As well as privacy law exceptions for research.
A ‘fair and reasonable test’ for handling personal information and research data use rules are new proposals the government wants feedback on before deciding how to overhaul the Privacy Act.
A two-year review of the Act has resulted in 116 proposals to tighten Australian laws and rules, but the government will conduct a further review before deciding which of the 116 to back.
Attorney-General Mark Dreyfus unveiled the 320-page report [pdf] as well as a simpler one-page summary [pdf], but suggested additional vetting of the proposals is needed.
“The government is now seeking feedback on the 116 proposals in this report before deciding what further steps to take,” he said.
The review takes into account two rounds of consultations related to an issues paper in October 2020 and a discussion paper, which also contained a number of proposals, in October 2021.
“Consideration of the benefits and limitations and costs associated with proposals put forward in the discussion paper led to some proposals being reworked, some not being pursued and, in other cases, new proposals being put forward,” the review states.
“As such, some proposals have not had the benefit of stakeholder feedback and will require further consultation prior to implementation.”
The two big changes between the discussion paper and the review are proposals on a “fair and reasonable test” and on specific exceptions for research purposes.
The “fair and reasonable test” would ensure personal information is handled “within individuals’ reasonable expectations and is not harmful.”
Under the proposal, “all entities covered by the [Privacy] Act should conduct a privacy impact assessment before commencing an activity which is likely to have a significant impact on the privacy of individuals and… additional privacy protections should apply to children,” the review states.
Meanwhile, the review also has a carve-out section on research data use cases, which was not part of the earlier discussion paper.
Researchers, mostly in medical and health fields, are already able to use data in certain ways – such as in a “deidentified” state or alternatively with a person’s consent – under existing exceptions in the Privacy Act.
However, a proposed tightening of consent could impact research programs.
The review proposes a GDPR-like ‘broad consent’ to be introduced. In the EU, this is particularly used by genomics researchers to collect samples and data that can be used in multiple programs.
“Broad consent would be given for ‘research areas’ where it is not practicable to fully identify the purposes of collection, use or disclosure of personal or sensitive information at the point when consent is being obtained,” the review proposes.
The move would effectively treat consent differently for medical and health research than for business uses.
Also up for consideration is an expansion of the type of research that would qualify for exceptions in the Privacy Act, but for all researchers to be covered by “a single exception for research without consent”, with a single set of guidelines that makes obligations clear.
The government will now consult on the full package of proposals until the end of March.
A handful of changes to the Privacy Act, including larger fines for breaches, were passed at the end of last year following a series of high-profile data leaks and breaches.