In May 2012, the Federal Government tabled in Parliament the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Bill). The Bill seeks to implement the first stage response to the recommendations of an Australian Law Reform Commission report into federal privacy laws, published in 2008. Whilst the Bill makes changes to credit reporting requirements, privacy codes and the powers of the Privacy Commissioner, the single most important change is the creation of a single set of privacy principles called the Australian Privacy Principles (APPs).
The APPs are a single set of thirteen (13) privacy principles covering the collection, quality, use, storage, security and disclosure of personal information for both private sector organisations and Commonwealth agencies. The APPs are intended to replace the National Privacy Principles (NPPs) for private sector organisations and the Information Privacy Principles (IPPs) for public sector organisations currently under the Privacy Act 1988 (Cth) (Privacy Act).
The APPs cover the following thirteen principles:
APP 1 Open and transparent management of personal information
APP 2 Anonymity and pseudonymity
APP 3 Collection of solicited personal information
APP 4 Dealing with unsolicited personal information
APP 5 Notification of the collection of personal information
APP 6 Use or disclosure of personal information
APP 7 Direct marketing
APP 8 Cross-border disclosure of personal information
APP 9 Adoption, use or disclosure of Government related identifiers
APP 10 Quality of personal information
APP 11 Security of personal information
APP 12 Access to personal information
APP 13 Correction of personal information
There are a number of key differences between the proposed APPs and the existing NPPs and IPPs. These differences include:
- a requirement for entities to have clearly expressed and up-to-date privacy policies (that is, privacy policies should be living documents)
- a requirement for privacy policies to expressly include details as to whether personal information is likely to be disclosed to overseas recipients and if so, in which countries such recipients are likely to be located
- an express inclusion, within the protection of the APPs, of personal information that is received by an entity even where the entity has not done anything to solicit the information (unsolicited information)
- a requirement that any unsolicited personal information must be destroyed or otherwise de-identified if such personal information could not have otherwise been collected by the entity directly or is not otherwise contained in a Commonwealth record
- a general prohibition on direct marketing, except where:
  - the individual has been given the opportunity (by simple means) to effectively opt out of the direct marketing communications and has not elected to do so and
  - either the individual has given consent, or the personal information was collected from the individual directly and the individual would have reasonably expected their personal information to have been used for that purpose, or it is impracticable to obtain consent
- a right for any individual to require any organisation using their personal information for direct marketing to cease and to disclose the source of the information used in direct marketing by the organisation
- a requirement that organisations must take all steps, as are reasonable in the circumstances, to ensure that any overseas recipients of personal information do not breach the APPs and
- a requirement that entities holding personal information must take steps to prevent interference with personal information.
The information above is not exhaustive and further details of the changes as well as other changes can be found in the Bill available at www.aph.gov.au.
Small business operators exempt from compliance with the NPPs remain exempt from compliance with the APPs, but can at any time elect to opt in and adopt the APPs.
The Bill has been referred to the House Standing Committee on Social Policy and Legal Affairs (24 May 2012) and the Senate Legal and Constitutional Affairs Legislation Committee (19 June 2012). A report is expected from the Senate Legal and Constitutional Affairs Legislation Committee on 14 August 2012.
The Bill, if enacted, will make significant changes to federal privacy legislation in Australia.