Privacy Act Changes To Support Greater Transparency
What will the proposed changes to Australia’s Privacy Act mean for transparency?
For Privacy Awareness Week 2024, organisations are being asked to ‘power up your privacy’ as part of the overarching theme of Privacy and technology: Improving transparency, accountability and security.
We’ve posted separately on why transparency is important. This post is focused on the proposed changes to the Australian Privacy Act that will require covered entities to be more transparent about their personal information handling practices.
Background to Privacy Act Changes
The Australian Privacy Act has been under review for some time. In October 2023, the Government responded to 116 recommended changes. This response foreshadowed likely amendments … though we are still waiting.
We have written previously about some of the proposed changes including:
- General review of the government response
- The proposed changes that would introduce increased accountability
- Proposed reforms for direct marketing and targeted advertising
- Proposed changes for security, retention and data breach notification
In summary, of the 116 proposed amendments in the Privacy Act Review Report, the Government agreed to 38 proposals, agreed in-principle to 68 proposals and noted 10 proposals. (The 10 ‘noted’ proposals are essentially rejected).
The Government’s response was divided into the following sections – indicating a general ‘grouping’ of amendments:
- Bring the Privacy Act into the digital age
- Uplift protections
- Increase clarity and simplicity for entities and individuals
- Improve transparency and control
- Strengthen enforcement.
This post will focus on Section 4: improving transparency and control.
Improving transparency and control
It was acknowledged in the response that privacy notices currently don’t work well.
Feedback during the consultation demonstrated an expectation that individuals should have access to more meaningful information about how their personal information is handled.
This expectation is supported by the 2023 Australian Community Attitudes to Privacy (ACAP) survey results, which showed a strong desire for greater transparency. According to the ACAP survey, Australians want a wide range of information to be included in privacy policies:
- 32% rate ‘how my personal information is collected, used, held and protected’ as the ‘most important’ inclusion;
- 14% indicated a strong desire for transparency around ‘why’ the data is being collected, held and disclosed;
- 11% indicated ‘what kind’ of information is being collected and held as most important.
In terms of specific proposals to improve transparency and controls, the response divides them into the following:
- Consent
- Privacy policies and collection notices
- Individual rights
- Ability for individuals to seek redress for infringements of privacy.
The first three of these topics are most relevant to the theme of transparency.
Consent
Consent has been part of privacy law from inception. It most commonly appears as a basis on which to collect and process personal information, particularly sensitive information. However, reliance on ‘consent’ to process personal information has been problematic in the privacy world for some time.
Many commentators regard consent as a fiction, and not really a valid exercise of choice in many modern interactions.
Some of the issues include:
- It can be inferred, for example, by continuing to use a website whose terms and conditions are often difficult to locate, reachable only via a small link at the bottom of the page. The idea of consent by inaction is problematic in the privacy space;
- It can be hidden in lengthy terms and conditions that are ‘agreed to’ without being read;
- There are often no alternatives if consent is not given, which undermines the ‘voluntary’ nature of the consent;
- Consents to many different things are often bundled together, making it hard to differentiate between the things you consent to and those you don’t;
- Consent becomes ineffective when over-used: people will tick consent out of consent fatigue rather than as a genuine acceptance.
Consent also shifts the responsibility for understanding what data is being collected and how it is being handled to the individual, placing an unrealistic burden on individuals to understand the risks of information-handling practices.
Useful research on the notion of consent and some recommendations for improvements to the model was commissioned by the OAIC as part of the Privacy Act Review (more here).
Issues with consent are truly thorny.
In response to these concerns, the government has agreed in principle:
- to clarify that consent should be voluntary, informed, current, specific and unambiguous (proposal 11.1). This should change the way consent is obtained; in particular, it will make it more difficult for bundled consents to be acceptable;
- that the OAIC will provide guidance on how online services can design consent requests, to clarify how these requirements will work in online contexts (proposal 11.2);
- to expressly recognise the ability for individuals to withdraw consent in an easily accessible manner (proposal 11.3).
It is worth noting that the ‘agreed in principle’ recommendations will undergo further consideration before implementation – and may still be some way off.
Recognising the challenges for public interest research, the government has agreed that:
- researchers will be able to rely on ‘broad consent’ due to difficulties in obtaining ‘specific’ consent from individuals in research contexts (proposal 14.1);
- further consultation will be undertaken on expanding the scope of the Act’s exceptions from requiring consent in research contexts to apply to human research generally that is in the public interest, and on agencies and organisations being covered by a single research exception and set of guidelines developed by the Privacy Commissioner in consultation with relevant stakeholders (proposals 14.2 and 14.3).
