Changes to the Data Protection Act – now is the time to prepare – Data Protection


On September 28, 2023, the federal government released its formal response (Response) to the Privacy Act Review Report published in February this year. The Response states “agree” or “generally agree” to the vast majority of the 116 suggestions made in the Privacy Act Review Report. This is significant because the sheer volume of proposals generated approximately 500 contributions from businesses, industry groups and academics to the Privacy Act Review Report, representing a wide range of stakeholder views.

In the Response, the Government is sending a clear message to businesses that while the legislation to implement these changes is not yet ready, we can expect it to happen in the near future.

This is important because many of the changes will affect the way organizations structure themselves and the way existing IT systems and information management channels are organized within businesses. Businesses should use the time to change and update systems.

What are the changes?

The position of the federal government on the full list of proposals is given in the Response (see page 23, Appendix A). While some of the changes primarily strengthen the rights of individuals under the Data Protection Act, the key issues for businesses relate to:

  • expanding the definition of “personal data”

  • strengthening obligations regarding policies and collection notices

  • introducing a requirement that the processing of personal data be “fair and proportionate”.

The requirement that the collection, use and disclosure of information be fair and reasonable in all circumstances is a new test and a higher bar than in the past. While this is “agreed in principle” – and as such will take some time to engage in consultation before the draft legislation is issued – it creates a firm basis on which organizations should review their existing practices and upgrade them where necessary.

Enhanced enforcement powers for the OAIC

One of the questions not addressed is the funding of the regulator, the Office of the Australian Information Commissioner (OAIC). It is generally accepted that the OAIC is currently underfunded and will require significant funding to complete the additional work envisaged by the review of the Privacy Act and the Government’s response. Any additional funding for the OAIC would likely be addressed in the next federal budget or half-yearly economic forecast.

Some of the approved proposals give the OAIC greater enforcement powers. For example, the government has agreed to introduce civil penalty provisions for third parties to enable more agile enforcement of sanctions. This will include the introduction of ‘speeding’ infringement notices, similar to those used by other regulators, as well as strengthening the definition of ‘serious invasions of privacy’ in the Privacy Act.

Accordingly, businesses will face higher standards and, subject to adequate OAIC funding, will also face an increased risk of enforcement action.

Changes to the data breach scheme

There have also been changes to the Data Breach Scheme, which require faster notification under the General Data Protection Regulation (GDPR) and allow entities to distribute their notifications to individuals as information becomes available.

Next steps

While the Report outlines other significant changes, prudent businesses could begin implementing a number of systemic measures now to minimize the cost of systemic improvements when the new changes are approved.

This publication does not address every important topic or change in the law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader’s particular circumstances. If you are interested in this publication and would like to know more or would like to obtain legal advice regarding your situation, please contact one of the individuals listed.
