OAIC calls for Privacy Act reform to build public trust

The Office of the Australian Information Commissioner (OAIC) has called for a strong, fair and flexible privacy framework that prevents harm, protects fundamental human rights and builds public trust to support a successful economy.

In a submission to the Australian Government’s review of the Privacy Act 1988, the OAIC said changes are needed to ensure privacy protections remain consistent with the values of Australians.

Australian Information Commissioner and Privacy Commissioner Angelene Falk acknowledged that the Privacy Act is a well-established framework that is principles based, technologically neutral and flexible, before noting that the external landscape has changed significantly in recent years, with research indicating declining levels of community trust in how organisations handle personal information.

“Australians want more done to protect their privacy in the face of ongoing and emerging threats,” said Commissioner Falk, adding that addressing these issues through the review is essential for the proper functioning of a data-driven economy.

Commissioner Falk said that strong data protection and privacy rights are a precondition for consumer confidence and economic growth, with effective and proportionate privacy regulation needed to achieve these mutual benefits.

“When regulated entities have a clear framework that sets out their personal information handling responsibilities, they will be able to operate and innovate with confidence. Equally, when Australians have clear privacy rights and trust that their personal information is protected, they will feel confident to engage in the data-driven economy and to access services,” Commissioner Falk said.

The OAIC has called for greater emphasis on the protection of individuals and the obligations on entities to ensure business models and practices safeguard privacy. The OAIC has also recommended the introduction of fairness and reasonableness standards for the collection, use and disclosure of personal information.

The OAIC’s submission on the Privacy Act further recommends stronger organisational accountabilities for entities, and the removal of exemptions for employee records and acts and practices by small business operators and political parties. The OAIC has also called for individuals to have a direct right to bring actions in the courts against organisations covered by the Privacy Act to seek compensation.

Commissioner Falk said strengthening notice and consent requirements — and addressing their limitations — should be a central consideration in the review.

“Obtaining individual consent for the use of personal information is important, but it is not the answer in every circumstance. Australians should be able to expect that safe practices are in place, without having to read lengthy and complex notices on a take-it-or-leave-it basis. Consent should be kept for where it really matters and is meaningful, so it doesn’t turn into a tick-box exercise which detracts from its value in higher-risk situations,” Commissioner Falk said.

The OAIC submission also recommended reforms that enable it to take proportionate regulatory action and meet community expectations through broadening the jurisdiction of the courts to hear privacy matters, strengthening compulsive powers of the Commissioner and allowing the Commissioner to issue infringement notices.

Additional enforcement powers would enhance the regulator’s ability to focus on issues of greatest risk to privacy, investigate potential breaches of the Privacy Act, deter inappropriate conduct and support privacy best practice.

“These changes are needed to help us effectively regulate new and emerging risks posed by personal information handling practices in the global digital environment,” Commissioner Falk said.

Image credit: ©stock.adobe.com/au/Vitalii Vodolazskyi