Response 376122351


Personal information, de-identification and sensitive information

Should there be a criminal offence for re-identifying de-identified information? What exceptions should apply?

Enter your response here
Yes, there should be a criminal offence associated with it unless the identified information is approved in writing by the owner of that information, e.g. the person whose personal identity information has been re-identified from de-identified information. Identification of de-identified information is the practice otherwise known as data scraping of information to identify a person; it is used in the OSINT industry and should be enforced.

Should consent be required for the collection, use, disclosure and storage of other tracking data, such as health data, heart rate and sleeping schedule, in addition to precise geolocation tracking data?

Enter your response here
Yes, proper written consent from the user should be required if that data is collected by anyone or any organisation in Australia. Also, if an organisation, even a government organisation, decides to create a database of, let's say for example, startups on the government website through data scraped from the internet, and they put it into a database openly accessible to the world, this data is then exposed, corrected and distilled for public viewing, therefore making the users or organisations that the data is collected about exposed, possibly causing such harm as increased spam email, SMS and phone attacks. This in turn has the flow-on effect of flooding a business's or an individual's inbox, SMS storage or voicemail box with unnecessary messages and documents that could possibly also be viral, thus increasing the risk of a cyber attack. The individual or organisation about which information is collected needs to consent so they have a choice of whether they want that information included or not.

Small business exemption

If you are a small business operator, what support from government would be helpful for you to understand and comply with new privacy obligations?

Please select all that apply
Checkbox: Ticked Information sessions
Checkbox: Ticked Written guidance
Checkbox: Ticked Digital modules
Checkbox: Ticked Self-assessment tools
Checkbox: Ticked Financial rebates or tax concessions for obtaining independent privacy advice
Checkbox: Ticked Other
Please expand on your response
1. Include initial funding to transition systems and settings, for example website changes, to establish the updated Privacy Act's consent and data protection requirements.

2. Local community information sessions, through video conferencing and in person in each community, to advise the public of the changes, or a national television series and advertising campaign to make people aware of the new Privacy Act.

Employee records exemption

How should employers provide enhanced transparency to employees about the purposes for which their personal and sensitive information is collected, used and disclosed?

Response
Yes, employers need to provide full disclosure of how employees' personal information is used in a workplace. Why is this important? An employee may provide very sensitive personal information such as details of their illness, their marital status, their birthday, and other very private information that could fully expose them if there is a data breach or if an unauthorised employee accesses it in order to benefit or cause harm. Therefore, full transparency between the employer and the employee on what personal information is collected about the employee and how it's used is very important.

For example, many employers use ERP databases to benefit their business, and to do that they collect employee information which is then aggregated so they can undertake forecasts of their business. Should that data ever be stolen or misused, it exposes the employees affected. This goes for human resources and payroll systems, performance KPI systems, and asset register systems, among others.

ERP Definition: "Enterprise Resource Planning (ERP) is a software solution that facilitates the management of various business functions, including human resources, among others. ERP is primarily developed for large organizations that require a comprehensive management system."

Noting the current individual rights contained in Australian Privacy Principles 12 and 13, and the proposed individual rights in proposals 18.1, 18.2 and 18.3, what specific exceptions (if any) should apply to these rights in the employment context?

Enter your response here
Exceptions would be where the individual's personal information is necessary to save their life. For example, if they are held hostage and local police officers or detectives or the local newspaper get involved in order to collect information and attempt to locate the person in order to save their life, and similar examples. But after that data is collected in order to save a person's life, it should then be deleted when it's no longer required, or the person affected can provide consent to keep that data.

Another important point is that government authorities, departments, police and other emergency services, when they collect data, need to seek the permission of the person they're collecting data about for their consent, unless that person is being investigated.

The sanctity of personal privacy and a person's data is very important, unless the person is under valid suspicion of a crime. In that case, the data must be collected anonymously so the person does not know about it during an investigation. After a person is released from prison, if they ever get convicted, the authorities need to seek the person's permission or consent to store data if that data is no longer required to be kept.

If privacy protections for employees were introduced into workplace relations laws, what role should the privacy regulator have in relation to privacy complaints, enforcement of privacy obligations and development of privacy codes in the employment context?

Enter your response here
1. They will need to act as a dispute resolution body regarding privacy breaches within an employment environment.
2. And for employees to be able to anonymously report an employer breaching new employment privacy regulations.
3. And also for employers to report an employee that has breached privacy regulations by misusing data of other employees.

