiring an organisation to delete or correct personal information.
  3. New statutory tort of privacy: The report proposes a new statutory tort allowing individuals to seek redress in the courts for serious invasions of privacy that are intentional or reckless. It is proposed that the invasion of privacy need not cause actual damage and that damages may be claimed for emotional distress.
  4. Mandatory data breach notification: The report recommends that all organisations be required to notify individuals if their personal information is involved in a data breach that is likely to result in harm. Currently, only organisations covered by the Privacy Act’s mandatory data breach notification scheme are required to do so.
  5. Simplifying privacy policies: The report recommends that organisations be required to provide “concise and easily understood” privacy policies, rather than lengthy and complex documents that are difficult for individuals to understand. It also recommends requiring explicit consent for sensitive information and ensuring that individuals are able to withdraw their consent at any time.
  6. Privacy impact assessments: The report recommends that organisations be required to undertake privacy impact assessments (PIAs) before implementing new systems or processes that involve the handling of personal information. PIAs would help organisations identify and mitigate privacy risks before they arise.
  7. Clarifying the definition of “personal information”: The report recommends that the definition of “personal information” be updated to reflect technological developments and changes in the way personal information is collected and used. For example, the definition could be amended to include biometric data such as facial recognition.
  8. Strengthening protections for children: The report recommends that additional protections be introduced for the personal information of children, including the requirement for parental consent before their information can be collected or used. It also recommends the development of a Children’s Online Privacy Code for services children are likely to access.

If the proposed changes are implemented, individuals would have stronger privacy rights, and organisations would face tougher penalties for breaching those rights. The proposed changes would also bring Australia’s privacy laws into closer alignment with international standards.

The report is now open for public consultation, and the Government has indicated that, in light of the multiple significant data breaches in 2022, legislation amending the Act will be passed within this term of Government. It remains to be seen how many of the proposals outlined in the Report will be included in the legislation.

Gemma McGrath
