Response 988241518

Personal information, de-identification and sensitive information

Should there be a criminal offence for re-identifying de-identified information? What exceptions should apply?

Agree where there is malicious intent.

Should consent be required for the collection, use, disclosure and storage of other tracking data, such as health data, heart rate and sleeping schedule, in addition to precise geolocation tracking data?

Yes, I think as a principle consent should be required to collect any data and that by opting out there is no worse service (so genuine opt out options).

Employee records exemption

Noting the current individual rights contained in Australian Privacy Principles 12 and 13, and the proposed individual rights in proposals 18.1, 18.2 and 18.3, what specific exceptions (if any) should apply to these rights in the employment context?

No exemptions should apply except that while a person is an employee and after a reasonable time period after the requirement to delete data at request (I would suggest one financial year for tax records the employee may require).

If privacy protections for employees were introduced into workplace relations laws, what role should the privacy regulator have in relation to privacy complaints, enforcement of privacy obligations and development of privacy codes in the employment context?

Legal enforcement rights to ensure complaint resolutions are upheld would be a requirement/capability I would suggest for the regulator.

Individual rights

What would the impact of the proposed individual rights be on individuals, businesses and government?

I would suggest that, given privacy consumer/individual rights exist firmly in the European Union, and to an extent California, similar or greater protections can be introduced with a net social benefit and the impact to business is manageable.

Direct marketing, targeting and trading

What would be the impact of the proposals in relation to direct marketing on individuals, businesses and government?

While there would be some impact, the overriding impact to the individual outweighs impact to the business (who can still trade and advertise without the data). The California Consumer Privacy Act requires businesses to request permission to sell data and for the individual not to be discriminated against by declining. I suggest this approach is already working in a large economy and therefore can be introduced in Australia (potentially with even greater privacy protections) with negligible impost.

Overseas data flows

Should the extraterritorial scope of the Act be amended to introduce an additional requirement to demonstrate an 'Australian link' that is focused on personal information being connected with Australia?

I agree with this.

Notifiable Data Breaches

Should APP entities be required to take reasonable steps to prevent or reduce the harm that is likely to arise for individuals as a result of a Notifiable Data Breach? If so, what factors should be taken into account when determining reasonable steps?

Yes. But not sure on factors to take into account for a reasonable steps test.

Provide general feedback or upload a written submission

If you would like to provide general feedback on the Privacy Act Review Report please provide your response

Response
I think the principles of being able to request from an entity what data it has on you, and to request that it delete that data, not sell that data (with a prompt before data is collected), and inform you whom it has been sold to previously, and for the burden to pass on requests to delete data not falling to the individual whose data was sold, are vital. A strong regulator with the resources to ensure compliance and education is also needed. Lastly, an individual should never be discriminated against by choosing the option not to have their data collected. Alignment with EU standards at a minimum would be of benefit for streamlining implementation (although going further for protections would be even better).