Public Law Essentials: Privacy
Privacy is a fundamental human right, enshrined in international law. The concept of “privacy” is broad, and includes rights associated with information and data protection (which can be described as the right to control the extent and manner in which information about oneself is collected and handled).
Privacy and data protection in Australia is regulated through a mix of Federal, State and Territory laws.
This section focuses on the Commonwealth privacy framework. State and Territory Government agencies will be subject to applicable privacy laws in their respective jurisdictions.
Commonwealth statutory framework
Privacy Act 1988 (Cth)
At the federal level, the Privacy Act 1988 (Cth) governs the way in which APP entities (Commonwealth Government agencies, health service providers, and private sector organisations with an annual turnover of $3 million or more) deal with personal information.
- Personal information is information or an opinion that identifies, or could reasonably identify, an individual (ie. a natural living person).
- Sensitive information is a subset of personal information, and includes information or an opinion about an individual’s racial or ethnic origin, political opinions, professional or political or religious group affiliations or memberships, sexual orientation or practices, criminal record, and health, genetics and biometrics information.
The obligations of all APP entities, as well as the rights of individuals with respect to their personal information, are largely set out in the 13 Australian Privacy Principles (APPs) at Schedule 1 of the Privacy Act. The APPs impose requirements relating to:
- APP compliance and privacy policies;
- collection, use and disclosure (including additional obligations relating to disclosures outside Australia);
- direct marketing, and the adoption, use and disclosure of Government related identifiers (relevant to private sector organisations, with limited application to Commonwealth agencies);
- data quality and security; and
- access to, and correction of, personal information.
Related legislation
In addition to the Privacy Act (and various rules and codes made under that Act), there are a number of other laws that impose obligations with respect to the collection and handling of:
- certain types of personal and sensitive information (eg. tax file numbers, credit-related information, and criminal record information, as well as some types of health information); and
- personal information in the context of certain activities (eg. data-matching and research).
Commonwealth Government agencies must comply with the Privacy (Australian Government Agencies – Governance) APP Code 2017 (Cth), which details specific requirements and practical steps to ensure a consistent and best practice approach to privacy governance. Key Code requirements include implementing a Privacy Management Plan (PMP), appointing a Privacy Officer and a Privacy Champion, and undertaking a privacy impact assessment (PIA) for all high privacy risk projects.
Certain Privacy Act obligations intersect with other statutory obligations and considerations, including:
- the Public Governance, Performance and Accountability Act 2013 (Cth), which requires agencies to act in a way that is consistent with Australian Government policies, including instruments that are relevant to the protection of personal information (eg. the Protective Security Policy Framework and the Information Security Manual);
- the Archives Act 1983 (Cth), which intersects with a number of APPs, including requirements and limitations relating to the retention, alteration, deletion and destruction of information contained in Commonwealth records;
- the Freedom of Information Act 1982 (Cth), which provides for:
- separate rights for individuals to request access to, or amendment or annotation of, their personal information; and
- certain protections relating to the disclosure of personal information;
- secrecy provisions in legislation which contain offences that restrict the handling of specified types of information (which may also constitute personal information); and
- surveillance and telecommunications laws.
Regulatory oversight
The Australian Information Commissioner and Privacy Commissioner, supported by the Office of the Australian Information Commissioner (OAIC), have responsibility for ensuring APP entities comply with the Privacy Act, with a broad range of statutory functions and powers including:
- conducting (or refusing to conduct) an investigation into a complaint made by an individual about an APP entity’s information handling practices;
- handling complaints, including the power to issue a determination directing an APP entity to do something in response to a complaint (eg. to undertake a certain action to ensure future compliance with the Privacy Act, or to pay damages to a complainant);
- conducting an investigation into an APP entity’s compliance with the Privacy Act; and
- the power to apply to the Court for a civil penalty order, in the case of serious or repeated breaches of privacy.
Further information can be found in the OAIC’s Regulatory Action Policy, which sets out the Commissioner’s approach to exercising its regulatory powers.
The OAIC also has privacy regulatory responsibilities in relation to the My Health Record system, the Consumer Data Right scheme, and the Australian Government’s Digital ID system.
Privacy compliance and risk management
While not defined in the Privacy Act, a privacy risk can broadly be described as the possibility that an entity’s information handling practices, processes, procedures, or systems (including technical infrastructure) could result in the collection, handling or release of personal information in a way that is contrary to the Privacy Act (and other relevant laws).
Privacy risk management is an inherent requirement in APP 1.2, which requires entities to take reasonable steps to establish, implement, and maintain practices, procedures, and systems that ensure compliance with the APPs and any applicable registered APP code. This obligation is broadly understood as a matter of good privacy governance.
Identifying privacy risks
Privacy risks and impacts are not static. They can change (and potentially increase) over time, including as an agency’s functions, activities and data holdings grow, as regulatory frameworks develop, and as community expectations and attitudes towards privacy issues evolve. Moreover, the nature and significance of privacy risks may not be fully known at the time that a project is implemented.
