KWM Privacy Bytes - Privacy Act Review Report: Collecting and using of personal information

The Government’s long-awaited Privacy Act Review Report contains 116 proposals for reform. While not fundamentally changing the current principles-based approach, these proposals will require a step change in how Australian companies collect and use personal information. For an overview of the changes see here.

As the first in a series of Privacy Bytes, our experts extract the core proposals relating to the collection and use of personal information.

Expanding definitions will mean that existing use will need to be reassessed

The scope of what is protected under the Privacy Act will be expanded under the reforms. This will mean existing obligations will apply in more circumstances, to more information and to processes that would not have previously been covered. Organisations will need to assess existing collection, use and disclosure practices through this broader lens.  

Some of these expansions:

  • Personal Information - The definition of personal information will be amended to include any information that relates to an individual (instead of information ‘about an individual’). This expands the current definition and will capture information such as technical information (e.g. IP addresses and location data) that may have been excluded under the current definition. The proposals will also expressly capture inferred and generated information (e.g. predictions about individuals’ behaviour) in order to make clear that this type of information is already protected under the Act. These changes will be supported by a non-exhaustive list of what will expressly fall within this definition, which lists information such as location data, technical or behavioural data, inferred data and features of a person.
  • Reasonably identifiable - The Report also proposes to provide greater clarity as to when an individual is reasonably identifiable based on a list of factors to be considered in making this assessment. These factors could include the nature and volume of information, who holds and has access to the information, how and why the information is collected, other information that is available to the recipient and the context in which the information is being handled. The Report makes clear that a person may be reasonably identifiable if they can be uniquely identified from all others, even if the person’s legal identity remains unknown. This means that unique identifiers may be captured by the Act, even if assigned on an otherwise anonymous basis.
  • Sensitive Information - The definition of sensitive information will be expanded to align with the expanded definition of personal information and to also include genomic information (e.g. information about how an individual’s genes work).
  • De-identified information - Some protections will also apply to de-identified information. Although de-identified information is not personal information per se and currently falls outside the scope of the Privacy Act (provided that the information has been properly de-identified!), the Report proposes that the existing obligations in APP 8 (Cross-border transfer) and APP 11 (Security) should be extended to it. These changes reflect the reality that the more data an organisation holds, the greater the chance that de-identified information can be re-identified. It has been recommended that a new criminal offence be introduced for the malicious re-identification of de-identified information where there is an intention to harm another or obtain an illegitimate

Organisations will need to take a step back and think about information they collect in a new way.

  • Collecting information about usage from a device or IP address?
  • Using location data to tailor a service?
  • Collecting service-related data that may relate to an individual?
  • Relying on the fact that you cannot reasonably identify the individual from the data you collect?
  • Relying on de-identified data?

There is scope for a broad range of service-related data to now be captured under the Privacy Act. Organisations will need to assess this usage and how best to manage compliance in the context of this expanded definition.

Would an objective reasonable person say current use is fair and reasonable?

One of the substantive changes around the collection and use of Personal Information is the introduction of a new positive obligation on companies to ensure that ‘all collection, use and disclosure of personal information is fair and reasonable in the circumstances’. This is an objective test, assessed from the perspective of a reasonable person. Importantly, this requirement applies irrespective of consent. That is, if an individual provides voluntary, informed, current, specific and unambiguous consent (more on that later) to the collection and use of personal information in a particular manner, this will form part of the context in considering whether it is fair and reasonable. However, it will not, of itself, be adequate to demonstrate that the collection and use is fair and reasonable in the circumstances.

While a reasonable person test is a familiar concept in Australian law, there may be substantial scope for dispute as to what a reasonable person may consider in the context of technology and privacy. The Report proposes to include a list of non-exhaustive factors to assist with this assessment. These include:

  • Reasonable expectations
  • Kinds, sensitivity and amount of personal information collected
  • Functions and activities of the entity
  • Risks of unjustified adverse impact or harm
  • Whether the impact on privacy is proportionate to the benefits
  • Transparency in the collection and use of personal information
  • Whether it is in the best interest of the child where applicable
  • The objectives of the Act.

Coupled with the introduction of direct rights of action, this obligation will become a foundational requirement for future privacy compliance efforts for all organisations. This will require renewed focus within organisations as to how proposals to collect and use personal information are assessed, how they formulate their privacy policies, collection statements and how they obtain consents, and how they document this analysis (more on that later too!).

Organisations can begin assessing now whether their current collection, use and disclosure of personal information (based on the broader test!) is fair and reasonable from the perspective of an objective reasonable person.

