
Privacy reforms - what now? Our top 3 tips for Australian Government agencies

• 19 September 2024 • 5 min read

Much has already been written about the introduction of the first tranche of reforms to the Privacy Act 1988 (Cth) (Privacy Act) through the Privacy and Other Legislation Amendment Bill 2024 (Privacy Bill) (for example, see our recent e-alert here).

Even though many of the substantive reforms to the Privacy Act that were proposed have not yet been actioned, Australian Government agencies should take steps now to make sure that they are prepared for the reforms that are covered by the Privacy Bill, rather than waiting for its final form and passage through Parliament. Taking proactive preparatory steps now will demonstrate a robust approach to managing compliance with the introduced reforms.

This article sets out our top 3 tips for practical steps that agencies can take now to prepare.

Tip 1 – Educate your litigators about your agency’s privacy obligations

If enacted, the Privacy Bill will:

  • include an enhanced civil penalty regime with a new penalty structure, with greater enforcement powers for the Information Commissioner. The OAIC has said this will “add significantly to our enforcement toolkit, providing the OAIC with greater discretion and flexibility to apply a risk-based approach to enforcement that is proportionate and also supportive of a growing digital economy”;
  • introduce a new statutory cause of action, which will allow individuals to take legal action directly against agencies for ‘serious’ interferences with privacy (a greater range of factors will be able to be taken into account to determine if an interference with privacy is ‘serious’);
  • empower the Information Commissioner to undertake public inquiries on matters relating to privacy; and
  • introduce criminal offences for releasing personal information using a carriage service in a way that is menacing or harassing towards the relevant individuals (the ‘anti-doxxing’ provisions).

All of this means that, now more than ever, your agency (and in particular your litigation team, if you have one) needs to really understand its current and future privacy obligations, so that it can effectively resolve privacy complaints, and manage disputes and litigation.

Things to check:

  • Are there already good lines of communication between your personnel responsible for privacy and your litigation team, or do these need to be established?
  • Do you need to arrange specialised privacy training for your litigation team (including about the reforms)?

Tip 2 – Review and test your data breach response plan

If enacted, the Privacy Bill will:

  • introduce a range of new obligations for agencies (see Tip 3 below), some of which may mean an increased chance of unauthorised disclosure of personal information by your agency, resulting in more eligible data breaches; and
  • include a mechanism to facilitate sharing personal information if an eligible data breach occurs, to reduce the risk of harm to individuals.

This means that now is the perfect time to have a careful look at your agency’s data breach response plan, and see if it is still fit for purpose. It’s also important to test the plan regularly (using scenario-based activities) to see if it works in practice.

Things to check:

  • Do you foresee needing to share personal information with other agencies (including State or Territory bodies) if an eligible data breach occurs? If so, do you need to include processes in your data breach response plan to seek a declaration from the Minister to facilitate that sharing?

Tip 3 – Identify which other reforms are relevant for your agency

The Privacy Bill contains a range of other reforms that might have implications for some Australian Government agencies, depending on their particular activities.

Things to check:

  • Has your agency deployed computer programs that make, or do a thing that is ‘substantially and directly related’ to making, any decisions?
  • Does your agency facilitate electronic communication by children under the age of 18 years with others, or fund others to do so?
  • Is your agency likely to need to handle personal information in emergency and disaster situations?
  • Does your agency store or transmit any personal information overseas?

If the answer to any of these questions is ‘yes’ (or even ‘maybe’), you will need to carefully consider the proposed reforms in the Privacy Bill. You might need to take a range of actions, including changing your agency’s collection notices, consents and privacy policy; updating contractual obligations; and/or changing particular processes used to handle personal information.

Key takeaways

Even though some commentators have expressed disappointment that the Privacy Bill does not go far enough, it will still introduce some key reforms that will have ramifications for Australian Government agencies.

There should be enough time for agencies to make sure that they are ready to tackle the challenges associated with this first step in Australia’s privacy reform journey, but this process should start now!

The Maddocks Commonwealth Privacy, Data and Information Law team has a wealth of expertise and experience in assisting Australian Government agencies to meet not only their legal privacy obligations, but also the Australian community’s expectations for handling personal information. Please contact us for a confidential discussion about your agency’s activities, how it is likely to be impacted by the Privacy Bill, and the strategies that it might deploy to ensure preparedness.
