Tag:Australian Privacy Principles

1
Australian Privacy Law Reform – The Wait is (Almost!) Over
2
Australian Privacy Reform Series Refresher: What Are These Reforms?
3
Privacy obligations when collecting COVID-19 vaccination status
4
Australian Privacy Act Under Review
5
OAIC’s controversial decision broadens scope for the disclosure of personal information
6
Hold the phone…is “metadata” personal information? Who knows?

Australian Privacy Law Reform – The Wait is (Almost!) Over

By: Cameron Abbott, Stephanie Mayhew, and Rob Pulham

The long-awaited privacy reform has finally been introduced into the Australian Parliament today with the introduction of the Privacy and Other Legislation Amendment Bill 2024. Described as ‘Tranche 1’ of the reforms, the Bill introduces significant uplifts to several aspects of Australia’s privacy laws.

The proposed changes include:

  • The long-touted statutory tort for serious invasions of privacy;
  • As we predicted, new ‘tiered’ penalty provisions which will apply as soon as the law comes into force, allowing the Commissioner to issue infringement notices of up to US$66,000 for specific breaches of the Australian Privacy Principles (APPs), including:
    • Not having a privacy policy, or not having a fully compliant privacy policy;
    • Not allowing individuals to remain anonymous or use a pseudonym (unless it is impracticable to do so);
    • Not keeping written records of certain disclosures;
    • Not complying with the direct marketing provisions in APP 7;
    • Not dealing with correction requests; and
    • Not providing compliant notifications about data breaches.
  • Introduction of an ‘adequacy’ recognition mechanism into APP 8, to make it easier for organisations to disclose personal information to third parties outside Australia – specific permitted countries or binding schemes will be specified for these purposes in the regulations, and disclosures to third parties in those countries or subject to those binding schemes will be permitted without the disclosing organisation being required to take additional steps to ensure the recipient complies with the APPs in relation to that information;
  • Additional notice requirements in entities’ privacy policies regarding use of automated decision-making (the transitional provisions allow for a period of 24 months before this takes effect);
  • Additional protections for minors, by paving the way for the introduction of a Children’s Online Privacy Code, which must be developed and registered by the Commissioner within 24 months of the law coming into force;
  • A new criminal offence for malicious release of personal data online, known as ‘doxxing’, with jail terms for publishing private details with the intent of causing harm, including up to 7 years’ imprisonment if the person or group is targeted on the basis of their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin;
  • Additional entry, search and seizure powers to the Commissioner; and
  • Additional orders which may be made by the Federal Court for contraventions of the Privacy Act.

Although the changes are yet to be passed, now is most certainly the time to ensure your organisation has at least the most basic (and visible) privacy compliance measures in place, and to start considering the make-up of your organisation’s privacy reform project team.

Australian Privacy Reform Series Refresher: What Are These Reforms?

By Cameron Abbott, Rob Pulham, and Stephanie Mayhew

In 2023 the Attorney-General’s Department released the “Privacy Act Review Report” (Review Report), which considered whether the Australian Privacy Act 1988 (Cth) and its enforcement mechanisms are fit for purpose in an environment where Australians now live much of their lives online and their information is collected and used for a myriad of purposes in the digital economy.

Read More

Privacy obligations when collecting COVID-19 vaccination status

By Cameron Abbott, Rob Pulham and Ella Richards

Some Australian jurisdictions have imposed obligations on businesses and employers to either sight, or collect and hold, information about their workers’ COVID-19 vaccination status, or to take reasonable steps to ensure unvaccinated individuals do not enter their worksites or premises. For example, on 7 October 2021, the Premier of Victoria released Directions that require employers to collect information about workers’ COVID-19 vaccination status before allowing them to work anywhere outside of the employees’ usual place of residence. Industry-specific obligations (with some differences to those Directions) also apply to some settings such as education, construction and healthcare. Similarly, under public health orders in New South Wales, certain businesses from 11 October 2021 must take reasonable steps to ensure people who are not fully vaccinated do not enter their premises.

The Victorian Government Directions for workers are in effect from today, 15 October 2021, meaning that many employees must provide proof of either receiving their first dose or having booked their first dose by 22 October 2021.

To comply with privacy obligations (including under applicable health records legislation), employers must provide employees with a clear collection statement that outlines, among other things:

  1. the types of sensitive information that the employer is collecting;
  2. the purpose of the collection;
  3. who the employer may disclose the information to, including specifying if any of these parties are outside of Australia; and
  4. a reference to the employer’s Privacy Policy that applies to the information collected about employees.

Even where a business is not subject to these mandatory collection requirements, they may wish to collect this information from employees to assist the business to maintain a safe and secure working environment (including, for example, to provide encouragement to staff to get vaccinated – subject to the requirements around providing incentives to do so).

If you would like advice on your Privacy obligations as an employer, please reach out to Cameron Abbott from our Privacy team. For further information on the Victorian Government Directions, see the Alert from our K&L Gates employment team here.

Australian Privacy Act Under Review

By Cameron Abbott, Rob Pulham and Keely O’Dowd

In December 2019, the Australian Government announced it would conduct a review of the Privacy Act 1988 (Cth).

A year has almost passed and finally the Australian Government has publicly released details about the review. On 30 October 2020, the Australian Government released the Terms of Reference of the review. In particular, the review will cover:

  • The scope and application of the Privacy Act
  • Whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices
  • Whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act
  • Whether a statutory tort for serious invasions of privacy should be introduced into Australian law
  • The impact of the notifiable data breach scheme and its effectiveness in meeting its objectives
  • The effectiveness of enforcement powers and mechanisms under the Privacy Act and how they interact with other Commonwealth regulatory frameworks
  • The desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.
Read More

OAIC’s controversial decision broadens scope for the disclosure of personal information

By Warwick Andersen, Rob Pulham and Georgia Mills

In 2017 Andie Fox, a recipient of Centrelink benefits, wrote a highly critical opinion piece on Centrelink’s debt recovery system, alleging that she was being pursued for a non-existent debt.  In response Centrelink provided Ms Fox’s personal information, previous communications and claims history to a journalist who published an article claiming that Centrelink had been ‘unfairly castigated’ by Fox.  The OAIC commenced an investigation into the release and has controversially confirmed Centrelink’s disclosure as permitted under the Privacy Act.

Read More

Copyright © 2024, K&L Gates LLP. All Rights Reserved.