Under the European General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) recently fined TikTok 345 million euros. The fine was the result of an inquiry launched by the DPC into TikTok’s processing of children’s personal data.

The DPC’s decision demonstrates the growing focus from privacy regulators on how organisations handle children’s personal information.

Brief Background: The DPC’s inquiry into TikTok

The decision is the result of an own-volition inquiry launched by the DPC in September 2021. The inquiry covered only the period from 31 July 2020 to 31 December 2020. Since then, TikTok Technology Limited (TTL) has made several service modifications addressing most of the criticisms in the decision.

TikTok’s terms do not allow users under the age of 13 to use the platform. The decision focuses on the processing of personal data relating to users aged 13-17, but also examines TTL’s compliance regarding personal data of children under 13 in the context of the company’s age-verification measures.

The case went through the GDPR’s dispute resolution mechanism under Article 65. While there was general consensus on the DPC’s proposed findings in its draft decision, objections were raised by the Italian and Berlin supervisory authorities. Although these objections represented a small minority view within the EDPB, the Article 65 process requires that even a single unresolved objection triggers the full dispute resolution procedure, so the objections were referred to the EDPB for determination.

The EDPB adopted its binding decision on these objections on 2 August 2023. It required the DPC to include a new finding of infringement of the fairness principle and an order to bring the relevant processing operations into compliance, and to amend the conclusion in its draft decision on whether TTL’s age-verification measures were GDPR-compliant.

It should be emphasised that the period covered by the DPC’s inquiry pre-dated the DPC’s guidance on children’s data, The Fundamentals for a Child-Oriented Approach to Data Processing. The decision therefore assesses TTL’s compliance by reference to the GDPR itself and does not rely on the Fundamentals. The DPC does, however, clarify that the Fundamentals introduce “child-specific data protection interpretative principles” and that it remains permissible to refer to principles derived from the GDPR itself.

Family pairing and direct messaging

The “Family Pairing” feature gave certain parental-type controls over the child user’s account to another user. Notably, the DPC acknowledged that, in general, the “Family Pairing” options allowed the paired account user to make privacy settings more strict for the child user’s account — by narrowing available content, disabling search and direct messages, making the account private and limiting comments.

However, the other user could also enable direct messages for accounts of child users over the age of 16 (although, based on the TTL submissions quoted by the DPC, this applied only to messages from “Friends”) where the child user had themselves switched this feature off. Accounts were paired by generating a QR code for the non-child user, which the child user then scanned and confirmed if they wished the accounts to be linked. The DPC took the view that, despite this process, there was no verification of the relationship between the two users.

The DPC considered that allowing a user who was not a verified parent or guardian to enable direct messages in this way for child users over 16 posed risks. It enabled third parties to contact the child user and so constituted unauthorised processing of the child’s personal data, since the child had not chosen to have their data processed in this manner.

On this basis, the DPC concluded that TTL failed to apply appropriate technical and organisational measures to effectively implement the integrity and confidentiality principle and to integrate safeguards to meet GDPR requirements. 

This finding again demonstrates the heightened risk to children that the DPC associates with third parties being able to contact children directly, whether through the comments function or via direct messaging.

Age verification

TikTok had age-verification measures in place to prevent users under 13 from accessing the platform. These consisted of an age gate requesting the user’s birthdate, along with technical measures to prevent users from re-submitting an older age, and ex-post measures to identify and remove accounts of underage users.

TTL’s data protection impact assessment on age-appropriate design did not identify the specific risk of users under 13 accessing the platform, or the further risks arising from it. The DPC viewed this as a failure to adopt appropriate measures to ensure and demonstrate compliance with the GDPR, contrary to Article 24(1). This is an important indicator of the regulatory expectation that digital services with a minimum user age must still account for risks to users below that age, including in their DPIAs.

The DPC proposed in its draft decision to find that TTL’s age-verification measures otherwise complied with the GDPR. Following an objection from the Italian supervisory authority, the EDPB analysed this point, concluded there was insufficient information to conclusively assess TTL’s compliance, and instructed the DPC to amend its finding accordingly.

As such, the DPC’s decision included a statement to the effect that it could not be concluded that the age-verification measures deployed by TikTok infringed the GDPR. In other words, the positive statement in the draft decision expressing the DPC’s view that TikTok had complied with Article 25 in this regard was removed at the direction of the EDPB.

The decision also comments on requiring hard identifiers as a method of age verification. The DPC accepted TTL’s contention that this would be a disproportionate measure: given that children are unlikely to hold or have access to hard identifiers, such a requirement would exclude or lock out child users who would otherwise be entitled to use the platform.

EDPB’s view on age verification  

For organisations whose services have mixed-age user populations of adults and children and impose a minimum user age, the portion of the decision relating to age verification is potentially the most significant. The EDPB carried out a lengthy analysis of TTL’s age-verification measures, taking into account, as Article 25(1) of the GDPR requires, the nature, scope, context and purposes of processing, the risks to child users, the state of the art and the costs of implementation.

