The prolific growth of the digital economy was hailed as revolutionary. With a multi-directional exchange of ideas and other forms of expression, online technological advancements have facilitated the inexpensive exchange of information across national and international boundaries[1]. However, the prolific nature of the digital age raises alarming questions about the large caches of information about individuals, including the young and vulnerable, that are being generated, used, disclosed and stored. Research highlights that “Not all young people understand the need to protect their information…”[2]. Let us unpack the Privacy Act Amendments.

The vulnerability of people’s information in the digital age has prompted the release in February 2023 of the Privacy Act Review Report (the Report), which contains 116 proposals for reform of the Privacy Act 1988 (Cth) (the Act). As at the date of this article, feedback is being sought on the Report.

For our school and church clients, some of the most significant proposals in this Report pertain to children and vulnerable individuals.

Children’s Privacy

Children increasingly rely on online platforms, applications and devices in their everyday lives, such that many young people view their online and offline lives as ‘inextricably linked’.

The implications? The Report found that children are increasingly being ‘datafied’, with information regarding their activities, gender, interests and hobbies, location, mental health and relationships being collected.

The proposed solution? Legislatively enshrine child-appropriate privacy policies and collection notices. Modelled on the UK’s Age Appropriate Design Code, the proposals would mandate that companies create a safe space for [children] to learn, explore and play, not by seeking to protect children from the digital world, but by protecting them within it.

Specific proposals include:

16.2. Valid consent must be given with capacity, and an entity must decide if an individual under the age of 18 has the capacity to consent on a case-by-case basis. That is, the consent of a child is only valid if one could reasonably expect that the consenting child would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

16.3. Collection notices and privacy policies, in particular for any information addressed specifically to a child, should be clear and understandable.

16.4. Entities must have regard to the best interests of the child as part of considering whether a collection, use or disclosure of information is fair and reasonable in the circumstances.

16.5. Introduce a Children’s Online Privacy Code that applies to online services that are ‘likely to be accessed by children’.

The Privacy of People Experiencing Vulnerability

Certain groups of consumers may lack the technical, critical and social skills to engage with the internet in a safe and beneficial manner.

Unlike children, however, who constitute an easily definable segment of society, identifying who constitutes a vulnerable person is a more challenging matter. Further, clarifying the issues and identifying the options available to protect these individuals once they are recognised to be vulnerable is a nuanced endeavour.

Presently, the Report has adopted a three-pronged approach:

17.1. The Report proposes the inclusion of a non-exhaustive list of both individual characteristics and situational factors, which can alert an entity to the potential that an individual may be at a greater risk of privacy harms. This would assist entities to take proactive steps to minimise risks.

17.2. Guidance on capacity and consent should be updated to reflect developments in supported decision-making.

17.3. (Less relevant to schools and churches) Further consultation should be undertaken to help ensure that financial institutions can act appropriately in the interests of customers who may be experiencing financial abuse or may no longer have capacity to consent.

Supplementary Provisions

Of course, improved privacy protections for all individuals through a number of the proposals in the Report will address many of the issues faced by children and people experiencing vulnerability. These provisions include:

20.4. Introduce a requirement that an individual’s consent must be obtained to trade their personal information.

20.5. Prohibit direct marketing to a child unless the personal information used for the direct marketing was collected directly from the child and the direct marketing is in the child’s best interests.

20.6. Prohibit targeting to a child [for commercial purposes], with an exception for targeting that is in the child’s best interests.

20.7. Prohibit trading in the personal information of children.

20.8. Targeting individuals should be fair and reasonable in the circumstances. This would likely require consideration of whether the targeting poses risks of unjustified adverse impact or harm to individuals.

Key Takeaways

The proposed reforms to privacy laws would appear to suggest an increasing need in the future for schools and churches to engage on an even greater scale with privacy-related issues.

If you are seeking further assistance in relation to privacy matters, please feel free to contact the writers James Tan and Courtney Linton.

[1] Zi En Chow, ‘Evaluating the Approaches to Social Media Liability for Prohibited Speech’ (2019) 51(4) New York University Journal of International Law and Politics 1293.

[2] eSafety Commissioner, ‘Online safety for young people with intellectual disability’ December 2020.