Privacy Policies and Collection Notices
Privacy policies and collection notices are required by APP 1 and APP 5 respectively. They are intended to provide individuals with transparency over personal information practices. However, the government noted feedback that privacy policies and collection notices are often complex, lengthy, legalistic and vague, which can undermine individuals’ understanding of how their personal information will be handled.
Accordingly, the Government agreed in-principle that:
- privacy notices should be clear, up-to-date, concise and understandable, with appropriate accessibility measures in place (proposal 10.1);
- to support entities in meeting this requirement, standardised templates for privacy policies and privacy notices should be developed for voluntary adoption by entities (proposal 10.3). This could include standardised icons, layouts and phrases to better support consumers to make quick and informed decisions.
In terms of the contents of privacy notices, the Government agreed in-principle that collection notices should also specify:
- if information is collected, used or disclosed for high privacy risk activities,
- how to exercise individual rights, and
- the types of personal information that may be disclosed to overseas recipients (proposal 10.2).
Individual rights
Individual rights are currently limited to a right of access and a right of correction. Individuals are not able to request information about how their information is being used, or to request that their information be deleted.
The Review proposed the expansion of individual rights. The 2023 ACAP survey results showed that almost all Australians think they should have additional rights under the Act, including the right to ask a business to delete their personal information (90%); ask a government agency to delete their personal information (79%) and object to certain data practices while still being able to access and use the service (90%).
The Government agreed in-principle that individuals should have greater transparency and control over their personal information through the creation of new individual rights which would enable them to:
- request an explanation of what personal information is held and what is being done with it through an enhanced right to access (proposal 18.1)
- challenge the information-handling practices of an entity and require the entity to justify how its information handling practices comply with the Act (proposal 18.2)
- require an entity to delete (or de-identify) personal information through a right to erasure (proposal 18.3)
- request correction of online publications over which an entity has control (proposal 18.4), and
- require search engines to de-index certain online search results (proposal 18.5).
The Government agreed in-principle that these rights should be subject to exceptions (proposal 18.6) including:
- where complying with a request would be contrary to public interests,
- in circumstances involving legal relationships and legal or related proceedings (such as where complying with a request would be inconsistent with another law or a contract with the individual), and
- where a request is technically impossible or unreasonable, or a request is frivolous or vexatious.
The Government agreed in-principle that individuals should be notified about their rights and how to exercise them at the point of collection, and that privacy policies of entities set out procedures for responding to requests (proposal 18.7).
The Government also agreed in-principle that, when responding to a request, entities should:
- acknowledge receipt of the request within a reasonable time and provide a timeframe for responding (proposal 18.10)
- provide reasonable assistance to individuals (proposal 18.8), and
- take reasonable steps to respond to a request (proposal 18.9).
The Government further agreed in-principle that where an entity refused a request, it would need to provide an explanation for why it was refusing the request and information on how the individual could lodge a complaint regarding the refusal with the OAIC (proposal 18.9).
Other transparency changes
There are other proposed changes that have an impact on transparency. These include an agreement in-principle that entities should be required to establish their own maximum and minimum retention periods for personal information they hold (proposal 21.7) and specify these retention periods in privacy policies (proposal 21.8).
Retention periods should take into account the type, sensitivity and purpose of the information being retained as well as the entity’s organisational needs and any obligations they may have under other legal frameworks.
What happens next
In October 2023, the Government said it was committed to introducing legislation to protect the personal information of Australians in 2024. To date, no draft legislation has been released, even for the fairly straightforward ‘agreed’ proposals.
It is likely that there will be some reform, and transparency will definitely be part of that – but the timing and precise requirements are still to be determined. However, given the impact of some of the amendments that are likely to be made, it is prudent to start preparing now.
What you can do now
Some actions you can think about to start preparing for the changes:
- Consider how an extended definition of personal information may impact your current understanding of the PI you collect and process
- Review where consent is relied on for the collection or handling of PI and make sure that it meets the new requirements for valid consent
- Implement systems to support the withdrawal of consent
- Ensure you have a comprehensive understanding of all personal information collection and processing, so that those processes can be clearly and fully described in your privacy notices
- Identify in particular any high privacy risk activities to be separately outlined in your privacy notice
- Identify the types of personal information that may be disclosed to overseas recipients which again must be disclosed in your privacy notice
- Consider the new individual rights and implement systems to support their exercise
- Provide information about how individuals can exercise their rights in your collection notice and privacy policy
- Be prepared to justify your processing activities (including data sharing) if challenged
- Identify the retention and deletion time periods for your personal information data sets with sufficient specificity to meet the new disclosure requirements
- Make sure you have systems in place to meet those identified retention and deletion periods
- Review your privacy notices in every context for appropriateness and ‘usability.’ Can you do better?
Privacy Awareness Week runs from May 6 – 12, 2024. More information here.
And if you need help increasing transparency at your organisation, don’t hesitate to reach out. We’d love to work with you.