Journalism exemption

What additional support, if any, would be needed to assist smaller media organisations to comply with privacy obligations?

Enter your response here
Independent bloggers, article writers and influencers would need additional support and training to ensure that they understand the new Privacy Act when they collect personal data and release it in their articles, their social media posts or their blogs.

Additional protections

What additional requirements should apply to mitigate privacy risks relating to the development and use of facial recognition technology and other biometric information?

Enter your response here
Case scenario 1: HIKVISION and DAHUA, Chinese CCTV equipment brands, already provide products in Australia that include facial recognition, body heat maps that can see inside people's clothing, and name tagging of people through facial recognition. These features are available in the latest products from those companies to Australian businesses and individuals, from companies that provide facial recognition, fingerprint scanning, temperature measurement devices for pandemics, and any other body data collection devices. Such features should be outlawed in CCTV brands sold in Australia unless they are required for government surveillance and anti-terrorism reasons.

Case scenario 2: Such companies as Amazon, with their Whole Foods supermarkets in America, use a large number of cameras to recognise every shopper coming in. Such services and physical locations will keep increasing, and a clear indication at the entrance of those shops or businesses needs to be provided so that the customer or citizen is aware that, as they enter, various data collection points such as biometric data are collected. Also, when entering government facilities and buildings, a clear sign in red colour should be provided to announce to the person that various biometric data may be collected.

Case scenario 3: The research and development and sale of any biometric technology, overseas and in Australia, needs to be licensed and approved to be used in Australia, just like the Therapeutic Goods Administration (TGA) does with food and drugs. Why? Because that data affects the body and the person's privacy and can be misused for things like peeping toms in security rooms (of course, most security professionals in security rooms will adhere to a code of conduct, but there can be bad sheep sometimes) and possible uses in crime.

Research

Should the scope of research permitted without consent be broadened? If so, what should the scope be?

Enter your response here
No research into biometric technology should be done without the consent of the user whose data is collected. The organisation or individual who is collecting the data must seek consent from the user from whom the data comes. An example is biometric data collection in app development.

Should there be a single exception for research without consent for both agencies and organisations? If not, what should be the difference in scope for agencies and organisations?

Enter your response here
There should be no exception for individuals or for organisations. An exception, in some circumstances, would be religious organisations and individuals in religious organisations.

Which entity is the most appropriate body to develop guidelines to facilitate research without consent?

Enter your response here
CSIRO

People experiencing vulnerability

What privacy-related issues do APP entities face when seeking to safeguard individuals at risk of financial abuse?

Enter your response here
- People suffering mental health issues are vulnerable to financial abuse. APP entities, if they know that the individual has mental health issues, need to take extra care that the individual is fully capable of understanding privacy consent approvals or data collection details to make an informed decision. If they are incapable of making a decision, or it's determined they're not capable of making a decision, the consent of a guardian or parent needs to be sought.
- Elderly people over a certain age are not well versed in technology, so APP entities need to provide additional explanation of how the technology or technologies will collect their personal information, or what they are consenting to, without coercion.

How can financial institutions act in the interests of customers who may be experiencing financial abuse or may no longer have capacity to consent?

Enter your response here
In the new Privacy Act, financial institutions by law will be required to act as a protector of people who are vulnerable to financial abuse, such as the elderly and those with mental illness. Financial institutions must be required to protect against unauthorised withdrawal of funds without express permission from those vulnerable to financial abuse. This can be done through two-factor authentication and, in some circumstances, if the amount is big enough, they may need to go to a physical branch and consent verbally so there's no coercion. For example, some NDIS providers may coerce an NDIS client to withdraw or transfer funds to the perpetrator's account, or in a criminal situation a person vulnerable to financial abuse may be coerced into withdrawing funds.

Further investigation and research on best practices needs to be sought with the financial institutions industry, such as banks and financial providers.

Should the permitted general situations in the Privacy Act be amended to enable disclosure of personal information in safeguarding situations which may not meet the requirements under section 16A, item 1? What other options for reform could be considered to protect people where abuse is suspected while respecting an individual's privacy and personal autonomy?

Enter your response here
Periodic checks of consent by financial institutions should be sought from all their customers as a preventative measure for those at risk of financial abuse or those no longer having the capacity to consent. For example, initially a customer may not have those issues and set up a bank account, but in a span of a year or two they may develop a disability or may no longer have the capacity to consent; they are then vulnerable to financial abuse. Periodic checks by banks and financial institutions on the consent for data collection and the consent for accessing financial details need to be done to ensure that the right people, those who should provide consent, are the ones providing consent over their lifetime.

