On 30 October 2020, the Federal Government released the terms of reference and issues paper for a review of the Privacy Act 1988 (Cth).
The objective of the review is broad: to consider whether the scope of the Privacy Act and its enforcement mechanisms remain fit for purpose.
The announcement follows the final report of the ACCC into the Digital Platforms Inquiry and the Government's response to the final report, in which the Government accepted the "overriding conclusion that there was a need for reform".
The terms of references include a review of:
- the scope and application of the Privacy Act, including the definition of "personal information" – particularly, whether the definition of "personal information" ought to include metadata as "personal information" [1];
- whether the Privacy Act is effective in protecting personal information and promoting good privacy practices;
- whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act and have the benefit of a statutory tort for serious invasions of privacy under the Privacy Act;
- the impact of the introduction of the notifiable data breach scheme and its effectiveness in meeting its objectives;
- the effectiveness of enforcement powers and mechanisms under the Privacy Act and how they interact with other Commonwealth regulatory frameworks; and
- the desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.
The proposed reforms would increase the administrative duties and burdens of entities subject to the Privacy Act and their liability for any breaches of privacy. Other matters of practical significance which may flow from the review include:
- the removal, or narrowing of the scope, of the employee records exemption, particularly as it relates to the sensitive information of employees and whether it applies at the point of collection or only once an "employee record" has been generated [2];
- the requirements of obtaining valid consent, including in the context of that consent being a condition of service;
- the strengthening of the requirements in the Australian Privacy Principles with regards to collection notices; and
- the possible introduction of a right of erasure.
Such matters have the capacity to significantly alter the manner in which organisations handle personal information and compliance with the Privacy Act more generally, including the costs associated with that compliance.
Those interested in helping shape the discussion have been encouraged to file submissions in response to the issues paper by the deadline on 29 November 2020.
[1] Metadata is data about data. For example, the review will consider whether location data produced by your phone constitutes "personal information" on the basis that you are likely to be at that same location. Back to article
[2] In Lee v Superior Wood Pty Ltd [2019] FWCFB 2946, the Full Bench of the Fair Work Commission cast doubt on the application of the employee records exemption to the collection of information from an employee. Our discussion of this case can be found here.Back to article