On 16 February 2023, the Attorney-General’s Department released its highly anticipated Privacy Act Review Report 2022 (Report). The Report considers whether the Privacy Act 1988 (Privacy Act) remains fit for purpose in this digital economy where the personal information of individuals is collected and used for a myriad of purposes.
Change to ‘personal information’
A major expected change is to the definition of personal information. This will have significant effects on the information handling of agencies and organisations.
Currently, ‘personal information’ means information or an opinion about an identified individual, or an individual who is reasonably identifiable.
The Report proposes to change the word ‘about’ in the definition to ‘related to’.
This new definition highlights the need for a relationship between the information and the individual, and that personal information includes technical, inferred and generated information (such as ID numbers and IP addresses).
This definition would also bring the Privacy Act into line with terminology and practice in international data protection regimes (such as the General Data Protection Regulation) and other Commonwealth legislation such as the Consumer Data Right.
What does this mean for your organisation or agency?
This proposal will see a significant expansion to the types of information that will be covered by the definition of ‘personal information’. Databases that were otherwise de-identified may soon contain information that reasonably identifies an individual.
This means your organisation or agency should have a privacy framework flexible enough to accommodate an expansion in the amount of data regulated by the Privacy Act and have a review point built in if the proposed amendments are introduced as law.
If you have any questions about the Report or require advice about upcoming amendments, please contact Griffin Legal.