As mentioned earlier, some levels of financial information or financial funds would require the person to be present in person at a financial institution to approve access to that information, where possible. If an organisation doesn't have a physical location, then they will have to use other approved means of verifying that the holder of the information consents, and periodically check and approve the consent for data collection or information provision.

Individual rights

What would the impact of the proposed individual rights be on individuals, businesses and government?

Enter your response here
Redacted text I'll outline some of my thoughts around that question: "What would the impact of the proposed individual rights be on individuals, businesses and government?"

- Individuals, businesses and government organisations need to respect the privacy of other individuals, businesses and government organisations, and they have to seek proper consent and outline what sort of data is collected.

Eg 1: When it's individuals such as artists collecting information, that should be exempted for the purposes of creative expression, or if they are included in the privacy regulation changes, they need to have access to free legal writing to be able to write up the necessary Privacy Act and consent forms on, for example, an artist's website where they have a contact form or someone leaves feedback etc., or if they are creating an artwork which collects a lot of data to create it.

- Eg 2: Another emerging problem with the privacy regulations is the scraping and collection of data such as pictures, videos and text for the purpose of creating a database for developing artificial intelligence tools, e.g. Stable Diffusion, ChatGPT etc. All data collected in those data sets needs to have the consent of the holder of that information or piece of data.

Are further exceptions required for any of the proposed individual rights?

Enter your response here
Add:
d. Religious exceptions, where an individual preaching their beliefs (freedom of expression) or a religious organisation (freedom of expression) collects data about the interested people they preach to in order to provide the religious service that those people have consented to, or keeps information such as do-not-knock details in order to respect the request not to be visited again. Religious organisations should also be free to contact the public through telephone to reach them, for example in pandemics, or to reach out to people through the phone book or publicly available information. Other examples: if the householders are not home, being able to send a letter through the post or leave something at the letterbox.

e. Emergency services using various means to save or protect a citizen.

Automated decision-making

What types of decisions are likely to have a legal or similarly significant effect on an individual's rights?

Enter your response here
- Changes in the design of products or websites that include additional collection of information, or changes in the advertisement providers of the website in the back end, such as Google Ads or Facebook Ads etc. Those in-between advertising agencies collect different sets of data; website members should be advised of changes to that, even if it's a small business changing their website.

- Changes to apps' privacy settings that collect additional sets of information should be sent as an email as well, because they get lost in the approval pop-ups on the app.

- In a physical business, changes to the way data is collected, such as CCTV equipment changes, various biometric collections, or data collected at the register or on forms filled out on tablets, should be announced at the front entrance so that a person entering that place knows exactly what will be collected from them. Assistance with posters advising on privacy regulations should be provided by the government for business premises based on the type of data they collect, so various templates for it, and a free consultation service on designing such statements should be provided by the government.

Should there be exceptions to a right for individuals to request meaningful information about how substantially automated decisions with legal or similarly significant effect are made?

Please select one item
Radio button: Ticked Yes
Radio button: Unticked No
Radio button: Unticked Unsure
Please provide examples of what these exceptions should be
Exceptions are the delivery of the service or product that they have requested. So any automated processes that collect data in order to fulfil that product or service should be automatically allowable and not require extensive explanations. But if the customer requests it, it can be provided, but businesses need thorough guidance on what to provide and how to provide it, and legal support from the government to transition. App and website editor providers should assist in that by providing tools to make it easier, the same as they've done in Europe for the GDPR.

Direct marketing, targeting and trading

What would be the impact of the proposals in relation to direct marketing on individuals, businesses and government?

Enter your response here
If I, as an individual or as a business or as a government organisation, request that I or we are not to be contacted for the purpose of any kind of marketing, that verbal request should be respected, and no other forms of marketing should be included, regardless of the original type of marketing content, whether it's email, phone, text or other means such as social media.

Once I have requested my information to be destroyed or not to be contacted by marketing, that data must be destroyed straight away.

Where information about individuals, businesses or government organisations is collected by marketing teams or agencies in unauthorised ways and then discovered, and various companies then contact these entities without permission, the affected people can request to have that data erased immediately. The collecting agency or the marketing agency needs to comply and delete the data or run the risk of criminal investigations by the authorities. There should be a strong enough incentive to delete the data.

