The OAIC has released its report regarding the 2023 Australian Community Attitudes to Privacy Survey (2023 Report). The Australian Community Attitudes to Privacy Survey is a longstanding study commissioned by the OAIC to evaluate Australians’ awareness and understanding of, and behaviour and concerns relating to, privacy, which this year builds on the Attorney General Department’s recent Privacy Act Review Report and associated consultation process (see our article The most sweeping reforms to Australian privacy law in over twenty years).
The 2023 Report provides a number of key insights in relation to a range of privacy related issues, including:
- the harms that result from privacy breaches; and
- digital technology (including AI and biometric technology).
This article sets out some of the key findings of the 2023 Report.
Privacy awareness in the spotlight
The 2023 Report finds that privacy is a major priority for Australians, but that awareness and understanding of privacy laws (and how to enforce individual rights) is low. 90% of Australians say they have a clear understanding of why they should protect their personal information, but only 50% understand how they can protect it. More than 60% of Australians see the protection of their personal information as a major concern in their lives and 82% care enough about protecting their personal information to do something about it; however, 57% do not know what to do to ensure it is protected.
The 2023 Report also finds that, after quality and price, data privacy is the third most important factor for people in choosing a product or service. The majority of Australians place a high degree of importance on their privacy in this regard, with 70% of Australians saying that their privacy is ‘extremely’ or ‘very’ important and another 26% stating it is ‘quite’ important when choosing a product or service.
Community support for privacy law reform is strong
In the context of the Privacy Act Review Report, the 2023 Report finds that the Australian public is generally in favour of privacy reform that enhances individuals’ privacy rights. 69% of Australians said they are aware of privacy law that protects the privacy of individuals, but 89% of people want the government to legislate further in this area.
Indeed, nearly all survey participants expressed that they would like additional rights under the Privacy Act 1988 (Cth) (Privacy Act) (according to the below percentages), including the right to:
- ask a business to delete their personal information (93%);
- object to certain data practices while still being able to access and use the service (90%);
- seek compensation for a breach of privacy (89%);
- know when their personal information is used in automated decision-making if it could affect them (89%); and
- ask a government agency to delete their personal information (79%).
The role of organisations in public trust
The 2023 Report finds that public trust in organisations’ use of personal data is low. Less than half of respondents trust organisations to adhere to a range of their fundamental privacy obligations, including to:
- only collect the information they need;
- use and share information as stated in relevant collection notices or privacy policies;
- store information securely;
- give individuals access to their personal information; and
- delete information when no longer needed.
58% of respondents expressed that they do not know what organisations do with their data, with 50% agreeing, or strongly agreeing, that they consider they have no choice but to hand over their personal information if they wish to access a service. Notably, 91% of Australians also expressed concern about the prospect of their personal data being sent overseas.
Privacy breaches are one of the biggest privacy risks Australians face
75% of Australians consider that data breaches are one of the biggest privacy risks they face today (increasing by 13% since 2020). Almost 50% say they would stop using a service if their data was involved in a data breach. However, most Australians are willing to remain with an organisation that has suffered a data breach, provided the organisation quickly takes action, such as implementing steps to prevent customers from suffering harm. 24% of Australians see implementing proactive steps to protect the information they hold as the second most important action required to protect their privacy interests. The most important action, according to 26% of respondents, is organisations only collecting the information necessary to provide their relevant product or service.
Digital technologies’ impact on data management and privacy
The 2023 Report highlighted that Australians are generally more at ease with one-to-one uses of their biometric information than they are with one-to-many uses and biometric analysis. A common method of one-to-one use involves the process of confirming a person’s identity by comparing their biometric information with their own existing information (e.g. when passing through passport control at an airport). Conversely, one-to-many uses of biometric information involve comparisons of individuals’ biometric data against large databases that contain the information of many individuals.
The survey respondents’ comfort with the use of biometric information also varied significantly depending on the context. However, the 2023 Report found that people are most comfortable with the collection and use of their biometric information in border security and law enforcement contexts, and they are more likely to trust the public sector to collect and use this kind of information than private sector businesses.
Overwhelmingly, the 2023 Report shows that 96% of Australians would like certain conditions in place before AI technology is used to make decisions that might affect them, such as the right to have a human review the decision. Although support levels were low across the board, Australians are slightly more comfortable with government agencies using AI leveraging their personal information to make decisions about them (20%) than they are with private sector businesses doing so (15%).
Children’s privacy of paramount importance
Parents in Australia expressed anxieties about their children’s technology use, and the means by which organisations are handling the personal information of minors. 79% of parents stated that protecting the personal information of their children was a major concern, while only 50% of parents feel they are in control of their child’s data privacy. Responses highlighted the tension between enabling children to be technology-capable whilst also protecting them from anticipated harms. Notably, 91% of parents responded that the privacy of their child is of high importance when deciding to provide them with access to digital devices and services, with 79% of parents expressing discomfort with businesses tracking the location of their child without permission and selling their children’s personal information to third parties. More generally, 89% of people considered practices involving the online tracking, profiling and targeting of advertising to children to be ‘not fair and reasonable’.
Key takeaways of the OAIC Privacy Survey Report
In light of the survey responses, potential law reform, and the rapidly changing technology landscape (including the rise of AI and increased use of biometric information), organisations should ensure their data handling practices not only comply with their legal obligations, but appropriately align to public attitudes and expectations in respect of responsible data usage. Organisations should place individuals at the centre of their deliberations when establishing and reviewing their data handling practices.
The 2023 Report also highlights the importance for businesses to:
- maintain open, transparent and effective procedures to manage personal information;
- establish robust cyber security practices; and
- mitigate risks related to data breaches and associated reputational damage.
Public and private sector organisations should ensure they are open and transparent in relation to their personal information handling practices as a means of maintaining consumer trust. It is clear from the survey responses that the public places considerable importance on these issues, and so organisations should do so as well.
In particular, organisations should ensure their privacy policies, collection notices and consents and data governance procedures are:
- up to date;
- legally compliant;
- accurately reflective of, and tailored to, their current business practices, information handling processes and the nature of the information collected; and
- drafted in a clear and accessible manner.
The 2023 Report indicates that most Australians are willing to remain with an organisation that has suffered a data breach, so long as the organisation quickly takes action, and that they also expect businesses to implement proactive steps to protect their data. Businesses can mitigate the compliance risks and reputational impact of data breaches by establishing comprehensive data breach response plans and otherwise taking proactive steps to develop, implement and maintain cyber attack preparedness. In particular, organisations should:
- ensure IT security systems are robust and fit for purpose;
- routinely conduct vulnerability and penetration tests; and
- regularly test, review and update their incident response plans.
For further information on cyber security and cyber preparedness, please refer to our 2023 Perspectives on Cyber Risk report.
MinterEllison provides full-service IT legal and cybersecurity consultancy services with extensive experience in privacy, data protection, cybersecurity and software and IT service procurement. Please contact us if you would like assistance ensuring your business’ compliance with the Privacy Act, cybersecurity preparedness, understanding privacy legislative reform processes or responding to a suspected data breach incident.