Privacy Act Reforms – will individuals’ rights impact your business?

16 June 2023
Dudley Kneller, Partner, Melbourne; Sinead Lynch, Partner, Sydney; Antoine Pace, Partner, Melbourne; David Smith, Consultant, Melbourne

It has only been three months since the Attorney General’s Office released its report (Report) on the proposed amendments to the Privacy Act 1988 (Cth) (Privacy Act). The Report made 116 recommendations for reform. The recommended reforms are extensive and will, if implemented, have a substantial effect on how businesses regulated under the Privacy Act (APP entities) may lawfully collect, use and disclose personal information.

In this article, we deal with the Report’s proposals for the introduction of new rights of individuals in relation to their personal information.

Six Rights for Individuals – a challenge for APP entities

The Report has proposed six rights for individuals whose personal information is collected, used or disclosed:

  1. Right of Access and Explanation – the right to know what information is held about them, its sources, and what is being done with it (Proposal 18.1),
  2. Right to Object – the right to challenge whether the APP entity’s handling of their personal information complies with the Privacy Act (Proposal 18.2),
  3. Right to Erasure – the right to require that personal information about them is deleted (Proposal 18.3),
  4. Right to Correction – the right to require that personal information held about them is relevant, accurate, complete, up to date, and not misleading (Proposal 18.4),
  5. Right to De-index internet search results – the right to require that internet search results about them are de-indexed in certain circumstances (Proposal 18.5); and
  6. Direct Right of Action – the introduction of a right of action for individuals who have suffered loss or damage as a result of an interference with their privacy (Proposal 26).

While privacy advocates welcome the strengthening of individual rights, APP entities may find compliance with the changes challenging – particularly the first four rights listed above.

Access, objection, erasure and correction

Many people may believe it is inevitable that their information will be made public, misused or stolen in a data breach. The first four rights listed above aim to empower individuals to take control of the information APP entities hold about them.

The first step to empowerment is knowledge. It is important for individuals to know what information APP entities hold about them, and how it is used. Once they gain an understanding of what there is and how it’s used, individuals can exert greater control over their information.

The ability to object to the collection, use or disclosure, and to request erasure, of personal information offers individuals the ability to minimise the volume of information that’s in the wild and outside their control.

An individual’s right to request that an APP entity should correct inaccurate, incomplete or misleading personal information already exists as Australian Privacy Principle 13. The Report proposes to extend this right to generally available publications online that are controlled by an APP entity. The extension of this right of correction could throw up issues in the context of subjective information (e.g. an opinion about the individual).

If the individual rights above are actually introduced, an APP entity will need to map out where data are held, ensure that the data can be erased, and map data flowing to third parties. The APP entity would also need to prepare processes for dealing with each type of request, and train its personnel tasked with managing personal information in relation to those processes.

The right to have search results de-indexed is rather narrow and won’t be addressed in this article.

The direct right of action

Currently, individuals have very narrow avenues available to them if they wish to take action for interferences with their privacy. Individuals may submit a complaint to the Information Commissioner, apply to the Federal Court for injunctive relief and/or, in relation to credit reporting, apply to the Federal Court for compensation depending on the situation.

Under the Privacy Act in its present form, individuals do not have the ability to directly enforce their privacy rights in court, aside from participating in a class action.

The introduction of the ability for individuals to enforce their privacy rights against APP entities and to take direct action in relation to interferences with their privacy would improve individuals’ control of their information. If introduced into law, the right would be available to any individual, or group of individuals, that has suffered loss or damage as a result of an APP entity’s interference with their privacy rights. Importantly, the concept of ‘loss or damage’ would include injury to the individual’s feelings or feelings of humiliation. The direct right of action, if introduced into law, would clearly incentivise APP entities to comply with the Privacy Act, particularly where they collect, use and/or disclose numerous individuals’ personal information.

A ‘gateway’ model is likely to be adopted for the direct right of action. A complainant would first have to submit a complaint to the Office of the Australian Information Commissioner (OAIC) or another body to be assessed for conciliation. If the complaint is accepted for conciliation but the conciliation is unsuccessful, the complainant could elect to take action in court. Utilising the OAIC as a first-step gateway would reduce potential cost barriers to enforcement of individual rights, and would also reduce the risk of overloading the court system.

How should businesses prepare for enhancement of individuals’ rights?

With the introduction of some or all of the rights of individuals, APP entities will need to reassess and strengthen their Privacy Act compliance. There are several things APP entities can do in order to get ahead:

  • Map existing data practices and flows
    Do you know where personal information is held and how it can be permanently deleted?
  • Update information request processes and related privacy documents
    Do your processes accommodate the new request types?
    Does your privacy policy reflect these changes?
  • Review existing privacy practices in light of increased liability risk
    Do you need to uplift your privacy practices to prevent breaches of the amended Privacy Act?
    Do insurances need to be updated/notified?


Authored by:

Antoine Pace, Partner
Clare Smith, Associate
Freya vom Bauer, Associate

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.