What would be the impact of the proposals in relation to targeting on individuals, businesses and government?

Enter your response here
The above guidelines are very complex. Redacted text The proposals' marketing contact should be in the form of an email, an SMS or a phone call to the persons that will be receiving advertising content, advising them that they've been added to a marketing register and they will receive marketing material, with an option to opt out before those campaigns are even sent. Why? Because the content may be inappropriate, dirty or not welcome by the recipient.

What would be the impact of the proposals in relation to sale of personal information on individuals, businesses and government?

Enter your response here
Redacted text It's hard to keep track of all the marketing data that's being collected about me. But to make it simple, if a business is sold and its marketing data is sold to another provider, or that data is sold as a product to other businesses, for example a database of startups or businesses or individuals with their contact details... then each person in that database needs to be contacted to request permission for the data to be sent or sold or transferred across or copied to another provider, under the penalty of prison sentences and the penalty of criminal offences. The rule is that I only gave consent to this organisation and not the other for my data, and I don't give any permission to another organisation unless they've asked me for my permission. That's the sanctity of permission.

Are there any technical or other challenges you would face in providing information about how your algorithms target users to provide them with online content or recommendations?

Enter your response here
Small businesses do not understand the algorithms behind their websites or their apps that are created by other agencies or companies such as the Wix website editor or Google Ads. This is complex technical information that a small business should not be required to explain. The relevant vendors with which the small business houses the client data that is subject to those requests should have a forum or a contact point, or a detailed explanation or a page where it explains in detail what data is collected, so the small business can then provide that to the end user.

These explanations / algorithm information sheets need to be in layman's terms so that the end user can easily grasp what is being done to their data or how the data will be collected; they are often legal documents that are too big and too difficult to understand. Simplicity in those statements needs to be provided by the vendors that provide that service or data.

Please share any examples of situations where greater transparency about how individuals are being targeted by recommender algorithms is not necessary or important to individual or societal wellbeing.

Enter your response here
- For example, when Google Ads or Facebook Ads collect data on connected websites about different statistics, schematics or details about an individual, that data is then provided in an anonymised way but connected to the users themselves through Google Ads or Facebook Ads. So then what happens is that an advertiser can click a few form options and details and is able to target those individuals. So, for example, a person struggling with gambling can be targeted by gambling organisations' advertisements, and so on, with many, many, many examples of that. Knowing exactly how the algorithms work and how the data is collected and provided to others, in very clear, short statements, will help the consumer to choose whether to go with that service or not, and it'll incentivise companies to collect less data.

Security and destruction

What baseline privacy outcomes should be included in APP 11?

Enter your response here
APP 11 should require all organisations, both private and public, and large, medium and small businesses, to have a baseline of cyber security protection around personal information that has been consented to, in order to maintain basic modern standards of privacy protection. This includes two-factor authentication on all places where personal information about users and clients is stored. Anti-malware protections on all computers and mobile devices, where needed, should be included. Backup of client information should be established in case of a ransomware attack. All businesses should be required to take out cyber security insurance in case the data is stolen and compensation needs to be provided to the user, or all business insurance policies should include coverage of loss of client data as a result of ransomware attacks. Currently the insurance industry charges businesses for another policy just for cyber security protection.

What are the barriers APP entities face to minimise collection and retention of identity credential information (e.g. reference numbers from, or copies of, drivers’ licences and passports)?

Enter your response here
- The barrier of government requirements on data collection in some industries. A government-run digital verified 100-point ID system to connect to applications and websites would make it easier to sign up to services without provision of sensitive documents that are required to be stored by companies. Financial assistance to each business to enhance their security around client data.
- Current technical constraints of the apps, websites and services they use to deliver services and products to customers. Manufacturers and vendors of hardware and software need to work with government to add features and settings that will make compliance with the new Privacy Act easy for all businesses, government and individuals.
- Over-detailed complexity around the Privacy Act makes it hard for organisations to comply with it. So the Privacy Act needs to be simple, concise and to the point, and simplified explanations of each aspect of the Privacy Act should be provided by government.

Controllers and processors

If small business non-APP entities that process information on behalf of APP entities are brought into the scope of the Act for their handling of personal information on behalf of the APP entity controller, what support should be provided to small businesses to assist them to comply with the obligations on processors?

