Australian Privacy Law Reforms: how will expanded individual privacy rights impact your practices and procedures?
You should start work on anticipating, identifying and actioning improvement opportunities now before expanded individual privacy rights are enacted.
Individuals presently have limited rights to access and request the correction of their personal information under the Privacy Act, but the Attorney-General's report on the review of the Privacy Act (the Report) proposes changing that. The introduction of a raft of new rights for individuals, and their exercise, may give rise to costly legal and operational challenges for many organisations.
What access rights does an individual currently have with respect to their personal information?
An individual currently has a limited right to access their personal information and to request that their personal information be corrected. In its current form, Australian Privacy Principle (APP) 12 (right to access) provides that, upon request, an individual must be granted access to personal information held about them, subject to certain exceptions. APP 13 (correction of personal information) provides that an individual may request the correction of personal information, which must be acted upon where the organisation is satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
Generally speaking, these rights do not extend to current or former employees, because of the employee records exemption.
What potential future privacy rights may an individual have?
The Report proposes expanding an individual's rights in their personal information to bring Australian privacy law into the digital age, to meet community expectations, and to promote interoperability with other privacy regimes, such as the European Union's GDPR.
These expanded rights would include:
- A broader right of access – APP 12 would be expanded so that an organisation must, in addition to identifying the personal information of the individual that it holds, explain the source of the personal information and what is done with the personal information.
- The right to challenge or object to the collection, use and disclosure of personal information – Modelled on the GDPR's right to object, individuals would be able to request that an organisation cease to process their personal information in certain circumstances, or to object to a particular way in which it is being handled.
- A broader right to correction of their personal information – The proposed expanded right under a modified APP 13 is likely to enable an individual to request the correction of an online publication over which the organisation maintains control.
- The right of erasure – While organisations are already required under APP 11 (security of personal information) to take reasonable steps to destroy or de-identify personal information once it is no longer needed, this proposed right would require an organisation to destroy that personal information if requested by the individual in certain circumstances, such as where an individual ceases to use that organisation's services and the information is sensitive (i.e. health information), or where the information is about a child.
- The right to seek the de-indexing of internet search results – This proposed right will likely be modelled on the GDPR's "right to be forgotten" and is a sub-category of the right of erasure. The successful exercise of this right would result in the de-indexing or removal of internet search results where the search results contain personal information that is sensitive information, information about a child, excessively detailed or inaccurate, out-of-date, incomplete, irrelevant or misleading. This right would not lead to the removal or deletion of the underlying webpage itself.
Are there any exceptions to these proposed new privacy rights?
While organisations will be expected to act on requests from individuals to exercise their new rights, the Report proposes exceptions which could be relied upon to refuse a request, including:
- Competing public interests – Organisations could seek to balance the public interest in an activity against the public interest in protecting privacy. For example, the public interest in law enforcement may outweigh an individual's right to access their personal information; or the rights to object and erasure may negatively impact health care and research.
- Required or authorised by law, legal relationships, and proceedings – Organisations would be permitted to take into consideration their legal obligations, whether the retention of specific records under a legislative regime, contractual obligations that the organisation must fulfil, or the fact that the information may relate to actual or threatened legal proceedings.
- Technically infeasible – Organisations would be permitted to consider the technical difficulties and disproportionate effort that may be required to comply with an individual's rights, such as a right of access, correction or erasure. For example, these difficulties may arise due to the technical limitations of the software employed by an organisation.
- Frivolous or vexatious requests – The existing exception relying on the frivolous or vexatious nature of requests would be retained and extended to apply to all of an individual's new rights. Examples of a frivolous or vexatious request may include repeated requests in respect of the same personal information or requests made for the purpose of unreasonably interfering with an organisation's operations (although the precise limits have not yet been tested by the Courts).
How may these changes impact your organisation?
If introduced, these rights individually or collectively are likely to have a significant impact on an organisation's compliance burden. This will likely bring with it direct and indirect costs. For example:
- Motivated individuals – A motivated individual could exercise their rights of access to, and request an explanation concerning the handling of, their personal information. An organisation's response to these requests may form the basis of an objection to the organisation's privacy practices and, in turn, result in a complaint to the OAIC or civil proceedings being commenced against it.
- IT systems – Many organisations use legacy systems which were not developed with these proposed privacy rights in mind. Organisations may need to invest in upgraded systems, associated infrastructure, and employees to efficiently manage privacy requests.
- Increased transparency – These proposed new rights provide an opportunity for individuals (and the OAIC, should complaints follow) to closely scrutinise an organisation's internal processes and practices to ensure that they align with its external-facing privacy policies. Any discrepancies between an organisation's external and internal practices may be highlighted, resulting in complaints, reputational damage, regulatory action and/or civil proceedings.
- Identity theft – Any systems put in place to respond to an individual's exercise of their rights need to be robust enough to guard against bad actors who may impersonate an individual in order to gain access to additional information about them.
Putting in place adequate systems and procedures to deal with the proposed new rights of individuals will in many cases be a time-consuming and costly task. With no suggestion in the Report that organisations will be given a grace period in which to implement such systems,[1] work on anticipating, identifying and actioning improvement opportunities should start now.
[1] The Report does acknowledge at p185 that several submissions proposed a grace period, and that "Legacy IT systems of many APP entities may not be designed with privacy in mind." However, while the Report went on to say that "[i]t may therefore be appropriate to have a suitable implementation period before these obligations commence", such a grace period is not an express part of any of the Report's proposals.