2 – Transparency

Some welcome developments for organisations

Notices

The Discussion Paper sets out a number of proposals which seek to improve collection notices to increase transparency and comprehension by individuals.

The key recommendations include:

  • introducing an express requirement in APP 5 that privacy notices must be clear, current and understandable. This would bring the Privacy Act requirement in line with international regimes such as those in the EU and the UK [1];
  • limiting the information provided in notices under APP 5 to provide only the most crucial information to individuals, thereby making information easier to comprehend and access;
  • the introduction of standardised privacy notices via an APP code, including standardised layouts, wording and icons [2]; and
  • strengthening the requirement in APP 5.1 for a collection notice to be provided to an individual unless:
    • the individual has already been made aware of the APP 5 matters; or
    • notification would be impossible or would involve disproportionate effort [3].

Overall these changes will likely be a welcome development for organisations, as they will provide clarity on how to comply with the notification requirements in APPs 1 and 5.

However, it remains to be seen whether imposing a more stringent requirement to provide an APP 5 collection notice will result in a significant improvement in understanding by consumers about the use of their personal information. In practice, the items proposed to be included in a more 'limited' APP 5 notice are still reasonably substantial, so the aim of simplification may not be readily achieved. The Government has invited industry feedback on this issue, as well as on whether the increased provision of collection notices will induce 'notice fatigue' or 'information burden' for individuals.

Consent

In a welcome development, the Discussion Paper does not propose to expand the situations in which consent is required for collection of personal information. It does, however, intend to clarify, and to legislate existing OAIC guidance on, the requirements for obtaining a valid consent.

If adopted, the Privacy Act would be updated to:

  • explicitly require consent to be 'voluntary, informed, current, specific and an unambiguous indication through clear action'. In practice this would mean current practices of bundling consents would need to be re-thought; and
  • introduce standardised consents through an APP code, including standardised layouts, wording, icons or consent taxonomies.

Businesses should consider the manner in which consent is sought in high risk and sensitive settings and ensure that current best practice is met.

Pro-privacy defaults and restricted and prohibited acts and practices

The Discussion Paper notes that certain types of personal information-handling pose a higher privacy risk to individuals and may therefore need to be either carefully restricted or entirely prohibited.

On this basis, the Discussion Paper tentatively proposes adopting 'proceed with caution zones' for certain restricted practices, and is seeking feedback on whether prohibited practices should be designated as 'no go zones' under the Privacy Act.

Alongside this, the Discussion Paper considers a number of mechanisms through which individuals could exercise control in relation to the handling of high risk personal information, including consent through an expansion of the definition of sensitive information (as mentioned above), opt out rights, or provision of explicit notice about the high risk practice.

To further shift the dial towards greater consumer protection, the Discussion Paper contemplates whether entities should be required to enable pro-privacy settings by default, or make privacy settings easily accessible to individuals.

If these proposals are adopted:

  • depending on the level of risk, organisations may need to conduct formal privacy impact assessments and keep records of their accountability measures and decision-making process to demonstrate compliance under the Privacy Act; and
  • individuals would be required to opt in to certain uses or practices that have been restricted or turned off by default; or
  • organisations would have to implement systems that would allow individuals to clearly and easily opt for a set of the most restrictive privacy controls through a single-click option. This would mirror current cookie election mechanisms in the EU, which provide an 'only Necessary Cookies' option.

Footnotes

  1. Discussion Paper, 69.

  2. Discussion Paper, 71.

  3. Discussion Paper, 73.