Every day, we hand over and use our personal information to do simple tasks such as online shopping, using apps, signing up to services and, in the current COVID-19 climate, signing in at restaurants and venues. But how is our personal information protected, and how can it be used? In turn, what obligations do agencies and organisations have concerning personal information? The Privacy Act 1988 (Cth) promotes the protection of individuals’ privacy and personal information.
After the ACCC’s Digital Platforms Inquiry – final report (2019), the Australian Government committed to reviewing the Act. In October 2020, the Attorney-General’s Department released a Privacy Act Review – Issues Paper, which detailed areas of review and invited submissions; the submissions can now be reviewed on the AG’s website. The issues paper looks at the adequacy and effectiveness of the Privacy Act, particularly at a time when we rely on technology and some people are increasingly concerned about their privacy rights.
Personal Information – obligations, breaches and definition
The Act has thirteen Australian Privacy Principles that set out how an entity or organisation can use, collect, manage and store personal information; it also sets out other obligations and enforcement mechanisms. In particular, the Act includes a notifiable data breach scheme which states when an organisation must notify the Office of the Australian Information Commissioner and affected individuals of a breach of personal information. As part of the review, the AG’s Department will be looking at the scheme and how it is currently working.
The definition of personal information will also form part of the review. Currently, the Act sets out a broad definition of personal information; personal information can range from an individual’s name, phone number and date of birth to their health information and religious views. Opinions also fall under personal information, irrespective of whether they are “true or not”. Definitions of personal information in overseas jurisdictions vary.
Other areas of review
The AG’s Department has also stated that the review will consider:
- the scope and application of the Act – including any current exemptions;
- if the Act adequately protects personal information and has a practical and proportionate framework to promote good privacy practices – including erasing data, consent to default privacy settings and overseas data flows;
- the introduction of a statutory tort for serious invasions of privacy;
- if individuals should be entitled to direct rights of action for the enforcement of privacy obligations;
- the standard of enforcement and the interaction of the Act with other regulatory frameworks; and
- the viability of an independent certification scheme.
Following the Issues Paper, the AG’s Department has indicated that it will release a discussion paper this year. The discussion paper will ask for further feedback about any preliminary outcomes and proposed reforms. The review will be an area to watch to see what reforms are presented and potentially introduced under the Privacy Act.
Author: Sharna White, Graduate Lawyer. Sharna has recently finished her time with us to take up a great position – we wish her all the best!