Increased Accountability Obligations: Privacy Act Review Report Deep Dive Part 4
In February 2023, the Australian Attorney-General released its Privacy Act Review Report 2022 and we promised a series of deep dives into some of the key thematics.
So far, we’ve covered:
- Deep Dive 1: Security, data breach notification and retention
- Deep Dive 2: New definitions in the Privacy Act
- Deep Dive 3: New Australian Laws Proposed for Direct Marketing, Targeting, & Data Analytics
This deep dive focuses on the increased accountability obligations recommended in the report.
Accountability and why it is significant
Accountability is a key building block for effective privacy regulation and management[1]. In the Privacy Act, accountability covers the different actions and controls that an entity must implement to comply with, and demonstrate compliance with, the privacy regulatory framework. Accountability is a key concept and concern for complying with principles-based legislation like the Privacy Act. After all, it is much simpler and more certain for a regulator to prosecute a company for not having a licence, when (for example) section 36(d)(iii) of the Act requires you to have a licence, than for a regulator to bring the same company to account for not managing personal information in an open and transparent way, in accordance with Australian Privacy Principle 1.
The recommendations at a glance
The Privacy Act Review Report recommends several express accountability requirements which go some way to providing entities with clarity about the steps they should take to meet their ongoing compliance obligations under APP 1, and will also provide, no doubt, more definite grounds for prosecutions than those currently available.
The proposed accountability reforms address the following themes:
- Public-facing privacy notice requirements
- Internal organisational accountability measures
- Transparency and disclosure obligations to other stakeholders.
We consider each of these in turn below, but you will see that the common goal across these themes is to make the legislation more prescriptive and specific.
Increased public-facing privacy notice requirements
The specific recommendations made in relation to public-facing privacy notice requirements involve:
- Existing requirements for both an APP 1.3 privacy policy and an APP 5 collection notice are here to stay, but they need to be clearer, particularly for children: Despite submissions pointing out a preference to provide only a privacy policy (on the basis that it generally contains all the information required for an APP 5 collection notice, making the collection notice duplicative), the overriding view was that giving more notice to individuals was better than less. The A-G noted that the privacy policy describes an entity’s overall information handling practices, whereas the collection notice should be specifically addressed to a particular scenario. The A-G recommended that privacy policies and collection notices need to be clearer and more easily understandable, particularly for information specifically addressed to a child. In proposal 16.3, the A-G recommended that guidance on child-appropriate privacy policies and collection notices should be specified in a Children’s Online Privacy Code.
- Content of APP 5 collection notices to be updated (Proposals 10.1, 10.2, 23.5): At present, entities are required to take reasonable steps to provide a collection notice to individuals to notify them of the matters referred to in APP 5.2 (e.g. the entity’s identity and contact details, the fact and circumstances of the collection, the purposes of collection and the consequences if the personal information is not collected). The A-G recommended that there should be a new express legislative requirement for APP 5 collection notices to be more concise, clear, up-to-date and understandable, and that the following new matters be included in an APP 5 collection notice where needed in the circumstances:
- the collection, use or disclosure of personal information for ‘high privacy risk activities’ (i.e. any activities that are ‘likely to have a significant impact on the privacy of individuals’);
- a reference to the privacy policy containing details on how an individual can exercise any applicable privacy rights;
- the types of personal information that the entity discloses to overseas recipients (in proposal 23.5 of the report, the A-G recommended that entities be required to specify the overseas locations of the entities to which personal information would be disclosed, as well as the types of personal information that may be disclosed to those overseas recipients).
- Additional content to be considered for inclusion in privacy policies (Proposals 19.1, 19.2 and 19.3): The A-G also made recommendations for mandating inclusion of the following additional content in privacy policies:
- the types of personal information that will be used in automated decision making which may have a legal or similar significant effect on an individual’s rights (proposal 19.1); and
- how entities use personal information to make substantially automated decisions with legal or similar significant effect (proposal 19.3)[2].
