VICDOC Autumn 2025 - Magazine - Page 72
AMENDMENTS TO THE PRIVACY ACT
The first legislative change was a series of amendments to the Privacy Act 1988, which came into force on 10 December 2024. The Privacy and Other Legislation Amendment Act 2024 made a number of relatively minor amendments to the Privacy Act – but there are a couple which are particularly worth noting for healthcare providers.
The first is the new regime of penalties and fines under the Privacy Act. It may be surprising to learn that until now, only serious or repeated breaches of the Privacy Act were punishable by monetary penalties, and the Office of the Australian Information Commissioner (OAIC) had to apply to the Federal Court to seek to impose a penalty. As a result, it was exceedingly rare for the OAIC to seek penalties against anyone.

Now, any breach of the Privacy Act – serious or not – can attract a penalty. Further, the Privacy Act now gives the OAIC the power to issue infringement notices imposing administrative fines of up to A$330,000 for certain minor breaches of the Privacy Act, without going to court – like a parking ticket for privacy offences. Breaches which can attract an administrative fine include:
» not having a privacy policy which complies with the requirements of the Privacy Act;
» not providing an “opt-out” on direct marketing communications;
» not giving effect to a request by an individual to opt out of direct marketing communications; and
» not responding to a request by an individual to correct their personal information within a reasonable period.
As the OAIC does not need to go to court to issue an infringement notice, we are expecting that this is a power the OAIC will use regularly to make an example of non-compliant businesses. Accordingly, we recommend that all healthcare providers get their privacy policy in order and check they are compliant with these other basic requirements of the Privacy Act.
The second amendment worth noting is that organisations which use automated processes to make decisions that could significantly affect the rights or interests of individuals are now required to include details about their use of automated decision-making in their privacy policy. “Automated decisions” are not limited to wholly automated decisions; they also include any process in which a computer does something that is substantially and directly related to making a decision. This could include processes which involve humans, if the human generally follows the recommendations of the computer.
Healthcare providers will need to consider whether they use automated decision-making in any area of their business – for example, in assessing job applications. To give businesses time to amend their privacy policies, this requirement will not come into effect until 10 December 2026.