The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Bill) was introduced into the Australian Parliament on 23 May 2012. The Bill implements the major legislative elements of the Australian Government's first-stage response to the Australian Law Reform Commission report, For Your Information: Australian Privacy Law and Practice. Previously, the Government had released exposure drafts of legislation to implement that response, including an exposure draft of new Australian Privacy Principles.
The key amendments the Bill introduces to the Privacy Act 1988 (Cth) (Privacy Act) are as follows:
- repeal of the National Privacy Principles for the private sector and Information Privacy Principles for the public sector, which are replaced by a single set of 13 Australian Privacy Principles (APPs) that will be applicable to both Commonwealth agencies and private sector organisations (known as APP entities). The APPs broadly follow the form and content of the exposure draft APPs, but contain a number of changes;
- expanding the powers of the Commissioner with respect to investigations, resolution of complaints and increased powers regarding the assessment of an APP entity's privacy compliance;
- more comprehensive credit reporting with improved privacy protections for individuals. The existing credit reporting provisions in Part IIIA of the Privacy Act 1988 will be repealed and replaced by an updated, modernised and more comprehensive credit reporting framework;
- introducing new provisions on privacy codes and the credit reporting code, including powers for the Commissioner to develop and register codes in the public interest that are binding on specified agencies and organisations.
The APPs expand the protections afforded to individuals regarding their personal information, and include additional obligations in relation to the collection, handling and maintenance of personal information by APP entities. Significant changes include:
- sensitive information may (subject to certain exceptions) only be collected by an organisation if the individual has consented to the collection and the information is reasonably necessary for one or more of the entity's functions or activities;
- extending privacy obligations specifically to unsolicited information including a requirement to destroy or de-identify unsolicited information if the organisation could not have validly collected such information under the applicable APPs;
- prohibiting the use of personal information for direct marketing purposes unless specific exceptions apply; and
- changes to how personal information may be sent outside of Australia, including a general obligation on APP entities, before disclosing personal information to an overseas recipient, to take reasonable steps to ensure the overseas recipient does not breach the APPs (subject to specified exceptions). If personal information is disclosed by an APP entity to an overseas recipient and that recipient does an act, or engages in a practice, in relation to that information which would be a breach of the APPs, then (unless a specified exception applies) the Australian entity is taken to have engaged in such activity in breach of the APPs.
The above is a selected list of changes only. Readers should refer to the Bill for a complete understanding of all of the changes which will be implemented by the APPs.
According to the Explanatory Memorandum to the Bill "the purpose of the credit reporting system is to balance an individual's interests in protecting their personal information with the need to ensure sufficient personal information is available to assist a credit provider to determine an individual's eligibility for credit following an application for credit by an individual..."
The new credit reporting regime aims to:
- provide increased consumer rights and protections by including the ability of individuals to better access and correct their personal credit information and lodge complaints directly with the Commissioner;
- give credit providers access to additional personal information to assist them in establishing an individual's credit worthiness;
- place increased responsibility on organisations that hold credit information to justify disputed credit listings; and
- achieve consistency with the recent national reforms to consumer credit laws.
A significant feature of the proposed reforms is the additional data that may be exchanged between credit providers and credit reporting agencies including the date a credit account was opened, the type of credit account opened, the date the credit account was closed, the current limit of each open credit account and repayment performance history about the individual. The additional data will allow credit providers to make more informed decisions on individuals' credit worthiness, therefore enhancing credit risk systems.
The Bill allows for the replacement of existing privacy codes and the Credit Reporting Code of Conduct. A new credit reporting code, to be called the "CR Code" will set out how the credit reporting provisions are to be applied or complied with, and must deal with matters required or permitted by Part IIIA of the Privacy Act as well as any other specified matters.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.