Following the recently enacted Consumer Data Right law, the landscape of privacy legislation continues to evolve in Australia. On a national level, regulators have bolstered the penalties that can be levied against regulated entities for data breaches. Meanwhile, state legislators in New South Wales have taken steps to widen the reach of data subjects’ right to access information from the government.
Australia Privacy Act
The Federal Privacy Act 1988 sets out the standards for dealing with personal information, and covers the full life cycle of the collection, use, storage, disclosure, and destruction of personal information. It applies to private sector companies with an annual turnover of at least AU$3 million as well as all Commonwealth and Australian Capital Territory Government agencies. In response to data breaches involving online service providers, the Australian government announced that it intended to amend the Privacy Act 1988 to increase the financial penalties that can be levied for misuse of personal information. If the proposed amendments are implemented, the Office of the Australian Information Commissioner (OAIC) will be able to administer penalties for serious or repeated data breaches of the higher of:
- AU$10 million;
- three times the value or any benefit obtained through the misuse of information; or
- 10% of the breaching entity’s annual domestic turnover.
Penalties can also be levied against individuals – with the maximum sanctions being imprisonment of five (5) years and/or a fine of AU$500,000. Failure to cooperate on efforts related to minor breaches can result in infringement notices of AU$63,000 for corporate entities and AU$12,000 for individuals.
These legislative updates will help bring the Privacy Act in line with the penalties set forth under the Australian Consumer Law as well as establish broader enforcement powers for the OAIC. From a global perspective, the revised framework will also ensure that penalties for data breaches in Australia are more aligned with the fines available in other jurisdictions (most notably, the EU GDPR).
Online service providers, such as Google and Facebook, will also need to comply with a new binding online privacy code being developed by the OAIC. This code will require online service providers dealing with personal information to meet specific requirements regarding data subject consent and requests to cease disclosure of personal information, and to implement risk management strategies to protect certain ‘at-risk’ data subject groups, such as children and the elderly.
Some have expressed concerns over the changes to the Privacy Act – stressing the need to demonstrate an actual benefit for consumers against the enormous potential costs to companies, and speculating that consumers might not feel the full effects for years. Industry leaders, such as Communications Alliance CEO John Stanton, note that Australia’s path forward should borrow lessons learned from the introduction of the EU GDPR – ensuring that legislators understand the importance of structuring a privacy framework in a way that fits the digital age, but also recognizes the widespread economic impact of suggested reforms.
New South Wales GIPA Act
Meanwhile, New South Wales has updated the Government Information (Public Access) Act 2009 (GIPA Act) to further strengthen the rights of citizens to obtain access to government information. The GIPA Act has authorized and encouraged access to information held by government agencies – only allowing restrictions when there is an overriding public interest against disclosure.
The GIPA Act defines a record as any document or other source of information compiled, recorded or stored in written form or by electronic process, or by any other manner or means. Recent updates have expanded this definition to include both hard copy and electronic or digital records held by a government agency. It also builds on the language of the State Records Act 1998, which had defined records as any information created or received in the course of a government official’s duties, regardless of the format or technologies used.
The application of the GIPA Act to electronic and digital records will have significant implications for government officials responsible for that information. The types of government information stored digitally could include:
- emails and attachments;
- messages created by mobile phone text or apps (e.g. SMS, WhatsApp, Facebook Messenger, WeChat, etc.);
- electronic copies of documents;
- database contents from internal business systems and online or SaaS applications; and
- audit and access logs.
Agencies have to pay particular attention to the types of technologies being used to conduct business – and then determine how they will capture and store those records pursuant to the GIPA Act. Information found in personal emails or mobile phones can potentially be subject to the GIPA Act if the official used that account or device to conduct government business.
Additionally, the GIPA Act’s definition of digital information now covers a broader variety of audio-visual information – recognizing the newer range of technologies used to capture information beyond the traditional understanding of audio-visual material as closed circuit TV (CCTV) recordings. Examples of this include:
- body cameras or dashcam footage;
- visual recordings or still images of meetings or events;
- audio recordings (e.g. council meetings, interviews, ‘000’ calls);
- video promotional or marketing materials; and
- drone footage captured for regulatory purposes.
This builds on the message relayed in a 2018 report by the New South Wales Information Commissioner, Elizabeth Tydd, in which she emphasized the fundamental and clear presumption in favor of public disclosure of information. She further stated:
“Access to information, transparency and accountability by public institutions and public office holders is essential to integrity and the promotion of public trust. Information is knowledge, power and evidence. It is a sword to combat and a shield to prevent corruption.”
This framework for the GIPA Act comes as a stinging defeat to officials within the New South Wales government who had recently argued that the government should not be forced to accept freedom of information requests electronically. The state government claimed that not all agencies were equipped to handle electronic applications and feared that agencies would be overwhelmed with requests.
From a recordkeeping perspective, government agencies will need to preserve the right to access by considering who holds the records, how access is provided, and in what form access can be provided. Those agencies will need to have policies and procedures in place to manage both hard copy and digital records, and work to ensure that this framework is managed in a way that supports the overall objectives of the GIPA Act.