The proposed amendments to Australia's Privacy Act 1988


Discover eight key amendments proposed to reshape and strengthen privacy governance.

26 August 2024

The Privacy Act 1988 governs how personal information is handled in Australia. In 2019, the Australian Competition and Consumer Commission's Digital Platforms Inquiry highlighted several privacy issues, prompting a review of the Act whose findings were published as the 'Privacy Act Review Report'. The review aims to ensure that the Act remains effective and adapts to the way Australians interact with technology and digital services.

Additionally, it aims to update and align the Act with global privacy standards, enhancing protections for individuals and ensuring Australia remains a trusted participant in global data ecosystems.

Read on as we cover eight key amendments proposed to reshape and strengthen privacy governance.

1. Strengthening user consent and control

The review proposes major changes to consent mechanisms under the Privacy Act: consent must be explicit, informed, and as easy to withdraw as it is to give, so that users understand and agree to how their data is used.

To achieve this, privacy notices must be clear, concise, and written in plain language. The review notes the need for users to have greater control over their personal data, proposing stricter guidelines for privacy notices and the conditions under which consent is obtained and managed.

2. Expanding scope of the Privacy Act

The proposed amendments to the Privacy Act 1988 aim to expand its scope by revising current exemptions that have limited the Act’s applicability.

One notable proposed change is the removal of the small business exemption. The current exemption excludes small businesses with an annual turnover of less than $3 million from most of the Act's requirements. The review suggests removing this exemption so that all businesses, regardless of size, are accountable for protecting personal information.

Similarly, the review proposes adjustments to the exemptions for political parties and for employee records. Bringing these categories under the Act's purview would close gaps in protection that have become more apparent with the evolution of data use and technology.

3. Enhancing protections for sensitive data

The review proposes enhancements to the protections for sensitive data, with particular focus on children and vulnerable groups, such as Indigenous Australians, older Australians, people from culturally and linguistically diverse communities, and people with disabilities, groups that have reported record-high losses to scams. It also introduces a 'fair and reasonable' test for data handling, requiring that the collection, use and disclosure of personal information be justifiable and not excessive in relation to the benefits it provides.

For children, the review suggests specific measures ensuring any data collection or processing acts in their best interest, aligning with principles similar to those in the UK's Age Appropriate Design Code.

Vulnerable populations are afforded additional safeguards, with proposed requirements for entities to recognise signs of vulnerability and adjust their data handling practices accordingly. These proposals aim to prevent exploitation and reduce the risks of harm from data misuse.

4. Introducing new compliance and enforcement mechanisms

The review recommends the introduction of tiered civil penalties for breaches of privacy.

This is complemented by strengthened powers for the Information Commissioner, including enhanced authority to conduct investigations and enforce compliance. New provisions would allow the Commissioner to address non-compliance through direct enforcement actions and potentially public inquiries.

5. Improving transparency in data handling

The review suggests several amendments to improve the transparency of organisational data handling. It focuses on enhancing the clarity and accessibility of privacy notices and the conditions for obtaining consent.

Under the proposals, organisations would be required to provide privacy notices that are not only clear and concise but also understandable by the general public, so that individuals can easily comprehend how their personal information is being collected, used, and disclosed. The proposed amendments specify that these notices must detail:

  • The types of personal information collected.
  • The purposes of collection.
  • How the data is processed or used.

Additionally, the review proposes changes to the framework governing how organisations obtain consent for collecting personal data. Consent must be informed and explicitly obtained, meaning that individuals have a clear awareness and understanding of data handling practices before agreeing to them.

7. Enhancing data breach response protocols

The review of the Privacy Act includes amendments to the Notifiable Data Breaches (NDB) scheme to enhance response protocols for data breaches. A key change is a requirement for entities to notify the Information Commissioner within 72 hours of becoming aware of an eligible data breach. The scheme currently requires notification as soon as practicable after an entity concludes that an eligible breach has occurred; the 72-hour window would replace that open-ended standard with a fixed deadline.

Additionally, the amendments call for entities to provide more comprehensive details in their notifications, including clear explanations of the breach's nature, the type of information compromised, and specific steps individuals can take to protect themselves.

8. Facilitating safer international data transfers

The review proposes new frameworks for international data transfers under the Privacy Act, aimed at enhancing the safety of cross-border data movements. These include a mechanism to prescribe countries and certification schemes that provide protection substantially similar to the Australian Privacy Principles (APPs).

Additionally, the review suggests using standard contractual clauses for international transfers to ensure compliance with Australian privacy standards abroad, aiming at facilitating smoother data transfers while maintaining high privacy standards.

How your organisation can prepare for the proposed Privacy Act amendments

Here are steps and measures your business can adopt to stay ahead of regulatory changes.

Enhance data and information governance practices: Implement comprehensive data and information governance frameworks that include risk assessment procedures such as data classification, data mapping, and regular audits. Ensure all personal data is accurately inventoried, with clear documentation of data flows and storage locations. Use data management tools to enforce policies, monitor compliance across all data sources, and ensure only authorised personnel can access sensitive information.

Adopt data minimisation strategies: Conduct periodic reviews of all collected data to identify and remove unnecessary or redundant information. Additionally, implement strict data retention policies that define maximum retention periods based on the sensitivity and purpose of the data. Employ data anonymisation and pseudonymisation techniques to reduce the risk associated with storing personal information. Lastly, develop and enforce protocols for secure data deletion and destruction.
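As an added example (not code from the original article or from Iron Mountain), the following Python shows two of these minimisation strategies in working form: keyed pseudonymisation of a direct identifier, and a retention check that flags records past the maximum retention period for their data class. The data classes, retention periods, key handling and sample records are constructed assumptions for illustration, not figures from the Privacy Act or the review. Actual destruction of the flagged records (including copies in backups) is a separate step not shown here.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Assumed retention policy: maximum days to keep each data class. These
# classes and periods are illustrative, not figures from the Privacy Act.
RETENTION_DAYS = {
    "contact": 365,          # e.g. name and email held for a mailing list
    "transaction": 7 * 365,  # e.g. financial records kept for tax purposes
    "sensitive": 90,         # e.g. health details collected for one service
}

# The "as at" date used for the sample run below (assumed).
AS_AT = date(2024, 8, 26)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed pseudonym.

    HMAC-SHA256 with a secret key is used rather than a bare hash: email
    addresses and phone numbers are enumerable, so an unkeyed SHA-256 of
    them can be reversed by hashing candidate values. Whoever holds the
    key can still re-identify, so store the key separately from the
    pseudonymised data set and restrict and log access to it.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def records_to_delete(records, today: date, policy=RETENTION_DAYS):
    """Return ids of records past the maximum retention for their class.

    Each record is a dict with keys id, data_class and collected (a date).
    Records with an unknown data class are returned too: unclassified
    personal information should be triaged, not kept by default.
    """
    due = []
    for rec in records:
        days = policy.get(rec["data_class"])
        if days is None or rec["collected"] + timedelta(days=days) <= today:
            due.append(rec["id"])
    return due


def analytics_copy(records, key: bytes):
    """Build an analytics extract with the direct identifier pseudonymised
    and every field not needed for analysis dropped (data minimisation)."""
    return [
        {
            "subject": pseudonymise(rec["email"], key),
            "data_class": rec["data_class"],
            "collected": rec["collected"].isoformat(),
        }
        for rec in records
    ]


# Constructed sample inventory (not real data).
SAMPLE_RECORDS = [
    {"id": 1, "email": "Alice@Example.com", "data_class": "contact",
     "collected": date(2023, 1, 10)},
    {"id": 2, "email": "bob@example.com", "data_class": "transaction",
     "collected": date(2019, 6, 1)},
    {"id": 3, "email": "carol@example.com", "data_class": "sensitive",
     "collected": date(2024, 7, 1)},
    {"id": 4, "email": "dave@example.com", "data_class": "legacy_export",
     "collected": date(2020, 1, 1)},
]


if __name__ == "__main__":
    # In production the key comes from a KMS or HSM, never from source code.
    key = secrets.token_bytes(32)
    print("due for deletion:", records_to_delete(SAMPLE_RECORDS, AS_AT))
    for row in analytics_copy(SAMPLE_RECORDS, key):
        print(row)
```

Run as at 26 August 2024, the check flags record 1 (contact data older than a year) and record 4 (no recognised data class); the transaction record is within its seven-year period and the sensitive record within its 90 days. The pseudonym is deterministic for a given key, so the same person can be joined across extracts, while changing the key gives unrelated pseudonyms, which is what makes key rotation a workable way to sever old extracts from new ones.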

Validate data collection practices: Ensure all data collection methods comply with legal requirements and are documented in clear, accessible privacy policies. Similarly, use clear and plain language to explain data collection practices to consumers. Moreover, obtain explicit and informed consent, ensuring individuals are fully aware of what data is being collected, how it will be used, and their rights regarding the data.

Perform privacy impact assessments: Conduct Privacy Impact Assessments (PIAs) for all high-risk data processing activities to identify potential privacy risks and devise appropriate mitigation strategies. Ensure thorough documentation of the PIA process, capturing the rationale behind decisions and the measures taken to address risks. Regularly revisit and update PIAs, especially following significant changes to data processing activities. Throughout this process, actively engage with stakeholders, including data subjects, to understand their privacy concerns and integrate their feedback into your assessments.

By partnering with Iron Mountain, you can leverage our seven decades of expertise in data and information storage and protection, along with our technology: Policy Centre, our record retention policy management platform, and InSight Digital Experience Platform, which lets you access your physical and digital data with audit-ready compliance, helping your organisation meet the stringent requirements proposed in the Privacy Act amendments. We provide robust support in managing the lifecycle of sensitive information, from secure storage solutions to compliant destruction practices, and specialise in helping organisations maintain compliance with updated privacy regulations through tailored solutions.

Learn about the full range of Iron Mountain’s services. Or, to learn about how Iron Mountain can work with you to ensure your data management practices are both secure and compliant, contact our team today.