- Greater transparency about targeting practices (proposals 20.3 and 20.9): Following the call for greater transparency about practices made by the Australian Competition and Consumer Commission’s (ACCC) 2019 Digital Platforms Inquiry Final Report, the A-G recommended that entities provide information about ‘targeting’ (which was defined in proposal 20.1 of the report to mean the collection, use or disclosure of information relating to an individual for tailoring services, content, information, advertisements or offers provided to, or withheld from, them), including clear information about the use of algorithms and profiling to recommend content to individuals. Whilst it wasn’t made clear whether this further information should be included in the APP 5 collection notice and/or the privacy policy, there was certainly a desire by the A-G to provide individuals with greater awareness and understanding about how targeting systems work and why they are being targeted with certain content. The A-G also recommended that entities give individuals an unqualified right to opt-out of receiving targeted advertising.[3]
- New templates for privacy policies and collection notices (Proposal 10.3): Considering the concern shared by many that privacy policies and collection notices are just too complex, lengthy, legalistic and vague, the A-G made recommendations for the use of standardised templates and layouts for privacy policies and collection notices.
Increased internal organisational accountability measures
The specific recommendations made in relation to this theme involve:
- New requirement for general records of compliance (proposal 15.1): A central component of a privacy management program is a process for conducting the privacy impact assessments which are critical to facilitating ‘privacy by design’ and ‘privacy by default’. Whilst the A-G didn’t go so far as to recommend including privacy by design as a requirement in law (as done in the EU and the UK under their respective GDPR laws), the A-G did recommend that entities be obligated to record the purposes for which personal information is collected, used and disclosed before collecting it for a primary purpose or using or disclosing it for a secondary purpose. This new requirement of recording the primary and secondary purposes for which personal information is collected, used and disclosed would assist entities to focus on the adequacy of their current practices.
- New requirement to appoint a senior employee responsible for privacy (proposal 15.2): The objective of enhancing organisational accountability of entities for their personal information handling practices was similarly supported by the A-G recommending that entities appoint or designate a senior employee responsible for privacy within the entity. This person should be the first point of contact for privacy matters within an entity and should be responsible for ensuring that day-to-day operational privacy activities are undertaken. Whilst we expect this should improve privacy governance and foster a culture of respect for privacy within organisations, finding experienced privacy professionals is likely to prove a challenge.
- New requirement to conduct PIAs for high privacy risk activities (proposals 13.1 and 13.2): There is currently no express requirement in the Privacy Act for organisations to complete privacy impact assessments before commencing high privacy risk activities. The A-G recommended that this be mandated with a ‘high privacy risk activity’ being defined as any function or activity that is likely to have a significant impact on the privacy of individuals[4].
- Biometrics: The A-G also recommended that there should be enhanced risk assessment requirements for facial recognition technology and other uses of biometric information, although this should be further detailed as part of a broader consideration by government of the regulation of biometric technologies.
New transparency and disclosure obligations in special cases
The A-G made recommendations for new transparency and disclosure obligations impacting employee records, political parties and disclosure of personal information in emergency situations:
- Employment scenarios (proposal 7.1): Private sector employees should be afforded enhanced transparency regarding what their personal and sensitive information is being collected and used for, in contrast to the current situation where employee records that directly relate to an employment relationship are exempt from the Privacy Act[5].
- Political parties (proposal 8.2): Each ‘registered political party’ will need to publish a privacy policy which provides transparency in relation to their acts or practices. Currently, registered political parties are exempt from having to comply with the Privacy Act[6].
- Emergency Responses (proposal 5.5): Entities will also be entitled to make disclosures of personal information to state and territory authorities when an Emergency Declaration (e.g. an emergency or disaster situation) is in force. Currently, in an Emergency Declaration scenario, entities may only disclose personal information to a Commonwealth agency. With this new recommendation, entities should be able to disclose personal information to state and territory authorities thus facilitating a better response to an emergency or disaster, particularly given that state and territory authorities are often responsible for providing or coordinating services for individuals.
