On 29 November 2012, the Australian Parliament completed the first stage of a reform process initiated in early 2006 by passing the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Bill). The new provisions will commence 15 months after Royal Assent, which is not expected to be before March 2014. However, in view of the strengthened powers the new legislation confers on the Privacy Commissioner, and the possible monetary penalties of up to $1.1 million for a breach, organisations and businesses should start reviewing their policies, practices and processes as soon as possible to ensure they will be ready to comply with the enhanced privacy protection regime under the amended Privacy Act.
We outline below the main features of the new legislation and refer to the comments we made on the Bill after its introduction to Parliament in the June 2012 issue of Acumen (see Christine Ecob and Tania Juric, 'Privacy Act gets a Revamp') for the details. The principal changes from the original Bill concern the extension of the implementation period from 9 to 15 months after Royal Assent, a narrowing of the obligation to allow individuals to deal with an APP entity under a pseudonym so that it applies only where it is practicable for the entity to do so, and changes to the credit reporting provisions.
Currently, two sets of privacy principles co-exist: the Information Privacy Principles (IPPs), which apply to Federal government agencies, and the National Privacy Principles (NPPs), which govern the handling of personal information by private sector entities (organisations). The IPPs and NPPs will be replaced by a single set of privacy principles, the Australian Privacy Principles (APPs). Contained in a new Schedule 1 of the Privacy Act, the APPs will apply to both agencies and organisations (together, APP entities). While many of the 13 APPs are based on the existing IPPs and/or NPPs, there are some notable changes, including:
APP 1.4 contains a list of items that an APP entity's privacy policy must contain. This includes the type of information collected, the manner of collecting and holding personal information, as well as complaint mechanisms. The list is not exhaustive, so covering the items specified in it will not necessarily mean that your privacy policy complies with the legislative requirements.
Under the current regime, the transfer of personal information by an organisation in Australia to a third party located in a foreign country is prohibited unless an exception under NPP 9 is met, for example where the individual consents to the transfer or where the recipient is subject to obligations similar to those under the NPPs in relation to the handling of personal information. The new regime shifts the focus from 'transfer' to 'disclosure' of personal information. APP 8.1 removes the existing prohibition but imposes a positive obligation on an APP entity, before it discloses personal information to an overseas recipient, to take such steps as are reasonable in the circumstances to ensure that the recipient does not breach APPs 2 to 13 in relation to that information. The APP entity will itself be liable for breaches by the overseas recipient. Exceptions to APP 8.1 apply, such as where the individual consents to the disclosure after having been expressly informed that APP 8.1 will not apply if consent is given.
The new Privacy Act will strengthen the enforcement powers and functions of the Privacy Commissioner, including the ability to:
In a media release published after the passing of the Bill, the Privacy Commissioner Timothy Pilgrim set the tone by stating: 'While I will continue to work with agencies and businesses to help them comply with privacy laws, I will not shy away from using these powers in appropriate cases'.
For more information, or for assistance with your compliance assessment or privacy policy review, please contact Christine Ecob.