In its analysis, the EDPB pointed out that “appropriate” technical and organisational measures under Article 25 means effective measures, which in turn requires robustness. The EDPB expressed serious doubts about the effectiveness of TTL’s neutral age gate as an age-verification solution given the high risk of the processing. It noted that the age gate can be easily circumvented; that presenting the age gate in a neutral manner does not by itself sufficiently discourage users from entering a false birth date; that once a method of circumvention is known it can easily be shared with peers; and that, since TikTok was rated 12+ in the Apple App Store, users could readily infer that they needed to enter a birth date indicating an age above 12 to use the platform.

Similarly, the EDPB expressed doubts on the effectiveness of TTL’s ex-post measures to identify and remove users under age 13 from the platform. Despite these concerns, the EDPB considered it did not have sufficient information to conclusively assess the state-of-the-art element related to TTL’s age-verification measures, and as such, it could not conclusively assess TTL’s compliance with data protection by design.

While the EDPB’s decision does not explain why it felt there was insufficient information to reach a conclusion here, it is worth noting that its analysis concerned the six months between July and December 2020, and the need to carry out a historical examination some three years after the fact may have been a factor.

It is also worth noting the EDPB’s view that the appropriateness of age-verification measures changes regularly, because of the link to the state of the art and the associated risks, and that a controller must periodically review whether such measures remain appropriate.

Overall, though, controllers should not read the lack of an infringement finding concerning the use of the age gate in this case as a green light to use this means of age verification.

Fairness and design choices

The last finding in the DPC’s decision, regarding the infringement of the fairness principle, was not a finding originally proposed by the DPC. It was instead mandated by the EDPB’s binding decision and is the result of an objection raised by the Berlin supervisory authority on behalf of both it and the Baden-Württemberg supervisory authority.

More specifically, the EDPB concluded that the design of the “Registration Pop-Up,” with its “Go Private” and “Skip” options, and the “Video Posting Pop-Up,” with its “Cancel” and “Post Now” options, nudged the user towards a particular decision, “leading them subconsciously to decisions violating their privacy interests.” The EDPB took into account the chosen language, sharing the DPC’s view that the word “Skip” seemed to disincentivise or even trivialise the decision to opt for a private account, which demonstrates nudging. It also considered the placement of the “Skip” and “Post Now” buttons on the right-hand side of the screen, where users are accustomed to clicking to continue and would therefore tend to choose that option, as well as the different colour treatment of each option: light grey for “Cancel” and black for “Post Now.”

The EDPB’s direction in its binding decision on this point, requiring the DPC to insert a finding of infringement of the fairness principle, demonstrates the EDPB’s willingness to use the general principles provision in Article 5(1)(a) as a route to additional, umbrella-type infringement findings, even where the lead supervisory authority’s investigation had already examined the relevant conduct within its scope.

Corrective powers

With regards to the above infringements, the decision exercises the following corrective powers: 

  • A reprimand. 
  • An order to bring TTL’s processing into compliance with the GDPR within three months, to the extent (if any) that TTL is still conducting the processing operations described in the decision. TTL made several service modifications both during and after the relevant period, which the DPC also treated as a mitigating factor. 
  • Three administrative fines totalling 345 million euros: 100 million euros for TTL’s infringement of Articles 5(1)(c) and 25(1) and (2), regarding the public-by-default account setting; 65 million euros for the infringement of Articles 5(1)(f) and 25(1), regarding the “Family Pairing” feature; and 180 million euros for the infringement of Articles 12(1) and 13(1), regarding transparency. 

The DPC did not impose a fine for the infringements of Article 24 regarding the public-by-default setting and TTL’s age-verification measures, because the GDPR does not provide for an administrative fine for that article. The DPC also did not impose a fine for the infringement of the fairness principle, although the Berlin supervisory authority had requested one in its objection. Instead, TTL was ordered to bring its processing into compliance.

Finally, it should be noted that TTL has appealed the DPC’s decision to the Irish High Court and has also brought annulment proceedings before the Court of Justice of the European Union against the EDPB in relation to its binding decision.

How we can help

With the growing focus from both Europe and Australia on children’s data, organisations that work with children must take careful consideration of how they handle personal information.

Our privacy and data security team works with organisations to create workable and compliant privacy frameworks and to implement information handling practices that are resilient to data security threats. Our deep understanding of the education and not-for-profit sectors means we are well equipped to support organisations that work with children on their privacy requirements.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.

