Breaking down the Privacy Act Review Report #1: More Personal Information to be captured by the Act

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

Under proposals 4.1-4.4 of the Report, changes to broaden the definition of Personal Information are on the horizon. Under the proposed amendments, the word “about” in the definition of Personal Information will be amended to “relates to”. That is – “information or an opinion that relates to an identified individual…”. This brings the definition in line with other legislative frameworks that regulate privacy and ensures consistency with the language used in the GDPR definition of ‘Personal Data’.

Amendment of the definition of ‘collection’ is also proposed to expressly cover information obtained by any means, including inferred or generated information. The Report also states that ‘reasonably identifiable’ should be supported by a non-exhaustive list of circumstances to which APP entities will be expected to have regard to in their assessment of what is ‘Personal Information’.

What does this mean for my organisation?

With such a broader interpretation, APP entities will need to have regard to a larger set of information that could fall within the definition. This will see information such as mobile location data, IP addresses, social media handles, mobile advertising IDs and other technical information more clearly fall within the definition.

Where to next?

While these proposals are still in the consultation phase and we cannot guarantee that they will be put into force, the change has been put forward since the publication of the Privacy Act Issues Paper in October 2020.

This will likely have an impact on a number of policies and practices with entities also needing to note the further information they are collecting in their privacy policies. We can see this having a particularly large impact on digital marketing and the AI industry including those utilising AI technologies in their business.