The Attorney-General's Department released the Privacy Act Review Report on 16 February. DSPANZ provided a submission responding the report on 31 March 2023.
We welcomed the Privacy Act Review Report and many recommendations which will enhance privacy protections across Australia. In particular, we supported the proposals that better align the Privacy Act with the European Union's General Data Protection Regulation (GDPR) and other international privacy standards.
In summary, this submission raised the following:
- Overall comments on how the Act aligns with GDPR, the importance of consultation with DSPs and the importance of being able to leverage digital identity and business registry services.
- It is crucial to consider the flow-on effects of updating the definition of personal information as it may impact other security incident or data breach reporting obligations across Australia.
- We are interested in working through any potential implications or unintended consequences regarding employment-related reasons for collecting, using and storing geolocation data.
- If the small business exemption is removed, it is essential to also consider the role DSPs will play in making changes and educating their small business users.
- We believe the employee record exemption should largely remain in place but with changes to protect employees and their data better.
- DSPs are required to follow record-keeping requirements under existing employment and taxation law which may create challenges around data retention requirements and the right for individuals to access or erase their personal data.
- Whether automated rostering processes would be classified as automated decision making if the employee record exemption is modified or removed.
- Any penalties within the Act should be aligned proportionally to the size and revenue of an organisation.
Access the full version of the submission here.