On the road to privacy law reform


On Wednesday 23rd May the long awaited Privacy Amendment (Enhancing Privacy Protection) Bill 2012 was introduced to Parliament[1]. This marks a significant step forward in the process of privacy law reform that started more than 6 years ago, when the Australian Law Reform Commission was given the task of assessing the continuing efficacy of the Privacy Act 1988 (Cth).

Introduction

The highly anticipated Bill officially sets in motion amendment of the Privacy Act 1988 (Cth) (Act) to implement changes arising from recommendations in the ALRC’s 2008 report[2]. It represents “stage one” of reforms, addressing:

  • implementation of a unified set of Australian Privacy Principles (APPs) that apply to both the public and private sector;
  • modernisation of the credit reporting regime, including more comprehensive credit reporting;
  • new provisions on privacy codes and a credit reporting code;
  • clarification of the powers and functions of the Commissioner, with an improved ability to resolve complaints and promote privacy compliance; and
  • other consequential amendments.

Notably, the provisions regarding protection of health information that were also expected to be part of this first stage of reforms are not included. This may now form part of the second stage of reforms, which is expected to also address exemptions under the Act, serious data breach notifications and a potential statutory cause of action for serious invasion of privacy.

Definitions, definitions, definitions

The Bill introduces a number of new defined terms, and amends existing defined terms, in an attempt to address limitations and uncertainty around terms in the current Act.

Some of the key definitional amendments are set out below.

“Collects”: This new term reflects the concept in existing s16B of the Act, being that the personal information is collected for inclusion in a record or generally available publication.

“Consent”: This existing definition has been retained, but the Government encourages the Office of the Australian Information Commissioner (OAIC) to develop guidance about what is required for the purposes of the Act.

“De-identified”: This new definition is essentially the converse of “personal information”, i.e. information that is no longer about an identifiable individual or an individual who is reasonably identifiable.

“Generally available publication” and “record”: These terms have been amended to be more technology neutral and to include the concept of electronic forms and devices.

“Holds”: This new definition clarifies that personal information is “held” if it is in an entity’s possession or control.

“Personal information”: This key definition now refers to an “identified” or “reasonably identifiable” individual, rather than an individual whose identity is apparent or can reasonably be ascertained. The Explanatory Memorandum explains that this change is to ensure consistency with the international approach and is not intended to significantly change the scope of the definition. Again, the Government encourages the development of further guidance by the OAIC.

“Permitted general situation” and “permitted health situation”: These terms have been introduced to set out circumstances where collection, use or disclosure of certain types of information will not breach the APPs. They are broadly similar to the exceptions set out in the existing privacy principles, with some differences (e.g. new exceptions related to diplomatic or consular functions and the defence force).

“Sensitive information”: A new category has been inserted into this definition for biometric information (for the purposes of automated verification or identification) and biometric templates.

As can be seen, further guidance is needed from the OAIC on some definitions and also on what is considered a “primary purpose” for use and disclosure.

All for one and one for all - APPs

The APPs have been drafted on a principles-based level to allow flexibility in application. The APPs will appear in Schedule 1 of the Act, grouped into five parts that are intended to reflect the cycle of an entity’s information-handling, being:

  • consideration of personal information privacy;
  • collection of personal information;
  • dealing with personal information;
  • integrity of personal information; and
  • access to and correction of personal information.

We had a preview of the APPs when the exposure draft was released in June 2010 (summarised in a previous Corrs In Brief publication). The APPs included in the Bill are generally in line with what we saw from the exposure draft, and include concepts that we are familiar with from the existing privacy principles, with some notable differences.

We know that APP1 includes more prescriptive requirements for the contents of an entity’s privacy policy, and the requirement that it is made available in an appropriate form. The Bill contains a note recognising that a privacy policy will generally be made available on an entity’s website, implying that this is an appropriate form for the purpose of compliance with this principle.

APP3 on collection of personal information now distinguishes between agencies and organisations, with organisations only permitted to collect information that is “reasonably necessary” for their functions or activities (but not on the broader “or directly related to” ground that is afforded to agencies).

Of course, there has been much discussion already about some of the more significant or controversial changes (foreshadowed in the draft APPs), being:

  • a separate principle addressing unsolicited personal information (a significant change for the public sector, but arguably implied already for the private sector);
  • additional notification requirements at the time of collection, including if the personal information is likely to be disclosed to overseas recipients, and to which countries;
  • stricter direct marketing requirements for organisations, including the requirement to provide an easy opt-out for individuals; and
  • the increased accountability approach regarding cross-border disclosures. The Bill’s APP8, together with s16C, means that both agencies and organisations must take reasonable steps to ensure any overseas recipient does not breach the APPs (subject to certain exceptions), and will remain accountable for the acts of the overseas recipient. Importantly, this provision refers to “disclosure” rather than “transfer”, so it is about the broader concept of access to personal information and not just physical movement.

Remedies

Aside from the obvious reputational issues that accompany an entity breaching privacy obligations, the enforcement powers of the Commissioner under the existing Act may be considered fairly limited. In addition, there is a gap under the current Act: the Commissioner has no powers of remedy where the Commissioner undertakes their own investigation, only where an investigation is conducted as a result of a complaint.

The Bill addresses this gap, giving the Commissioner a range of declaration powers following self-initiated investigations that parallel the powers following complaint-initiated investigations. The Commissioner is also given the additional power to require an entity to complete a privacy impact assessment to check its compliance with the Act.

There are significant new civil penalty provisions in the Act, and the Commissioner can apply to the Courts for an order that an entity pay a pecuniary penalty. Most of the civil penalty provisions fall within the credit reporting provisions, but there is a new civil penalty provision that applies to serious or repeated interference with the privacy of an individual (which carries a penalty of $220,000). Whether and how often such measures will be applied remains to be seen.

But wait, there’s more

A new Part IIIB of the Act will enable codes to be developed to complement the APPs and prescribe how one or more of the APPs are to be applied to entities that are bound. Entities can develop an APP code of their own motion and request that it be registered, or may be requested to do so by the Commissioner. The Commissioner can also in some circumstances develop and register an APP code. A register of APP Codes will be kept on the Commissioner’s website, and entities must not breach a registered APP Code that binds them.

What’s next?

The progression of this Bill through Parliament will no doubt be followed with interest by many stakeholders; however, the timeframe to enactment is uncertain. Most of the substantive provisions have deferred commencement until 9 months after the Bill receives Royal Assent. It may be some time before entities will have to comply with the new privacy law requirements, but change will come, so it would be wise for all concerned to know what to expect and be ready for it.


An overview of the new credit reporting regime is available separately.


[1] Privacy Amendment (Enhancing Privacy Protection) Bill 2012; Explanatory Memorandum
[2] For Your Information: Australian Privacy Law and Practice (ALRC Report 108)


The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.

