Nearly 12-months old COVIDSafe legislation cited as cause of Privacy Act review delays

The Attorney-General's Department (AGD) has said the reason for the delay in moving forward with a rework of the Australian Privacy Act 1988 was that staff needed to work on the COVIDSafe legislation, which entered Parliament in May last year.

During Senate Estimates on Tuesday night, senators raised concerns regarding declarations made by Attorney-General Christian Porter, who is currently on leave, back in March 2019 that tougher penalties for misuse of Australians' personal information were on their way, as no such protections have been put in place.

"The team that works on the legislation and the Privacy Act review, has also dealt with other priorities. For example, the COVIDSafe legislation … that took quite a significant effort to deal with some of those issues," deputy secretary for the Integrity and International Group in the AGD, Sarah Chidgey, said in response.

See also: Attorney-General urged to produce facts on US law enforcement access to COVIDSafe

The department is currently in the midst of reviewing the Privacy Act. Since October, it has been calling for all interested parties to provide their two cents. Chidgey said an exposure draft was on its way.

"We have been working on an exposure draft inside the Privacy Act review and expect that that would be released shortly, alongside the further discussion paper in the review of the Privacy Act," she said, noting there has been "a lot of work on it".

"We've used submissions we've received through the Privacy Act review to better inform the development of that exposure draft legislation."

Australian Information and Privacy Commissioner Angelene Falk said she welcomed any additions to her regulatory toolkit that would come with an updated Privacy Act.

Her submission to the review included recommendations such as considering international developments, such as Europe's General Data Protection Regulation, as well as adapting global schemes to suit Australia.

"I think the digital platforms inquiry that was conducted by the ACCC (Australian Competition and Consumer Commission) certainly brought to public attention the extent of data handling practices … and a number of recommendations were made by that inquiry, some of which accorded with my own submissions to that inquiry, that there ought to be some amendments to the Privacy Act to ensure that it's able to regulate data handling practices over the next decade," she said.

"I welcome any changes and improvements to the regulatory toolkit that I currently have. And I'm looking forward to both the legislation that goes to these matters and also the progress of the review that's more broadly going to be conducted or is being conducted by the department at present."

PRIVACY IMPACT ASSESSMENTS UNDER REVIEW

Falk was asked about the requirement for all Australian government agencies to keep a register of privacy impact assessments that are conducted. Greens co-deputy leader Senator Nick McKim pointed specifically to a project the Department of Home Affairs has underway regarding its travel exemption portal that is used to grant people permission to enter or leave Australia.

While Falk isn't aware of the project, McKim said individuals are currently being encouraged by Home Affairs to provide information such as banking details, financial assets, social media information, personal communications between them and their partners, private health and medical information, personal photographs to prove relationships, and medical reports to support any medical claims they have been making, including mental health reports.

"I think there's some difficulty in me commenting on a specific [project] … but the principle is that where a department is handling personal information in changed ways, or a new project that involves handling personal information in a way that could be considered to be high risk, then they ought to conduct a privacy impact assessment," she said.

"Many departments also conduct a preliminary assessment to decide whether or not that threshold is in fact, met. And I understand that that is usually the way in which many of the big departments and I think the Department of Home Affairs, does, in fact, undertake those preliminary assessments to decide whether or not to conduct a full privacy impact assessment."

Falk has powers under the Privacy Act to direct an agency to conduct a privacy impact assessment, but that power has not been exercised.

She said her office is currently looking into how many agencies do have privacy impact assessment registers in place.

"Notwithstanding that, we do think that we would expect Australian government agencies to have noted on their website a place where those documents could be found," she added.

MORE FROM THE PRIVACY ACT REVIEW

• Privacy Act review to examine privacy tort, direct action rights, and GDPR compliance
• Facebook and Snap Inc call for a GDPR-aligned Australian Privacy Act
• Attorney-General asked to update 'personal information' definition in Privacy Act
• ACCC calls for Privacy Act changes to protect loyalty scheme customers
• Google says consent over every aspect of data processing would be burdensome
• Optus warns not to punish whole economy for tech giant sins in Privacy Act changes
• Over 4,000 privacy complaints made about Aussie telcos in FY20
• OAIC wants stronger enforcement powers in Australia's revamped Privacy Act