In February 2023, the Privacy Act Review Report was released after two years of extensive consultation and review of the Privacy Act 1988 (Cth). It included proposed reforms aimed at strengthening the protection of personal information and the control individuals have over their information.
But what does this actually mean for you?
Building on our previous article, ‘Essential 8 vs. Privacy Act’, we explore the nuances of the Privacy Act Review and its implications, particularly for the nonprofit, medical, and education sectors.
In This Article
- What is the Privacy Act
- Definitions: “Agreed” vs “Agreed in Principle”
- Timeline and Next Steps
- How the Privacy Act Review Affects Non-Profits
- How the Privacy Act Review Affects the Medical Industry
- How the Privacy Act Review Affects the Education Sector
- Where to From Here?
What is the Privacy Act?
The Privacy Act review, initiated in Australia, was designed to update privacy laws in light of technological advancements. It focuses on data handling, individual rights, organisational accountability, and regulatory enforcement, ensuring that privacy laws stay relevant.
Report Definitions: “Agreed” vs “Agreed in Principle”
“Agreed”
When the government agrees to a proposal, it has committed to developing legislative provisions for that measure. This agreement is the more definitive of the two, indicating a clear intention to enact the proposed changes.
“Agreed in Principle”
This indicates a provisional agreement subject to further engagement and analysis. It means that while the government supports the idea behind the proposal, it requires more detailed examination, impact analysis, and consultation with regulated entities. This is to ensure a balanced approach, considering both privacy benefits and the potential economic and regulatory impacts on entities.
Timeline and Next Steps
The review process involved evaluating the pros, cons, and costs of various proposals. This led to the modification of some proposals, the discontinuation of others, and the introduction of new ones. Some proposals haven’t been subject to stakeholder feedback yet and will need further discussions before they can be implemented. Considering the comprehensive steps of consultation, impact assessment, and legislative development, it’s anticipated that the actual implementation of these changes might not take place until late 2024 or later.
How the Privacy Act Review Affects Non-Profits
Here is a collection of principles that could impact non-profits and potential use cases:
Agreed in full:
- Protection of De-identified Information (Proposal 21.4): A domestic violence support centre safeguards de-identified client data.
- New Tiers of Civil Penalty Provisions (Proposals 25.1 & 25.2): A mental health service provider could face penalties for mishandling client data.
- Consent for Geolocation Tracking Data (Proposal 4.10): An app by a homeless support organisation gets explicit consent for tracking location data.
- Standard Contractual Clauses for Overseas Data Transfer (Proposal 23.3): Organisations ensure the protection of sensitive data when sharing with international partners.
Agreed in principle:
- Sensitive Information: Support services dealing with genetic disorders must ensure robust consent processes and secure data handling.
- Fair and Reasonable Information Handling: Charities must ensure the fair use of personal stories and data in campaigns.
- Vulnerability Protections: Services supporting vulnerable groups like domestic violence survivors must handle data with additional care.
- Organisational Accountability: A privacy officer is needed to ensure data protection and handle privacy inquiries or complaints.
How the Privacy Act Review Affects the Medical Industry
Here is a collection of principles that could impact medical and healthcare organisations and potential use cases:
Agreed in full:
- Purpose Identification for Consent (Proposals 14.2 & 14.3): A clinic must transparently state why it’s collecting patient data, such as for treatment, billing, or sharing with specialists.
- Amendment to Objects of the Act (Proposals 3.1 & 3.2): Healthcare providers must balance patient care with the individual’s right to privacy.
- Protection of De-identified Information (Proposal 21.4): Hospitals protect de-identified patient data from potential misuse or re-identification.
- Enhanced OAIC Guidance for Data Destruction and De-identification (Proposal 21.5): Medical practices follow detailed guidelines for destroying or de-identifying patient health records.
- New Tiers of Civil Penalty Provisions (Proposals 25.1 & 25.2): Clinics could face penalties for improper handling of patient data or administrative breaches.
- Consent for Geolocation Tracking Data (Proposal 4.10): Healthcare apps require explicit consent from users before tracking their precise location data.
- Emergency Declarations and Information Disclosure (Proposals 5.4 & 5.5): In health crises, hospitals may need to disclose patient information to state authorities under emergency declarations.
- Standard Contractual Clauses for Overseas Data Transfer (Proposal 23.3): Medical research institutes use standard contractual clauses when sharing patient data overseas.
- Requirement for Redress in Privacy Breaches (Proposals 25.5 & 25.6): Healthcare facilities must provide redress for harm caused by data breaches, including mitigating any potential damage.
