In 2022, the Privacy Act 1988 (Cth) (Privacy Act) was amended to increase penalties for serious or repeated interferences with privacy – a.k.a. breaches of the Australian Privacy Principles (APPs). You can read more about this in our article: We have a Privacy Bill, but some promised reforms will have to wait.
Now, in 2023, we have more action on the Privacy Act Review. The Attorney-General’s Department has published a report containing over 100 concrete proposals of reform, seeking consultation and feedback from the public.
Below we summarise the proposed amendments which will have the greatest impact on schools and other educational organisations such as Out of School Hours Care, TAFEs, Registered Training Organisations and key providers of services to schools.
More information captured by the APPs
It is likely the definition of “personal information” will be broadened to capture more information. This means the APPs, and the Notifiable Data Breach Scheme (NDB Scheme) will apply to more information. The proposed change to this definition is partly due to considerable confusion identified in previous consultation about what is exactly covered by the Privacy Act.
A technical change, it is proposed that the word “about” in the definition of personal information is changed to “relates to”. This significantly expands the reach of the Privacy Act to cover instances when a person may be mentioned or referred to, even if the information is primarily about another person.
No more employee records exemptions
Currently, the anomalous “employee records exemption” means Australian private sector employers do not need to comply with the APPs for large swathes of personal information they hold about their employees.
The proposed amendment suggests the security requirement of APP 11.1 and the NDB Scheme should both apply to employee records. It does not suggest that all the APPs should apply to employee records, as a consideration is the need for employers to have “adequate flexibility” to handle the information about employees they need.
The General Data Protection Regulation (GDPR), Europe’s privacy law and the global “gold standard”, does not include an equivalent exemption.
Privacy rights and protections for children
There are a few proposed amendments which relate to children. We intend to publish more detailed information about these which goes beyond the below summary.
Who is considered a “child”?
- Define a child as under 18 years of age. Currently, schools and organisations need to apply the “Gillick competence” test, which is to consider the child or young person’s capacity to understand and consent; or
- Embed the 15-year-old assumption of capacity in the Privacy Act.
Other proposed changes
- Implement a Children’s Online Privacy Code to ensure collection notices and privacy policies for only services targeted to children are clear and understandable by that age group.
- Require organisations to have regard to the best interests of children when handling their information, and designing online services.
Shorter data breach reporting periods
The proposed new data breach reporting obligation would require schools and other organisations covered by the NDB Scheme to notify the Office of the Australian Information Commissioner (OAIC) within 72 hours of becoming aware of a data breach, so that, when a data breach occurs, quick action can be taken to minimise harm to affected individuals.
The current requirement is 30 days. This is a significant change, and will require schools to upskill in their data breach responses.
How we can help
These proposed amendments, and many others, are already considered best practice in the industry. We can help you prepare for the coming reforms, and upskill your school, to aim for best practice privacy protection measures. We can do this by offering training to your staff, reviewing policies and procedures, and conducting a privacy compliance audit.
Please contact us for more detailed and tailored help.
Subscribe to our email updates and receive our articles directly in your inbox.