Privacy Act Review: Small charities and NFPs likely to be captured

On 30 October 2020, the Government published the Issues Paper and Terms of Reference (Issues Paper) for its review of the Privacy Act 1988 (Cth) (the Privacy Act).

The review builds on the Government’s announcement in March 2019 of reforms to increase the maximum civil penalties under the Privacy Act and develop a binding privacy code to apply to social media platforms and other online platforms that trade in personal information.

Large-scale reforms are also likely to mean that, for the first time since the Privacy Act was introduced in 1988, small and micro organisations with a turnover of less than $3M, including charities, churches, schools and early childhood services, will be required to comply.

This arguably represents a significant imposition on a sector which has already seen a drop in income in 2020, even as demand for its services, particularly welfare and mental health, has boomed. It is likely to add to the pressure on smaller organisations to merge in order to gain economies of scale and be positioned to attract funding, which is not without impact on sector diversity and jobs. Other important mooted changes include:

  • An updated definition of ‘personal information’ to include technical data and online identifiers;
  • An individual right to erasure of personal information; and
  • Strengthening of individuals’ rights to privacy by equipping them with a direct right to enforce privacy obligations under the Privacy Act and inclusion of a statutory tort for ‘invasion of privacy’.

If implemented, these changes would require organisations to reconsider how they define personal information and would necessitate technological change in order to implement and operationalise the reforms. Below we detail the steps your organisation may need to take in response to these amendments.

What is the Privacy Act Review considering?

Removal of the small business exemption

Currently, organisations with an annual turnover of less than $3 million generally do not need to comply with the Privacy Act. The Government is considering the appropriateness of this threshold and whether it should be removed. Removal would dramatically increase the number of organisations that need to comply with the Privacy Act.

Definition of personal information

In order to keep up with technological advancement, the Australian Competition and Consumer Commission recommended in its inquiry into digital platforms that the definition of personal information under the Privacy Act should include technical data such as IP addresses, location data, device identifiers and any other online identifiers. This change would require an organisation to adapt its privacy processes and procedures to ensure this data is protected in the same way as the other personal information that it collects, uses and discloses.

The right to erasure

Under current law, organisations must destroy or de-identify personal information once it is no longer needed for the purpose for which it was collected. An individual right to erasure would not replace this obligation; it would sit alongside it and give individuals their own right to request erasure of their data. The right would be subject to exceptions, so that it would not:

  • override existing obligations to retain personal information for legal reasons;
  • overshadow public interest reasons for retaining information (such as retaining information in the interests of national security); or
  • negatively affect freedom of expression and the free flow of information.

By giving individuals more control over their personal information, this right would enable them to make a request for erasure directly to the organisation holding their personal information. They would no longer need to seek a declaration from the Office of the Australian Information Commissioner (OAIC) to have their personal information deleted.

In response to this recommendation, you may like to consider whether your current organisational data retention practices would enable you to swiftly respond to an individual’s request for deletion of their personal information.

Stronger Privacy Protection

The review is currently considering whether a direct right of action should be created for individuals to enforce privacy obligations, or a statutory tort of privacy should be created.

A direct right of action to enforce privacy obligations

Currently, there is no right under the Privacy Act for individuals to seek compensation through the courts for interference with their privacy. Instead, a privacy complaint must be lodged with the OAIC, and once the OAIC has made a determination, a complainant may then apply to the Federal Court or the Federal Circuit Court to enforce that determination. A direct right of action would enable individuals to bring actions or class actions against organisations to seek compensatory damages as well as aggravated and exemplary damages for breach of privacy.

The Issues Paper states that this direct right of action would be confined to serious rather than trivial breaches of the Privacy Act and a requirement would be imposed on complainants to take genuine steps to resolve their matter (by, for example, attending conciliation) before filing a complaint in court.

Statutory tort of privacy

As an alternative to a direct right of action, the Government is also considering a statutory tort for invasion of privacy, which would give individuals a cause of action for serious invasions of their privacy. However, the Issues Paper does note that the need for such a tort may be reduced by recent changes to criminal law that already address serious invasions of privacy, such as image-based abuse. On balance, the Issues Paper seems to favour a direct right of action.

Next steps

We expect further announcements by the Government next year, with a second issues paper due for release in early 2021. In the interim, if you believe your organisation may be affected by these changes, you should consider whether:

  • your data collection and retention practices comply with the current requirements of the Privacy Act; and
  • your organisation would be in a position to adapt to the proposed changes.

Furthermore, given the increase in online attacks and data breaches during the pandemic, it is more important than ever that organisations comply with Privacy Act requirements. You are therefore encouraged to ensure that:

  • your privacy policies and procedures are up-to-date and compliant;
  • you are collecting and retaining data and personal information safely and securely; and
  • you act swiftly in response to known or suspected data breaches or privacy interferences, including assessing whether a breach must be notified under the Notifiable Data Breaches scheme.

How we can help

If you would like further information about the proposed changes to the Privacy Act, or assistance with ensuring your organisation has up-to-date and compliant privacy practices and procedures, please do not hesitate to contact us.