The new baker's dozen - Australian privacy principles

In May 2012, the Federal Government tabled in Parliament the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Bill). The Bill seeks to implement the first stage response to the recommendations of an Australian Law Reform Commission report into federal privacy laws, published in 2008. Whilst the Bill makes changes to credit reporting requirements, privacy codes and the powers of the Privacy Commissioner, the single most important change is creation of a single set of privacy principles called the Australian Privacy Principles (APPs).

The APPs are a single set of thirteen (13) privacy principles covering the collection, quality, use, storage, security and disclosure of personal information for both private sector organisations and Commonwealth agencies. The APPs are intended to replace the National Privacy Principles (NPPs) for private sector organisations and the Information Privacy Principles (IPPs) for public sector organisations currently under the Privacy Act 1988 (Cth) (Privacy Act).

The APPs cover the following thirteen principles:

APP 1 Open and transparent management of personal information

APP 2 Anonymity and pseudonymity

APP 3 Collection of solicited personal information

APP 4 Dealing with unsolicited personal information

APP 5 Notification of the collection of personal information

APP 6 Use or disclosure of personal information

APP 7 Direct marketing

APP 8 Cross-border disclosure of personal information

APP 9 Adoption, use or disclosure of Government related identifiers

APP 10 Quality of personal information

APP 11 Security of personal information

APP 12 Access to personal information

APP 13 Correction of personal information

There are a number of key differences between the proposed APPs and the existing NPPs and IPPs. These differences include:

a requirement for entities to have clearly expressed and up-to-date privacy policies (that is, privacy policies should be living documents)

a requirement for privacy policies to expressly include details as to whether personal information is likely to be disclosed to overseas recipients and if so, in which countries such recipients are likely to be located

a requirement that the privacy policy must be made available free of charge

an express inclusion of personal information that it is received by an entity, even where the entity has not doing anything to solicit the information (unsolicited information) into the protection of the APPsa

requirement that any unsolicited personal information must be destroyed or otherwise de-identified if such personal information could not have otherwise been collected by the entity directly or is not otherwise contained in a Commonwealth record

a general prohibition on direct marketing, except where:

»» the individual has been given the opportunity (by simple means) to effectively opt-out of the direct marketing communications and has not elected to do so and

»» either the individual has given consent or the personal information was collected from the individual directly, and would have reasonably expected their personal information to have been used for that purpose or it is impracticable to obtain consent

a right for any individual to require any organisation using their personal information for direct marketing to cease and to disclose the source of the information used in direct marketing by the organisation

a requirement that organisations must take all steps, as are reasonable in the circumstances, to ensure that any overseas recipients of personal information do not breach the APPs and

a requirement that entities holding personal information must take steps to prevent interference with personal information.

The information above is not exhaustive and further details of the changes as well as other changes can be found in the Bill available at www.aph.gov.au.

Small business operators exempt from compliance with the NPPs, remain exempt from compliance with the APPs, but can at any time elect to opt-in and adopt the APPs.

The Bill has been referred to the House Standing Committee on Social Policy and Legal Affairs (24 May 2012) and Senate Legal and Constitutional Affairs Legislation Committee (19 June 2012). A report is expected from the Senate Legal and Constitutional Affairs Legislation Committee on 14 August 2012.

The Bill if enacted will make significant changes to federal privacy legislation in Australia.

Register Now As you are not an existing subscriber please register for your free daily legal newsfeed service.

The new baker's dozen - Australian privacy principles

Tags

Related Australia articles

The Australian Privacy Principles - one set of privacy principles to rule us all part 1 *

Federal Parliament passes comprehensive reforms to the Privacy Act 1988 (Cth) *

Privacy law reforms tabled in parliament *

Privacy reforms passed with amendments *

Privacy reforms: government releases draft of new Australian privacy principles *

Related international articles

Popular articles from this firm

A bank as ‘mortgagee in possession’ may be subject to closer scrutiny *

Indemnity clauses in commercial contracts: how to achieve desired contractual risk allocation *

High Court to rule on consequences of breach of fiduciary duty *

Legal implications of the NFP governance standards *

ASX releases final guidance note on continuous disclosure obligations *