Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth)

Proposed changes to the Privacy Act 1988 (Cth) (Privacy Act) have passed the House of Representatives and is now before the Senate for consideration.   The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Amendments) amends the Privacy Act by introducing:

  • a new definition of personal information;
  • the Australian Privacy Principles (APPs);
  • a more comprehensive credit reporting system;
  • new provisions on privacy and credit reporting codes; and
  • new powers for the Privacy Commissioner.

Changes to the definition of Personal Information

The current definition of Personal Information as contained in section 6 of the Privacy Act states that Personal Information is:

information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.’

The proposed definition of personal information as recommended by the Australian Law Reform Commission (ALRC) is as follows:

 ‘information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual’.

and

The Office of the Privacy Commissioner should develop and publish guidance on the meaning of ‘identified or reasonably identifiable’

What are the “APPs”?

The APPs will create a single set of privacy principles that will apply to both Commonwealth agencies and private sector organisations.  Previously, the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) applied to the public and private sectors respectively.

The APPs will set out standards, rights and obligations in relation to the:

  • handling and maintenance of information by APP entities;
  • Privacy Commissioners dealing with privacy policies;  and
  • collection, storage, use and disclosure of personal information.

The Bill amends the Privacy Act to create Schedule 1 which will contain the APPs grouped into five sets of principles as follows:

  • APP 1 and 2 – Principles that require APP entities to consider the privacy of personal information, including ensuring that APP entities manage personal information in an open and transparent way;
  • APP 3, 4 and 5 – Principles that deal with the collection of personal information, including unsolicited personal information.
  • APP 6, 7, 8 and 9 – Principles about how APP entities deal with personal information and government related identifiers, including principles about the use and disclosure (including cross-border disclosure) of personal information and identifiers.
  • APP 10 and 11 – Principles about the integrity, quality and security of personal information; and
  • APP 12 and 13 – Principles that deal with requests for access to, and correction of, personal information.

What new powers will the Privacy Commissioner have?

The Privacy Commissioner will have enhanced powers aimed to improve the Commissioners ability to:

  • resolve complaints;
  • conduct investigations; and
  • promote Privacy Act compliance.

Furthermore, the Privacy Commissioner will be able to apply to the Court for a civil penalty order against organisations for credit reporting breaches.  Penalties range from:

  • $2,200 to $220,000 – for an individual; and
  • $110,000 to $1.1 million – for a company.

What changes have been recommended by the Senate Committee?

The Senate Committee has largely endorsed the recommendations for the Amendments as passed by the House of Representative, however nine (9) further recommendations have been made regarding the APPs.  Two (2) of the most important relate to:

  • APP 7 (direct marketing); and
  • APP 8 (cross-border disclosure).

APP 7: Direct Marketing

The Senate Committee has made further recommendations to enable individuals to be able to opt out of direct marketing communications regardless of whether an individual would reasonably expect the communication.

APP 8: Cross-border disclosure

The Senate Committee has made further recommendations that require an organisation to inform an individual of the potential consequences of giving consent to disclose Personal Information to an overseas source.

Previously, an organisation could rely upon the ‘reasonable steps’ exception to ensure that an overseas recipient does not breach an APP.  However the Senate Committee recommendation has made clear that an organisation can still be held liable for a breach of an APP by an oversees recipient regardless of the ‘reasonable steps’ exception.

Conclusion

The effect of the proposed Amendments for companies is the potential need to update and change current systems.  This is particularly the case in relation to the way that current marketing and cross border data transfers are conducted.

Further information

If you need advice on the Privacy Act or for information on a Privacy Audit, please contact us for an obligation free and confidential discussion.

Disclaimer

This article contains general commentary only.  You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.

 

Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
Telephone: (07) 3221 0013

Facsimile: (07) 3221 0031
Mobile 0419 726 535
Twitter: @ITCorporatelaw
Google+

Dundas Lawyers
Street Address Suite 12, Level 9, 320 Adelaide Street Brisbane QLD 4001

Tel: 07 3221 0013

Send this to friend