The collection, use and storage of personal information by Government Agencies and private sector organisations will change as a result of the passing of recent amendments to the Privacy Act 1988 (Cth).[1] Consequently these entities will now need to carefully consider their existing arrangements and those currently under negotiation to ensure compliance by March 2014. Non-compliance has been addressed by reforms providing increased powers to the Privacy Commissioner and civil penalties of up to $1.1 million for an offence involving 'serious or repeated interference with the privacy of an individual' by a body corporate.
On 29 November 2012, the Federal Parliament passed the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Bill). The Bill amends the Privacy Act 1988 (Cth) and represents the Government's first stage response to 197 of 295 recommendations identified in the Australian Law Reform Commission Report (ALRC Report) No. 108 released four years ago.
The remaining 98 recommendations will form the Government's second stage response.[2]
Apart from amending the Privacy Act 1988 (Cth) the reforms extend to a plethora of other Acts and Codes (for example, the Freedom of Information Act 1982 (Cth), the Telecommunications Act 1997 (Cth) and the Crimes Act 1914 (Qld)).
What are the amendments to the Privacy Act?
The list below deals with the amendments to the Act that we consider to be most relevant to our clients and the industries in which they operate.
- Australian Privacy Principles: It's a case of 'out with the old and in with the new' in the context of Privacy Principles. The Information Privacy Principles (IPP) for the public sector and the National Privacy Principles (NPP) for the private sector will be collectively replaced by the Australian Privacy Principles (APPs). The end result is one set of Privacy Principles for all sectors that deal with the collection, storage, security, use, disclosure and quality of personal information. We note the following APPs:
- APP 7 - restricts the use or disclosure of personal information for direct marketing (unless one of the exceptions applies). Exceptions to this APP include:
- Personal information other than sensitive information which has been collected from an individual or a third party – where an individual would reasonably expect the information collected to be used for direct marketing purposes and the individual has not opted out; and
- Contracted service providers for the Commonwealth - if the organisation is a contracted service provider for the Commonwealth, that organisation may use or disclose personal information for the purpose of direct marketing if the organisation collected the information for the purpose of meeting (directly or indirectly) an obligation under the contract and the use or disclosure is necessary to meet (directly or indirectly) such an obligation.
- APP 8 - disclosure of personal information off-shore
This APP now brings into the net Commonwealth Agencies in addition to organisations. The APP permits the disclosure (as opposed to the transfer) of personal information and ensures that any personal information disclosed overseas is subject to the Privacy Act 1988 (Cth).
If personal information is sent to a 'related body corporate' outside of Australia, this APP will apply. However, the intention of the APP is not to apply where personal information is routed through servers outside of Australia.
Conversely, if a third party accessed the personal information on a server located outside of Australia, this would constitute a disclosure (and breach by the organisation that provided the personal information to the overseas third party) for the purpose of the APP. In this regard, to ease an organisation's compliance and risk management burden there are a number of exceptions. For example:
- Where the organisation has a 'reasonable belief' that the overseas recipient is subject to legal or binding obligations to protect personal information in at least a substantially similar way to the protection provided by the APPs; or
- If the disclosure is required or authorised by law.
- Credit Reporting: Australia is moving away from a 'negative reporting system' to a 'positive' or 'comprehensive credit reporting' system for credit reporting purposes. This means additional credit history information about an individual will become available to the credit reporting industry. This 'positive' information includes additional information about an individual's ongoing credit arrangements (ie, maximum credit limit and type of credit). In addition this information extends to an individual's repayment history over two years (which is subject to exceptions). The interaction of the APP with the new credit reporting code will be expressly stated throughout the Act. In most cases, the credit reporting provision will replace the relevant APP.
- Interaction with Other Acts: Some of the general provisions under the APPs will be displaced by the specific provisions already dealt with under other Acts, for example the Spam Act 2003 (Cth) and the Do Not Call Register 2006 (Cth).
- Increased Commissioner Powers: The Commissioner may now conduct an assessment on a range of matters relating to an APP. The Commissioner may also apply to the Federal Court or the Federal Magistrates Court for an order that an entity has contravened a civil penalty provision and must pay the Commonwealth a pecuniary penalty. The maximum penalty for a body corporate for serious and repeated interferences with privacy is up to $1.1 million.
New section 13G has been inserted which deals with the concept of a 'serious breach or repeated interferences' with the privacy of an individual. Although not expressly defined, the Explanatory Memorandum to the Bill provides that the ordinary meaning of 'serious' and 'repeated interference' will apply. To assist Commonwealth Agencies and private sector organisations, the Office of the Australian Information Commissioner will publish guidelines listing the criteria on which a decision to pursue a civil penalty will be made, which will hopefully provide further clarity as to the meaning of these concepts.
When will the amendments apply?
The key privacy provisions will not apply until 15 months after Royal Assent. As Royal Assent is expected to occur shortly, it seems likely these provisions will apply from March 2014. This will ensure the ICT industry and the Australian Information Commissioner have sufficient time to revise and implement changes to their systems and processes, and draft relevant guidelines and the new Credit Reporting Code of Conduct respectively.
The remaining provisions will apply from the day the Act receives Royal Assent. These provisions mostly deal with the commencement date, transitional provisions and legislative references to other Acts amended by the reforms.
We recommend you plan ahead to ensure your business efficiently complies with the reforms. A benefit of planning early can be the cost savings at the contract negotiation or renewal stages where you are considering contracting with a party for a term spanning over March 2014. Further, early compliance is now highly recommended given the increased powers of the Commissioner and the significant civil penalties payable in the event of a breach.
How can we help you?
Our team can proactively assist you to:
- Whether the personal information you collect may or should be collected (ie, is it reasonably necessary for a particular purpose?)
- How will you ensure the personal information is maintained in a secure environment?
- What information is available to you regarding the regulatory privacy framework of overseas jurisdictions in which your clients'/customers' personal information is stored?
- What is your retention policy? (ie, how long will you keep personal information before destroying or de-identifying it and how will you do this?);
- Draft revised privacy policies, customer consents, disclosure statements and direct marketing materials to ensure they conform with the Act;
- Prepare staff training and/or privacy and data protection process manuals (to ensure risks are identified and resolved before it's too late);
- Educate your staff about the reforms (including the consequences of a breach);
- Implement a privacy self-audit program, including conducting an initial Privacy Impact Assessment of current business processes; and
- Review agreements (eg, outsourcing or cloud computing) where personal information will be held off-shore.
[1] Explanatory Memorandum – Privacy Amendment (Enhancing Privacy Protection) Bill 2012, Addendum to the Explanatory Memorandum – Privacy Amendment (Enhancing Privacy Protection) Bill 2012 and Supplementary Explanatory Memorandum – Privacy Amendment (Enhancing Privacy Protection) Bill 2012.
[2] No release date has been communicated at the time of writing.