Toughening up reporting obligations for data breaches and allowing Australians the ‘right to be forgotten’ online are proposed in the review into the country’s Privacy Act.
Federal Attorney-General Mark Dreyfus, who commissioned the review after Labor’s election last May, will release the full 3750-page report on Thursday.
Mr Dreyfus said the review was needed because the Privacy Act 1988 had not kept pace with changes in the digital world, especially given recent major data breaches.
Millions of Optus and Medibank customers had their information stolen by hackers in the largest data breaches ever seen in Australia in September and October last year.
Improved handling of customer data and reporting of breaches are covered in the review, including how long personal information should be retained.
The report proposes “that entities should determine, and periodically review, the period of time for which they retain personal information”.
It also proposes enhancements to the Notifiable Data Breach scheme to ensure “quick action can be taken to minimise harm to affected individuals” should there be a breach.
The proposed reporting obligations would include notifying the Information Commissioner within 72 hours of becoming aware of a data breach.
The authors of the report said the 116 proposals were designed to better align Australia’s laws with global standards of information privacy protection and properly protect Australians’ privacy.
Among the proposals will be a shift towards a European Union-style approach to data privacy, such as “rights to object, to request erasure and to have search results de-indexed.”
Erasure, or the ‘right to be forgotten’, allows individuals to force data controllers to delete personal data when it’s no longer needed for the purposes for which it was collected.
It’s expected greater individual rights will form a large part of the debate around changes to the Privacy Act.
Following the Medibank and Optus hacks, the government increased penalties for breaches of customer data for serious or repeated privacy breaches from $2.22m to whichever is the greater of $50 million; three times the value of any benefit obtained through the misuse of information; or 30 per cent of a company’s adjusted turnover in the relevant period.
At the time, the government indicated the changes to penalties was just the first step.
Mr Dreyfus said strong privacy laws were essential to Australians’ trust and confidence in the digital economy and digital services provided by governments and industry.
“The Australian people rightly expect greater protections, transparency and control over
their personal information and the release of this report begins the process of delivering
on those expectations,” a statement said.
The government is now seeking public feedback on the 116 proposals.
Submissions on the report are due on March 31. More information available from the Attorney-General’s Department’s website.