Privacy Act reforms affect privacy policies and practices – Bill tabled by Australian Government

The amendments represent the first of two stages of reforms and, if passed, will come into effect nine months after the amendments receive royal assent. The lengthy amendments (236 pages) in the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 are the Government's response to a detailed report by the Australian Law Reform Commission which made nearly 300 recommendations.

The major amendments contained in the Bill are in four main areas:

New Australian Privacy Principles

The existing National Privacy Principles (NPPs) covering the private sector and the Information Privacy Principles (IPPs) covering Commonwealth public sector agencies will be replaced by a single set of principles called the Australian Privacy Principles (APPs). The number of principles for the private sector has expanded from 10 to 13.

New requirements under the APPs include a longer list of matters that should be dealt with in privacy policies. In addition, privacy policies must be kept up-to-date and a guidance note in the Bill suggests that privacy policies should be published on each organisation's website.

Since the APPs are at the core of privacy obligations, all organisations will need to review the APPs with care.

New credit reporting provisions

The credit reporting provisions of the Privacy Act will be entirely replaced and a new Credit Reporting Code will be introduced (called the CR Code). The new provisions are based on the APPs, with modifications intended to allow for necessary activities of the credit reporting industry. The Government notes that Australia's consumer credit totalled A$1.113 trillion in 2008 and that credit reporting is dominated by three main credit reporting agencies, storing credit records on millions of Australians.

Credit reporting agencies will be allowed to deal with five new kinds of personal information including the date on which a credit account was opened, the current limit of each credit account and the individual's repayment history. Credit providers will therefore have access to additional information with which to assess customers and credit risks. This is balanced by amended obligations relating to matters such as data quality, access and correction, and complaints.

Privacy codes

The Bill provides for the creation of new codes of practice dealing with the APPs and a specific code dealing with credit reporting. APP Codes are intended to supplement the APPs by providing additional requirements about the management of personal information. The Information Commissioner can request the development of an APP Code (usually to apply to an industry sector or group), and may impose an APP Code if that is not done. Once an APP Code is registered, it becomes binding.

The CR Code will be created through a similar process. It will bind all credit reporting agencies and set out which credit providers should also be bound (typically an industry sector such as mortgage insurers). When finalised, the CR Code will become binding and a breach of the CR Code will be a breach of the Privacy Act.

Enhanced powers of the Information Commissioner

The powers of the Information Commissioner have been clarified in some areas and increased in others. The Commissioner may now conduct monitoring and assessment of information held by organisations, particularly to check that information is not being used or disclosed improperly.

The amendments also allow the Information Commissioner to officially recognise particular external dispute resolution schemes in order to resolve complaints about interferences with privacy and other practices. The intention is to streamline the resolution of complaints, without requiring the involvement of either the Information Commissioner or the courts. Of course, both remain available.

In respect of breaches of the Privacy Act, the Information Commissioner can accept enforceable undertakings from organisations. If those undertakings are breached, the Information Commissioner can enforce them in the Federal Court or the Federal Magistrates Court. These powers and procedures are similar to those used by other regulators such as the Australian Communications and Media Authority (ACMA) under legislation such as the Spam Act and the Do Not Call Register Act.

Conclusion

Once the amendments are passed, Australian organisations – in both private and public sectors – will have nine months to ensure that their privacy policies and privacy practices comply with the changed requirements of the Privacy Act. Organisations that hold substantial amounts of personal information should monitor the progress of the Bill carefully in order to plan the process of updating their policies and practices.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
