Proposed changes to the Privacy Act 1988 (Cth) (Privacy Act) have passed the House of Representatives and is now before the Senate for consideration. The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Amendments) amends the Privacy Act by introducing:
- a new definition of personal information;
- the Australian Privacy Principles (APPs);
- a more comprehensive credit reporting system;
- new provisions on privacy and credit reporting codes; and
- new powers for the Privacy Commissioner.
Changes to the definition of Personal Information
The current definition of Personal Information as contained in section 6 of the Privacy Act states that Personal Information is:
‘information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.’
The proposed definition of personal information as recommended by the Australian Law Reform Commission (ALRC) is as follows:
‘information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual’.
and
The Office of the Privacy Commissioner should develop and publish guidance on the meaning of ‘identified or reasonably identifiable’.
What are the “APPs”?
The APPs will create a single set of privacy principles that will apply to both Commonwealth agencies and private sector organisations. Previously, the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) applied to the public and private sectors respectively.
The APPs will set out standards, rights and obligations in relation to the:
- handling and maintenance of information by APP entities;
- Privacy Commissioners dealing with privacy policies; and
- collection, storage, use and disclosure of personal information.
The Bill amends the Privacy Act to create Schedule 1 which will contain the APPs grouped into five sets of principles as follows:
- APP 1 and 2 – Principles that require APP entities to consider the privacy of personal information, including ensuring that APP entities manage personal information in an open and transparent way;
- APP 3, 4 and 5 – Principles that deal with the collection of personal information, including unsolicited personal information.
- APP 6, 7, 8 and 9 – Principles about how APP entities deal with personal information and government related identifiers, including principles about the use and disclosure (including cross-border disclosure) of personal information and identifiers.
- APP 10 and 11 – Principles about the integrity, quality and security of personal information; and
- APP 12 and 13 – Principles that deal with requests for access to, and correction of, personal information.
What new powers will the Privacy Commissioner have?
The Privacy Commissioner will have enhanced powers aimed to improve the Commissioners ability to:
- resolve complaints;
- conduct investigations; and
- promote Privacy Act compliance.
Furthermore, the Privacy Commissioner will be able to apply to the Court for a civil penalty order against organisations for credit reporting breaches. Penalties range from:
- $2,200 to $220,000 – for an individual; and
- $110,000 to $1.1 million – for a company.
What changes have been recommended by the Senate Committee?
The Senate Committee has largely endorsed the recommendations for the Amendments as passed by the House of Representative, however nine (9) further recommendations have been made regarding the APPs. Two (2) of the most important relate to:
- APP 7 (direct marketing); and
- APP 8 (cross-border disclosure).
APP 7: Direct Marketing
The Senate Committee has made further recommendations to enable individuals to be able to opt out of direct marketing communications regardless of whether an individual would reasonably expect the communication.
APP 8: Cross-border disclosure
The Senate Committee has made further recommendations that require an organisation to inform an individual of the potential consequences of giving consent to disclose Personal Information to an overseas source.
Previously, an organisation could rely upon the ‘reasonable steps’ exception to ensure that an overseas recipient does not breach an APP. However the Senate Committee recommendation has made clear that an organisation can still be held liable for a breach of an APP by an oversees recipient regardless of the ‘reasonable steps’ exception.
Conclusion
The effect of the proposed Amendments for companies is the potential need to update and change current systems. This is particularly the case in relation to the way that current marketing and cross border data transfers are conducted.
Further information
If you need advice on the Privacy Act or for information on a Privacy Audit, contact us for a confidential and obligation-free discussion:
Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
T: +61 7 3221 0013 (preferred)
M: +61 419 726 535
E: mburrows@dundaslawyers.com.au
Disclaimer
This article contains general commentary only. You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.
Related insights on privacy law compliance and APP
-
Privacy Act amended to increase penalties up to $50 million
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) was passed by both Houses of Parliament on the 28 November 2022 and now awaits Royal Assent. The Bill was passed with virtually no amendment.
-
What should APP Entities include in a data destruction policy?
This article summarises the Australian Privacy Principles (APPs) and the importance of having a data destruction policy (DDP) in place. It outlines the steps to take when destroying or deidentifying personal and sensitive information, and the consequences of not doing so.
-
Uber breaches Australian privacy laws
This article provides an overview of interesting decisions of Australian Courts in Corporate Law, Technology Law and Intellectual Property. With cases on Trade Marks, Copyright, Defamation, Negligence, Joint Ventures and Confidential Information, it is an invaluable resource for anyone interested in these areas.
-
International companies can be bound by Australian privacy laws
Australian Intelligence Community (AIC) Commissioner Falk determined how the Office of the Australian Information Commissioner (OAIC) will assess if international entities have an Australian Link to Privacy Act 1988 (Cth).
-
Are your privacy practices compliant with the amended Privacy Act 1988 (Cth)?
Organisations must act ensure compliance with the Privacy Act 1988 (Cth) reforms. Learn more about the thirteen new Australian Privacy Principles (APP’s) the penalties for non-compliance, and the steps you can take to protect your business.
