During the 2020 financial year, consumers made over 4,000 complaints about telecommunications providers related to a user’s privacy.
The Privacy Act 1988 gives the Australian Information Commissioner the discretion to recognise external dispute resolution (EDR) schemes to handle privacy-related complaints. The guidelines give consumers the ability to make complaints about privacy issues with their telecommunications provider/s directly to the Telecommunications Industry Ombudsman (TIO).
The TIO, in a submission [PDF] to consultation on the ongoing review of the Privacy Act, said during FY2020, it received 4,328 complaints involving privacy issues.
The wide-ranging review is considering the definition of personal information; whether existing exemptions from complying with the Act for small businesses, political parties, and the storing of employee records should remain; whether individuals should gain the power to drag privacy violators to court; and whether a privacy tort should be created.
The review was agreed to as part of the Commonwealth’s response to the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry.
The Attorney-General’s Department (AGD) posed a total of 67 questions as part of a discussion paper in late October.
Also providing a submission [PDF] was Telstra and its Telstra Health subsidiary, which has previously come under fire for its troubled Australian cervical and bowel cancer screening registers project.
Telstra said it considers much of the Privacy Act to be fit for purpose, noting there is scope for developing or updating guidance in some areas. It said that, more than 30 years on, the Privacy Act principles are still accurate and relevant, and that it remains in strong support of a principles-based, technology-neutral regime.
“The principles-based approach to the development of the Privacy Act … has resulted in an Act that has stood the test of time, and we consider remains fit-for-purpose,” the telco wrote.
It also said there was no need for additional legislated protections for de-identified, anonymised, or pseudonymised information.
“Information that has been de-identified should no longer be regarded as personal information and, therefore, should not be regulated under the Privacy Act as its use or disclosure should have no privacy-related consequences for any individual,” Telstra said.
It does not support a recommendation made by the ACCC that the notification requirements in the Privacy Act be amended to require all collections of personal information to be accompanied by a notice from the entity collecting the personal information. Instead, Telstra said any reforms on notification should focus on ensuring that notices are only provided where they are meaningful, for example, where there is a change that may legitimately prompt a consumer to change their behaviour.
Telstra believes consent should only be one of the lawful bases for data use, and that there is no need for changes to control and security within the Act.
“The [Digital Platforms Inquiry] report recommended that a direct right of action be introduced in order to provide individuals greater control over their personal information and to provide an additional incentive for APP [Australian Privacy Principle] entities to comply with their obligations under the Privacy Act. We do not agree that a direct right of action is the best way to achieve these aims, and see a well-resourced OAIC as a more effective way of continuing to pursue the Privacy Act’s objectives,” Telstra said on the suggested introduction of a direct right of action or statutory tort.
Elsewhere, Deloitte said [PDF] the creation of a standardised notice framework has the potential to provide benefit to consumers by reducing complexity and increasing their engagement. It also said consideration should be given to strengthening and expanding consent requirements in the Privacy Act.
“These include the opportunity to take more control of their personal information, drive more meaningful consumer interactions with organisations, and unlock the wider benefits of information sharing in a more transparent way, while minimising unexpected collections, uses, and disclosures of information that can cause significant negative consumer sentiment towards organisations,” it wrote.
Deloitte said strengthening consent requirements would likely help individuals make more informed choices about how, when, why, and with whom they share their personal information. It said this would likely lead to better outcomes for both organisations and individuals.
“In order to produce the desired outcomes from the consent process, it is important that the consent obtained is meaningful,” it said.
In its submission [PDF], Salinger Privacy has asked for the definition of personal information to be amended to include a drafting note to the effect that location data, device identifiers, and online identifiers — including cookies, IP addresses, MAC addresses, user IDs — are examples of data, identifiers, or techniques which can render an individual able to be discerned or recognised as an individual distinct from others.
“We further submit that there should be included a drafting note (or a new definition in the Act) to the effect that ‘device’ is to be read expansively, and can include a vehicle such as a car, a mobile device such as a mobile phone, a wearable such as a fitness tracker or location monitor, an implantable such as a pacemaker, or a household device such as a smart TV,” it added.
Salinger also submitted that the definition of de-identified in the Privacy Act should be replaced with a new definition: “Anonymous data means data from which no individual is identifiable”.
It also said that the political exemption provided within the Privacy Act should be abolished.