Privacy Act review: are changes required?

By Alison Baker 

A number of significant changes have been made to the Privacy Act 1988 (Cth) since 2000, including the extension of the Act into the private sector in 2001 and the introduction of the Australian Privacy Principles in 2014. But how effective were those changes and is the Act still fit for purpose in a continuously evolving digital environment?

Does the Privacy Act continue to strike the right balance between addressing increasing concerns about the ability of organisations to protect our personal information and avoiding an overly complex regulatory environment for businesses?

To answer these questions, the Federal Government announced at the end of 2019 that a review of the Privacy Act would be conducted. At the end of October 2020 the terms of reference for the review were released. Some of the areas that will be examined include:

  • the scope and application of the Privacy Act. This includes a review of the current exemptions from the Privacy Act such as whether the small business exemption threshold (which broadly provides that companies with a turnover of $3 million or less are not covered by the Privacy Act) is still appropriate;
  • whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices;
  • the effectiveness of current enforcement powers, and whether individuals should have the right to enforce privacy obligations in relation to their own information, giving them more control over that information and giving organisations a further incentive to comply;
  • whether a statutory tort for serious invasions of privacy should be introduced and if so, should it only apply to intentional breaches or extend to negligent conduct;
  • a review of the recently introduced notifiable data breach scheme including whether data security practices have changed as a result and what challenges in complying with the scheme have emerged; and
  • whether an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws should be introduced.

One significant issue for employers will be the review of the current exemption of employee records from the Privacy Act. Historically, the basis for the exemption was that it was considered that the regulation of the handling of employee records was more appropriately dealt with under workplace relations legislation.

While the Fair Work Regulations 2009 (Cth) impose obligations on employers to retain and provide access to certain employment records, there are limited protections for the privacy of the personal information of employees in the private sector. Should employee records therefore be brought within some or all of the Australian Privacy Principles?

The review will also consider how, if the employee records exemption were removed, concerns about an employee’s ability to freely consent to their employer handling their personal information would be addressed.

This issue was highlighted in the recent case of Lee v Superior Wood Pty Ltd [1] (discussed here) in which the Fair Work Commission questioned whether consent could be freely given in circumstances where an employee had been threatened by disciplinary action or dismissal.

Further details about the review can be found here on the Attorney General’s Department website and submissions are invited by 29 November 2020.

[1] [2019] FWCFB 2946
