Privacy Act Review Report - a game changer for how boards manage cyber risk

In brief - Today, the Commonwealth Government released its 312 page Privacy Act Review Report (Report), a culmination of two years of consultation and review

A common theme in submissions recognised by the Report was that the principles-basis of the Privacy Act should be retained but supplemented with more detailed prescriptions where required. 

Proposals in the Report

The Report proposes new principles, such as the fair and reasonable test, as well as more detailed rules to provide greater certainty where needed.

Importantly, the Report proposes: 

• that the exemption from the Privacy Act for small businesses be abolished (currently the exemption applies to businesses with less than $3M annual turnover);
• a new overarching requirement that the collection, use and disclosure of personal information must be fair and reasonable in the circumstances;
• clarification that personal information is an expansive concept that includes technical and inferred information, such as IP addresses and device identifiers, where it relates to a reasonably identifiable individual;
• individuals having the right to directly claim for serious breaches of privacy (statutory tort);
• security protections to apply to de-identified information, recognising that de-identified information can be re-identified;
• better alignment with international rules, with a number of individual rights modelled on the EU GDPR to be brought in (such as ‘data subject rights’, rights to object, right to request erasure aka "the right to be deleted" which is currently not a right in Australia) and to have search results deindexed);
• that the quality of privacy collection notices and consents obtained from individuals should be improved and that entities periodically review the periods of time they hold personal information;
• regulation of ‘targeting’ and additional controls on precise geolocation data with individuals having the ability to opt out of targeted ads;
• mandatory Privacy Impact Assessments before commencing an activity which is likely to have a significant impact on individuals' privacy; and
• transparency requirements for automated decisions that use personal information and have a significant effect on individuals. Entities would need to provide information about the types of personal information used in automated decision-making systems and how such decisions are made.

Based on the Report, we believe that it is non-partisan, considered, and designed to align with international privacy rules and trends, while also meeting the expectations of the Australian community. For example, we anticipate that removing the small business exemption will not create significant concerns as most small businesses have already put privacy frameworks into place to meet the expectations of their consumers and larger commercial clients. We see the right to take direct action being the key game changer as that will prompt boards to elevate the importance and investment on their cyber risk mitigation strategies.