It has been nearly nine months since the Privacy Amendment (Enhancing Privacy Protections) Act 2012 (Cth) (Privacy Amendment Act) came into effect on 12 March 2014 and amended the Privacy Act 1988 (Cth) (Privacy Act) with some of the strongest protections Australian privacy law has ever seen.

In this Alert, Partner Hayden Delaney and Associate Michele Davis provide an overview of the types of documentation which will need to be reviewed, updated or drafted in order to be compliant with these new changes.

Key Points

In order to be compliant with the changes, the following key documentation is required:

  • Private sector organisations and Commonwealth government agencies must have a privacy policy.
  • A Privacy Collection Statement must be provided to the individual for each collection of personal information, before or at the time of collection or, if that is not practicable, as soon as practicable afterwards.
  • Any organisation or agency whose terms of trade allow payment for its goods or services to be deferred for seven days or more will be deemed a “credit provider” and will require a Credit Reporting Policy, as will other organisations and agencies that are “credit providers” under the Privacy Act.
  • Whenever credit information is collected, a Credit Collection Statement must be provided to the individual before or at the time of collection.
  • Individuals must be notified (and preferably their consent obtained) at the time personal information is collected if that information will be disclosed overseas.
  • Privacy compliance documentation must reflect how the organisation actually manages personal information and credit information. Failure to implement effective “privacy by design” principles may lead to non-compliance.
  • Those who contravene the Australian Privacy Principles (APPs) could be liable for penalties of up to $340,000 for individuals or up to $1.7 million for corporations, for each instance of a breach.

Privacy: this affects everyone

Most of us have downloaded a mobile app onto our smartphones. We do so without much thought as to what happens to the personal information we hand over to the business offering the app. Earlier this year, 26 privacy enforcement agencies from around the world, including the Office of the Australian Information Commissioner (OAIC), examined a substantial number of free apps as part of the second annual Global Privacy Enforcement Network “Global Sweep”, reviewing the privacy practices of more than 1200 mobile apps. The OAIC examined 53 popular free iOS apps, focusing on apps produced by or on behalf of Australian businesses and Australian Government agencies.

The trend identified by the Global Sweep was that almost 70 percent of the apps failed to provide the user with a privacy policy, or even terms and conditions addressing privacy, before the app was downloaded. In Australia, this practice would contravene the Privacy Act, and the businesses providing those apps to the public could be liable for penalties of up to $340,000 for individuals or up to $1.7 million for corporations.

The Australian Privacy Principles

We have covered these principles previously.

The APPs now set out in more detail what an organisation’s privacy policy must contain, the policy being the document that informs an individual how the organisation manages personal information. The key driver behind this is APP 1, which requires an organisation to be “open and transparent” in the way it manages personal information.

Similarly, the APPs set out extensive instructions on what is to be provided to an individual when an organisation collects personal information (a “collection event”). This notification is commonly referred to as a “collection statement” and is to be provided before or at the time of collection or, if that is not practicable, as soon as practicable afterwards. The collection statement must specifically detail, amongst other matters, the purpose(s) of that particular collection and the disclosures that will be made of the information collected. In practice this often means an organisation needs multiple collection statements. For example, the purposes behind collecting personal information from a website enquiry form (such as being able to respond to the enquiry) are likely to differ from those behind collecting personal information from a supplier (such as being able to process payment for the goods supplied). Each collection of personal information requires a separate collection statement specific to that collection event.

Outline of Credit Reporting Provisions

The Privacy Act has undergone substantial amendments to its credit reporting provisions, which have also resulted in a new Credit Reporting Code. These amendments are too numerous to cover adequately in an Alert; however, the changes to the credit reporting provisions will affect the following groups of organisations and agencies:

  1. Credit Reporting Bodies: organisations or agencies (as prescribed by the regulations) which carry on a credit reporting business;
  2. Credit Providers: the credit reporting provisions of the Privacy Act provide for several types of credit providers, including the obvious ones such as banks and retailers. However, most organisations will usually be either:
    1. an agent of a credit provider, because the organisation assists a credit provider in processing an application for credit; or
    2. deemed a credit provider, because the organisation allows a client or customer to defer repayment of the cost of goods purchased or services provided for a period of at least seven days.

If an organisation is a credit provider under the credit reporting provisions of the Privacy Act, the Privacy Act and the Credit Reporting Code impose significant obligations on it as to how it uses and discloses credit information (as defined in the Privacy Act). Whatever the detail of those obligations, what is clear is that each such organisation will require a credit reporting policy (detailing how it manages credit information), along with credit information collection statements (detailing the intended purpose of collection and the intended disclosures of the credit information collected). The credit information collection statement must be provided to the individual before or at the time the credit information is collected.

But it’s not just about the paperwork!

It is important that an organisation’s privacy policy, credit reporting policy and collection statements describe how that organisation actually manages personal information; privacy compliance documentation must reflect the organisation’s real practices for the collection, storage, use, disclosure, access and correction of personal information. Arguably one of the largest legal risks arising from privacy compliance documentation is the misalignment of privacy promises with actual privacy practices. A material difference between what the organisation says in its privacy policy and what the organisation does can result in non-compliance and liability.

To help ensure that it manages the personal information it collects in the way the Privacy Act requires, an organisation should implement “privacy by design” principles. “Privacy by design” protects personal information by building the protections into the infrastructure and design specifications of the organisation’s systems, rather than bolting them on afterwards. For example, access controls are placed on employee records so that only the human resources department (and specific personnel within that department) can access certain documentation, or the marketing department is given access only to the email addresses of customers who are to be placed on the direct marketing list, rather than to the entire customer record.

These control mechanisms, combined with a database that provides a “single source of truth” (that is, an information model in which each item of data is stored once, in a central database), will ultimately assist an organisation in managing the collection, storage, use, disclosure, access and correction of personal information effectively. They will also assist the organisation in complying with its obligations under APP 1.2 and APP 11: without a centralised database and effective security controls, an organisation is at risk of inadvertent or even malicious disclosures of personal information.

In addition, without a centralised database, should an individual seek access to their personal information or ask to have it corrected, the organisation may have difficulty ensuring that it has updated every location where the information is held, or may not even be aware of all the personal information it holds about that individual because it is scattered across various locations (for instance, the accounts department holds its records separately from the marketing department).
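As an added illustration, not part of the original Alert, the following Python example shows the arrangement described above in code: a single in-memory store standing in for the centralised database, a per-department policy that limits each department to the fields it needs (marketing sees email only), an audit trail of reads and refusals, and access and correction operations that touch one record in one place. The department names, field names and sample records are assumptions constructed for the example.

```python
"""Least-privilege, field-level access to personal information held once.

Constructed example: a small in-memory store stands in for the
"single source of truth" database. Department names, field names and the
sample records are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Policy: the fields each department may read. Anything not listed is denied.
# Marketing gets email only; HR gets employee fields; nobody gets the whole
# record by default.
FIELD_POLICY: Dict[str, FrozenSet[str]] = {
    "hr": frozenset({"name", "salary", "tax_file_number"}),
    "marketing": frozenset({"email"}),
    "accounts": frozenset({"name", "email", "billing_address"}),
}


class AccessDenied(PermissionError):
    """Raised when a department requests fields outside its policy."""


@dataclass
class PersonalInfoStore:
    # subject_id -> record. Each fact about an individual is stored exactly once.
    records: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # Append-only log of reads, refusals and corrections.
    audit: List[Tuple[str, ...]] = field(default_factory=list)

    def read(self, dept: str, subject_id: str, fields: List[str]) -> Dict[str, str]:
        """Return only the requested fields, and only if policy allows all of them."""
        allowed = FIELD_POLICY.get(dept, frozenset())
        denied = sorted(set(fields) - allowed)
        if denied:
            # Refuse the whole request rather than silently trimming it.
            self.audit.append(("DENY", dept, subject_id, ",".join(denied)))
            raise AccessDenied(f"{dept} may not read {denied} for {subject_id}")
        record = self.records[subject_id]
        self.audit.append(("READ", dept, subject_id, ",".join(sorted(fields))))
        return {f: record[f] for f in fields if f in record}

    def marketing_list(self) -> List[str]:
        """Emails of opted-in subjects. The opt-in flag is evaluated by the store;
        marketing is never shown it or any other field."""
        return sorted(
            self.read("marketing", sid, ["email"])["email"]
            for sid, rec in self.records.items()
            if rec.get("marketing_opt_in") == "yes"
        )

    def subject_access(self, subject_id: str) -> Dict[str, str]:
        """Access request: everything held about the individual, from one place."""
        self.audit.append(("SUBJECT_ACCESS", subject_id))
        return dict(self.records[subject_id])

    def correct(self, subject_id: str, field_name: str, value: str) -> None:
        """Correction request: one update, visible to every department at once."""
        self.records[subject_id][field_name] = value
        self.audit.append(("CORRECT", subject_id, field_name))


def build_sample_store() -> PersonalInfoStore:
    """Constructed sample data (not real people)."""
    store = PersonalInfoStore()
    store.records["c-1001"] = {
        "name": "A. Customer", "email": "a.customer@example.com",
        "billing_address": "1 Example St", "marketing_opt_in": "yes",
    }
    store.records["c-1002"] = {
        "name": "B. Customer", "email": "b.customer@example.com",
        "billing_address": "2 Example St", "marketing_opt_in": "no",
    }
    return store


def demo() -> Dict[str, object]:
    """Run the scenarios from the text and return the outcomes for checking."""
    store = build_sample_store()
    emails = store.marketing_list()                       # opted-in subjects, email only
    try:
        store.read("marketing", "c-1001", ["email", "billing_address"])
        overbroad_denied = False
    except AccessDenied:
        overbroad_denied = True                           # over-broad request refused
    store.correct("c-1001", "email", "new@example.com")   # corrected once ...
    accounts_sees = store.read("accounts", "c-1001", ["email"])["email"]  # ... seen everywhere
    return {
        "marketing_emails": emails,
        "overbroad_denied": overbroad_denied,
        "accounts_sees": accounts_sees,
        "audit_kinds": [entry[0] for entry in store.audit],
    }


if __name__ == "__main__":
    print(demo())
```

The refusal of the over-broad marketing request is logged rather than quietly narrowed, which is the evidence an organisation would want when showing it takes reasonable steps under APP 1.2 and APP 11; and because the correction is applied to the one stored record, every department sees the corrected value without a separate reconciliation step.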

Where to from here?

If your organisation does not fall within the small business exemption or another exemption under the Privacy Act, or if it is an exception to the small business exemption under section 6D(4), you will need to comply with the requirements of the Privacy Act. Given that organisations were provided with a transition period under the Privacy Amendment Act, we expect that the Office of the Australian Information Commissioner, which is soon to be renamed the Australian Privacy Commissioner, will start targeting organisations to ensure they are compliant with the changes to the Privacy Act. Organisations that are not compliant with the credit reporting provisions or the APPs will be liable for penalties of up to $340,000 for individuals or up to $1.7 million for corporations, for each instance of a breach. Are you compliant?