OAIC wants stronger enforcement powers in Australia's revamped Privacy Act

State information commissioners also back OAIC's request to remove exemptions, such as for political parties, from the Privacy Act.
Written by Asha Barbaschow, Contributor

The Office of the Australian Information Commissioner (OAIC) has asked for amendments to be made to the Privacy Act 1988 that would update its regulatory powers and remove exemptions such as for political parties.

In a 150-page submission [PDF] to the Attorney-General's review of the Act, the OAIC made a handful of recommendations, including enhancing its own ability to regulate, which it said would bring its powers in line with "community expectations".

"Through strengthened enforcement powers and new regulator measures, including a direct right of action and statutory tort to provide individuals with greater control of their personal information," the OAIC wrote.

It said legislative protections must be reinforced by a strong system of oversight that upholds individuals' rights and holds entities to account.

"The privacy regulator needs the correct tools to respond efficiently and appropriately to new threats and regulate in line with community expectations," the submission explained.

The current Privacy Act positions the regulator to resolve individual privacy complaints through negotiation, conciliation, and determination. The OAIC has described this nearly 33-year-old function as outdated.

"This reflects the context in which the Privacy Act was first introduced. In the digital environment, privacy harms can occur on a larger scale. While resolving individual complaints is a necessary part of effective privacy regulation, there must be a greater ability to pursue significant privacy risks and systemic non-compliance through regulatory action," it said.

"While Australia's current framework provides some enforcement powers, these need to be strengthened and recalibrated to deter non-compliant behaviour and ensure practices are rectified."

It also said the regulator needed appropriate resources to proactively identify and address existing and emerging risks before serious, widespread, or societal harm occurs.


The commissioner has also asked that the emerging updated Act provides for global interoperability to allow data to be protected wherever it flows; privacy self-management, so individuals have choice and control; organisational accountability, such as implementing sufficient obligations on entities; and a contemporary approach to regulation, which would entail having the right tools to regulate.

"Strong data protection and privacy rights are both necessary to uphold our human right to dignity in the digital age, and a precondition for consumer confidence and economic growth," the OAIC wrote.

"They are also critical to achieving other societal objectives such as the protection of health, safety, and security."

Further recommendations made by the OAIC are aimed at addressing "declining levels of trust" and responding to the community's desire for "more to be done to protect their privacy". The OAIC said the Privacy Act must be supplemented with protections that create legal obligations aimed at achieving greater fairness and organisational accountability to address privacy risks and harms.

Flexibility and scalability of the existing principles-based approach should remain, the OAIC said, supported by enhanced abilities for the commissioner to make legally binding instruments.

It also asked for the implementation of stricter guidelines for privacy self-management tools in order to allow individuals to better understand how their information is handled and used. In addition, it wants requirements for regulated entities that ensure all collections, uses, or disclosures of personal information are fair and reasonable, and appropriate safeguards are maintained.

Additional organisational accountability measures were also requested by the OAIC, with the commissioner saying this would ensure entities have implemented actions and controls that demonstrate their compliance with the privacy regulatory framework.

Protections provided currently within the Privacy Act include exemptions in relation to small businesses, employee records, registered political parties and political acts and practices, and journalism.

The OAIC considers it no longer justifiable to exempt major parts of the economy from the operation of the Act.

"The OAIC therefore recommends removing the current exemptions in the Privacy Act … it is appropriate to consider more comprehensive privacy protections for all Australians … regardless of the type of entity that holds their information or particular purpose for which it is held," it said.

Privacy and information commissioners from New South Wales, Queensland, and Victoria also provided submissions to the Attorney-General's review, sharing the view that political exemptions must be removed, or at least reconsidered.

"It is the [Queensland Office of the Information Commissioner's] view that the small business exemption, employee records exemption, and political parties exemption is becoming harder to justify and their relevance questioned in an increasingly digital world," the Queensland commissioner wrote in its submission [PDF].

"Continuing the exemption creates the potential for increased cybersecurity risks as the small business may be the weakest links in the supply chain to attack larger more valuable information and data assets.

"In the interests of promoting public confidence in the political process, those who exercise or seek power in government should adhere to the principles and practices that are required of the wider community."

Likewise, the Office of the Victorian Information Commissioner said [PDF] removing such protections would bring the Privacy Act more in line with community expectations, by "ensuring that individuals' privacy is better protected in circumstances where there is currently little to no privacy protection".

The NSW commissioner, meanwhile, said [PDF] they support consideration of whether these exemptions should be removed or narrowed in scope.

NSW to implement its own mandatory data breach reporting scheme

The Information and Privacy Commission New South Wales has provided an update on plans to implement a mandatory data breach reporting mechanism that it says will complement the existing Commonwealth mandate.

Australia's Notifiable Data Breaches (NDB) scheme came into effect in February 2018. It requires agencies and organisations in Australia that are covered by the Privacy Act to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm", and to do so as soon as practicable after becoming aware of the breach.

Although it has coverage Australia-wide, the NSW commission said the NDB scheme is aimed primarily at federal government agencies and private sector organisations regulated by the Privacy Act. There are provisions that apply to NSW agencies, however.

"The Information and Privacy Commission has published guidance for NSW agencies to assist them in complying with their obligations to report data breaches, including under the NDB scheme," it said in its submission.

The Information and Privacy Commission currently operates a voluntary data breach notification scheme in parallel to the NDB.

"As a matter of best practice, NSW agencies are encouraged to voluntarily report data breaches to the Privacy Commissioner, and to affected individuals as appropriate," it said.

"Building on these voluntary processes, I support the introduction of a mandatory data breach notification scheme in NSW."

A draft model for a mandatory reporting scheme in NSW has been developed by a working group that comprises NSW agencies including the Department of Communities and Justice, the Department of Customer Service, the NSW Ministry of Health, and the Information and Privacy Commission.

"Any mandatory data breach notification scheme introduced in NSW would be designed to complement the existing Commonwealth Notifiable Data Breach (NDB) Scheme under the Privacy Act, particularly in areas of jurisdictional overlap," the commission added.

In 2019-20, the commission received 41 voluntary breach notifications.

State government was accountable for 28, local government for 10, and public universities for three.
