Privacy Act reforms
29 November 2024

On 29 November 2024, a significant milestone was reached: the Privacy and Other Legislation Amendment Bill 2024 (the Privacy Amendment Bill) passed both the Senate and the House of Representatives and is now on its way to royal assent.
The Privacy Amendment Bill was first introduced to Parliament on 12 September 2024 and proposed amendments to the Privacy Act 1988 (Cth) (Privacy Act) (and a number of other laws) to address privacy risks in the digital age (read our alert here).
While the scope and substance of the original Privacy Amendment Bill are largely unchanged, there are some key changes.
Compliance notices
The Office of the Australian Information Commissioner (OAIC) can now issue compliance notices compelling entities to address certain privacy breaches before it takes further enforcement action. Complying with a notice is not a finding (or concession) that an Australian Privacy Principle (APP) has been breached.
Failure to comply with a compliance notice can result in significant penalties, including fines of up to $66,000 (200 penalty units) for individuals and $330,000 (1,000 penalty units) for organisations.
Statutory tort
The statutory tort for serious invasions of privacy has been amended so that courts are required to consider artistic expression (as a defence) when assessing whether there was a public interest in the invasion of privacy.
Injunctions
Courts now have express power to grant, at any stage of proceedings, an injunction restraining a defendant from invading a plaintiff's privacy.
The Privacy Amendment Bill will likely commence the day after royal assent.
What next for APP entities?
As discussed in our recent alert (here), APP entities should continue to proactively monitor their personal information holdings to ensure they have a complete understanding of the personal information they hold and the systems it is stored in. Take the time to update your Privacy Management Plan to document your personal information holdings.
We recommend APP entities take the following practical measures to promote Privacy Act compliance:
- Review your Privacy Policy and collection notices to ensure they are up to date and accurately reflect the work of your organisation or agency.
- Use this time to revisit projects that rely on an 'opt-out' for the collection of personal information. These arrangements are likely to be subject to higher scrutiny in the current climate.
- Review processes and consider whether personal information is required or whether the outcome can be achieved with de-identified information. Where personal information is required, satisfy yourself the minimum personal information is being collected to achieve the outcome.
- Engage with your IT/Cyber teams to ensure technical controls are in place to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure (the standard set by APP 11.1).
- Review legacy systems and actively take steps to decommission them so you are not storing personal information for any longer than is absolutely necessary.
- Critically review your agency or organisation’s higher privacy risk activities and consider whether a Privacy Impact Assessment (PIA) should be undertaken to assess the privacy risks associated with the project. The OAIC’s recent determination in Bunnings (discussed in our alert) found that a PIA should have been undertaken and Bunnings’ failure to do so contributed to a breach of APP 1.2.
Please reach out to discuss the impact of these amendments on your agency.