Privacy reforms in Australia's higher education sector

6 minute read  04.11.2024 Lisa Jarrett, Paul Kallenbach, Eliza Campain, Lachlan McNamara

We explore how the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill), introduced in September 2024, impacts the higher education sector in Australia.

On 12 September 2024, the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill) was introduced into the lower house of Federal Parliament. Of the 106 reforms that the Government 'agreed' or 'agreed-in-principle' to in its Response to the Attorney-General's Privacy Act Review Report, the Bill implements only 23. The journey to comprehensive privacy reform continues to be a lengthy one, and we think it unlikely that further tranches will be introduced into Parliament before the next Federal election.

The Bill is currently before Parliament, and was referred to the Legal and Constitutional Affairs Legislation Committee for inquiry and report by 14 November 2024.

Relevance of the Bill on the higher education sector

Except for private universities and the Australian National University, the Privacy Act 1988 (Cth) (Privacy Act) does not apply to universities. Rather, universities are required to comply with applicable State and Territory based privacy laws.

Nevertheless, many universities represent in their privacy policies that their information collection, use and handling protocols are consistent with the Privacy Act. These universities will need to update their protocols, policies and procedures to reflect the reforms if they wish to maintain this representation.

Additionally, customers, key contractors and university-adjacent entities who are subject to the Privacy Act may require universities to handle information in a manner that is consistent with the Privacy Act. These contractual arrangements may need to be revisited in light of the reforms.

Key impacts of the Bill on the higher education sector

APP 11 – security of personal information

Universities collect large volumes of personal information (including sensitive information) about staff, students, contractors and others. Through its amendments to APP 11, the Bill aims to increase transparency and certainty about how that information must be protected.

Currently, APP 11.1 requires an APP entity (such as a private university or the Australian National University) to take reasonable steps to protect the personal information it holds from misuse, interference and loss, as well as from unauthorised access, modification or disclosure. The Bill will add a new APP 11.3, which provides that the 'reasonable steps' in APP 11.1 include 'technical and organisational measures'. The Bill's Explanatory Memorandum gives, as examples of technical measures, protecting information through physical measures, software and hardware; organisational measures are the steps and processes an entity should implement, such as employee training on data protection.

Despite the examples in the Bill's Explanatory Memorandum, there is limited guidance on what constitutes 'technical and organisational measures', including practical advice on what entities should actually do to protect personal information. It is hoped that the Office of the Australian Information Commissioner will provide detailed guidance in due course.

The amendment to APP 11 should prompt universities, and related entities or suppliers, to review their privacy policies and technical and organisational security measures to ensure they are adequate in the context of the types of personal information being collected.

Doxxing

The Bill proposes to make 'doxxing' a criminal offence by amending the Criminal Code Act 1995 (Cth). The Bill defines doxxing as the intentional malicious exposure of an individual's personal data online, with the Bill's Explanatory Memorandum detailing the significance of doxxing at length. The higher education sector has recently been caught in the middle of a doxxing controversy, where a political science professor was accused of engaging in doxxing by publishing an internal email on social media platform X (formerly Twitter).

Universities may find themselves impacted by doxxing in multiple ways:

  • Staff sharing internal communications or personal information about individuals, potentially leading to harmful consequences;
  • Students posting information online about staff members; and
  • University-affiliated individuals (including students) sharing information on politically sensitive topics or geopolitical issues.

In light of the above, it is crucial that universities review their policies and procedures, along with student codes of conduct and terms of use for university ICT systems, to ensure that they adequately address doxxing and assist the university to mitigate risks in the event that such an incident occurs.

Facilitating overseas data flows

The Bill proposes changes to APP 8 with the aim of supporting the free flow of information across borders. More specifically, the Bill proposes a 'white list' mechanism to prescribe countries with substantially similar privacy laws, in order to assist entities to assess whether to disclose personal information to an overseas recipient.

Currently, an APP entity (i.e. a private university or the Australian National University) must take reasonable steps to ensure that an overseas recipient complies with the APPs in relation to the personal information disclosed to it, and is accountable for any breach of the Privacy Act by that overseas recipient. However, if the APP entity reasonably believes that the recipient is subject to a substantially similar privacy regime, the APP entity is not accountable. In practice, this exception is rarely relied upon because of the difficulty of verifying that an overseas regime is equivalent.

The Bill will address this shortcoming by enabling the Government to prescribe equivalent privacy regimes through regulation. We await further clarification as to which countries will be included in the ‘white list’ – though it seems likely that the white list will not cover some jurisdictions that universities regularly work with or operate in.

This reform is a timely reminder for universities (particularly private universities) to review and update their policies and procedures around disclosing personal information to overseas recipients, and be ready to update these documents once the white list has been implemented.

Automated decision-making systems

The Bill recognises the privacy risks associated with automated decision-making (ADM) systems and proposes to address them by requiring APP entities (i.e. private universities and the Australian National University) that use ADM systems to update their privacy policies to expressly set out when personal information will be used by a computer program to make a decision that 'could reasonably be expected to significantly affect the rights or interests of an individual'. The requirement applies where the computer program makes the decision, or does a thing substantially or directly related to the making of the decision.

Essentially, even if there is a ‘human in the loop’ in the decision-making process, if the decision is substantially made or influenced by AI or another ADM system, this will need to be disclosed in the university's privacy policy.

Some examples of where the higher education sector may utilise ADM systems as part of their functions include decisions relating to staff benefits, selection of grant funding, commercialisation opportunities, and student intakes and performance.

Concluding remarks

The Bill represents a step towards enhancing privacy protections in Australia, albeit with a limited scope of immediate reforms. Universities that are not directly governed by the Privacy Act (that is, all universities other than private universities and the Australian National University) should remain vigilant and proactive in updating their privacy protocols to align with these changes, especially if they represent compliance with the Privacy Act in their policies or engage with entities that are subject to it.

In addition, universities that are APP entities (private universities and the Australian National University) should ensure their policies, procedures and contractual arrangements are robust and adaptable to these reforms, to mitigate risk and maintain the trust of their stakeholders.

As the legislative process unfolds, it is crucial for the higher education sector to stay informed and prepared for further developments, so that it can adapt quickly and efficiently to the reforms as they are enacted.

Please contact us to explore how the privacy reform may impact your organisation.

https://www.minterellison.com/articles/privacy-reforms-in-australias-higher-education-sector