What you should do next
While the report is still just a report and the recommendations are still just recommendations, you should consider the following as a basic roadmap towards compliance with where the winds are obviously blowing:
- Identify high risk activities: Identify any activities in your business that are likely to be considered ‘high privacy risk activities’ (e.g. substantially automated decision making activities which have a legal or similar effect on individuals) or targeting practices, and commence performing privacy impact assessments or making records of compliance, creating APP 5 privacy notices and updating privacy policies as needed to, amongst other things, provide further transparency to individuals.
- Implement appropriate record keeping processes: Begin to incorporate records of the purposes for collection, use and disclosure of personal information as part of your information management governance processes and systems. This will support your entity’s ability to demonstrate compliance with the Privacy Act (including assessing whether your entity’s collection, use and disclosure of personal information is fair and reasonable as recommended under proposal 12.1, and whether consent is required) and also assist your entity’s ability to adequately respond to individual rights requests and complaints.
- Introduce a culture of collection notices: Ensure you have APP 5 collection notices in place for all collections of personal information and see to it that they are concise, understandable and contain all the required information as needed in your circumstances.
- Review your privacy policy: Ensure your privacy policies are up-to-date and reflect your business’s current practices (and cover all the things they need to …)
- Ponder the adequacy of your resourcing: Consider whether you need internal or external privacy resources to help your organisation navigate the current changes. If your business handles large volumes of personal information, has a high exposure to personal information of individuals, or is of a size or complexity that exposes it to high privacy risk activities, start to seriously consider the privacy resources you need to deploy to support the current, future and ongoing management of privacy in your organisation.
How we can help
We offer a number of services to help you prepare for and navigate the coming privacy reforms. We can offer training, information briefings, FAQs and materials to explain the reforms to your team. We can also help you get started building a privacy compliance program or understand where the gaps might be in your existing privacy program.
At Privacy 108 we help businesses, non-profits and government agencies with information security, privacy, data protection and data management. In everything we do, we aim to demystify the complex and offer pragmatic solutions helping our clients ensure they collect, use and secure all information in a way which is not just compliant with the law but also consistent with stakeholder expectations and in a way that develops and retains trust.
Footnotes
[1] Centre for Information Policy Leadership (CIPL) (May 2020) What Good and Effective Data Privacy Accountability Looks Like: Mapping Organization’s Practices to the CIPL Accountability Framework (online document), CIPL, accessed 24 April 2023.
[2] The A-G recommended that high-level indicators of the types of decisions with a “legal or similarly significant effect on an individual’s rights” should be developed, included in the Privacy Act and supplemented by OAIC Guidance (proposal 19.2). In our view, there should also be further clarity on what is meant by “substantially automated decisions” as distinct from solely automated decisions.
In the report, it was discussed that if a decision affects an individual’s legal status or legal rights (e.g. an individual’s ability to access a social security benefit), this will amount to a decision which produces ‘legal effects’; and a decision has a ‘similarly significant effect’ to a legal decision if it has an equivalent impact on an individual’s circumstances, behaviour or choices, such as the automatic refusal of an online credit application.
[3] The call for greater transparency about targeting practices follows the Australian Competition and Consumer Commission’s (ACCC) 2019 Digital Platforms Inquiry Final Report (DPI Report) which made several privacy recommendations and shed light on concerning targeting practices linked to political polarisation, manipulation and exploitation of individual beliefs and fears.
[4] Some examples of ‘high privacy risk activities’ are included in the list below. The A-G suggested that further guidance be given via OAIC guidelines:
- The collection, use or disclosure of sensitive information on a large scale
- The collection, use or disclosure of children’s personal information on a large scale
- Online tracking, profiling and the delivery of personalised content and advertising to individuals
- The sale of personal information
[5] The A-G acknowledged that further consultation needs to be undertaken with employer and employee representatives on how privacy protections for employee records should be implemented in legislation.
[6] There was overwhelming support from submitters to remove the exemption applying to political entities; removing the exemption would increase accountability and transparency in the way political entities handle personal information and increase public confidence in the political process.