Caroline Hayward and Cecilia Askvik recognise Data Privacy Day and set out how organisations can leverage this day and privacy reforms as a strategic opportunity to build robust privacy practices and lasting customer trust.
Read on for the latest in KWM’s inhouse-centred series: From our inhouse to yours.
Today, 28 January, marks Data Privacy Day, also known as Data Protection Day. It commemorates the signing of the Council of Europe’s Convention 108 in 1981, the first legally binding international treaty to protect privacy in the digital age. Data Privacy Day is an annual event to raise awareness of the right to data protection and privacy.
Organisations are encouraged to use this day as an opportunity to raise awareness about the importance of safeguarding personal information online and ensure robust and effective privacy practices are in place.
At the end of last year, Australia welcomed the first step in reforms to the Privacy Act 1988 as the Privacy and Other Legislation Amendment Bill 2024 (Cth) was passed by both Houses of Parliament. While many key reform proposals were not included in this first tranche of privacy reforms, the Attorney-General has committed to continue advancing proposals that the Government has agreed to in principle. One such proposal relates to rights of the individual, such as a right to erasure.
Managing individuals’ requests to exercise their privacy rights often involves navigating short timeframes and can have substantial operational impacts. In-house counsel should be involved to ensure your organisation handles individuals’ requests effectively and in compliance with privacy laws.
Rights of the individual
The Privacy Act acknowledges that personal information is essential for organisations to carry out their activities and functions; however, it also recognises the need to balance this with the protection of individuals’ privacy. A central part of safeguarding privacy is ensuring that individuals can exercise control over their personal information.
The Privacy Act therefore grants individuals some control over their personal information and ensures there is transparency about how it is used. Under the current regime, organisations must use privacy notices and privacy policies to inform individuals why their personal information is collected, how it will be used, and to whom it may be disclosed. Organisations must also implement practices and procedures to handle individuals’ complaints and inquiries. Additionally, individuals can request access to their personal information, have incorrect personal information corrected and opt out of receiving direct marketing.
However, privacy and data protection frameworks around the world offer individuals far greater transparency and control over their personal information compared to the Australian regime. Some of the rights offered under other frameworks include the right to erasure, the right to object and the right to data portability.
Under the Privacy Act, organisations must respond to a request within a reasonable period after the request is made. A reasonable period will not usually exceed thirty days.
How privacy reforms could redefine individuals’ rights
The first tranche of privacy reforms introduced a statutory tort for serious invasion of privacy, but it did not introduce any of the new or expanded rights of individuals under the Privacy Act that were proposed in the Privacy Act Review Report. However, the Government has agreed in principle to expand individuals’ rights as part of the ongoing reforms.
The proposed changes would recognise rights directed at improving transparency and at giving individuals more control over their information, and are expected to be introduced in a second tranche of privacy reforms. If these changes are introduced, they will align the Australian framework with privacy and data protection frameworks globally.
The rights that have been proposed to improve transparency include:
- right to access and explanation; and
- right to object to the collection, use and disclosure of personal information.
The rights that have been proposed to give individuals more control over their information include:
- right to correction;
- right to erasure; and
- right to de-index internet search results.
The Government has also agreed in principle that organisations must notify individuals at the point of collection about their rights and provide reasonable assistance to individuals in exercising those rights. It has also been agreed in principle that organisations must acknowledge receipt of a request to exercise a right of an individual within a reasonable timeframe and provide a timeframe for responding. Organisations would still need to respond to requests to exercise a right within a reasonable timeframe.
Ensuring privacy compliance through effective data governance
To ensure compliance with the Privacy Act and anticipated reforms, organisations must have oversight and control over the personal information they hold.
The Privacy Act requires organisations to take proactive steps to establish and maintain practices, procedures, and systems that ensure compliance with the Australian Privacy Principles (APPs) and enable organisations to address inquiries or complaints from individuals. This includes implementing procedures and practices that allow an organisation to identify and manage privacy risks at every stage of the information lifecycle.
Since personal information is only a subset of data, establishing such practices and procedures must form part of an organisation’s broader data governance program and align with existing data strategies.
Empowering individuals in the age of data
Privacy reforms in Australia have introduced new obligations and increased penalties, but the reforms also raise customers’ awareness about privacy and heighten concerns about how organisations collect, use and disclose their personal information.
To effectively respond to individuals’ requests to exercise their rights under the Privacy Act, your organisation must have a comprehensive understanding of the data it holds. It is therefore critical that organisations establish a data inventory by conducting thorough data mapping exercises to identify what personal information is held, where it is stored, for what purposes it is collected and how it is used and disclosed.
Once there is a data inventory in place, your organisation should develop practices and procedures for handling privacy rights requests. In developing these practices and procedures, the following should be considered to ensure your organisation responds effectively to privacy rights requests and that responses are provided within a reasonable timeframe:
- Understanding individuals’ rights: Ensure that relevant stakeholders have a comprehensive understanding of the specific rights granted to individuals under the Privacy Act, including whether any exceptions apply.
- Internal policies: Develop internal policies which clearly outline how requests will be received, verified and responded to, including steps to ensure there is clear communication with individuals and timeframes within which certain steps should be completed.
- Stakeholder involvement: Consider which stakeholders should be involved and how to ensure clear lines of communication between departments.
- Verification of identity: Establish a verification process to verify the identity of individuals while ensuring the minimum amount of personal information needed is collected.
- Complex requests: Consider if procedures can be developed to handle voluminous and complex requests, such as providing personal information in a commonly used, machine-readable format.
- Facilitate the exercise of rights: Establish processes that make it easy for individuals to exercise their rights. Privacy policies should inform individuals about their privacy rights and provide detailed information about how to exercise them. This could also include creating online forms for submitting requests and providing a way for individuals to give feedback.
- Training and awareness: Ensure relevant staff are trained on the Privacy Act requirements and relevant processes.
- Implementation: Create implementation plans so that these practices and procedures are rolled out efficiently across the organisation.
- Documentation and record-keeping: All requests received should be documented to provide an audit trail and help demonstrate compliance.
In-house legal teams to help navigate and safeguard privacy rights
In-house legal teams play an important role in handling individuals’ requests to exercise privacy rights. With their in-depth understanding of privacy laws, in-house counsel should be involved to:
In-house legal teams can also provide strategic advice to senior management and leadership teams on privacy matters which can help shape your organisation’s privacy compliance program and minimise the risk of regulatory investigations and penalties.
A day to celebrate
There are several ways organisations can leverage Data Privacy Day to recognise the significance of this day and demonstrate their commitment to privacy and data protection:
- Design an educational campaign
- Run webinars and workshops
- Conduct a privacy policy review
- Conduct employee training
- Launch privacy initiatives
The lasting impact of Data Privacy Day
Hopefully this article has inspired you to proactively ensure your organisation not only meets its ongoing privacy compliance obligations but is also prepared for any upcoming privacy reforms.
Further information
If you or someone in your organisation needs further guidance on this topic, please reach out to your KWM contact or Michael Swinson.
If you want a particular topic covered by our From Our Inhouse To Yours Pulse series, please reach out to the Inhouse Counsel Series editor, Yasmin Milligan, via LinkedIn.