Privacy Law Reforms: Stage 1 Completed

Articles Written by Prashanth Kainthaje (Partner)

On 29 November 2012, the Australian Parliament completed the first stage of a reform process initiated in early 2006 by passing the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Bill). The new provisions will commence 15 months after Royal Assent, which means they are not expected to commence before March 2014. However, in view of the strengthened powers the new legislation confers on the Privacy Commissioner, and the possible monetary penalties of up to $1.1 million for a breach, organisations and businesses should start reviewing their policies, practices and processes as soon as possible to ensure they will be ready to comply with the enhanced privacy protection regime under the amended Privacy Act.

We outline below the main features of the new legislation. For the details, see the comments we made on the Bill after its introduction to Parliament in the June 2012 issue of Acumen (Christine Ecob and Tania Juric, 'Privacy Act gets a Revamp'). The principal changes from the original Bill are the extension of the implementation period from 9 to 15 months after Royal Assent, the limitation of the obligation to allow individuals to use a pseudonym to cases where it is practicable for the APP entity to deal with individuals on that basis, and changes to the credit reporting provisions.

Single set of principles

Currently, two sets of privacy principles co-exist: the Information Privacy Principles (IPPs), which apply to Federal government agencies, and the National Privacy Principles (NPPs), which govern the handling of personal information by private sector entities (organisations). The IPPs and NPPs will be replaced by a single set of privacy principles, the Australian Privacy Principles (APPs). Contained in a new Schedule 1 of the Privacy Act, the APPs will apply to both agencies and organisations (together, APP entities). While many of the 13 APPs are based on the existing IPPs and/or NPPs, there are some notable changes, including:

  • reference to new definitions of 'personal information' and 'sensitive information'. In particular, sensitive information will include biometric information and templates;
  • an obligation to manage personal information in an open and transparent way. The list of items that must be included in an APP entity's privacy policy has been extended, and the privacy policy must be readily available;
  • an obligation to establish practices, procedures and systems that enable compliance with the APPs;
  • a general prohibition, subject to exceptions, on direct marketing;
  • the introduction of a new privacy principle in relation to unsolicited personal information, which obliges an APP entity to destroy or de-identify personal information that it would not have been permitted to collect; and
  • a new regime in relation to the cross-border disclosure of personal information.

Privacy policies

APP 1.4 contains a list of items that an APP entity's privacy policy must contain. This includes the type of information collected, the manner of collecting and holding personal information, as well as complaint mechanisms. The list is not exhaustive, so covering the items specified in it will not necessarily mean that your privacy policy complies with the legislative requirements.

Cross-border disclosure of personal information

Under the current regime, the transfer of personal information by an organisation in Australia to a third party located in a foreign country is prohibited unless an exception under NPP 9 is met, for example where the individual consents to the transfer or the recipient of the personal information is subject to obligations similar to those under the NPPs in relation to the handling of personal information. The new regime changes the focus from 'transfer' to 'disclosure' of personal information. APP 8.1 removes the existing prohibition but imposes a positive obligation on APP entities to take reasonable steps in the circumstances, before the information is disclosed, to ensure that the overseas recipient does not breach APPs 2 to 13 in relation to the information. In addition, the APP entity will be liable for breaches by the overseas recipient. Exceptions to APP 8.1 apply, such as where the individual consents to the disclosure of his or her personal information after having been informed expressly that APP 8.1 will not apply if consent is given.

Enhanced powers of the Privacy Commissioner

The new Privacy Act will strengthen the enforcement powers and functions of the Privacy Commissioner, including the ability to:

  • seek civil penalties of up to $1.1 million in the case of serious breaches of privacy;
  • accept enforceable undertakings, similar to those accepted by the Australian Competition and Consumer Commission, by APP entities to take certain actions or refrain from taking certain actions to ensure compliance with the Privacy Act; and
  • conduct compliance assessments as well as direct agencies to conduct privacy impact assessments in relation to proposed activities.

In a media release published after the passing of the Bill, the Privacy Commissioner Timothy Pilgrim set the tone by stating: 'While I will continue to work with agencies and businesses to help them comply with privacy laws, I will not shy away from using these powers in appropriate cases'.

What next?

For more information, or for assistance with your compliance assessment or privacy policy review, please contact Christine Ecob.

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).