
Privacy Act Reforms: What Business Owners Need to Know
10 Aug 2023

The Federal Government recently released its highly-anticipated Privacy Act Review Report, following a two-year review of Australia’s privacy laws. The Report contains some of the most sweeping reforms to the privacy landscape in Australia, including 116 proposals to amend the Privacy Act. The proposed changes are aimed at bringing our privacy regime in line with equivalent overseas laws, and strengthening protection and control of personal information in the digital age.
Broadly speaking, these reforms will increase the types of information governed by the Privacy Act and the obligations of businesses when handling personal information, as well as the rights of individuals, and the penalties for privacy breaches.
Here is a breakdown of the key changes that may apply to you as a business owner.
Removal of the Small Business Exemption
Most significantly, the small business exemption will be removed entirely. All Australian businesses will be required to meet minimum data privacy standards, regardless of turnover. Currently, businesses with turnover of less than $3 million are exempt.
The Report proposes a support package for small businesses, and some consultation about the support and resources they’ll need to comply with the Privacy Act long term, but this is yet to be detailed.
Broader Definition of Personal Information
The Report recommends expanding the definition of personal information, clarifying that information that ‘relates to an individual’ is considered personal information. This small but significant wording update means technical information such as IP addresses, metadata and geolocation data are all brought into scope for the new data privacy standards. The proposed changes don’t stop there: the revised definition also seeks to clarify, for the avoidance of doubt, that the same security obligations for personal information will apply to de-identified information.
Introduction of a ‘Fair and Reasonable’ Test
The collection, use and disclosure of personal information must be demonstrably fair and reasonable. The new test will consider a number of factors, including the individual’s privacy expectations, the sensitivity of the information, and whether the privacy impact is proportionate to the benefit of collecting information.
New Requirements for Employee Records
This might come as a surprise for many business owners and employees alike, but employee data is currently exempt from protections in the Privacy Act. This is set to change with privacy protections being extended to cover company employees. This means businesses will have increased obligations around transparency and security of employee records. They’ll also be required to notify staff and the OAIC of data breaches affecting employee personal information.
New Collection and Consent Requirements
Businesses will need to keep a record of their collection and handling of personal information, and appoint a senior employee who is responsible for privacy. For activities with high privacy risks, organisations will also be required to conduct a Privacy Impact Assessment.
The Report proposes stronger requirements for collection statements to ensure they are clear, up-to-date, and understandable. Privacy policies will be required to include additional information about information handling practices. The amended Privacy Act will also codify the OAIC’s current guidance that consent must be voluntary, informed, and unambiguous.
Established Data Retention Periods
The Report introduces a new requirement for businesses to establish minimum and maximum data retention periods, which are to be included in their privacy policies. This is to ensure that individuals can see how long their data is being stored for, and put the obligation back on organisations to delete personal information when it is no longer required.
New Rights for Individuals
The reforms will significantly expand the rights of individuals to grant them greater control over their personal information. These include: the right to object to the collection, use, or disclosure of their information; receive an explanation about how information is handled; and have their personal information erased or transferred to another organisation.
Of these individual powers, the right to erasure is perhaps the most significant. The Report recommends a 30-day window for businesses to comply with a request to delete all personal information. Customers can also ask for any internet search results about them to be de-indexed.
Limitations on Direct Marketing and Trading
Customers will have the right to opt out of direct marketing and targeted advertising. This includes de-identified information – for example, using internet history to tailor content to an individual. Businesses will also have to gain consent to trade in personal information.
New Requirements for Children
Businesses will face additional transparency requirements in relation to children. They’ll also be prohibited from directly marketing to or targeting children, and trading in the personal information of children.
Transparency About Automated Decision Making
Organisations will need to include information about automated decision making in their privacy policy. Individuals will also have the right to request information about how automated decisions are made, if they will be significantly impacted by the decision.
New Measures for Cross-Border Disclosures
Mechanisms will be introduced to make it easier for organisations to disclose personal information overseas in a compliant way. These include developing standard contractual clauses, and creating a whitelist of countries with similar privacy protections to Australia. The individual must still give their informed consent to overseas disclosures.
More Efficient Data Breach Reporting
The Report proposes a new timeframe of 72 hours for businesses to report suspected data breaches to the OAIC. They’ll also need to include additional information in breach notices, and have practices in place to respond efficiently to data breaches.
Greater Penalties and Enforcement
The reforms will increase enforcement, including a direct right of action for individuals who have suffered loss or damage as a result of privacy interference, and a statutory tort for serious invasions of privacy. New civil penalties will be introduced, and the OAIC will be granted additional powers for undertaking public inquiries and conducting reviews.
© Secureroo Pty Ltd, 2021-2023