The Attorney General has released the Privacy Act Review Report after a 2 year review process. Feedback is being sought for the Government’s response to the Report.

If implemented, the 116 proposals would broaden the information protected under the Privacy Act, provide greater protections for personal information before it is used in ways that have high privacy risks and strengthen the enforcement of privacy obligations and the Notifiable Data Breaches scheme.

The proposals include:

• ensure de-identified information is protected from misuse;
• regulate ‘targeting’ of individuals based on information that relates to them but that may not uniquely identify them;
• review the risks to privacy resulting from the small business, employee records, political and journalism exemptions;
• strengthen privacy protections for children and people experiencing vulnerability;
• improve individuals’ control over their personal information, including through a right to seek erasure of personal information;
• give individuals more transparency and control over direct marketing, targeting and sale of their personal information;
• strengthen the requirement on entities to keep personal information secure and destroy or de-identify it when it is no longer needed;
• provide new pathways for individuals to seek redress in the Courts for privacy breaches, including through a new tort for serious invasions of privacy;
• reduce regulatory complexity by working with states and territories to harmonise key aspects of privacy laws.

Financial services and credit providers will be affected by specific proposals relating to privacy policies and collection notices including that standardised templates and layouts for privacy policies and collection notices, as well as standardised terminology and icons, should be developed by reference to relevant sectors.

The Report also recommends that the OAIC could develop guidance on how online services should design consent requests and that privacy policies should set out the types of personal information that will be used in substantially automated decisions which have a legal or similarly significant effect on an individual’s rights.

To avoid duplication of complaint frameworks, the Report recommends that the Information Commissioner be given the discretion not to investigate privacy complaints where a complaint has already been adequately dealt with by an EDR scheme.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.