Privacy Act 1988 Review: A Compliance Burden or Welcome Change?

Marc Coleman, Senior Manager Protiviti Australia
Ewen Ferguson, Managing Director Technology Consulting, Protiviti Australia

It has been more than two years since the Attorney-General’s Department announced it would be undertaking a review of the Privacy Act 1988. The review will likely result in the most substantial amendment to the Act since what we now know as the Australian Privacy Principles (APPs) were introduced in 2000. The objective of the review “will consider whether the scope of the Privacy Act 1988 and its enforcement mechanisms remain fit for purpose”. Notable areas under consideration for reform in the review’s Terms of Reference include:

  • The definition of “personal information”;
  • Current exemptions;
  • Erasure/deletion of personal information;
  • The impact and effectiveness of the notifiable data breach scheme; and
  • The feasibility of an independent certification scheme for organisations to demonstrate compliance with Australian privacy laws.

What has happened since

The review was initially scheduled to commence in October 2020 but has experienced delays. Following the Department’s invitation for submissions in response to a published issues paper, the volume of interest and responses has been positive with many notable organisations providing feedback and opinions on areas of the current Act for reform. By the close of submissions, the department had received responses from private sector organisations such as Facebook, Atlassian and Google, as well as public sector agencies, academics and research centres, and even the Office of the Australian Information Commissioner (OAIC) itself.

Following a review of submissions received, the Department published a Discussion Paper in late October 2021. The Discussion Paper sets forth a number of proposed amendments to the Act. The Department requested responses to the Discussion Paper and the proposed amendments, seeking “more specific feedback on preliminary outcomes, including any possible options for reform”. The consultation period closed on 10 January 2022.

What is going to change

The Attorney-General’s Department’s Discussion Paper has proposed reforms to the Act in three key areas:

  1. Scope and application of the Privacy Act 1988;
  2. Protections afforded to individuals and their personal information; and
  3. Regulation of the Act and enforcement powers.

To learn more about what is going to change, the impact, and potential action items, read our paper.

Add comment