Vulnerable Australians need better data protection following recent major breaches, a sweeping review of privacy legislation has found.
Enhanced guidelines on data destruction, boosted reporting obligations for breaches, new penalties and new powers for the information commissioner are among 116 proposals the report makes.
Attorney-General Mark Dreyfus commissioned the Privacy Act review shortly after taking office last year, while the government increased penalties for serious breaches following the Optus attack in 2022, which exposed the personal details of customers.
"Strong privacy laws are essential to Australians' trust and confidence in the digital economy and digital services provided by governments and industry," Mr Dreyfus said in a statement.
"The Privacy Act has not kept pace with the changes in the digital world. The large-scale data breaches of 2022 were distressing for millions of Australians, with sensitive personal information being exposed to the risk of identity fraud and scams."
The review, which says its proposals are intended to bring Australia's protection laws in line with global standards, noted "considerable confusion" from stakeholders about what personal information legislation covers.
It proposes better guidelines for what steps should be taken to destroy and de-identify stored data, adding that entities should periodically review how long they are retaining data.
It also calls for further review of surrounding laws as to what personal data needs to be retained, to see if they correctly balance privacy risks with other objectives.
New reporting obligations would require the Information Commissioner to be told about a breach within three days of it happening.
The commissioner would also have stronger powers for public investigations and determinations, along with stiffer civil penalties.
Mr Dreyfus, who received the report on Wednesday, said it was the latest sign the government was taking data protection seriously.
"Following those breaches the government acted swiftly to significantly increase penalties under the Privacy Act for serious or repeated privacy breaches and give the Australian Information Commissioner improved and new powers," he said.
"The Australian people rightly expect greater protections, transparency and control over their personal information and the release of this report begins the process of delivering on those expectations."