It is therefore critical that privacy risks are managed on an ongoing basis through all stages of a project, and throughout the data lifecycle.
Below we have set out some key tools that can assist agencies to identify and manage privacy risks.
Privacy Management Plan
A requirement for Commonwealth Government agencies under the Code, a PMP identifies an agency’s specific, measurable commitments for ensuring APP compliance. Agencies are required to review and update their PMP at least annually, although more regular review can assist an agency to identify and address privacy risks, and uplift its privacy culture and governance, in a more proactive way.
The OAIC has published an Interactive PMP tool to assist agencies in applying a risk-based framework for assessing their current privacy practices, which are weighted against 21 key areas of the OAIC’s privacy maturity framework.
An agency’s PMP can work in conjunction with their security and broader risk management frameworks.
Privacy Threshold Assessments and Privacy Impact Assessments
As noted above, the Code requires all Commonwealth Government agencies to undertake a PIA for all “high privacy risk” projects, being those that involve new or changed ways of handling personal information that are likely to have a significant privacy impact. A PIA is a process that enables APP entities to identify:
- the impacts and risks to privacy that may arise from a project or information handling practice (privacy law compliance, as well as community expectations and acceptance); and
- appropriate strategies to manage, minimise or eliminate the identified negative impacts and risks.
A Privacy Threshold Assessment (PTA) is a preliminary assessment that is an initial step in the PIA process, and helps APP entities to identify whether a PIA is necessary for a project. The purpose of a PTA is to screen for factors that point to the potential for a high privacy risk (which requires a PIA under the Code), rather than assessing risk levels (which is what a PIA does). If an agency determines that a PIA is not required, they should retain a copy of the PTA for their records.
Some key factors for agencies to think about when undertaking a PIA include:
- ensuring that any negative privacy impacts are proportionate to, or balanced with, any benefits;
- accounting for the diversity of individuals affected by the project or initiative; and
- the impacts of privacy enhancing technologies, where those are used.
Information security risk assessment
An information security risk (and/or cyber risk) assessment helps APP entities to identify and evaluate potential risks to data, systems, and operations. The findings should inform the development of risk management and information security policies, plans, and procedures (including a review of both virtual and physical information security controls) to ensure all identified risks are adequately mitigated.
Privacy risk mitigation strategies
Below are some key tips for managing and mitigating privacy risks:
- Know what personal information you hold: Under the Code, Commonwealth Government agencies must ensure that a record of their personal information holdings is maintained. Relevant details include the type and nature of the information, the purpose of collection, any legal authority for the collection, how and where it is stored, access controls, and retention and destruction periods. Maintaining a comprehensive and accurate record of personal information holdings can help an agency to understand how information can be used and disclosed, ensure appropriate security measures are in place, identify privacy risks, and respond to access/correction requests and data breaches.
- Collect only the data you need: The information collected must be proportionate and necessary for the relevant function or activity. APP obligations with respect to collection will not be satisfied if the information is collected because it might serve a future purpose.
- Adopt a privacy by design methodology: Embed good privacy practices into business practices, information technology, and physical and network infrastructures as early as possible, to anticipate and prevent privacy and data breaches before they occur. It is important for APP entities to understand all privacy risks and impacts that may arise from their information handling practices, and to take all reasonable steps to mitigate any risks to personal information. In this respect, the three key tools noted above (in particular PTAs and PIAs) will assist APP entities in applying a privacy by design approach towards projects, by identifying and mitigating risks from the start.
- Don’t forget to account for human error: In the OAIC’s Notifiable Data Breach Scheme report for the January to July 2024 period, the Information Commissioner emphasised the importance of entities ensuring their policies, practices, and systems account for and mitigate the effects of the foreseeable risk of human error. As an example, APP entities might add a staff training module on useful methods to detect phishing attempts, and conduct regular phishing exercises to test staff knowledge.
- Regularly review and monitor ICT and access security: Noting the constantly evolving technology and security risk landscape, regularly review and monitor ICT security mechanisms and access security controls. It is important to ensure ongoing compliance with relevant standards and frameworks, as updated, including:
- the Protective Security Policy Framework and the Information Security Manual;
- the Australian Cyber Security Centre’s Essential Eight strategies to protect IT infrastructure and data holdings from cyber threats, minimum requirements for multi-factor authentication systems, and guidance on cloud security;
- the National Institute of Standards and Technology’s Cyber Security Framework; and
- the International Organization for Standardization’s ISO 27001 and ISO 27002.
- Regular audits and updates: Be sure to regularly review your:
- personal information security processes, procedures, and systems, having regard to data breach learnings and new projects;
- security and privacy training modules to ensure they remain fit for purpose;
- Privacy Management Plan to ensure privacy risks are being promptly identified and appropriately managed;
- Privacy Policy and consent notices to ensure ongoing transparency, particularly as new projects and initiatives are implemented; and
- Data Breach Response Plan and ransomware policy – these should be regularly tested and rehearsed with key internal stakeholders, including your legal, privacy and ICT teams.
