It has only been three months since the Attorney General’s Office released its report (Report) on the proposed amendments to the Privacy Act 1988 (Cth) (Privacy Act). The Report made 116 recommendations for reform. The recommended reforms are extensive and will, if implemented, have a substantial effect on how businesses regulated under the Privacy Act (APP entities) may lawfully collect, use and disclose personal information.
In this article, we deal with the Report’s proposals for the introduction of new rights of individuals in relation to their personal information.
The Report has proposed six rights for individuals whose personal information is collected, used or disclosed:
While privacy advocates welcome the strengthening of individual rights, APP entities may find compliance with the changes challenging – particularly the first four rights listed above.
Many people may believe it is inevitable that their information will be made public, misused or stolen in a data breach. The first four rights proposed as listed above aim to empower individuals to take control of the information APP entities hold about them.
The first step to empowerment is knowledge. It is important for individuals to know what information APP entities hold about them, and how it is used. Once they gain an understanding of what there is and how it’s used, individuals can exert greater control over their information.
The ability to object to the collection, use or disclosure, and to request erasure, of personal information offers individuals the ability to minimise the volume of information that’s in the wild and outside their control.
An individual’s right to request that an APP entity should correct inaccurate, incomplete or misleading personal information already exists as Australian Privacy Principle 13. The Report proposes to extend this right to generally available publications online that are controlled by an APP entity. The extension of this right of correction could throw up issues in the context of subjective information (e.g. an opinion about the individual).
If the individual rights above are actually introduced, an APP entity will need to map out where data are held, ensure that the data can be erased, and map data flowing to third parties. The APP entity would also need to prepare processes for dealing with each type of request, and train its personnel tasked with managing personal information in relation to those processes.
The right to have search results de-indexed is rather narrow and won’t be addressed in this article.
Currently, individuals have very narrow avenues available to them if they wish to take action for interferences with their privacy. Individuals may submit a complaint to the Information Commissioner, apply to the Federal Court for injunctive relief and/or, in relation to credit reporting, apply to the Federal Court for compensation depending on the situation.
Under the Privacy Act in its present form, individuals do not have the ability directly enforce their privacy rights in court, aside from participating in a class action.
The introduction of the ability for individuals to enforce their privacy rights against APP entities and to take direct action in relation to interferences with their privacy, would improve individuals’ control of their information. If introduced into law, the right would be available to any individual, or group of individuals, that have suffered loss or damage as a result of an APP entity’s interference with their privacy rights. Importantly, the concepts of ‘loss or damage’ would include injury to the individual’s feelings or feelings of humiliation. The direct right of action if introduced into law would clearly incentivise APP entities to comply with the Privacy Act, particularly where it collects, uses and/or discloses numerous individuals’ personal information.
A ‘gateway’ model is likely to be adopted for the direct right of action. A complainant would first have to submit a complaint to the Office of the Australian Information Commissioner (OAIC) or another body to be assessed for conciliation. If the submission is successful and the matter is conciliated, but the conciliation of the matter was unsuccessful the complainant could elect to take action in court. Utilising the OAIC as a first step gateway would reduce potential cost barriers for enforcement of individual rights, and would also reduce the risk of overloading the court system.
With the introduction of some or all of the rights of individuals, APP entities will need to reassess and strengthen their Privacy Act compliance. There are several things APP entities can do in order to get ahead:
If you found this insight article useful and you would like to subscribe to Gadens’ updates, click here.
Antoine Pace, Partner
Clare Smith, Associate
Freya vom Bauer, Associate