In September 2023 TikTok was fined 345 million euros (approximately A$575 million) by the Irish Data Protection Commission (DPC) under the European General Data Protection Regulation (GDPR) for breaches relating to its processing of children’s personal data. The basis for the fine was a lack of transparency, through vague language explaining TikTok’s data handling, and a failure to implement privacy-by-design by making children’s accounts public by default. Another important part of the decision is its consideration of age-verification measures.

We have written previously about children’s privacy, which sits at the intersection of privacy and child safety, much like our annual eSafety campaigns for Safer Internet Day each February.

This article considers three key aspects of the TikTok fine, transparency, privacy-by-design and age-verification measures, in the context of Australian privacy regulation as it applies to charities and schools that work with children.

Transparency: a pillar of privacy regulation

Transparency is a pillar of privacy regulation in both Europe and Australia. In the TikTok decision, the DPC took issue with certain vague words: using “public,” “everyone” and “anyone” to describe who could see a user’s account did not make sufficiently clear whether this meant all registered TikTok users or anyone who could access the platform. A further transparency breach was the failure to provide information about TikTok’s information handling in a concise, transparent, intelligible and easily accessible form, using clear and plain language. We encourage all organisations to ensure their privacy policies and collection notices are clear, easy to understand and tailored to their particular audience.

In Australia, Australian Privacy Principle 1 enshrines openness and transparency as requirements for how organisations handle personal information. Specifically, openness and transparency means:

  • taking reasonable steps to implement practices, procedures and systems to ensure you comply with the APPs and can deal with related inquiries and complaints; and
  • you have a clearly expressed and up-to-date Privacy Policy publicly available that explains how you manage the personal information you hold.

Further, improving the transparency of organisations and the control individuals have over their information is a key aim of the proposed amendments to the Privacy Act 1988 (Cth).1 The reforms propose to increase transparency and control through improved notice and consent mechanisms. This is, in part, a response to the 2023 Office of the Australian Information Commissioner (OAIC) Australian Community Attitudes to Privacy Survey, which found that 84% of Australians want more control over the collection and use of their personal information.

For charities and schools, providing transparency and control is critical to maintaining a strong and healthy relationship of trust with your community. Transparency is a pillar of privacy regulation because handing over information about ourselves or our children is personal; it is like handing over part of our identity. Privacy, and transparency with it, is inherently about trust.

Privacy-by-design: your pro-active tool  

We discussed what we mean by privacy-by-design in a recent article. In TikTok’s case, making children’s accounts public by default was found to be inconsistent with the GDPR’s data protection by design and by default obligations. This was partly because TikTok, through its web browser version, can be accessed by non-registered users, that is, the public at large. A separate, specific setting was required to “Go private”.

In Australia, no privacy-by-design obligation currently exists, although one may be included in the proposed amendments. What the government has committed to is implementing “new organisational accountability requirements [that] will encourage entities to incorporate privacy-by-design into their operating processes.” Regardless of any compliance obligation, privacy-by-design is a strong risk mitigation step against the threat of data breaches because:

  • privacy-by-design shifts the focus from compliance to prevention.
  • privacy-by-design increases awareness of privacy in your organisation.
  • privacy-by-design addresses human error breaches (1/3 of all notifiable data breaches) through awareness and system design.

Privacy-by-design is particularly relevant to children’s privacy, as the Government has agreed with the Attorney-General’s Department’s recommendation to introduce a Children’s Online Privacy Code.2 The code would apply to online services that are likely to be accessed by children.

Age-verification: an emerging area

The decision is novel from a pan-European (European Data Protection Board, or EDPB) perspective in that it is the first to examine age-verification measures against the backdrop of the GDPR. While the EDPB’s dispute resolution procedure, somewhat oddly, directed the DPC to reach an inconclusive outcome, there are important markers that digital services with a mixed user population should note, as they may indicate future regulatory approaches to age verification.

Other key takeaways of the Irish Data Protection Commission’s fine of TikTok

The decision reaffirms the major focus of European regulators, and of the DPC as the bloc’s leader in this area, on children’s data. This is a topic we expect to see increasingly often in regulatory investigations and enforcement decisions.

The DPC’s findings regarding the risks to children from the processing of their data are informative of how the DPC will expect organisations to assess such risks in relation to their own processing operations.

Finally, the decision also signals the EDPB’s willingness to use the fairness principle to bolt on additional findings of infringement at the dispute resolution stage, even where the lead supervisory authority’s investigation had already examined the relevant conduct within its scope.

Read our latest article for more detail on how the DPC came to its decision against TikTok.



1Australian Government, Government Response to the Privacy Act Review Report (28 September 2023).

2Australian Government, Government Response to the Privacy Act Review Report (28 September 2023), page 13; Attorney-General’s Department, Privacy Act Review: Final Report (23 February 2023) Proposal 16.5.

The changes to the vacant residential land tax (VRLT) laws flagged in our recent article have now passed into law, with the new bill receiving Royal Assent on 12 December 2023.

