AICD submission on Privacy Act Review Final Report

Our submission considered that in pursuing privacy reforms the Government must appropriately balance strengthening how Australians’ personal information is collected, stored and protected, with not unduly stifling the innovative use of data or imposing a counterproductive regulatory burden.

Our submission also considered that it has not been demonstrated that the policy benefits of a number of the 116 proposals will outweigh the costs on entities, and a clear evidence base must be presented for such a major reform. We recommended the Government undertake a cost benefit analysis of the proposals in their totality. Our key points on the proposals outlined in the Report were:

1. Did not support the removal of the small business exemption for all currently exempt businesses or NFPs. We considered that a targeted approach for industries with high privacy risks, or a proportionate application of the Privacy Act obligations to small businesses, would be a more effective policy response.
2. Supported measures to harmonise, and more importantly clarify, existing data retention laws and reporting obligations, including establishing a single portal for data breach and cyber incident reporting.
3. In principle support for a direct right of action for individuals to seek compensation in circumstances where they have suffered loss or damage as a result of an interference of their privacy. We recommended however that a direct right of action be limited only to ‘serious’ interferences of privacy involving significant fault on the part of an entity, and that application in the cyber security context be suitably constrained.
4. In principle support for the introduction of a statutory tort for serious invasions of privacy, provided it is the model recommended by the Australian Law Reform Commission (ALRC), requiring a fault threshold of ‘intentionality or recklessness’. We do not however support an outcome where it would be open to claimants to seek compensation for the same actionable conduct under multiple heads of claim.
5. In-principle support for changes to the definition of ‘personal information’ and amendments to Australian Privacy Principle 11 Security of Personal Information. However, we were concerned that other key proposals, including the objective test of ‘fair and reasonable’ information handling, may unnecessarily add a layer of complexity to the Privacy Act with very limited benefit.
6. Proposals for a privacy impact assessment and a senior officer with responsibility for privacy obligations should be limited to larger businesses. Disproportionally imposing entity level requirements of this nature on SMEs and NFPs could be a counterproductive compliance requirement, creating unnecessary costs.
7. Did not support the OAIC being able to make delegated legislation in the form of privacy codes. Our view is that this power would be inconsistent with the intent of delegated legislation and in time would add complexity for entities seeking to interpret and comply with the Privacy Act, particularly those with limited resources.
8. In-principle support for the introduction of mid and lower tier penalty provisions and the OAIC being able to issue penalty notices for administrative breaches of the Privacy Act. We recommended the Government provide legislative clarification in primary legislation and/or the Explanatory Memorandum on what nature or severity of a breach would give rise to serious, mid and lower tier penalties.