The Privacy Act 1998 (Cth): The Future is Now
The Privacy Act 1998 (Cth) (‘Privacy Act’) has evolved in the face of our digital age. While it has adopted many important privacy protections, there is room to grow, especially in the way data is collected, handled, shared, and destroyed. The increase in Australian cyberattacks has illustrated the need for strengthened protections and accountability. Alarmingly, the Office of the Australian Information Commissioner (‘OAIC’) reports that “76% of those whose data was involved in a breach said that they experienced harm as a result”.
The Government has been active in the privacy sector, progressively expanding the legislation and conducting reviews and consultations on the Privacy Act. Several of those areas of interest are considered in this article.
Right to be Forgotten
A report released earlier this year by the Attorney-General draws on progressive laws already in place in the European Union. A revolutionary concept mentioned in the report, and one that is missing from our legislation, is the right to erasure (‘right to be forgotten’), which is a core part of the European Union’s GDPR. A right to erasure can prevent organisations from hoarding personal data. Many will be familiar with the scenario of making an online purchase, being required to provide unnecessary personal information (while not wanting to), doing so out of necessity, and then having that data held on file indefinitely.
The closest Australian legislation comes to giving individuals rights over personal data held by organisations is the opt-out option for direct marketing and, within the Australian Privacy Principles, Principle 12 (access to personal information on request) and Principle 13 (correction of personal information). All fall short of the right to be forgotten and are limited in the organisations to which they apply.
2022 Legislative Changes
The ropes have already been tightening on organisations covered by the Privacy Act, and in December 2022, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) was assented to. This expanded the powers of the OAIC and imposed harsher penalties on organisations to which the act already applied.
Current Scope of the Privacy Act
The scope of the Privacy Act is mired in exceptions, threshold questions, and the like.
For example, the OAIC states that the Privacy Act’s obligations most notably apply to organisations with an annual turnover of more than $3 million.
If you are an organisation with a turnover of $3 million or less, you could still fall under the scope of the Act if you fit any of the following criteria:
- an organisation that provides a health service, which includes:
  - a traditional health service provider, such as a private hospital, a day surgery, a medical practitioner, a pharmacist or an allied health professional
  - a complementary therapist, such as a naturopath or a chiropractor
  - a gym or weight loss clinic
  - a child care centre, a private school or a private tertiary educational institution
- a business that sells or purchases personal information
- a credit reporting body
- and others
Even if an organisation itself does not fall into a prescribed category, its activities could still be captured by the legislation, for example practices connected with the operation of a residential tenancy database, or specific persons that handle Tax File Numbers.
2023 Report – Key Recommendations and Governmental Responses
On 28 September 2023 the Attorney-General published a comprehensive government response to the report’s recommendations. Two of the points contained in it are set out below:
| Recommendation | Governmental Response |
| --- | --- |
| Removal of the small business exemption | While the Government agrees in-principle to its removal, it has stated that further consultation would be required. This would balance the regulatory burden on businesses against the interests of those whose data is collected. |
| Individual rights to erasure or data control | While the Government agrees in-principle to strengthened rights for individuals over their data, it has proposed that there should be exceptions, given that a blanket application could be burdensome, unreasonable and, in some cases, inconsistent with other legislation that may require data to be kept for periods of time. |
At this stage the document is only a response, and it will be a waiting game to see whether, when and how these changes come into effect.
What can businesses do now?
- Review their terms and conditions, privacy policies and privacy collection notices
- Determine whether they currently fall within the jurisdiction of the Privacy Act
- Adopt data breach protocols that comply with the legislation
Our firm offers comprehensive and adaptive options for businesses and can assist in compliance by drafting a privacy suite of documents including:
- Terms and conditions
- Privacy Policy
- Data Breach Response Plan
- Collection Notice
For further information, please contact our office on 1300 ARROWW (277 699).
Disclaimer: This publication is intended for general and informative use only and is not to be relied upon as professional financial or legal advice.
Matthias Klepper
Matthias Klepper is an accomplished commercial lawyer with over 10 years of experience advising businesses on corporate, property and litigation matters. His deep knowledge of corporate law, combined with a client-focused approach, has made him a trusted advisor to many leading companies. As an expert in business law, Matthias regularly contributes insights on legal developments and strategies for navigating complex legal frameworks. His dedication to providing clear, actionable legal advice ensures clients remain compliant and informed, fostering long-term success.