
GDPR and Australian Privacy Laws – Privacy by design and the right to be forgotten


Things are becoming clearer as the EU learns to adjust to the GDPR Directive. Although it's early days, there are a couple of clear features that Australia will need to consider.

  • Privacy by Design and Default

  • The Right to be Forgotten [Erased]

Whilst Australia does expect that IT systems are in place to support these requirements, our legislation is not as specific as that of the GDPR Directive.

Before you read any further, does the GDPR apply to your Australian Business?

If you are working with any EU citizens' data, then the GDPR applies to you. When considering the GDPR, remember that it applies to EU data subjects, not Australian data subjects.

The significant factor for Australia is the GDPR's extraterritorial reach.

  • Data controllers or processors outside of the EU who are processing personal data as part of their goods / services to individuals within the EU (whether free or charged) fall under the GDPR.

  • Data controllers or processors who are monitoring behaviour of individuals within the EU such as online tracking, cookies, or collecting or receiving data about EU subjects also fall under the GDPR.

GDPR has exclusions for small businesses ONLY if data collection is NOT a regular occurrence or part of the core business.

Privacy by Design and Default

This is a core change specific to the GDPR; it is not yet formally required under Australian law (unless the data subjects are from the EU or UK).

GDPR Requirements

Privacy by design demands that privacy protections be planned, designed and built into any data collection or storage system as the standard default position, regardless of any additional features being added later.

Privacy by design requires architecturally embedded privacy controls, not an add-on. In other words, they form an integral part of the architectural design and structure of any IT system or tool collecting or transmitting personal data.

The starting point is to undertake a Privacy Impact Assessment (Risk Assessment) to identify Privacy by Design needs.

Privacy by design includes a lifecycle process of:

  • Proactive approach of risk identification through a Privacy Impact Assessment [PIA]

  • Privacy as a default setting – automatic protections in place

  • Privacy embedded into the architecture of IT systems

  • Full scope of system functionality with end-to-end security

  • Visibility and transparency

  • Respect for user privacy

Australian Requirements

The Australian Privacy Principles [APP] are structured to reflect the information lifecycle from privacy planning to collection of personal information, use and disclosure, quality and security and access and correction.

Organisations are required to take reasonable steps to implement practices, procedures and systems relating to their functions or activities that will ensure that they comply with the APPs and are able to deal with any privacy inquiries or complaints. A failure to meet either of these obligations will mean that the organisation has breached the Privacy Act and could be liable for penalties.

This is Australia’s answer to privacy by design.

The Right to be Forgotten [Erased]

GDPR Requirements

The title is self-explanatory. Personal data must be erased immediately:

  • where the data is no longer needed for the original processing purpose, or

  • the data subject has withdrawn his/her consent and there is no other legal ground for processing, or

  • the data subject has objected and there are no overriding legitimate grounds for the processing, or

  • erasure is required to fulfil a statutory obligation under the EU law.

The data controller is automatically subject to statutory erasure obligations and must also comply with a data subject's right to erasure. The law does not describe how the data must be erased. The definitive outcome is that it is no longer possible to discern personal data without disproportionate effort. It is generally considered sufficient if the data media has been physically destroyed, or if the data is permanently overwritten using special software that prevents access to the original data.

Australian Requirements

In Australia, privacy law is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APP). The Australian Law Reform Commission (ALRC) made a move in Europe's direction, recommending that a "right to deletion of personal information" be inserted as an amendment to the Privacy Act as another APP; however, this is unlikely to occur in the near future.

The government's data security agenda focuses heavily on data retention, evidenced by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth).

The closest Australia currently gets to this requirement is the right to have personal information corrected as set out in APP 12 and 13.

APP 12: An APP entity holding information about an individual must provide that individual with access to the information if the individual requests it. An APP entity is an agency or organisation.

APP 13: An APP entity must take reasonable steps to confirm and correct any personal information if it is satisfied that the information is:

  • Inaccurate

  • Out-of-date

  • Incomplete

  • Irrelevant

  • Misleading

  • or if an individual requests that the entity correct the information.

Neither of these rules stretches to force an organisation to delete an individual’s records, and under APP 12, it is at the entity’s discretion to correct the personal information.

Where to from here?

Whilst there are other issues to consider including the need for a Data Privacy Officer [DPO], both privacy by design and the right to be forgotten are by far the most challenging of GDPR requirements for Australian organisations given that both issues require information security systems planning and structure to meet these needs.

Firstly, undertake a risk assessment, audit and gap analysis of data storage and systems practices [whatever you want to call it] to determine:

  • What is personal data

  • How personal data is secured

  • How personal data is stored

  • Where personal data is stored – every location

  • What data is shared with third parties or integrated with other processes, and from where

Now identify and quantify risks associated with your findings.

  • What options (Costs / Timelines / IT / Training / Policy etc.) are available to fill the gaps / control the risks?

  • Put an improvement plan in place.

Confirm your IT systems comply with the following:

  • IT systems can cope with the right to access and the right to be forgotten

  • Data portability / transfer capabilities

  • Capability to delete information on request

  • Built-in, secure-by-default measures, e.g. encryption

  • Access controls in place – need-to-know and approved access only

  • A reasonable retention process in place (data is not kept forever)
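As an added example, not part of the original post, the following Python sketch shows how the capability checklist above can be expressed in code: records are encrypted by default under a per-subject key held in a separate vault, access and portability exports are gated by a need-to-know check, erasure on request is implemented by destroying the subject's key as well as the records (so a ciphertext copy that survives in a backup is no longer discernible, which is the outcome the GDPR text above asks for), and a retention limit purges stale records. The class name, the role names and the sample records are assumptions made for the example; the HMAC-SHA256 counter-mode keystream stands in for a vetted AEAD cipher such as AES-GCM from a maintained library, which production code should use instead.

```python
"""Added example (not from the original post): a minimal personal-data store
mapping the compliance checklist onto code. Standard library only."""
import hashlib
import hmac
import json
import secrets
import time

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream; demo stand-in for AES-GCM.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC layout: nonce || ciphertext || tag.
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class PersonalDataStore:
    """Privacy by default: every record is stored only as ciphertext under a
    per-subject key; the key vault is the single place that erasure must hit."""

    def __init__(self, retention_seconds: float, clock=time.time):
        self.retention_seconds = retention_seconds
        self.clock = clock                 # injectable for testing retention
        self._vault = {}                   # subject_id -> 32-byte key
        self._records = {}                 # subject_id -> [(stored_at, blob), ...]
        self._allowed_roles = {"privacy-officer", "support"}   # hypothetical need-to-know roles

    def store(self, subject_id: str, record: dict) -> bytes:
        key = self._vault.setdefault(subject_id, secrets.token_bytes(32))
        blob = seal(key, json.dumps(record, sort_keys=True).encode())
        self._records.setdefault(subject_id, []).append((self.clock(), blob))
        return blob   # returned only so a caller can simulate a backup copy

    def _authorise(self, subject_id: str, requester: str, role: str) -> None:
        # Access control: the subject themselves, or an approved need-to-know role.
        if requester != subject_id and role not in self._allowed_roles:
            raise PermissionError(f"{requester!r} ({role}) may not read {subject_id!r}")

    def access(self, subject_id: str, requester: str, role: str = "subject") -> list:
        # Right to access (APP 12 / GDPR access request).
        self._authorise(subject_id, requester, role)
        key = self._vault.get(subject_id)
        if key is None:
            return []
        return [json.loads(open_sealed(key, blob)) for _, blob in self._records.get(subject_id, [])]

    def export_portable(self, subject_id: str, requester: str, role: str = "subject") -> str:
        # Data portability: machine-readable export of everything held on the subject.
        payload = {"subject_id": subject_id, "records": self.access(subject_id, requester, role)}
        return json.dumps(payload, sort_keys=True)

    def erase(self, subject_id: str) -> None:
        # Right to be forgotten: drop the key first (crypto-shredding), then the records.
        self._vault.pop(subject_id, None)
        self._records.pop(subject_id, None)

    def recover_from_backup(self, subject_id: str, blob: bytes):
        # A ciphertext surviving in a backup is unreadable once the key is gone.
        key = self._vault.get(subject_id)
        if key is None:
            return None
        return json.loads(open_sealed(key, blob))

    def purge_expired(self) -> int:
        # Retention: drop records older than the limit; erase subjects with nothing left.
        now = self.clock()
        removed = 0
        for sid in list(self._records):
            fresh = [(t, b) for t, b in self._records[sid] if now - t < self.retention_seconds]
            removed += len(self._records[sid]) - len(fresh)
            if fresh:
                self._records[sid] = fresh
            else:
                self.erase(sid)
        return removed

    def subjects(self) -> list:
        return sorted(self._vault)
```

The design choice worth noting is that `erase` removes the key before the records: even if a ciphertext copy persists elsewhere (backups, replicas, log archives), it can no longer be turned back into personal data without disproportionate effort, which is the standard the erasure text above describes. The retention sweep reuses the same path, so a subject whose last record ages out is shredded the same way as one who asks to be forgotten.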

The need for a Data Privacy Officer [DPO]

Determine whether you need a DPO based on whether your core activity requires systematic monitoring of data subjects or large scale processing of sensitive data.

As an 'outreach' country affected by the GDPR's jurisdictional reach, you must have an EU-based representative [this representative can fill the DPO role].

DPOs must be autonomous and knowledgeable in GDPR requirements; however, they DO NOT have to be employees. The DPO can be external to the organisation on the basis of a service contract with an individual or an organisation.