AICD submission on Privacy Act Review

The AICD supports reforms that modernise the Privacy Act to ensure it reflects a modern digital economy where individuals and businesses are engaging, and providing personal information, in new and innovative ways. However, we considered that a number of the proposals in the Discussion Paper require additional detail to enable an informed assessment. Without such material it is difficult to assess the case for change and discern whether any increase in regulatory obligations on entities is outweighed by the public benefit.

The AICD submission also made the following key points:

• Strongly supported greater cooperation amongst regulators and the harmonisation of privacy and related cyber security laws across the Commonwealth and states and territories. Currently, obligations can span a range of pieces of legislation, hampering their overall efficacy.
• Supported amendments to Australian Privacy Principle 11 – Security of personal information (APP 11) to clarify the meaning of ‘reasonable steps’ however we did not support changes being accompanied by a mandatory privacy code. A mandatory code would add to the existing complex patchwork of cybersecurity related obligations faced by entities and boards, and could be counterproductive to the objective of improving cyber resilience across the economy.
• While supportive of a consumer direct right of action in principle, the AICD is concerned that the proposal, if not properly contained, could result in class actions where an entity experiences a sophisticated cybersecurity attack and has suffered a loss of information. The AICD’s preliminary position is that a direct right of action should be reserved for serious breaches of the Privacy Act, rather than those involving cybersecurity attacks on entities.
• Did not support, based on the detail in the Discussion Paper, any changes to the small business exemption. Additional support for small businesses through education, guidance and assistance would be more effective at building cyber resilience than applying the resource-intensive and complex Privacy Act obligations.
• Did not consider that an industry-based funding model for the OAIC, whether a cost recovery model and/or statutory levy, is the most appropriate or efficient mechanism to provide additional OAIC resources.