Enter your response here
Small businesses should be given a technical and legal support line, and email and web resources, on all the legal compliance required, and the APP entity should also support the small business non-APP entity in establishing the required controls with the support of the government agencies concerned. they're Hello Greg, I went for a walk yourself off. After the Privacy Act is established, this should be provided so that small businesses have a chance and time to establish new settings and procedures.

Overseas data flows

Should the extraterritorial scope of the Act be amended to introduce an additional requirement to demonstrate an 'Australian link' that is focused on personal information being connected with Australia?

Enter your response here
The extraterritorial scope of the Act should be amended to introduce additional requirements to demonstrate an Australian link and how it relates to the person's data leaving the country and arriving. Large companies like Google and Facebook transfer data all over the world. The Australian link should be clearly defined, and how it leaves Australia and returns back to Australia. That topic is a little bit confusing, so I hope this helps. It has to make sense to the end user and the everyday person.

Ideally in Australia, client data should be stored within Australia, as many countries have embraced; for example, the European Union requires companies to store the data of European citizens within Europe. This provides greater data protection for Australians.

Should disclosures of personal information to overseas recipients via the publication of personal information online be subject to an exception from the requirements of APP 8.1 where it is in the public interest? How should such an exception be framed to ensure the public interest in protecting individuals’ privacy is appropriately balanced with other public interests?

Enter your response here
An example of an exemption would be the disclosure of personal information of a terrorist or a criminal in Australia to the international public or international law enforcement bodies.

If an individual who is an Australian citizen is in an emergency situation or in a disaster zone overseas, the authorities need to be careful what personal information they reveal to the public and the media to protect their privacy. If that person is unavailable to provide consent to disclose data, then the family members closest to them need to be given the option to consent on their behalf, or powers of attorney.

Any other public disclosure of information about persons in Australia to overseas sources should be limited, and the person needs to provide consent for that to happen. For example, the Australian government cannot just provide personal details of citizens to other countries and other government organisations overseas without the permission of those citizens.

Notifiable Data Breaches

How can reporting processes for Notifiable Data Breaches be streamlined for APP entities with multiple reporting obligations?

Enter your response here
APP entities should be required to notify of all data breaches, small and large, and the threshold should not be a $3 million or over turnover; any type of APP entity, even under $3 million, should be required to report notifiable data breaches. This is to let customers know they were affected by a data breach, small or large. If only a small group of people are affected, then only those people need to be advised, not publicly. But if the entire client database is breached, they all need to be notified, and the public needs to be notified by the notifiable data breach agency.

Small businesses under $3 million should be required to report data breaches if they are aware of them. This may be a burden for small business, but most businesses in Australia are small businesses, so they all need to play a part. But for small businesses, they do not need to notify publicly, just their users, to protect their survival as a small business. They also need to be provided with assistance in terms of cyber security recovery or funding to hire someone.

Should APP entities be required to take reasonable steps to prevent or reduce the harm that is likely to arise for individuals as a result of a Notifiable Data Breach? If so, what factors should be taken into account when determining reasonable steps?

Enter your response here
APP entities and small businesses should be required to have a baseline of basic cyber hygiene tasks and preventative measures such as antivirus, backups, two-factor authentication where possible, strong passwords of 14 characters or more and unique passwords, and a number of other settings and measures. A regular audit should be done for all APP entities and a voluntary audit by small businesses. The new Privacy Act is not pretty, but it'll help upscale cyber security in Australia to a new standard and have every APP entity take it seriously. Non-compliance in audits should result in fines to prevent non-compliance.

Provide general feedback or upload a written submission

If you would like to provide general feedback on the Privacy Act Review Report please provide your response

Response
The underlying universal privacy principles should be adhered to when designing the new Privacy Act. These include respecting the privacy of a person, and respecting the privacy of the personal data that is stored by providers, companies and individuals (in a way they are the custodians of the personal data of the person they collected it from, so in a way they are custodians of that data and should treat it that way; it's not theirs, it's the data of the person that provided the data). Breaches of the Privacy Act should be enforceable with fines or criminal proceedings reasonable to the size of the business or entity, to act as a deterrent. Lessons learnt from the GDPR in Europe should be taken up in this Australian Privacy Act change. A reasonable amount of time should be provided to organisations once the new Privacy Act is passed so that no one is left behind or ends up losing their business or goes into bankruptcy because they cannot afford the settings, adjustments and changes to the business to meet the requirements of the new Privacy Act.