After updates made during Parliamentary debate, these changes now address one of the major concerns for people with holiday homes in Victoria raised in our previous article, but they still leave major uncertainty for owners whose holiday homes are held in trust or company structures.

Use by owner’s relatives now qualifies for exemption

The ‘holiday home’ exemption from VRLT will now apply where the owner or the owner’s relatives use and occupy the holiday home for four weeks each year (whether continuous or in aggregate). Previously, the exemption only applied to use by the owners themselves.

‘Relatives’ include the owner’s spouse or domestic partner, lineal ancestors and descendants, and siblings, as well as the owner’s spouse’s siblings and the spouses of the owner’s children and siblings.

This is welcome news for families who share use of a holiday home held in personal names.

Holiday homes held in companies and trusts

While the changes made by Parliament go some way towards a common-sense approach to the exemption now that the VRLT catchment area has been expanded State-wide, the application of VRLT to holiday homes owned within a company or trust structure remains outstanding.

This issue was considered in Parliament, but was not addressed in the final bill. Attorney-General Jaclyn Symes has stated that the government is “committed” to extending the exemption to holiday homes owned this way, but indicated that due to a “complexity” in incorporating such changes, this issue will be reconsidered in the first half of 2024. 

At this stage, therefore, there is no legislated exemption from VRLT for holiday homes owned in trust or company structures, and unless the Government follows through on the comments above, holiday homes held under such structures will be liable for VRLT from 2025.

Because there is no guarantee that changes will be made, owners of such properties would be wise to consider whether to lease them out for at least six months of 2024 so as to ensure they do not receive a VRLT assessment for 2025.

How we can help

The team at Moores is across the complex issues raised by the VRLT changes, and would be glad to help you or your clients to navigate the new rules.

We can assist with:

  • Advising on the impact of the changes on a specific person’s landholdings
  • Exploring options to ensure that a property is not vacant and caught by the VRLT regime
  • Exploring potential restructuring options, including tax and estate planning and administration implications


School record keeping obligations are multifaceted, and data retention remains an ongoing and complicated issue. Retaining data for too long increases the damage and significance of any data breach a school suffers. At the same time, we acknowledge that schools are also grappling with retention requirements, particularly regarding child safety information.

But how long is too long? Schools are not at liberty simply to dispose of all information relevant to a student once that student has left the school. For example, Victorian schools are obliged under Ministerial Order 1359 (MO1359) to create, maintain and dispose of records relevant to child safety and wellbeing in accordance with the Public Record Office Victoria (PROV) Recordkeeping Standards, including minimum retention periods (clause 6.2(f)).

But what does this mean in practice?

School recordkeeping obligations require schools to define their maximum retention periods for different categories of records and ensure these are applied across physical and digital information assets.

Child Safety and Wellbeing Records

The reference to ‘child safety and wellbeing’ in MO1359 is broader than the PROV standard PROS 19/08, which was introduced in response to the Royal Commission into Institutional Responses to Child Sexual Abuse. That standard requires organisations, in relation to records about organisational responses to child sexual abuse, to:

  • indefinitely retain records about the development of policy, strategy and procedure;
  • retain reporting and investigation records for 99 years; and
  • retain training and development records for 45 years.

Other considerations regarding recordkeeping

What about documents that are not ‘records about organisational responses to child sexual abuse’? This is where schools need to balance competing obligations, such as contractual and legal requirements, including under privacy law, which requires organisations to destroy or de-identify records when they are no longer required. Student data may include sensitive and health information and other detailed personal information that carries specific privacy obligations.

There are several matters to consider when balancing privacy and the MO1359 requirement to retain records relevant to ‘child safety and wellbeing’. We recommend all schools create a Data Retention Policy that outlines those considerations and identifies the retention periods for different categories of student data to have a clear understanding of their framework for data management and retention.

There is no ‘one size fits all’ document that will serve the school’s purpose in this regard. Each school will have to make decisions itself and develop its own policy.

The shift to digitised and digital records also means that schools need to consider privacy and data retention in their systems and applications. Privacy and data security risks can be managed by undertaking a privacy impact assessment to consider how the school’s requirements translate into new systems and processes.

How we can help

Moores has helped a number of schools and other education providers with the creation of Data Retention Policies since MO1359 came into effect in July 2022.

We have also facilitated privacy risk assessments for new systems and processes that impact student data and records management.

We are more than happy to guide you through the steps required to set adequate retention periods, implement new systems in alignment with your privacy requirements, and avoid data breaches involving such personal and sensitive information.


This article was originally published October 2022. Updated December 2023.


Uniform and dress codes regularly find themselves in the media, often when they are found to be at odds with changing societal expectations and values. Since 2017, female students at Victorian government schools have been allowed to wear shorts and trousers.1 Independent schools have a choice. Here we discuss the factors that may influence your school’s choices about uniforms and dress codes.

