First reaction to the Government's response to the Privacy Act review — IIS Partners

By Natasha Roberts

Two weeks ago, the Government released the Response to the Privacy Act Review Report. And for many of us, who participated in multiple rounds of consultation, who engaged with critical law reform questions, who offered solutions to challenges created by the digital age, who hoped the Government was ready to take an ambitious leap forward…

First, there was a feeling of disappointment…

…as we came to terms with the fact that the Government had agreed to only 38 of a possible 116 proposals, and ‘agreed-in-principle’ to a further 68. No ambitious leap. More of a reluctant step forward in which the privacy law ‘can’ was kicked down the information superhighway. What ‘agreed-in-principle’ will mean in practice remains unclear. Naturally, many of us are concerned about the potential for serious watering down or backing down. Only time will tell.

…next, we took stock of the missed opportunities…

Perhaps unsurprisingly, the Government decided against taking up proposals to narrow the political exemption. We will leave it to others to point out the double standard inherent in this decision.

But, we in the privacy and security community are a pragmatic bunch and must invest our energies in…

The parts the Government got right

While the ‘agree-in-principle’ (rather than the straight ‘agree’) response to many proposals introduces uncertainty, there is, at least, an opening to work with Government to push those proposals forward. The following reforms have the potential to make a real difference to the privacy rights and protections of everyday Australians:

Updating the definition of personal information to close gaps in protection, particularly online. We particularly commend the Government’s recognition of the privacy impact of individuation. In its response, the Government made clear that it ‘considers that an individual may be reasonably identifiable where they are able to be distinguished from all others, even if their identity is not known’ (p 5). A change to the scope and coverage of the Privacy Act along these lines could mean a significant uplift in privacy protection.

Introducing a ‘fair and reasonable’ test. Currently the Privacy Act offers little direction on the uses an organisation may make of personal information, except that the information must be necessary to a defined use and should not be used for other purposes (except in certain prescribed circumstances). This gives considerable latitude to organisations and leaves open the possibility that information is used for activities that do not meet community expectations.

Which is why the Government’s agreement-in-principle to a ‘fair and reasonable’ test – which would apply irrespective of whether consent has been obtained – is so welcome. The Privacy Act is in serious need of rebalancing. Privacy responsibilities – which are currently borne too heavily by individuals (under the at times deceptive doublespeak of ‘choice’ and ‘consent’) – should be transferred to organisations. Our hope is that, in the future, it will be harder for individuals to ‘consent away’ their rights to fair and reasonable information handling.

Strengthening children’s privacy. The Government has agreed-in-principle to a suite of proposals aimed at protecting children, particularly online. This includes restrictions on targeting of children online and prohibition of trading in children’s personal information. It also includes the development of a Children’s Online Privacy Code to ensure the best interests of the child are upheld in the design of online services, and to provide further guidance on how entities are expected to meet requirements regarding targeting, direct marketing and trading. We applaud this.

Aligning privacy and security. The law reform environment in Australia, broadly, has an information security flavour right now (or at least, one that is cognisant of the deep impacts of advanced persistent threats and cyber-crime and the impact of data breach on individuals), which highlights necessity of digital and data initiatives operating in an environment that is safe-for-work. The set of proposals (21.1-21.8) in the ‘Security, retention and destruction’ chapter are clearly reflective of this.

It is great to see that there will be clarity around securing personal information – with what ‘reasonable steps to secure personal information’ in APP 11 actually means in practice to be embedded in legislation. The Government has also agreed-in-principle to organisations being required to meet baseline privacy outcomes that are aligned with the forthcoming Australia’s Cyber Security Strategy. Given the common goals of the Government’s privacy and information security mandates, we look forward to seeing further developments here.

A final word on the law reform process

Regulating information privacy is notoriously difficult and multifaceted. The challenge is compounded by a rapidly evolving digital environment. The Privacy Act Review could have sat languishing in a backroom of the Attorney-General’s department, un-responded to and un-actioned. Instead, the Government has responded to the review and published its response. For this we are grateful. Yes, there have been some areas of disappointment in the Government response but overall, we’re encouraged to see the Government moving forward, despite the challenges.

Be assured that we will be watching closely to see how the next stage plays out.

Please contact us if you have any questions about the Privacy Act reform process and how it may affect your organisation. You can also subscribe to receive regular updates from us about key developments in the privacy and security space.