2023 State of Play – Australian Privacy Reform

What to expect this year

Attorney-General Mark Dreyfus confirmed receipt of the final report in mid-December 2022. Mr Dreyfus’ office will now review the recommendations for reform before providing a response and releasing the report publicly. Speaking at the IAPP ANZ Summit in Sydney in November 2022, Angelene Falk (Australian Information Commissioner and Privacy Commissioner) said she anticipates this process would be completed in the first half of 2023, with the revised Privacy Act then passing through parliament and being enacted prior to 2024.

What will likely change

Given the last significant reform of the Privacy Act occurred in the year 2000 with the introduction of the Australian Privacy Principles (APPs), as well as the current cyber threat landscape and the criminal value of individuals’ personal information, it is anticipated that a considerable number of reforms will be proposed. At the IAPP ANZ Summit, Ms Falk also outlined some of the key changes she anticipates in the Privacy Act which included:

• OAIC mandated audits: Ms Falk spoke about the benefits of a model in which the OAIC could require organisations to undergo an audit of their privacy processes and activities upon request. A similar provision has been included in the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 and it is envisaged that the audits would follow a defined methodology and be performed by an approved independent third-party, somewhat similar to APRA’s CPS 234 tripartite assessment model.
• Standardised privacy notices and consent mechanisms: It is anticipated that the revised Privacy Act will contain stricter conditions and clearer guidance on how consent to process individuals’ personal information must be collected. This could potentially follow the European GDPR model and prohibit consent for processing personal information being bundled with other terms and conditions, and banning mechanisms such as pre-ticked boxes to collect consent. Additionally, a standardised format for privacy notices for organisations to clearly inform individuals how their personal information is processed is expected.
• Mandatory PIAs: Similar to the European GDPR model, the revised Privacy Act could make PIAs (Privacy Impact Assessments) mandatory in certain situations. This would require organisations to conduct a formal privacy assessment of particular personal information processing activities to identify risks involved and develop appropriate mitigation strategies. For example, GDPR requires organisations to perform a risk assessment of any processes which involve the large scale monitoring of a publicly accessible area on a large scale, large scale processing of sensitive personal information, or any process which involves automated decision making or profiling which could significantly impact an individual.
• Removal of exemptions: A popular topic in the discussion and issues papers previously published by the Attorney-General’s Department considered the removal of certain exemptions in the current Privacy Act, notably the employment exemption. Currently, any personal information collected and used by an organisation in relation to an employment relationship with an individual is exempt from the current Privacy Act, meaning the APPs and other protections do not necessarily need to be applied to this information. However, it is widely anticipated that this exemption will be amended or removed as part of the reform. This would greatly increase the extent of an organisation’s privacy compliance obligations, as the removal of the exemption will bring personal information such as past, current, and prospective employee records into scope.
• Right to be forgotten: Speaking in January 2023, Mr Dreyfus indicated the proposed reform will recommend additional rights for individuals be included in the revised Privacy Act. In particular, the right to erasure/right to be forgotten is expected to be included which will afford individuals the right to request organisations destroy all personal information they retain pertaining to that individual. This will obviously create a challenge for many organisations to ensure they have effective processes and technology to accurately identify all relevant personal information, securely and permanently destroy the information, and ultimately comply with any valid requests.

What you can do now to get ready

With the reform expected to be approved and enacted by 2024, the clock is ticking for organisations to ensure their privacy programs are well established and operating effectively. Whilst the exact provisions of the reform will not be known until Mr Dreyfus’ office publishes the final report and government response, organisations can prepare by undertaking the following key activities in 2023:

• Internal audit: Ms Falk also spoke about the value of utilising the organisation’s internal audit function or engaging external specialists to conduct a comprehensive assessment of the organisation’s privacy program. Identifying improvement opportunities and compliance gaps with the current Privacy Act as soon as possible will streamline compliance when the reformed Privacy Act is enacted.
• Data destruction: The importance of having an effective data management program and adhering to a defined data retention schedule cannot be understated. The Privacy Act in its current-state requires organisations to destroy personal information when it is no longer required. As most organisations will have a number of data retention requirements from other applicable legislation (such as the Fair Work Act 2009 and Corporations Act 2001), it is essential to define a retention and destruction schedule for all categories of data and personal information and implement appropriate controls and tools to adhere to these schedules.
• Data minimisation: It is recommended to review and where necessary amend privacy practices to ensure personal information that is not strictly necessary for the purpose in which it was originally collected is destroyed and not collected in future. This is best achieved through performing a PIA on specific business processes, assessing all categories of personal information which are collected as part of the process and identifying any personal information which is not strictly necessary as part of the process.

How Protiviti can help

To find out more about Protiviti’s data privacy consulting services, please click here.