Community pressure and expectations

There is mounting pressure on schools to ensure that their uniform policies promote equal participation and are tailored to the needs of different students, including on the basis of their sex, religion, culture, disability and gender identity.

Anti-discrimination law

Students must not be discriminated against on the grounds of personal characteristics such as gender identity, religious belief or sexual orientation (among others). These characteristics may affect how a student can respond to a uniform requirement, and this can result in indirect discrimination. Indirect discrimination occurs when treating everybody the same way disadvantages someone because of a personal characteristic.


Example: Arora v Melton Christian College2

VCAT found the College had contravened the Equal Opportunity Act 2010 (Vic) because:

  • The uniform policy was a requirement imposed on the child.
  • The restriction on long hair disproportionately impacted the child, due to the religious beliefs of the family (Sikh).
  • The requirement that the child comply with the hair rule was unreasonable; the College could not prove it was reasonable.
  • Common identity, community and inclusivity through the uniform could be achieved without imposing the discriminatory requirement.

The Equal Opportunity Act 2010 (Vic) (the Act) contains an exception that permits schools to set and enforce reasonable standards of dress, appearance and behaviour for students (the Exception).3 A standard of dress will be ‘reasonable’ only if the school has taken into account the views of the school community in setting it. This means that if community views are changing, your standards may also need to change. The more extensive, engaging and collaborative the consultation process, the more likely the standard is to be considered reasonable. When did your school last review its uniform policy?

Health and safety

Could elements of the school uniform put students at risk? Consider the risks of:

  • Sunburn and heat stroke;
  • Jewellery, cords etc that could cause harm when playing sport or during active outdoor play;
  • School bags that are too heavy and/or pose risks of back injuries to students.

Child safety and wellbeing requirements

Ministerial Order 1359 requires schools to pay particular attention to the needs of students with a disability, students from culturally and linguistically diverse backgrounds and LGBTQIA+ students – who may be disproportionately impacted by uniform policies.

We have also written separately about transitioning to a more gender-inclusive school environment, and about the associated topics of bathrooms and events.

Setting a dress code can promote a shared sense of identity and pride, allow students to feel equal and enhance the profile of the school in the wider community. While a dress code can have many benefits, it should be sensitive to the needs of different students and sufficiently flexible to promote equal participation. Schools must balance the imposition of standards of dress and behaviour against their obligation not to discriminate against students on the basis of a protected attribute, one of which is sex, which is where the question of trousers for girls arises again.

Pants and trousers are less common options for girls under the dress codes in non-government schools. However, advocates for uniform reform argue that forcing girls to wear dresses and skirts reinforces rigid gender stereotypes, limits physical movement and makes girls less inclined to exercise or participate in sporting activities.

How we can help

Moores can help your school with:

  • Advice on anti-discrimination issues that arise in an education context.
  • Updating enrolment policies and agreements to ensure that they protect the legal interests of the school and comply with anti-discrimination law.
  • Resolving disputes with parents following complaints regarding discrimination.
  • Updating school policies and procedures, including dress codes and grievance procedures.
  • Delivering professional development sessions to staff and volunteers (e.g. equal opportunity training).

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.


The school year is coming to a close. Many students are already on summer holidays. We are certain teachers are looking forward to the holidays as well. Before you depart, we have some recommendations for our school clients to consider when planning your priorities for 2024.

The governance angle

  • Have policies been reviewed and approved this year, if required?
  • Has reporting to the Board been finalised?
  • Board skills review – who do you have? What are their skills? Are there cliques and cronies? Are members fit and proper? Do you need a board skills review?
  • Constitution – check director terms limits, and how a director can be removed (you will be surprised!)
  • External audit process – do you have a process for rigorous and regular external board evaluation and the ability to implement recommendations?
  • Workforce restructuring in the face of increasing costs and the payroll tax

Child safety

  • Have your staff, board and volunteers received their required annual training?
  • Have you empowered your students to understand their rights to safety over the summer holidays, for example, regarding risks of grooming?
  • What mechanisms have been put in place to address online safety and bullying between students?
  • Have recruitment processes for 2024 followed the child safety policy and met Ministerial Order 1359?
  • Are your inclusion practices intersectional? For example, how do your child safety practices support students with disability? What about inclusion of students and staff of different faiths?

Enrolment

  • Have offers been made and accepted for 2024?
  • What do these offer and acceptance forms say regarding the enrolment agreement? Is it a binding contract?
  • Have you considered recent legal changes in this space, namely Brindabella and the ACL amendments?
  • Have you made enquiries and considered what reasonable adjustments and resources you will need for new students?

Your school grounds and facilities

  • Will works be done on the school premises over the holidays?
  • What processes are in place regarding working with children checks for school building projects?
  • What access will children have to the school premises over the holidays? Can school premises be accessed by the public?
  • Will you be hiring your facilities over the school holidays? What do your arrangements with hirers require of them and are you adequately covered?

