Senate Committee's report on Australian privacy principles exposure draft released

Written by Tania Juric

The Senate Finance and Public Administration Legislation Committee (Senate Committee) has now released its report on the Exposure Draft of the new Australian Privacy Principles (APPs). The new APPs will form part of a new Privacy Act. This is the first of four parts to be released by the Senate Committee on the Australian Government's reforms to the Privacy Act 1988. The second part containing new credit reporting provisions and enhanced protections for the handling of credit reporting information is due to be released by the Senate Committee on 6 October 2011. Further parts to be released relate to health information and the functions and powers of the Australian Information Commissioner.

Key Recommendations of the Report

Some of the Key Recommendations of the Senate Committee in its Report are as follows:

  • The Department of the Prime Minister and Cabinet (Department) should reassess the draft APPs with a view to improving clarity through simpler terms.
  • The Office of the Australian Information Commissioner (OAIC) should develop guidance on the new definition of "personal information" and the meaning of "consent". ("Consent" is currently defined in the Privacy Act 1988 as express or implied consent.)
  • The Government and the OAIC should consider a transitional period for entities to fully comply with the new Privacy Act.
  • In relation to cross-border disclosure of personal information:
      (a) The Department should develop explanatory material to clarify the term "disclosure"; and
      (b) The OAIC should develop guidance on the types of contractual arrangements required to comply with APP 8. (See further below.)
  • In relation to security of personal information: Clarification should be provided regarding the meaning of the new term "interference". APP 11 provides that an entity must take such steps as are reasonable to protect personal information from misuse, "interference" and loss and from unauthorised access, modification or disclosure.
  • The OAIC should provide guidance on the meaning of "destruction" in relation to personal information that is no longer required, and on the appropriate methods of destroying that information.
  • The OAIC should develop guidance in relation to direct marketing to vulnerable people.
  • Clarification should be provided that a reasonable period of time in which an organisation must respond to a request for access to personal information would not usually be longer than 30 days and that access charges imposed by an organisation should not be more than is necessary to recoup costs incurred by the organisation.

Cross-border disclosure of Personal Information

Current National Privacy Principle 9 prohibits cross-border "transfers" of personal information unless an organisation falls under one of the listed exceptions. Corresponding new APP 8 allows for "disclosures" of personal information to an overseas recipient but renders the disclosing entity accountable for the overseas recipient's acts and practices unless the disclosing entity falls under a listed exception. The Government envisages that most Australian entities will have contractual arrangements to manage any increased liability and therefore the Senate Committee has called for guidance from the OAIC on these contractual arrangements as a matter of priority.

APP 8 is arguably wider than current NPP 9 as it is no longer limited to a "transfer" or cross-border movement of personal information but now covers a mere "disclosure" of personal information. Such a disclosure could occur when an overseas recipient accesses personal information, regardless of whether it is stored in Australia or elsewhere. The Government, however, has stated that disclosure should not be taken to have occurred in situations where information is securely routed through servers outside of Australia. It will therefore be important for entities to ensure the security of their information systems.

Senate Committee Conclusions

The Senate Committee has recommended that the structure of the APPs be simplified to improve clarity, but it is not expected that there will be significant redrafting of the APPs. However, it is likely that changes to entities' practices and policies will be required given the new requirements for privacy policies, which will enable individuals to access additional information. The Senate Committee acknowledges that in some instances the compliance burden on entities may increase; however, it is of the view that the benefits outweigh the compliance costs. Also, many principles include a "reasonableness" test for the matters or steps to be undertaken, and therefore the Senate Committee is of the view that entities will have sufficient flexibility in complying with the APPs.

What happens next?

The Senate Committee will report on all four parts of the Australian Government's reforms to the Privacy Act 1988. It is likely that some consequential changes will need to be made to the APPs in order to make it clear how each part interacts. Once the Senate Committee has reported on all four parts and any recommendations are taken into account, all parts will be consolidated to comprise a new Privacy Act.