Agreed in principle:
- Clarification of Personal Information: Hospitals must consider data like IP addresses from online consultations as personal information.
- Sensitive Information: Genetic testing labs must implement heightened security measures, like encryption and strict access controls, for genomic data.
- Small Business Exemption Removal: Small clinics will now need comprehensive privacy policies and data protection practices.
- Fair and Reasonable Information Handling: Patient data used for research must be handled transparently and within ethical guidelines.
- Enhanced Data Breach Obligations: Hospitals must report breaches within 72 hours to authorities and affected patients.
- Organisational Accountability: A privacy officer in a healthcare provider must oversee data handling and staff training on privacy policies.
- High Privacy Risk Activities: New patient data systems require Privacy Impact Assessments before use.
- Automated Decision-Making (ADM) Policies: Telehealth apps using ADM must clearly disclose how decisions impact patient care.
- Direct Marketing, Targeting, and Trading: Pharmaceutical companies must comply with strict rules for marketing based on healthcare professionals’ data.
- Children’s Privacy: Paediatric services must ensure digital platforms comply with new rules on children’s data.
- Vulnerability Protections: Hospitals need extra data protection measures, e.g. encryption, for patients with mental health issues.
- Simplification of Terms and Obligations: Healthcare IT providers need clear distinctions in their roles as data processors or controllers.
- Overseas Data Flow Regulations: Research firms must use standard contractual clauses for international data sharing.
- Expanded Individual Rights: Patients can ask hospitals to delete or explain the use of their medical records.
How the Privacy Act Review Affects the Education Sector
Here is a collection of principles that could impact the education sector and potential use cases:
Agreed in full:
- Purpose Identification for Consent (Proposals 14.2 & 14.3): A high school clearly states why it’s collecting personal information, like health records or educational support services.
- Amendment to Objects of the Act (Proposals 3.1 & 3.2): A primary school ensures the protection of student and parent information, aligning educational needs with privacy rights.
- Enhanced OAIC Guidance for Data Destruction and De-identification (Proposal 21.5): Schools adhere to guidelines on securely destroying or de-identifying records, such as counselling notes.
- Emergency Declarations and Information Disclosure (Proposals 5.4 & 5.5): Schools may disclose student information to authorities in emergencies under specific conditions.
- Requirement for Redress in Privacy Breaches (Proposals 25.5 & 25.6): Schools are required to identify, mitigate, and provide remedies for any harm caused by a data breach.
Agreed in principle:
- Clarification of Personal Information: Schools handling online learning data must treat technical details, such as login information, as personal information.
- Small Business Exemption Removal: Small tutoring services must ensure compliance with the Privacy Act, including data protection and breach notification.
- Enhanced Data Breach Obligations: Schools must rapidly inform parents and authorities of any data breaches, adhering to the 72-hour notification rule.
- High Privacy Risk Activities: Schools implementing student tracking systems must evaluate privacy risks beforehand.
- Automated Decision-Making (ADM) Policies: Learning platforms using ADM for student paths need transparent data use policies.
- Direct Marketing, Targeting, and Trading: Educational apps must adhere to new regulations on targeted advertising to students.
- Children’s Privacy: Schools need to safeguard children’s data on educational platforms, avoiding improper collection or use.
- Simplification of Terms and Obligations: Educational software companies must understand their data handling roles when providing services to schools.
- Overseas Data Flow Regulations: Universities collaborating internationally must ensure appropriate data transfer agreements.
- Expanded Individual Rights: Parents and students can request schools to delete or detail the use of their personal data.
Where to from here?
Understanding these changes and preparing for their implementation is crucial for non-profits, healthcare providers, and educational institutions. The Privacy Act also plays a vital role in cyber security, but it’s not often discussed as part of a robust cyber security strategy.
Unlike others who solely focus on the Australian Cyber Security Centre’s Essential 8 framework, our cyber security solution, CyberShield, goes above and beyond that framework. CyberShield is a unique offering focused on compliance and governance measures, coupled with robust security tools and managed IT Services. The solution is also tailored according to your industry requirements.
Discuss your industry requirements and book a consultation with the team today.
C-Suite & Board Training: Because it all starts at the top!
Take your first step towards a stronger, more secure and compliant business by registering your interest for our half-day certified C-Suite & Board training. We’ll cover:
- Data security and privacy compliance
- Potential risks to your business and how to address them
- Personal liabilities
- Crisis management recommendations
- Best practices for policies and procedures
- And more!