How we can help

Our Education team can help with any of the above recommendations to help you prepare for the summer holidays and the 2024 school year.


If you are unable to make a decision on your medical treatment, a health practitioner may need the consent of your Medical Treatment Decision Maker (MTDM) before they provide treatment.

Appointing a person to make medical decisions for you can be just as important as appointing an attorney to act for financial and personal matters. In Victoria, unlike some other Australian States, a MTDM is appointed under a separate document to that of a financial or personal attorney. The relevant legislation is the Medical Treatment Planning and Decisions Act 2016 (Vic) (Act).

As part of an estate planning matter, we talk to our clients about the importance of having the right people making decisions for them if they were to lose capacity – this includes consenting to or refusing medical treatment. Here are the 5 most commonly asked questions on matters relating to medical decisions.

1. Who can I appoint as my Medical Treatment Decision Maker?

You can appoint an adult person to make medical decisions for you provided you have decision-making capacity at the time of the appointment. You may decide to appoint one of your family members, another close relative or a friend. Your MTDM should be someone who you trust, who can communicate effectively, and who is willing to accept the responsibilities of the role. Your MTDM does not need to be the same person you appoint as your financial and personal attorney.

Only one person can act as your MTDM at any time. If you want to appoint more than one person to act, the decision-maker is the first person listed who is available, willing, and able to make the decision at the relevant time. 

The appointment of a MTDM must be made in writing in the prescribed form. It must be executed and witnessed in accordance with the requirements of the Act. A person appointed as your MTDM must also accept their appointment.

2. Who will make medical decisions for me if I do not appoint a decision-maker, or my appointed decision-maker is not willing and able to make the medical treatment decision for me?

If you do not appoint a MTDM, or your appointee is not available and willing and able to make a decision for you, then a guardian appointed by the Victorian Civil and Administrative Tribunal (VCAT) with the power to make medical decisions can act for you.

If there is no VCAT appointed guardian, your MTDM will be the first of the following who is in a close and continuing relationship with you:

  • spouse or domestic partner;
  • primary carer;
  • oldest available adult child;
  • oldest parent; and
  • oldest adult sibling.

3. What types of decisions can my MTDM make?

A MTDM must make the medical treatment decision that they believe is the decision you would make if you had decision-making capacity, subject to any conditions or limitations specified in a MTDM document. This includes consenting to treatment on your behalf, or refusing treatment. Your MTDM must consider:

  • Any valid and relevant values directive;
  • Any other relevant preferences that you have expressed;
  • The likely effects and consequences of the medical treatment; and
  • Whether there are any alternatives, including refusing medical treatment.

There are some exceptions to consent. A health practitioner does not require consent in the event of an emergency to save your life, prevent serious damage to your health or prevent you from suffering significant pain or distress.

A MTDM also cannot:

  • Make a decision about palliative care, but can advocate for your preferences and values to be taken into account; and
  • Make decisions with respect to voluntary assisted dying.

4. Can I change who I appoint as my decision-maker?

If you have capacity and you decide that one or more of the people you have appointed as your decision maker is no longer appropriate, you can revoke the appointment of your MTDM. You can do this by:

  • Completing a revocation document which must be in the prescribed form; or
  • Having a subsequent MTDM document in place, as a later document will revoke an earlier one.

VCAT also has the power to revoke an appointment of a MTDM. 

If you revoke your MTDM, you should inform your MTDM and any people who know of the appointment, such as your health practitioner or hospital. 

5. Can I provide directions about medical treatment I consent to and refuse?

In Victoria, you can make an advance care directive. This is a document where you can set out your binding instructions or preferences and values in relation to your medical treatment. 

You can give an advance care directive if:

  • You have decision making capacity in relation to each statement in the directive; and
  • You understand the nature and effect of each statement in the directive.

An advance care directive must comply with certain formal requirements. To be binding, the directive must be in writing, contain certain particulars, be signed by the person giving it and witnessed by two adults, one of whom must be a medical practitioner.

Some of the matters which you can address in an advance care directive are:

  • What matters most to you in your life?
  • Do you have any unacceptable outcomes of medical treatment after illness or injury?
  • What type of medical treatment do you consent to/refuse?
  • Would you like the document to expire on a particular date?

Any statement about palliative care in an advance care directive is regarded as a values directive. You cannot provide directions on voluntary assisted dying in an advance care directive.

You can amend or revoke an existing advance care directive, or make a new advance care directive should you change your mind or wish to record further directions.

How we can help

Appointing a MTDM allows you to control who will make medical decisions for you if you are not able to make them yourself. Your estate planning should incorporate a discussion on medical treatment decisions and the preparation of documentation to appoint a decision-maker. We can advise on, and prepare, a MTDM appointment as part of attending to your estate planning.


