It is no secret that fraud, scams and many other cybercrimes are rapidly growing each day, and privacy and cyber security laws in Australia are due to be tightened.
The Privacy Act 1988 (Cth) was reviewed by the Australian Government in late 2023, with many proposals being agreed to. These proposals will move quickly into legislative changes for 2024.
In this article, we break down some of the proposed changes which have been agreed to, and explain what you and your business need to do to ensure that you are compliant. It’s important that your business acts on these changes now, so that you are not in breach when the laws come into effect.
Key Changes
Some of the key proposed changes to the Privacy Act, which have been agreed to in principle, include the following:
Small Business Exemption – Information for facial recognition technology
Under the current privacy legislation, only businesses that turn over $3 million or more or fall within a regulated industry (for example, being a health provider) need to have a privacy policy.
Undoubtedly, the biggest change is that the government has agreed in principle to remove this exemption and require compliance from all businesses who engage in activities that pose significant privacy risks. This will require most businesses, regardless of their size or turnover, to have a privacy policy and follow it.
For business owners, this will require you to draft a privacy policy, make the policy readily available to customers, draft an internal staff manual and train staff to respond to privacy concerns.
Personal Information
The government has agreed in principle that the definition of ‘personal information’ needs to change, to clarify that personal information is extensive and includes technical and inferred information. The aim of this change is to include data such as IP addresses and device identifiers under personal information.
The government has also agreed that the Privacy Act should include a new list so that entities can be aware of what information counts as personal and when an individual will be reasonably identifiable.
Collection
The government has agreed in principle that the definition of ‘collection’ should be amended, to clearly cover information obtained from any source and by any means. The aim is to include inferred or automatically generated information.
The expanding definition of ‘collection’ will require most businesses to update their privacy policy and to divulge the purpose of the inferred or automatically generated information being collected.
Sensitive Information – Geolocation tracking data
The government has agreed in principle that permission should be required for the collection of precise geolocation data.
This change will be very important for businesses who have apps and will require them to gain consent prior to tracking. The best way of obtaining consent is by having a pop-up box which the user must accept or tick prior to using the app for the first time.
Individual Rights
Currently, individuals are unable to request details on how their personal information is being used, or request their information be deleted.
The government has proposed that an entity collecting personal information must determine and record the purposes for which it will be collected, used and disclosed, by the time the information has been collected.
They have also proposed that entities must appoint a senior employee to be responsible for privacy within the entity.
What does this mean for your business?
The above changes are a significant shift in Australia’s privacy laws to:
- Expand the types of information being collected;
- Remove options for non-compliance; and
- Grant customers more information and access to the information being collected about them.
These changes will bring Australia more in line with countries in the European Union and are set to come into force quickly. To get ahead of the changes, businesses should:
- Meet with their website and app teams;
- Update or draft a new privacy policy; and
- Update or draft a new staff manual for privacy and train a senior staff member to respond to privacy concerns.
How we can help you
If you would like to receive further information on these potential changes, or assistance updating your privacy policies, contact our experienced lawyers on (03) 9481 2000 or info@tauruslawyers.com.au.