Ch. Ch. Ch. Changing Definitions in Australian Privacy: Privacy Act Review Deep Dive

We’re continuing our deep dive into the Privacy Act Review Report. You can read our earlier coverage here.

There are a number of key terms that have been redefined in the Privacy Act Review Report, as well as one new definition – namely:  

  • Personal information. 
  • De-identified information.  
  • Collects. 
  • Sensitive information.  
  • Consent.  

We’ll explore each of the proposed changes in this coverage. 

Personal Information: Proposed Changes Under the Privacy Act Review 

The Existing Definition of Personal Information 

Personal Information is currently defined in section 6 of the Privacy Act as follows: 

“Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:  

  1. whether the information or opinion is true or not; and  
  2. whether the information or opinion is recorded in a material form or not.  

Individual is defined as a ‘natural person’.” 

Issues With the Existing Definition 

Information must essentially pass a two-pronged test under the existing criteria to be considered personal information:  

Prong 1: It must be about an individual; and   

Prong 2: An individual is identified or reasonably identifiable.  

The word ‘about’ has caused issues. As a result, the Privacy Act Review report suggests replacing ‘about’ with ‘that refers to’. This change in language makes it clear that inferred information and technical information that relates to an individual can be personal information.  

To be clear, the new definition would read:  

“Personal information means information or an opinion that refers to an identified individual, or an individual who is reasonably identifiable:  

  1. whether the information or opinion is true or not; and  
  2. whether the information or opinion is recorded in a material form or not.  

Individual is defined as a ‘natural person’.” 

The report also proposes to include a non-exhaustive list of categories of information that may be personal information. The proposed categories include the following:  

  • A name. 
  • Identification numbers.  
  • Location data.  
  • Online identifiers.  
  • One or more factors specific to the physical, physiological, genetic, mental, behavioural, economic, cultural or social identity or characteristics of that person.  

Defining ‘De-Identified Information’

The Privacy Act Review report also seeks to clarify ‘prong 2’ of the two-pronged test for determining if information is personal information (above). This relates to whether a person is identifiable or reasonably identifiable from information.

A crucial aspect of the proposed reform includes defining de-identification in a way that makes it clear that whether information could properly be considered ‘de-identified’ may change based on context. The reform also suggests creating protections for de-identified information that are proportionate to the risk of the information being re-identified.  

Proposed Changes to the Definition of ‘Collects’ 

While the concept of ‘collection’ applies broadly already, the Privacy Act Review report proposes to update the definition of ‘collection’ to include information that is inferred or generated. It also makes clear that inferred or generated information is collected at the point at which the inference is made, or the generation occurs.  

Sensitive Information: Proposed Changes Under the Privacy Act Review 

Sensitive information is currently defined as “information or an opinion (that is also personal information) about an individual’s: 

  • racial or ethnic origin 
  • political opinions 
  • membership of a political association 
  • religious beliefs or affiliations 
  • philosophical beliefs 
  • membership of a professional or trade association 
  • membership of a trade union 
  • sexual orientation or practices, or 
  • criminal record.”

Health, genetic, and biometric information about an individual are also considered sensitive information.  

Given that sensitive information poses a risk to the dignity of the individual if it is mishandled, it is afforded a higher level of protection under existing Australian Privacy law. 

Proposed Changes to the Definition of Sensitive Information 

The Privacy Act Review report makes three suggested changes relating to the definition of sensitive information. They are: 

  1. To include ‘genomic’ information as a category of sensitive information. (Privacy 108 was cited as a source supporting this change!) 
  2. To replace ‘about’ with ‘relates to’, in line with the proposed change to the definition of personal information above. 
  3. To clarify that inferred information can be sensitive information if the inference is about a category of sensitive information. It should be made clear that inferences can be sensitive information even if they are made based on information that is not sensitive information. 

Consent: Proposed Changes Under the Privacy Act Review 

Australia’s existing law only requires consent to be given for a limited range of collections, uses, and disclosures for personal information. That consent can be express or implied.  

The collection and use of sensitive information has more stringent consent requirements.    

Proposed Changes to the Consent Requirements 

To bring Australia’s definition in line with many other jurisdictions, including the EU, the Privacy Act Review proposes to amend the definition of consent such that it must be:  

  1. Voluntary; 
  2. Informed;  
  3. Current;  
  4. Specific; and 
  5. Unambiguous.  

This change will likely have a significant impact on organisations – particularly those that have relied on implied consent in the past. It places an increased burden on the organisation to gather consent and ensure that consents are valid.

However, it is worth noting that the reforms do not require that consent be evidenced by positive, affirmative action, leaving open the possibility of relying on opt-out consent. 

What do the proposed changes mean for you? 

It’s probably a good idea to start considering how these proposed changes may impact your organisation. 

Some steps you can take to prepare for the possible introduction of these changes: 

1. Review the information you are treating as personal information, and consider whether you need to extend your privacy program 

2. In particular, consider how you treat the following: 

    • Location data 
    • Online identifiers 
    • Inferred data

3. Review the way you are handling ‘de-identified’ information. Are you considering that it is now outside the operation of the Privacy Act or is de-identification an important privacy risk mitigator? 

4. Where you are relying on consent, ensure that consent meets the new definition of being voluntary, informed, current, specific and unambiguous. Is it time to renew consents you are relying on to ensure they are current?

How can we help? 

If your organisation needs assistance developing a ‘plan of attack’ to respond to Australia’s changing privacy laws, reach out. Our privacy team would love to assist.  


Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.