Children are particularly vulnerable to online harms. The increasing profile and powers of the eSafety Commissioner under the Online Safety Act 2021 (Cth) are partly designed to address this vulnerability, as are some of the possible amendments to the Privacy Act 1988 (Cth) (Privacy Act). Children increasingly rely on online platforms, social media, mobile applications and other internet-connected devices in their everyday lives. While acknowledging the many benefits these services provide to children and young people, there is equally a concern that thousands of data points are being collected, including information about their activities, location, gender, interests, hobbies, moods, mental health and relationship status.

The 2023 Australian Community Attitudes to Privacy survey results showed:

  • protecting their child’s privacy is a major concern for 79% of Australian parents; and
  • the privacy of their children’s personal information is of high importance to 91% of parents when deciding to provide their child with access to digital devices and services.

The Government Response to the Privacy Act Review has provided more clarity on the likely changes to the Privacy Act to better protect children’s privacy.

Amendments we are likely to see to the Privacy Act

Amendments we are likely to see include:

  • that a child should be defined in the Act as an individual who has not reached 18 years of age;
  • a prohibition on targeting a child unless it is in their best interests;
  • a prohibition on trading in personal information of children;
  • a prohibition on direct marketing to children unless there was direct collection and the direct marketing is in the child’s best interests;
  • a requirement that organisations must have regard to a child’s best interests in considering if collection, use or disclosure is fair and reasonable in the circumstances;
  • a Children’s Online Privacy Code to clarify how the best interests of children should be upheld in the design of online services; and
  • a requirement that valid consent must be given with capacity.

While the Government Response adopts only 38 of the 116 recommendations from the Attorney-General’s Department’s February Report, children’s privacy is one area where many of the recommendations are agreed to.

How we can help

Being committed to working with organisations on child safety and the safeguarding of other vulnerable Australians, Moores is well positioned to help organisations who work with children and vulnerable Australians implement these privacy changes. It is most commonly individuals who are already vulnerable who face greater risks of harm from interference with their privacy. More details about how we can help with privacy and data security are here.


The Privacy Act Review has been a work in progress since 12 December 2019, initially in response to the Australian Competition and Consumer Commission’s Digital Platforms Inquiry. Throughout this journey we have endeavoured to keep our community up-to-date, through our article series:

Now we have the next step in the process: the Government Response to the Privacy Act Review which responds to the Attorney-General’s Department Report published in February 2023 and adopts 38 of the 116 recommendations. Other recommendations are agreed to “in principle”. The Government Response has narrowed proposed amendments into five categories:

  1. Bring the Privacy Act into the digital age;
  2. Uplift protections;
  3. Increase clarity and simplicity for entities and individuals;
  4. Improve transparency and control; and
  5. Strengthen enforcement.

We explain these categories in more detail below.

Bring the Privacy Act into the digital age

This means changing the scope and application of the Privacy Act 1988 (Cth) (Privacy Act) to apply to a broader range of information and entities. For example:

The Government agrees in-principle that the small business exemption should be removed in light of the privacy risks applicable in the digital environment.1

However, the small business exemption will not be removed from the Privacy Act until further consultation has been undertaken and supports are afforded to small businesses to assist compliance.

Uplift protections

We’ve written previously about how privacy-by-design can help future-proof your operations for subsequent privacy breaches or data breaches. Now we have an official statement that:

The Government agrees in-principle that privacy settings for online services should reflect the ‘privacy-by-default’ framework of the Privacy Act.2

This is part of the possible amendments that collection, use and disclosure must be fair and reasonable in the circumstances, distinct from other requirements to collect or disclose such as consent. A fair and reasonable threshold for collection, use and disclosure is said to partly address “dark patterns” which are designs in systems and processes to nudge users towards consenting to more privacy intrusive practices.

An uplift in protections will likely also see more detail included in the Privacy Act as to what reasonable steps to secure personal information entail; that is, it entails both technical and organisational measures. Retention is another feature:

The Government agrees in-principle that entities should be required to establish their own maximum and minimum retention periods for personal information they hold and specify these retention periods in privacy policies.3

Some organisations will already have strict retention policies, such as schools in Victoria who are required to adhere to the Public Records Office Victoria Recordkeeping standards under Ministerial Order 1359. Another major possible change is the reduction in the notification period under the Notifiable Data Breach Scheme to 72 hours. Again, this is only agreed to “in principle” and further consultation is flagged as the next step.

