Navigating Privacy Law Reform and Preparing for the New Statutory Tort
The Privacy and Other Legislation Amendment Act 2024 (Cth) (“Amendment Act”) was passed by the Parliament in November 2024 and received Royal Assent on 10 December 2024. This Act amends the Privacy Act 1988 (Cth) (“Privacy Act”) and marks the implementation of the first ‘tranche’ of privacy reforms, following the government’s response to the Privacy Act review.
Overview of the Privacy Reform
Several of the amendments in the Amendment Act came into effect immediately after it received Royal Assent, such as:
- New civil penalties, and powers to investigate and issue notices: new powers were granted to the Office of the Australian Information Commissioner (OAIC) to investigate interferences with privacy, to share information relating to data breaches, and to issue infringement and compliance notices. An organisation’s failure to comply with a compliance notice may result in the imposition of civil penalties.
- ‘Whitelist’ powers: Ministerial powers to ‘whitelist’ overseas countries that provide substantially similar privacy protections to Australia, to assist entities disclosing personal information overseas. This will allow organisations to transfer data to overseas recipients (including service providers) in whitelisted countries without first putting in place additional measures such as contractual warranties and indemnities (requiring compliance with the Australian Privacy Principles).
- Requirements for security measures: While the Privacy Act requires ‘reasonable steps’ be taken to protect the security of personal information, the Amendment Act has clarified that this requires implementing ‘technical and organisational measures’.
However, certain other amendments are still to take effect, including:
- A new cause of action for individuals: the new statutory tort (legal wrong) of serious invasions of privacy will commence on ‘a date to be fixed’ on or before 10 June 2025.
- Better protections for children: the new Children’s Online Privacy Code will first be developed and then opened to public consultation. The OAIC has until 10 December 2026 to register the new Code.
- Transparency regarding automated decision making: new provisions relating to automated decision making (the use of AI technology to make or guide decision making) have been given a ‘grace period’ until 10 December 2026. This will require organisations to update their privacy policies to disclose when decisions are made using automated processes.
Preparing for the New Statutory Tort
The new statutory tort of serious invasions of privacy is a notable change to Australian privacy law, as privacy will soon be a personal right and actionable without proof of actual damage. Under the new tort, a person will be able to sue for recovery of damages and/or obtain an injunction against a school if:
a) the school has ‘intruded upon their seclusion’ or ‘misused information relating to them’;
b) the person would have had a ‘reasonable expectation of privacy in all the circumstances’;
c) the invasion of privacy was intentional or reckless;
d) the invasion of privacy was serious; and
e) the public interest in the person’s privacy outweighs any countervailing public interest.
The Amendment Act provides some guidance regarding public interests that may outweigh the right to privacy, such as the public interest in freedom of expression and of the media, national security, detection of crime and public health and safety. While the protection of children is not specifically mentioned in the Amendment Act, we consider this will be relevant as a ‘countervailing public interest’.
Current data-driven approaches that schools may engage in (such as targeted marketing, tracking cookies, and personalised advertising) should be scrutinised to see if they still comply with the stricter privacy regulations and the new statutory tort.
The Privacy Policy and other school policy and procedure documents that have provisions affecting how a school will use and disclose personal information (particularly those that make promises regarding confidentiality and the protection of personal information) should be reviewed and, if necessary, amended. The use of AI (particularly where this is used in decision making) will also need to be assessed over the coming years to ensure that the use of AI to guide decision making is transparent.
The days of vague, implied consent are over. The introduction of the new statutory tort and increased civil penalties requires schools to ensure they obtain explicit, informed consent before collecting and using data and to set out clearly when an individual should not expect privacy.
To navigate these changes, school leaders should consider the following steps:
- Conduct a Data and AI Audit: Review all data collection, storage, and usage practices to identify potential areas of non-compliance. Map out and assess the school’s use of AI in decision making.
- Update Privacy Policies: Ensure that privacy policies and procedures (and other policies dealing with confidentiality and the use of personal information) are up-to-date, legally compliant, and written in a way that is easy to understand. Set out clearly the exceptions where an individual should not expect privacy (for instance, where there is a countervailing public interest, such as the protection of children).
- Implement Consent Mechanisms: Develop clear processes for obtaining explicit, informed consent before collecting personal data.
- Train Staff: Educate employees on the new privacy laws and their responsibilities in ensuring compliance.
- Establish Breach Notification Procedures: Create a detailed plan for notifying individuals in the event of a data breach.
- Engage with the school community: Engaging with the community about these changes can further enhance trust.
Compliance with privacy reform is not just about avoiding fines and legal repercussions. Schools that prioritise transparency will build stronger relationships and earn trust within the school community.
If you would like specific advice regarding the privacy reforms or your school’s privacy policy, please contact Stephanie McLuckie.