Why is reform now required? 

Since the commencement of the Privacy Act in 1988, access to the internet has meant personal or sensitive data is now systematically collected by third parties. 

“Privacy was traditionally an individual concern, but with the rapid pace of technology, and the increased volume of sensitive and personal data held by third parties, it's become a social governance consideration,” says Cass Wright, CCIWA Director Commercial Legal. 

“We can see that breaches of privacy are corrosive for trust and public perception and social licence, and so it's obvious that regulation must keep pace with technological advancements.” 

What are the proposed changes to the Privacy Act? 

Following a two-year review, the Privacy Act Review Report comprised 116 recommendations. Of those the Federal Government last year agreed to 38 of the proposals and agreed in principle to a further 68. These include: 

• An entity must take reasonable steps to keep personal information secure, and reasonable steps to destroy and de-identify personal information. 
• Privacy policies should outline what personal information is used in automated decisions that affect individual rights. 
• The definition of consent for obtaining sensitive data from an individual is changed from “expressed or implied” to “voluntary, informed, current, specific and unambiguous”. 
• Organisations must carry out a privacy impact assessment before commencing high-risk activity that is “likely to have a significant impact on the privacy of individuals”. 
• For businesses working with children, an online privacy code should be developed and applied to online services likely to be accessible by children. 
• The establishment of low, mid and serious penalty tiers to strengthen enforcement. 
• The Information Commissioner should be provided with additional powers for investigations of civil penalty, and to undertake public inquiries and reviews into specified matters on the approval and direction of the Attorney-General. 

 “The proposals are now subject to further engagement, including a comprehensive impact analysis,” says Wright. 

“This is to ensure the right balance between the privacy of individuals and the burden on businesses and also to understand the appropriate adjustments before the Government makes a final decision on the implementation of the proposals.”

Removing the Small Business Exemption 

As part of the proposed reforms, the Government has agreed in principle to the removal of the Small Business Exemption, where businesses with an annual turnover of $3 million or less are exempt from the Privacy Act. 

An impact analysis will better determine what impact this will have on small businesses and what support they require to adjust their privacy practices to facilitate compliance with the Act. 

Managing employee records 

Wright says the most contentious of the proposed changes involves managing employee records. 

“At present employee records of current or former private sector employees are exempt from the Privacy Act,” she says. 

“The original rationale for this exemption was that employee privacy was better regulated under workplace relation laws.” 

However, Wright says further consultation will be undertaken with employees and employer representatives on how enhanced privacy protections for the private sector may interact with workplace relations laws and how they will be implemented. 

What should I do now? 

The changes to the Privacy Act will affect HR practitioners as custodians of employee data.  

Wright says a commonsense approach, with some practical procedures, will ensure information is handled with care and transparency. This includes: 

• Consider how data is stored. Do you have CVs in your inbox? Is that the safest place for CVs to be kept? 
• Lock your screen when you walk away from your computer 
• Scan data in a safe way, use destruction bins and shredders for personal information and clean out your inbox 
• What information are you asking third parties to provide on entrance, i.e. a book on reception that asks for names and details, and how is that being protected 

Wright says it is important that HR managers undertake a comprehensive point in time review of employee data and make adequate plans to adapt to the pending changes. 

“HR managers should prioritise employee training and awareness programs to empower staff to understand and exercise their privacy rights within the workplace, but also to keep employees informed of the changes of how personal data is stored and managed,” she says. 

“By proactively adapting to these changes, businesses can not only comply with the law, but also build trust in their employees and consumers.” 

Want advice on this or other commercial legal matters? Get in touch on (08) 9365 7560 or via [email protected].