  • hello50625

Navigating Australia's Proposed Privacy Reform

In this era of digital transformation, privacy laws need to keep pace with the rapid changes in technology.

Recognizing this, the Australian Government has released its response to the Privacy Act Review Report, setting out a roadmap for privacy reforms that are designed to be fit for the digital age.

This comprehensive guide provides an overview of the key aspects of the reform and outlines practical steps that organizations can take to prepare for the upcoming changes.

The Privacy Act Review Report

The government has agreed, or agreed in principle, to the majority of the 116 recommendations from the Privacy Act Review Report. These reforms aim to enhance transparency, traceability, and risk management in data practices. They also seek to give the regulator more flexibility and a stronger regulatory toolkit, including increased penalties for non-compliance.

Focus on Automated Decision-Making

A key aspect of the proposed reforms is the focus on automated decision-making. The government aims to introduce requirements for transparency and explanation of decisions made by automated processes. This means that organizations will need to understand their automated decision-making processes and ensure they can provide clear explanations of these decisions to individuals.

Enhanced Cybersecurity Measures

Another significant feature of the reforms is the boost to cybersecurity measures. Organizations will need to review their current practices, procedures, and systems to ensure they are in line with the enhanced cybersecurity requirements. In addition, data breach notification requirements may be tightened, potentially requiring organizations to notify affected individuals and the regulator within shorter timelines.

Changes to Data Control and Processing

The reforms may also introduce a distinction between controllers and processors, a concept that aligns with the General Data Protection Regulation (GDPR). This could have implications for the way organizations manage and process personal data.

Direct Marketing, Employee Records, and Individual Rights

The reforms also touch upon areas like direct marketing, employee records, and individual rights. There may be stricter regulations introduced for marketing, targeting, and trading activities. Changes affecting employee records and small businesses will require further consultation.

Shift in Privacy Safeguarding

A significant change in the reforms is the "fair and reasonable" requirement, which aims to shift the burden of safeguarding privacy from individuals to organizations. This means that organizations will need to take more responsibility for protecting personal data.

Expanded Scope of Personal Information

The scope of personal information governed by the Privacy Act may be expanded to include information that relates to an individual, even if the identity of the individual is unknown. This expands the range of data that organizations need to protect.

Consent and Privacy Notices

Consent has always been a cornerstone of privacy law, and the reforms aim to strengthen this. Consent must be voluntary, current, specific, and unambiguous. In addition, privacy notices should be clear, up-to-date, concise, and understandable.

New Individual Rights

The proposed changes introduce new individual rights, subject to exceptions. These include the right to access and correct personal information, and the right to data portability.

Internal Accountability Measures

The reforms also emphasize the importance of internal accountability measures. Organizations will be required to keep records of processing activities and to implement appropriate governance frameworks.

Direct Right of Action and Statutory Tort

A direct right of action for breaches of the Privacy Act and a statutory tort for serious invasions of privacy may be introduced. This could potentially expose organizations to increased legal risks.

Preparing for the Reforms

Adapting to these reforms will require organizations to develop technical and organizational capabilities. Key steps include assessing governance frameworks, implementing risk assessment practices, ensuring visibility across data estates, preparing for data breaches, and understanding automated decision-making processes. Here are several steps companies should be taking now to prepare for the proposed changes in Australia's privacy reform:

  • Assess Current Capabilities: Companies should baseline their current organizational capabilities, identifying any gaps and opportunities for uplift. This includes reviewing existing privacy protocols and data management systems.

  • Establish a Privacy Risk Management Framework: An operational privacy risk management framework should be established, with clearly defined roles and responsibilities. This will help ensure that all employees understand their part in maintaining data privacy.

  • Ensure Visibility Across Data Estate: Companies need to know where their data is, how much they have, and what types of personal information they hold. This full visibility across the data estate is crucial for effective data management and protection.

  • Prepare for Data Breaches: Develop a comprehensive data breach response plan and practice response processes. This preparation can help minimize the damage if a data breach does occur.

  • Understand Automated Decision-Making Processes: Document how automated decision-making is used within the organization and ensure that these processes are transparent and traceable. This understanding is key to meeting new requirements for transparency and explanation in automated decisions.

  • Enhance Cybersecurity Practices: Review and enhance current cybersecurity practices, procedures, and systems to meet the "reasonable steps" requirement. This may involve investing in new technology or training for staff.

  • Stay Updated on Reforms: Keep an eye on the proposed changes and participate in targeted consultations to help shape and refine the reforms. Staying informed will help ensure that your company is ready for the changes when they come into effect.

  • Consider Impact on Talent Acquisition and Retention: The reforms could have implications for hiring and retaining staff, particularly in the areas of data, privacy, and security. Companies should consider these implications and plan accordingly.

  • Incorporate Reforms into Technology Roadmaps: The regulatory reform should be incorporated into technology roadmaps. This might mean retiring or upgrading legacy systems to ensure compliance with the new laws.

By taking these steps, companies can prepare for the upcoming privacy reforms and ensure that they are in a strong position to comply with the new laws when they come into effect.


The proposed privacy reforms in Australia represent a significant shift in the way personal data is managed and protected. They will have a substantial impact on entities' privacy obligations. However, with careful preparation and a proactive approach, organizations can ensure they are ready to meet these new challenges.

Remember, the aim of these reforms is not just compliance but also building trust with customers. By demonstrating a commitment to privacy, organizations can enhance their reputation and potentially gain a competitive advantage.

It's time to start preparing for the privacy reforms today. By understanding the changes and taking practical steps to adapt, organizations can navigate this complex landscape and ensure they are prepared for the digital age.

