30 May 2012
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth):
- contains new Australian Privacy Principles (APPs)
- implements more comprehensive credit reporting provisions
- introduces a revised regime for privacy codes and credit reporting codes
- increases the power of the Commissioner to determine complaints.
Businesses need to become familiar with the proposed changes and consider how the changes may impact on their privacy policies and procedures.
On 23 May 2012, a Bill containing long awaited amendments to the Privacy Act 1988 (Cth) was finally tabled in the House of Representatives.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 contains amendments implementing the Government's first stage response to recommendations first proposed by the Australian Law Reform Commission (ALRC) in 2007.
The Bill contains new Australian Privacy Principles (APPs), implements more comprehensive credit reporting provisions, introduces a revised regime for privacy codes and credit reporting codes and increases the power of the Commissioner to determine complaints.
The key milestones in the protracted reform process have been as follows:
- in January 2006, the adequacy of Australia's existing privacy laws was referred to the ALRC;
- the ALRC released an interim report in September 2007, followed by a final report in August 2008;
- the Australian Government released an exposure draft of new privacy principles in June 2010, to be known as the Australian Privacy Principles (APPs);
- in January 2011, the Government released an exposure draft of legislation containing provisions dealing with the collection, use and disclosure of information for credit reporting purposes;
- both Government responses were referred to the Senate Finance and Public Administration Committee for consideration;
- in June 2011, the Senate Committee published 29 recommendations on the Government's exposure draft of the Australian Privacy Principles;
- in October 2011, the Senate Committee published 30 recommendations on the Government's response to the draft credit reporting provisions;
- on 14 May 2012, the Australian Government responded to the Senate Committee's recommendations;
- on 23 May 2012, a Bill implementing the first round of reforms was tabled in the House of Representatives.
Structure of the Bill
The substantive elements of the legislation are contained in six schedules, namely:
- Schedule 1 – Australian Privacy Principles;
- Schedule 2 – Credit Reporting;
- Schedule 3 – Privacy Codes;
- Schedule 4 – Other Amendments to the Privacy Act;
- Schedule 5 – Amendment of Other Acts;
- Schedule 6 – Application, transitional and savings provisions.
Some key concepts
Some of the key changes introduced by the APPs, apart from the creation of a single set of Privacy Principles, include:
- an amended definition of "Personal Information" reflects the ALRC recommendations by introducing a degree of flexibility and technology-neutrality. Specifically, the definition provides:
Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
a. whether the information or opinion is true or not; and
b. whether the information or opinion is recorded in a material form or not;
- the term "Consent" continues to be defined as simply meaning "expressed consent or implied consent". The Explanatory Memorandum encourages the development and publication of appropriate guidance by the Commissioner about what is required of agencies and organisations to obtain an individual's consent for the purposes of the Act;
- the definition of "Sensitive Information", which has always been afforded a higher level of protection in the private sector, is amended slightly but, more significantly, the restrictions on the collection and use of sensitive information will now be binding upon public sector agencies;
- the various existing exemptions, some of which have proved contentious (such as the small business exemption and the employment records exemption), are unaffected by the Bill.
Structure of the APPs
As recommended by the ALRC, the Bill amalgamates and refines the existing Information Privacy Principles and National Privacy Principles to create a single set of principles, to be known as the Australian Privacy Principles, which regulate Commonwealth agencies and private sector organisations. The APPs are contained in five parts:
- Part 1 – Principles dealing with the management of personal information (APP 1, APP 2);
- Part 2 – Principles dealing with the collection of personal information (APP 3, APP 4, APP 5);
- Part 3 – Principles dealing with the use and disclosure of personal information (including direct marketing and cross-border disclosure) (APP 6, APP 7, APP 8, APP 9);
- Part 4 – Principles dealing with the integrity, quality and security of personal information (APP 10, APP 11);
- Part 5 – Principles dealing with requests for access to, and correction of, personal information (APP 12, APP 13).
Section 16A creates the concept of a "permitted general situation" which stipulates, in a positive sense, certain activities in which an entity might engage which will be deemed not to breach the privacy of an individual.
Various "permitted general situations" are listed in a table, and include the use of personal information for the purpose of preventing a serious threat to life, health or safety, circumstances involving suspected unlawful activity or misconduct of a serious nature, assisting in the location of a missing person, establishing or defending a legal claim, engaging in a confidential alternative dispute resolution process, exercising a diplomatic or consular function and, in the case of the Defence Force, purposes associated with warlike operations, peacekeeping or humanitarian assistance.
