Late last year the government passed amendments to the Privacy Act 1988 (Cth), implementing changes to Australian privacy law in a number of areas. These changes take effect from 12 March 2014 and will have a significant impact on the way Commonwealth agencies and private sector organisations collect and deal with various forms of personal information.

The key changes include:

  • a new system of privacy principles, which will significantly affect how private and public sector entities collect and handle personal information; 
  • enhanced enforcement mechanisms; and 
  • for the first time, the introduction of a civil penalty regime for breaches of privacy.

To comply with the new laws, privacy policies will need to be updated and practices, procedures and systems will need to be revised and implemented. Accordingly, if preparations are not already well underway, they should commence or be escalated now in order to achieve full compliance by 12 March 2014.

This eBulletin outlines key reforms made to the Privacy Act 1988 (Cth) by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Reform Act), and the steps regulated entities should be taking now in readiness for 12 March 2014.

The new Australian Privacy Principles

A key change will be the replacement of the current National Privacy Principles (NPPs) applicable to the private sector, and the Information Privacy Principles (IPPs) applicable to the federal public sector, with a unified set of 13 new 'Australian Privacy Principles' (APPs) to regulate the handling of personal information. The APPs will impose obligations on both Commonwealth agencies and private sector organisations (to be known as APP entities) at every stage in the cycle of handling personal information. While the APPs follow the basic thrust of the NPPs and the IPPs, many of the original principles have been expanded, new obligations have been introduced, and in both cases the detail is more prescriptive.

Key changes which will affect the day-to-day privacy compliance of APP entities include:

  • privacy policies - It will no longer be sufficient for APP entities to simply have a policy regarding the management of personal information. There will be a proactive obligation to take reasonable steps to implement practices, procedures and systems that comply with the APPs. This will include having a privacy policy that covers specific types of information.
  • unsolicited information - Entities sometimes receive personal information that they have taken no active steps to collect. This is increasingly common in the digital age where information can be transmitted easily and quickly. The changes will require APP entities to de-identify or destroy unsolicited personal information as soon as practicable if that information is not reasonably necessary for one or more of the APP entity’s functions.
  • health information - The new general rule for the collection of sensitive information will require an entity to obtain the individual's prior consent.
  • security - The APPs will introduce an obligation on entities to take reasonable steps to protect personal information from 'interference', such as attacks on their computer systems. This is another example of the new way in which APP entities will need to proactively protect personal information, and will apply in addition to the existing obligations to protect personal information from misuse and loss, and unauthorised access, modification and disclosure.
  • direct marketing - There will be a general prohibition on the use and disclosure of personal information by organisations for direct marketing purposes. In addition to the current framework of permitted circumstances and exceptions, recipients of unsolicited direct marketing will have an important new right to require the organisation to disclose the source of the individual's personal information.
  • cross-border disclosures - The APPs will require greater legal accountability from APP entities who disclose personal information to overseas recipients. This will usually require APP entities to not only ensure that the overseas entity is subject to an equivalent privacy regime, but also that the APP entity can enforce that protection; for example, under a written contract. If these requirements are not met (and none of the exceptions are available), the APP entity can be liable for the privacy breaches of the overseas recipient.

Powers and penalties

Under the Reform Act, the national privacy regulator, the Office of the Australian Information Commissioner (OAIC), will have its functions and powers significantly expanded to include:

  • investigations - the power to investigate and monitor compliance with the privacy obligations and conduct privacy performance assessments; 
  • enforceable undertakings - the power to accept enforceable undertakings by APP entities to take, or refrain from taking, specified actions which may be enforced in court if necessary; and
  • civil penalty orders - the power to apply to the Federal Court or Federal Circuit Court for a civil penalty order.

To date, the OAIC has been seen as something of a 'toothless tiger', given the absence of penalty consequences for breaches of the Privacy Act. This perception will change under the Reform Act. The Federal Court will have the power to award significant civil penalties for serious or repeated breaches of privacy. Penalties of up to $1.7 million can apply to bodies corporate and $340,000 to APP entities that are not bodies corporate, including individuals.

Preparing for the Reform Act changes

Given the approaching commencement date, private and public sector entities should now be undertaking review activities to identify corrective actions and prepare for compliance with the Reform Act. These activities include:

  • conducting a privacy audit to examine the extent to which the Reform Act will require changes to current operations;
  • updating staff manuals and undertaking staff training;
  • updating privacy policies, notices and consents; and 
  • reviewing contracts with subcontractors and service providers particularly where they involve disclosure of personal information to offshore service providers.

Watch this space

Controversial proposals to enact mandatory data breach notification laws before the Federal election have lapsed, for now. The Privacy Amendment (Privacy Alerts) Bill 2013 (Cth) was intended to further amend the Privacy Act from 12 March 2014 to impose mandatory data breach reporting obligations on entities regulated by the Privacy Act. Although the Bill was not passed before Parliament was prorogued, it received strong support (including endorsement at the Senate Committee stage), and would have formalised some existing voluntary data breach guidelines. Accordingly, there may be further privacy developments, and more to do, following the Federal election.

In the meantime

The immediate concern is achieving compliance with the Reform Act changes.