- Physical security: Consider physical security measures to protect information, including staff access to certain areas of the office, appropriate storage facilities for classified material, and internal policies which govern or prohibit the removal of classified information from the office.
- Consider supply-chain risks: Proactively address privacy risks in any contractual arrangements with third-parties engaged in information handling practices on your behalf, including clear processes for handling personal information and clearly assigned roles and responsibilities for managing and reporting data breaches. Regular auditing of third parties will help ensure ongoing compliance with contractual obligations.
See the OAIC’s Guide to Securing Personal Information for further guidance on the reasonable steps your agency can be taking to protect the personal information you hold.
Data breaches
A privacy breach is where an APP entity interferes with the privacy of an individual by undertaking an act or practice that breaches one or more provisions of the Privacy Act (including the APPs), or a registered code made under that Act.
A data breach is where there is unauthorised access to, or unauthorised disclosure of, or a loss of, personal information that is held by an APP entity.
An eligible data breach is where:
- there is a data breach (as defined above) that is likely to result in “serious harm” to an individual; and
- the APP entity has not been able to prevent the likely (ie. probable, as opposed to merely possible) risk of “serious harm” with remedial action.
“Serious harm” can include serious physical, psychological, emotional, financial or reputational harm. Whether an eligible data breach has occurred (including the likelihood of serious harm) is an objective test:
- from the perspective of a properly informed, reasonable person in the entity’s position; and
- having regard to available information (including any reasonable inquiries) and the entity’s assessment of the data breach.
The OAIC’s Data Breach Preparation and Response guide provides detailed guidance on how to determine whether an eligible data breach has occurred.
Notifiable Data Breaches Scheme
Subject to certain limited exceptions, APP entities are required to notify the OAIC and affected individuals as soon as reasonably practicable where they become aware that there are reasonable grounds to believe that an eligible data breach has occurred.
If an eligible data breach is suspected, an APP entity must take all reasonable steps to carry out an assessment (within 30 calendar days) to determine whether there are reasonable grounds to believe that an eligible data breach has occurred. While there must be some factual basis for the suspicion, it need only be slight and can be formed on facts that would be insufficient to reasonably ground a belief that an eligible data breach has occurred (see Datateks Pty Ltd (Privacy) [2023] AICmr 97 and Pacific Lutheran College (Privacy) [2023] AICmr 98).
Data breach response
Agencies should have a robust and tailored data breach response plan that is regularly tested, and understood by all staff. Prompt response to a data breach can assist in reducing the scale of a data breach and the risk of serious harm to affected individuals, and is consistent with APP 11 security obligations.
An APP entity’s response to a particular data breach may have regard to a number of factors including the nature of the compromised personal information, the broader circumstances of the breach, and the potential or actual harms to the APP entity and affected individuals.
Part 3 of the OAIC’s Data Breach Preparation and Response guide recommends the following four key steps, to be undertaken simultaneously or in quick succession, following a data breach:
- Contain the breach to prevent any further compromise of personal information.
- Assess the breach, including the risk of serious harm associated with the breach. Where possible, take action to limit the impact of the breach.
- Notify affected individuals and the OAIC, where an eligible data breach is identified. Where an eligible data breach has not occurred, the APP entity must carefully consider whether notification to the affected individual(s) should occur, with relevant considerations including the nature of the breach (and whether the individual might need to take steps to protect their information), and whether notification could cause unnecessary anxiety or de-sensitisation to privacy breach notifications.
- Review and learn from the breach to prevent recurrence. Consider any improvements to personal information handling practices through a number of activities, such as a security review, a review of policies and procedures, changes to internal staff training practices, and a review of third-party providers that were involved in the breach. Also identify and consider similar breaches, which could indicate a systemic issue that needs to be addressed.
Cyber security incidents
Certain cyber security incidents perpetrated against critical infrastructure assets, as defined in the Security of Critical Infrastructure Act 2018 (Cth), must be reported to the Australian Cyber Security Centre.
For assets that are deemed as Systems of National Significance (by Declaration of the Minister for Home Affairs), there are also four enhanced cyber security obligations, such as undertaking cyber security exercises to build cyber preparedness, and undertaking vulnerability assessments to identify vulnerabilities for remediation.
Key take-outs
- The OAIC expects Commonwealth Government agencies to be leaders in proactive, consistent, and strong privacy governance practices, to build public confidence and trust in the Government’s handling of personal information.
- Privacy risks should be identified and proactively managed throughout project and personal information lifecycles, taking a privacy by design approach.
- The handling of personal information may be subject to different requirements under different legislation, which can be complex to navigate.
- Where an entity becomes aware of a suspected data breach, prompt action is required to respond to the breach (including to mitigate the risk of serious harm to individuals), and determine whether an eligible data breach has occurred.