Cyber Security

Luke Hally

Improvements to the Privacy Act

February 22, 2023
An area of the Privacy Act that could be improved is consent with regard to Australian Privacy Principle 3 (APP 3), the collection of solicited personal information.

The definition of consent in the Privacy Act is quite loose, being defined at 6(1) “consent” as “express consent or implied consent” (Privacy Act 1988, 2022). There are a number of places in the Privacy Act where consent is expressly required (e.g., throughout Part IIIA), but not with regard to the collection of personal or sensitive information.

APP 3.1, 3.2 and 3.3 provide a lot of leeway for the collection of personal information that is extraneous to the purpose for which it is being collected. Consent is not required under 3.1 and 3.2; 3.3 does require it, but consent can be implied, and the data collected only needs to be “reasonably necessary for one or more of the entity’s functions or activities” (Privacy Act 1988, 2022). Following these provisions, an entity could collect whatever personal information it can pry out of an individual, as long as there is some connection to its activities. One could argue that collecting the information is itself one of its activities and thereby justify collecting any personal information!

In contrast, the GDPR definition of consent (at Article 4, paragraph 11) is much clearer: consent must be “freely given, specific, informed and unambiguous … by a clear affirmative action” (Intersoft, 2016). The definition relates to consent regarding personal data, rather than being an abstract, self-referencing concept like the Privacy Act’s definition; this gives it context and makes it easier to understand. Building on the GDPR’s clearer definition is Article 7, Conditions for consent, which outlines how consent should be obtained and recorded, that it can be withdrawn, and that the personal data collected with that consent must be required for the purpose.

The Privacy Act treats consent and collection of information as two distinct actions, where consent may or may not be required for the collection of information, whereas the GDPR links them explicitly at Article 7, paragraph 4. The Privacy Act has a fractured approach to privacy, with different types of information (e.g., personal and sensitive) and different treatment of particular types of personal information (i.e., financial information in Part IIIA). This may stem from the only type of personal information protected in the Criminal Code Act 1995 being personal financial information, in Part 10.8.

To overcome the issues outlined in APP 3, I think that it should be amended to include provisions that mirror GDPR Article 7. This could allow more rigour in the collection, use and storage of personal information, without the need for a full review of the Privacy Act. Taking a broader view, I think that an amendment to the Criminal Code Act 1995 Part 10.8, to change the focus from “personal financial information” (Criminal Code Act 1995, 2022) to “personal information” (keeping financial specifics where appropriate), could lead to a less fragmented approach to privacy.

References

Criminal Code Act 1995 (Cth), (2022). https://www.legislation.gov.au/Details/C2019C00043/Html/Volume_2

Intersoft. (2016, July 13). General Data Protection Regulation (GDPR) – official legal text. General Data Protection Regulation (GDPR). https://gdpr-info.eu

Privacy Act 1988, (2022). https://www.legislation.gov.au/Details/C2021C00452
