The Privacy Bill
Long-anticipated changes to privacy regulation in Australia have today been passed by both Houses of Parliament and are now only awaiting Royal Assent to become law.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Privacy Bill) contains substantial amendments to the Privacy Act 1988 (Privacy Act). Amendments include introducing a new set of Australian Privacy Principles (APPs), replacing current credit reporting provisions, and strengthening the investigative and regulatory powers of the Australian Information Commissioner.
Entities that collect or hold information in Australia will need to change their practices to comply with the Privacy Bill before its commencement in 15 months' time. Organisations affected by the changes will need to act promptly in amending their systems and procedures to meet this deadline.
Important changes to the collection and handling of personal information
The new APPs replace the existing National Privacy Principles and Information Privacy Principles (existing Principles), governing the collection, use, disclosure and maintenance of personal information by both public and private sector organisations. Among the important changes from the existing Principles are:
- APP 1 – Open and transparent management of personal information
- APP 4 – Dealing with unsolicited information
APP 4 regulates the receipt of information by organisations, requiring organisations to determine whether the information they receive from a third party could have been collected by them under APP 3. Information that does not meet these standards will generally need to be destroyed or de-identified.
- APP 5 – Notification of the collection of personal information
Existing notification requirements to individuals upon collection of their personal information will be expanded, with organisations required to disclose the circumstances in which they collected the information if not directly from the individual, whether they are likely to disclose the information overseas, and (if practicable) the location of any likely overseas disclosure.
- APP 8 – Cross-border disclosure of personal information
Under APP 8, before organisations may disclose personal information overseas, they must take reasonable steps to ensure that the recipient of the information does not breach the APPs. Importantly, although organisations that meet this requirement will be permitted to disclose information lawfully, they may still be held liable for any breach of the APPs by the recipient and be penalised. This includes situations where they have received a contractual assurance from the recipient that they will treat the information in accordance with the APPs. Organisations can escape liability for the acts of recipients if:
- the organisation reasonably believes that the recipient is subject to laws in its country that protect the information in a substantially similar way to the APPs, and that an individual affected by a breach is able to access that justice system (this may be a difficult threshold to meet)
- the organisation expressly informs the individual that their information will be disclosed overseas, and the individual consents to that disclosure in the knowledge that the organisation will not be held liable for any breaches
- the disclosure is required by law, or a "permitted general situation" applies.
These changes are significant for organisations that currently rely on the exceptions in the Privacy Act permitting overseas disclosures that are subject to a contract – organisations will still be permitted to disclose information in this situation, but may find themselves held liable for breaches outside their control. They also raise the standard of consent required from individuals, meaning that organisations that have relied on individuals' consent may need to review and re-write their consent clauses and options to be protected from sanction under the Privacy Act.
Important changes to powers of the Australian Privacy Commissioner
The amendments also vest additional powers in the Australian Privacy Commissioner. The most important of these is the power to apply to the Federal Magistrates Court or Federal Court of Australia for a penalty of up to A$1.7 million in respect of a corporation where the Australian Privacy Commissioner alleges that the corporation has breached a civil penalty provision. This includes engaging in an act or practice that is a "serious" or repeated interference with an individual's privacy, or breach of credit reporting provisions. The Australian Privacy Commissioner is also empowered to accept written undertakings from entities, and to apply to a Court to enforce these or to order that compensation be paid.
The Australian Privacy Commissioner's powers of investigation have also been strengthened, with the Australian Privacy Commissioner now empowered to conduct own motion investigations regarding a possible breach of any of the APPs ie without a complaint having been made.
Important changes to collection and disclosure of credit information
The Privacy Bill contains a complete overhaul of the law regulating the collection, use and disclosure of information regarding the credit histories and credit ratings of customers. It permits organisations and credit reporting agencies to collect not only "negative" information that they have been able to collect until now (such as a customer's current credit providers, default history and prior credit applications), but also "positive" credit information. This includes more comprehensive information such as the dates on which credit accounts were opened and closed, current credit limits, and repayment history information. These changes will allow organisations to more comprehensively judge the credit-worthiness of customers. However, organisations will need to review their existing processes and be vigilant about the disclosure of credit information, as there are a range of restrictions which will be placed on the use and disclosure of credit information (including as to its use or disclosure overseas).
Our teams have a wealth of experience assisting organisations with respect to their privacy obligations. Please contact us if you want to discuss these implications further.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.