Key APP provisions
The approach adopted by the draft APPs reflects, amongst other issues, the following points, which require special note:
- APP 1.2 introduces a positive obligation to implement practices and procedures relating to an entity's functions to ensure compliance with the APPs, and the Explanatory Memorandum states that this may include staff training, establishing procedures to receive and respond to complaints and enquiries, developing information to explain an entity's policies and procedures, and establishing procedures to identify and manage privacy risks and compliance issues;
- APP 2 introduces a new right of an individual to deal with an entity through the use of a pseudonym;
- APP 3 restates the existing principle that personal information may only be collected where it is reasonably necessary for an entity to pursue a legitimate function, the Explanatory Memorandum emphasising that personal information cannot be collected on the "off chance that it may become necessary for one of its functions or activities in the future, or that it may be merely helpful";
- APP 4 provides that unsolicited personal information must be afforded the same privacy protection as solicited personal information;
- APP 5 requires that an individual must be made aware of how and why personal information is, or will be, collected and how it will be dealt with by an entity;
- APP 6 reflects the existing IPPs 10 and 11 and NPPs 2 and 10 with respect to the use or disclosure of personal information, the Explanatory Memorandum anticipating that the Commissioner will develop specific guidance about the meaning of the "primary purpose" of collection;
- APP 7 deals with direct marketing, broadly prohibiting direct marketing by private sector organisations (subject to certain exceptions) while broadly permitting direct marketing by government agencies (on the basis that it is important for them to retain the ability to communicate legitimate and important information to individuals);
- APP 8 extends cross-border data flow restrictions to the public sector for the first time. Significantly, the Principle purports to follow the "accountability approach" favoured by the APEC Privacy Framework as opposed to the "adequacy approach" adopted in the European Union. Whereas the existing NPP 9 prohibits cross-border disclosure unless adequate safeguards are in place, the new APP 8 permits cross-border disclosure but the discloser remains accountable for ensuring that the data is handled overseas in accordance with the provisions of the Act. APP 8 does not apply to the overseas internal disclosure of personal information within a single entity, but it does apply if personal information is sent to a related body corporate outside of Australia (notwithstanding the general exemption relating to the transfer of personal information between related bodies corporate). There is no express reference to a need to obtain a contractual commitment from an overseas recipient to comply with the APPs; rather, the discloser is required to take reasonable steps to ensure compliance with the APPs, and the Explanatory Memorandum acknowledges that this would normally involve an entity entering into a contractual relationship with the overseas recipient;
- APP 9 restricts the use of government related identifiers by the private sector, thus continuing the philosophy enshrined in the existing legislation which seeks to avoid government related identifiers becoming universal identifiers;
- APP 10 requires an entity to take reasonable steps to preserve the quality of stored personal information (that is, ensuring that it is accurate, up to date and complete);
- APP 11 requires an entity to take reasonable steps to preserve the security of personal information;
- APP 12 entitles an individual to obtain access to personal information held by an entity upon request, subject to specific exceptions; and
- APP 13 imposes an obligation on an entity to take reasonable steps to correct personal information if it is satisfied that the information is inaccurate, out of date, incomplete, irrelevant or misleading.
Credit reporting
Schedule 2 amends the Credit Reporting provisions which were inserted into the Privacy Act 1988 under Part IIIA in 1991. Consistent with the ALRC's recommendations, the Bill permits more comprehensive credit reporting processes. Additional types of information may be incorporated into credit reports, namely:
- the date a credit account was opened;
- the type of credit account opened;
- the date the credit account was closed;
- the current limit of each open credit account;
- repayment performance history about the individual (available only to credit providers who are licensees under Chapter 3 of the National Consumer Credit Protection Act and, under limited circumstances, to mortgage insurers for mortgage insurance purposes).
The philosophy underpinning the expansion of personal information available to credit providers is to help prevent over-indebtedness and to lower credit default rates amongst individuals.
The Explanatory Memorandum emphasises that there are additional consumer protections created by enhanced obligations and processes dealing with notification, data quality, access and correction, and complaints.
Small businesses, which remain broadly exempt from the legislation, will be bound by the CR Code if they elect to participate in the credit reporting system.
Privacy codes
Schedule 3 introduces a new Part IIIB dealing with Codes of Practice, known as either APP Codes or a CR (credit reporting) Code.
An APP Code may be developed by an entity which can then seek registration of the code by the Commissioner. The Commissioner may also develop an APP Code if an entity has failed to comply with a previous request by the Commissioner to develop a code or if the Commissioner declines to register a requested APP Code. APP Codes do not replace the APPs but supplement them, and a breach of a registered APP Code is deemed to be an interference with privacy.
The CR Code will set out how one or more of the credit reporting provisions are to be applied or complied with. It will bind all credit reporting agencies. A breach of the registered CR Code will be an interference with privacy for the purposes of section 13.
Other amendments to the Act
Schedule 4 reforms the functions and powers of the Commissioner, improving the Commissioner's ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations.
Specifically, the Bill provides the Commissioner with, amongst other things, the ability to assess an entity's handling of personal information, recognise external dispute resolution schemes and deal with the conciliation of complaints.
Schedule 4 also amends section 5B of the Act which deals with extra-territoriality, extending the extra-territorial operation of the Act to organisations and small businesses with an Australian link.
Compatibility with human rights
In accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011, a Statement of Compatibility with Human Rights was prepared and tabled. The Statement concluded that:
The Bill is compatible with human rights because it advances the protection of human rights, primarily protection against arbitrary interference with privacy, and, to the extent that it may also limit other human rights, those limitations are reasonable and proportionate.
For further information, please contact:
Gordon Hughes, Partner, Ashurst
Tim Brookes, Partner, Ashurst