Will privacy policy, collection notices and consents need to change?

Every organisation will need to review its existing privacy policy, collection notices and privacy consents as part of these reforms. This is not just for content (although this will be required) but for clarity and the relationship between them. Organisations that rely heavily on their privacy policy to ‘do all the work’ and so don’t pay close attention to other privacy notices will need to revisit this approach. While there is still a way to go for the reforms to be implemented, an increased focus on transparency and clarity is likely to be required. Organisations should start considering these impacts now.

The distinction between collection notices and privacy policies will be retained (with the Government confirming (again!) that a privacy policy is not a substitute for a collection notice). Key things to be aware of are:

  • Privacy Policies are already required to be clearly expressed, up to date and to cover specified matters. These should cover the entity’s entire personal information handling practices. These will need to be updated to reflect new requirements under the reforms, including retention periods, new additional rights and specific information required about high risk privacy activities. However, the privacy policy should not be relied on to do the work of the collection statement or to obtain consent (including bundled consents).
  • Collection Notices will need to be clear, up to date, concise and understandable. This will be a new requirement. At the same time, the scope of matters to be included in collection notices will be expanded to include the collection, use and disclosure of personal information for high-risk activities, how to exercise any applicable individual rights and the types of personal information that may be disclosed to overseas recipients. Importantly, collection notices must be both clear and ‘concise’, which means that simply referring to a general privacy policy is unlikely to be sufficient as the policy will inevitably contain more information (and at a more abstract level) than is necessary to meet the standard required of a collection notice. Organisations will need to make sure that at each point of collection they communicate in a clear and crisp way about their privacy practices and don’t simply fall back on the privacy policy.
  • Consents will need to be voluntary, informed, current, specific and unambiguous. There is no proposal to substantially broaden the circumstances in which consent is required, although organisations will need express consent to collect, use, disclose and store precise geolocation tracking data (e.g. data showing an individual’s precise location at a particular place and time that is tracked over time). Further, if relying on implied consent, consideration will need to be given to whether the consent is unambiguous in the circumstances. This is new.

It is also worth considering whether your organisation collects (or may collect) personal information from children (which will be defined as individuals who are not yet 18). Even if an organisation is not actively targeting children, they will need to consider whether they may be collecting information from a child. If this is the case, consideration will need to be given to ensuring a child has capacity to consent, modifying collection notices to make them understandable to children, ensuring regard is had to the best interests of children and, for online services likely to be accessed by children, a Children’s Online Privacy Code may be developed. One open question is whether organisations may need to start collecting additional information in order to confirm whether or not they are dealing with a child – that could potentially be counterproductive from a privacy perspective, as it would mean collection of age verification information that would otherwise not be required.

Privacy policies, collection notices and consents should be reviewed for clarity and transparency. Consents and collection notices should not rely on the privacy policy to ‘do the work’.

Other considerations in the collection, use and disclosure of Personal Information

In addition to the specific requirements in the proposed reforms, there are a range of proposals aimed at increasing organisational assessment of, and accountability for, data collection practices. Here are some of the key proposals you need to know:

  • You will need to determine and record the purposes for which you collect, use or disclose personal information at (or before) the point of collection. A similar requirement will also be introduced for secondary use or disclosures, so you will need to determine and record the secondary use or disclosure before information is used or disclosed in that way. While many organisations will consider use, there will need to be a more rigorous process around this assessment and for recording the outcome of this assessment as part of any approval process. This will have a substantial impact on data governance processes.
  • The creation of inferred or generated personal information will be deemed to be a ‘collection’. Although this isn’t new, it means extra care will need to be given when making predictions about behaviour or preferences, when generating profiles from aggregated information and for any use of AI.
  • Individuals will need to be able to withdraw consent as easily as they provided it – this will require a review of consent withdrawal processes to ensure companies are not placing hurdles in these flows.
  • If the collection, use or disclosure may relate to a high risk privacy activity, you will need to do a privacy impact assessment (more on that in another Byte).
  • You must appoint a senior employee responsible for privacy. While many organisations will already have this in place, for others this responsibility may need to be allocated to a sufficiently senior employee.

The changes will require a review of organisations’ processes and systems, not just their documentation.

The reforms largely adjust existing requirements outlined in the Privacy Act. But the cumulative effect of the changes could be substantial. These changes will impact all organisations and may ultimately require organisational, process and system changes in addition to updating privacy policies, collection notices and consents. Assessing the impact of these changes now could help with implementation once the reforms are enacted.
