The long-awaited report reviewing Australia’s Privacy Act 1988 has been released by the Australian Government, proposing significant changes including individual rights modelled on the GDPR, such as the right to request erasure, and notification of data breaches to the Office of the Australian Information Commissioner within 72 hours.
Attorney-General Dreyfus’ statement releasing the report says, ‘the Privacy Act has not kept pace with the changes in the digital world. The large-scale data breaches of 2022 were distressing for millions of Australians, with sensitive personal information being exposed to the risk of identity fraud and scams.’
In relation to security, destruction and notifiable data breaches, the report states, ‘recent large-scale data breaches have highlighted the vast amount of personal information that is collected and retained by entities, and the need for entities to put in place stronger protections to prevent unauthorised access to Australians’ information. The best way to protect personal information is for entities to minimise the amount of personal information they collect and retain. The Act already requires entities to only collect what is reasonably necessary and to destroy personal information when it is no longer required. This requirement would be reinforced through enhanced OAIC guidelines for entities on the reasonable steps they should take to destroy or de-identify personal information so that they can be in a better position to meet their obligations. In addition, this Report proposes that entities should determine, and periodically review, the period of time for which they retain personal information. There should be a further review of legal provisions outside of the Privacy Act that require certain forms of personal information to be retained. This further work should determine if those requirements appropriately balance the intended policy objectives with the privacy and cyber security risks of entities holding significant volumes of personal information. The Report also proposes enhancements to the Notifiable Data Breach scheme (NDB scheme) so that, when a data breach occurs, quick action can be taken to minimise harm to affected individuals. Proposed new data breach reporting obligations, including notifying the Information Commissioner (IC) within 72 hours of becoming aware of a data breach, would assist with this objective. The Report also proposes further work to better facilitate reporting processes for entities with multiple reporting obligations.’
The Government is now seeking feedback on the 116 proposals in this report before deciding what further steps to take.
Submissions on the report are due on 31 March 2023.
Read the report here – https://bit.ly/3YAZ9b7