KWM privacy bytes – Privacy Act Review Report individual rights

Released in February this year, the Government’s long-awaited Privacy Act Review Report (Report) contains 116 proposals for privacy reform. In this, our second article in the Privacy Bytes series, we take a closer look at the new individual rights the Report proposes to include or expand in the Privacy Act. 

New (and expanded) individual rights will require technological and process uplift

The Privacy Act currently includes a limited number of rights that can be exercised by individuals: a right to access personal information held by organisations (subject to exemptions) and a right to request that organisations correct the personal information they hold about that individual. This contrasts with the broader range of ‘data subject rights’ available to individuals under the European Union and UK General Data Protection Regulation (GDPR). The Report proposes to reduce this gap by extending existing rights and introducing a number of new rights to the Privacy Act, with the overall objective of significantly enhancing the control individuals have over their personal information under the Privacy Act.

We briefly summarise the core proposals below before analysing some in more detail. 

PROPOSED INDIVIDUAL RIGHT (new or expanded) – WHAT DOES IT MEAN?

[Expanded] Right to access and explanation – a right to know what personal information is held, where it came from, and what is being done with it.

A right to access personal information already exists under the Privacy Act (see APP 12). The Report proposes that the existing right be strengthened to allow individuals the right to not only know what personal information a company holds about them (ie their current right) but to also know where that personal information came from (ie the source) and what has been done with it.

[New] Right to erasure – a right to have personal information deleted.

If requested by the individual, organisations will be required to either delete (or justify why they will not delete) that individual’s personal information from the organisations’ records and systems. Where the request relates to personal information from a third party (or disclosed to a third party), the organisation must notify the individual and the third party of the erasure request.  

[New] Right to object to the collection, use and disclosure of personal information – a right to challenge whether an APP entity’s handling of personal information complies with the Act.

This right will empower individuals with the ability to question or challenge how an organisation is handling personal information. The organisation would need to provide a justification for why its actions are compliant with the Act. The individual may then use that to consider their options, including as to whether or not to make a complaint.

[Expanded] Right to correction – a right to require that personal information be accurate, up-to-date, complete, relevant and not misleading.

The Report proposes to extend the right to correction to generally available publications online over which an APP entity maintains control.

Practically, this means that an organisation will need to be able to correct any personal information that can be found on its publicly accessible websites (or other publicly available sources). Depending on how this change is implemented, it may also have broader implications (as currently information in a generally available publication is not considered to be “held” under the Act and, as such is in effect exempt from many compliance obligations).

[New] Right to de-index certain search results – a narrow right to have internet search results about an individual de-indexed in specific circumstances.

Effectively a sub-category of the (new) right to erasure, this right will allow individuals to request search engines de-index sensitive information, information about a child, excessively detailed information (e.g. home address/personal phone numbers) or inaccurate/misleading information. If implemented, it is likely this right will be jurisdictionally limited to Australia (e.g. it can only be used to de-index within Australia) and closely follow the tests in Google Spain SL v Costeja González C-121/12, EU:C:2014:317 as adapted for the GDPR.

In practice, this right is likely to have limited application to organisations other than search engine operators.

[New] Right to meaningful information about automated decision making (ADM) – a right to request meaningful information about how substantially automated decisions with legal or similarly significant effect are made.

Where an organisation uses automated decision making technology (e.g. AI) to make a decision that will have a legal or similarly significant effect on an individual, that individual will have the right to request meaningful information about how that decision was made. 

Managing a right to explanation

The expansion of the existing right of access will require organisations to identify the source of the personal information they have collected indirectly from a third party source (rather than directly from the individual in question) and to provide an explanation or summary of what the organisation has done with the personal information.

This will require an organisation to understand and keep detailed records for the lifecycle of personal information they hold. This can be challenging in circumstances where personal information:

  • was received as part of an acquisition of a business where there are limited records as to the source of data
  • is aggregated into systems without a record of the source of that information (e.g. directly from the individual or through a third party such as a sales agent, distributor or service provider)
  • forms part of a single record that may develop organically over time as new information is collected about an individual (e.g. it may mean that the organisation must keep records of the source of each change over the lifetime of the record – not all record keeping systems may have functionality that easily allows that level of detail to be kept)

Similarly, an organisation may understand the primary purpose for which it uses personal information but may not systematically track what it has done with that personal information outside of that primary purpose. Particularly where personal information is used across multiple parts of a business, there may be no consistent record of how that information has been used and with whom it has been shared. In those circumstances, it may be challenging to satisfy the proposed requirement to explain what has actually been done with the information. There is also a risk that providing a detailed explanation will result in leakage of sensitive confidential or proprietary information about the organisation’s business. 

Does your organisation have a clear view of the lifecycle of the personal information it holds? 

  • What is the source of the personal information?
  • What is done with that personal information?

Can you track this information over time? If not, this is something that you should start thinking about now. 

What will the right to erasure mean for my business?

The recent increase in cyber security incidents has brought into sharp focus the volume and age of personal information stored by some organisations. In this context, a right to erasure will make sense to a lot of people. But what does it mean for organisations and how they manage their data?

A request to erase information may sound simple, but erasure requests can create substantial complexities for organisations. 

Firstly, an organisation will need to be able to locate all of the personal information related to an individual. Sounds simple, right? Many organisations have a complex web of systems built up over many years. If an organisation doesn’t have a clear view of the personal information that they hold, every system in which it is stored and how it is used, locating personal information can be very challenging. This may particularly be the case where personal information is:

  • held on multiple systems
  • duplicated across the same or different systems
  • shared with third parties
  • accumulated over many years from a variety of sources (including acquisitions) where the source, and use of the data may not always be known.

Secondly, an organisation will need to understand all of the ways in which that personal information is used and disclosed within and outside of the organisation to ensure that the deletion will not have any unintended impacts. It is worth noting that the Report proposes to extend the definition of ‘personal information’ in a way that will capture certain types of technical data, including metadata, that many organisations may not currently consider to be subject to the Act. Apart from the fact that it may be practically onerous and time consuming to track down all of this type of data and ensure it is deleted in the event of an erasure request, the deletion could also have implications for the technical functioning of communications networks and other systems that rely upon this type of data.

The implications of deletion will require broader consideration to ensure there are no unintended impacts on the individual in question. For example, there may be issues where an organisation may have conflicting legal obligations to retain information, or where the information is important for other purposes. The Report also contemplates that the current exemption under the Act for employee records may be removed – in that case, the implementation of the right to erasure in an employment context would need to be carefully considered. After all, what employee wouldn’t relish the prospect of being able to request the deletion of a less-than-complimentary performance review?

Finally, organisations will need to consider whether changes will need to be made to their systems and processes to enable them to comply with a request for erasure. This may be technically complex where the same information may be stored across multiple systems and data repositories that are not always automatically synced.

Building on the assessment above, it will be critical for every organisation to have a clear picture of:

  • what personal information it holds (taking into account the proposed expansion to that definition!)
  • how that data is used and disclosed within, and outside of, the organisation (leveraging assessment done for the right of explanation above)
  • what the impact is of deleting that personal information (on services and the organisation’s legal requirements)
  • what changes will need to be made to systems and processes to enable (or support) compliance with any new right of erasure.

This may take substantial work and, again, this is something that can be started now. In the context of cyber security threats many organisations are already reviewing their data handling practices. Building on this work will prepare organisations for the introduction of a right to erasure. 
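As an added illustration of the record keeping the two sections above describe (the source and use history needed for the expanded right to access and explanation, and the system inventory, legal-hold reasons and third-party notifications needed for an erasure request), here is a minimal per-individual provenance ledger. This is example code written for this article, not the article's or any product's own implementation; the event schema, system names, parties and legal-hold reasons are all constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    """One lifecycle event for an individual's personal information (constructed schema)."""
    kind: str           # "collected", "updated", "used" or "disclosed"
    system: str         # internal system in which the event happened
    source: str = ""    # where the information came from (collected/updated events)
    purpose: str = ""   # why it was used or disclosed
    party: str = ""     # third party that supplied or received it, if any


@dataclass
class PersonalInfoRecord:
    """Per-individual ledger: one appended event per collection, change, use or disclosure."""
    subject_id: str
    events: list[Event] = field(default_factory=list)

    def record(self, event: Event) -> None:
        self.events.append(event)

    def explanation(self) -> dict:
        """Facts an access-and-explanation response needs: sources, uses and disclosures."""
        return {
            "sources": sorted({e.source for e in self.events if e.source}),
            "uses": sorted({(e.system, e.purpose) for e in self.events if e.kind == "used"}),
            "disclosures": sorted({(e.party, e.purpose) for e in self.events if e.kind == "disclosed"}),
        }

    def erasure_plan(self, legal_holds: dict[str, str] | None = None) -> dict:
        """Systems to purge, systems retained under a legal obligation (with the reason
        the organisation must give), and third parties that must be notified."""
        holds = legal_holds or {}
        systems = {e.system for e in self.events}
        return {
            "systems_to_purge": sorted(s for s in systems if s not in holds),
            "retained": sorted((s, holds[s]) for s in systems if s in holds),
            "third_parties_to_notify": sorted({e.party for e in self.events if e.party}),
        }


def sample_record() -> PersonalInfoRecord:
    """Constructed sample: a customer record accumulated from several sources over time."""
    r = PersonalInfoRecord("cust-0001")
    r.record(Event("collected", "crm", source="individual (web sign-up form)"))
    r.record(Event("updated", "crm", source="acquired customer list",
                   party="AcmeCo (acquired business)"))
    r.record(Event("used", "analytics", purpose="churn model"))
    r.record(Event("disclosed", "crm", purpose="order fulfilment", party="ShipFast Pty Ltd"))
    return r
```

Calling `sample_record().erasure_plan({"crm": "tax record retention"})` shows the split between systems that can be purged and a system whose retention must be justified to the individual.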

Considering the impact of a right to object

The new right to object will enable individuals to object to the processing of their personal information for certain purposes. An organisation will need to provide a written response to an objection with reasons.

Once again, in order to properly respond to an objection, an organisation will need to understand exactly what personal information it collects, why it collects that information and what it does with that information. This may require a more detailed level of record keeping than many organisations currently have in place.

One context in which an individual may exercise their right to object is where they consider the handling of their information is inconsistent with the proposed new requirement to ensure that all collection, use and disclosure of personal information is ‘fair and reasonable’. Ideally, organisations will be able to call upon documented privacy impact assessments and other internal records to show that their information handling practices are proportionate and that privacy risks have been properly identified, considered and mitigated where possible. See [First Privacy Byte] for more information about the duty to act in a fair and reasonable way.   

In addition to understanding how and why your organisation collects and uses personal information, you may also need to consider this use in the context of other changes proposed to the Privacy Act. 

Impact of the proposed changes on adoption of AI and Automated Decision Making

The buzz surrounding ChatGPT and other generative AI engines means that this is suddenly a very topical subject. But organisations have been using tools that include AI or automated decision making (ADM) for years. Many tools and systems which incorporate a degree of ADM or AI are not particularly transparent. In fact, many suppliers closely guard their algorithms, training techniques and data sources as proprietary and confidential. The proposed right for individuals to access meaningful information about the use of ADM for decisions with legal or similarly significant effect may forcibly shed light on these practices.

Organisations will need to give careful thought to how they can fulfil the new transparency obligations in relation to their use of AI without giving away any valuable business secrets. Some may even be driven to limit their adoption of AI technologies to avoid the associated compliance burden. However, that may be difficult for organisations where ADM is already an important part of their business – e.g. for recruitment, loan processing or insurance assessments. In other circumstances, organisations may choose to apply a human overlay to any automated decision making to ensure that the decision isn’t substantially automated. Finally, there is likely to be increasing pressure on suppliers of AI and ADM solutions to ensure that those solutions provide sufficient transparency to enable organisations to get comfortable with the basis on which decisions are being made, and to comply with any amendments arising from the Report.

The changes proposed in the Report for the provision of meaningful information about ADM are to be implemented alongside the broader work being undertaken by the Department of Industry, Science and Resources as part of the regulation of AI and ADM. As a result, the timing of these changes may differ from that of the proposed amendments to the Privacy Act.

Do you have a policy around the use and adoption of AI and ADM solutions? Consider where AI and ADM are used within your organisation. Are they used to make substantially automated decisions with legal or similarly significant effect? Do you have sufficient transparency to understand the basis on which those decisions are being made?

The new individual rights will not be absolute

Importantly, the new individual rights above will not be absolute. It has long been acknowledged that the rights of an individual need to be balanced against the broader (and sometimes competing) interests of businesses and the broader community. Accordingly, other than the right to direct action, the individual rights will generally be subject to the exceptions for:

  • Countervailing public interests: such as where complying with an individual’s request would be contrary to public interests, including freedom of expression and law enforcement activities.
  • Other legal interests: such as where complying with an individual’s request would be inconsistent with another law or contract.
  • Technical exceptions: such as where it would be technically impossible, unreasonable, frivolous or vexatious to comply with an individual’s request.

These changes will have a significant impact on all organisations and will require organisational, process and system changes. Assessing the potential impact of these changes, including by undertaking a stocktake of all existing data assets and upgrading record keeping systems in order to be able to keep track of how information is collected and used throughout your organisation, will provide a vital head start once the reforms are implemented. 

Practical Tip: As evidenced in Europe, the introduction of new individual rights is likely to be supported by the development of bespoke technological solutions to help organisations address these issues (e.g. to help process and respond to an increase in information access requests). This is likely to make your compliance journey easier.