Increase clarity and simplicity for entities and individuals

This includes introducing definitions of key terms, such as collection, disclosure and consent. Another key change would be the introduction of a distinction between controllers and processors of personal information. These are terms found in the European Union’s General Data Protection Regulation (GDPR), generally considered the global gold standard in privacy protections for individuals. Aligning with the GDPR is acknowledged to “reflect the operational reality of modern business relationships, and reduce the compliance burden for entities acting as processors”.4

To further support international trade and business, the Government agrees a mechanism should be introduced to prescribe countries with substantially similar privacy laws. This replicates the function of adequacy decisions under the GDPR.

Improve transparency and control

Australians overwhelmingly (84%) want more control over their data. While privacy policies and collection notices are intended to provide individuals with transparency, consultation revealed concerns that privacy policies and collection notices are often complex, lengthy, legalistic and vague. To address this, the Government agrees in-principle that:

  • privacy notices should be clear, up-to-date, concise and understandable, with appropriate accessibility measures in place;
  • standardised templates for privacy policies and privacy notices should be developed for voluntary adoption by entities, which could include standardised icons, layouts and phrases to better support consumers to make quick and informed decisions; and
  • collection notices should also specify if information is collected, used or disclosed for high privacy risk activities, how to exercise individual rights and the types of personal information that may be disclosed to overseas recipients.

We may also see the introduction of individual rights in addition to the existing rights of access and correction. These could include the right to an explanation of how information is used and the right to require deletion (i.e., similar to the GDPR’s right to erasure). Individuals could also be given the ability to bring legal action under a statutory tort for serious invasions of privacy, which would be based on a model proposed by the Australian Law Reform Commission in 2014.5

Strengthen enforcement

While we saw increased penalties for serious interference with privacy introduced in 2022, there is a possibility for:

  • a mid-tier civil penalty provision to address interferences with privacy which do not meet the threshold of being ‘serious’; and
  • a low-level civil penalty provision for specific administrative breaches of the Privacy Act and Australian Privacy Principles.

How we can help

There are a lot of proposed reforms, but no Bill before Parliament as yet. At this stage, we recommend organisations focus on getting their house in order to prepare for changes to the law. One place you can start is to reflect on what data you collect and where you store it. We can help with this first stage through a Privacy Audit, designed to map your information handling practices and identify areas for improvement. We can work with you to address any more specific concerns you may have and design a tailored product for your organisation. More details about how we can help with privacy and data security are here.



1 Australian Government, Government Response Privacy Act Review Report, (28 September 2023) page 7.

2 Australian Government, Government Response Privacy Act Review Report, (28 September 2023) page 9.

3 Australian Government, Government Response Privacy Act Review Report, (28 September 2023) page 10.

4 Australian Government, Government Response Privacy Act Review Report, (28 September 2023) page 17.

5 Australian Government, Government Response Privacy Act Review Report, (28 September 2023) page 21; Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era (ALRC Report 123) 3 September 2014.

The statistics are in. The Office of the Australian Information Commissioner (OAIC) conducted a survey of Australians this year and the results show privacy is a growing concern and priority for Australians.

  • 62% of Australians surveyed see the protection of their personal information as a major concern in their life;
  • 74% of Australians surveyed consider data breaches to be one of the biggest privacy risks they face today;
  • Only 32% of Australians surveyed feel in control of their data privacy; and
  • 84% of Australians surveyed want more control and choice over the collection and use of their personal information.1

OAIC Survey results

How to prioritise privacy and build trust with stakeholders

Privacy is inherently about trust and identity. By sharing personal information about themselves with your organisation, individuals are placing trust in your organisation that you will respect their identity – our information or data is an extension of self-expression and identity.

To grow this trust, we recommend organisations:

  • Review their privacy policy to ensure it reflects current information handling practices. The requirement to have a privacy policy is based on openness and transparency about information handling practices.
  • Implement tailored, clear and concise collection statements. This will address the desire for more control and choice over the collection of personal information.
  • Only collect the information you actually need. In addition to this being recommended to reduce risks of data breaches impacting greater swathes of data, and a requirement under certain privacy legislation2, it builds trust in your stakeholders. The OAIC’s survey found less than half of people trust organisations to only collect the information they need.

Where to start in making privacy a priority

As a starting point to take steps in making privacy a priority, you can:

  • Review the detailed legislative guidance published by the OAIC for information about privacy policies and collection notices;
  • Embed a culture of Privacy Impact Assessments and privacy-by-design; and
  • Map how and where your organisation collects and stores personal information.

How we can help

We know you are busy. We know many of our clients include the role of Privacy Officer in a broader risk and compliance role. We can support you with directions on how to start through our online publications – such as our Privacy Toolkit – or we can take on these projects for you. This can be a full privacy audit that will start with mapping your data assets, reviewing your information handling practices and processes, and proposing changes to systems and policies. Alternatively, we can discuss what other projects may look like for your organisation and design a tailored offering to your needs. More details about how we can help with privacy and data security are here.



1 The 2023 Australian Community Attitudes to Privacy Survey

2 For example, the Health Records Act 2001 (Vic).