- The Commonwealth Government has today passed the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Act) which contains major reforms to the Privacy Act.
- The Act incorporates a number of further amendments added since the original bill was introduced in May.
- New Australian Privacy Principles will replace the current National Privacy Principles (applicable to the private sector) and Information Privacy Principles (applicable to the Federal public sector).
- Key areas impacted: direct marketing, cross-border data disclosure, privacy policies and notices, credit reporting.
- The enforcement powers of the Privacy Commissioner will be expanded, including the ability to seek penalties of up to $1.1 million.
- For most of the new provisions, entities will have 15 months to comply once the amending Act receives Royal Assent.
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Act) was passed by Parliament today. The Act makes significant amendments to the Privacy Act 1988 (Cth) (Privacy Act), giving effect to more than half of the 295 recommendations in the 2008 Australian Law Reform Commission (ALRC) report on privacy laws (ALRC Report).1 Amongst other things, the reforms include a new set of Australian Privacy Principles (APPs), revised credit reporting provisions and penalties of up to $1.1 million.
This article examines the major changes to the Privacy Act, as well as noting some key amendments made by the Senate this week to the original Bill introduced in May.
Extended implementation period
The majority of the new provisions to be introduced by the Act have a deferred commencement of 15 months from the day after the Act receives Royal Assent, to allow entities sufficient time to prepare. This has been increased from 9 months. If Royal Assent is given in December, then the effective date will be in March 2014.
The extended period acknowledges industry concerns around implementing the reforms, as well as allowing further time for the Office of the Australian Information Commissioner (OAIC) to develop guidance material, and for the new Credit Reporting Code of Conduct to be developed, approved and registered.
The reforms passed today include the following notable differences from the original Bill:
- organisations will only need to allow individuals to use pseudonyms where reasonably practical (APP 2)
- the heading for APP 7.1 is now ‘Direct marketing’ rather than ‘Prohibition on direct marketing’, although the substantive obligations remain the same
- credit providers cannot ‘default list’ consumer debtors until 14 days after notice of intention to default list
- the minimum amount for default listing has been raised from $100 to $150
- credit providers will have greater ability to disclose debtor information to offshore agents, related companies and credit managers, and
- a range of other changes to the credit reporting provisions have been made.
The Australian Privacy Principles
The new APPs will replace two sets of privacy principles which currently apply under the Privacy Act: the Information Privacy Principles (IPPs) (for the Federal public sector) and the National Privacy Principles (NPPs) (for the private sector).
The thirteen APPs will apply to both Federal government agencies and private sector organisations (which are defined collectively as 'APP entities'). Mostly, the APPs apply equally to all entities; however, there are some areas where 'agencies' and 'organisations' are treated differently. For example, organisations must only collect personal information reasonably necessary for their functions and activities, whereas agencies also have the right to collect information 'directly related to' their functions and activities.2
The APPs are more closely based on the NPPs, so the changes made by this Act are more extensive for the public sector. The APPs do however include a number of changes that private sector organisations should be aware of, including some of those discussed in this update.
Privacy policies and notices
The APPs will require privacy policies and notices to be expanded to include a number of additional details, which are set out in a table in the original publication.
Further requirements will also apply under the credit reporting provisions.
APP 7 is a new direct marketing principle; however, it will not apply to the extent that the Spam Act or the Do Not Call Register Act apply. APP 7 is expressed to apply to organisations rather than agencies; however, agencies may need to comply in relation to their commercial activities by virtue of the existing section 7A of the Privacy Act.
Where the direct marketing involves a use or disclosure of sensitive information, consent will be required.
For other personal information:
- consent will only be required if it is reasonably practical to obtain it and either the information was collected from a third party or the individual would not reasonably expect the direct marketing
- organisations must give individuals the ability to opt out, and
- individuals must not have previously opted out.
An exception is provided for contracted service providers to Federal government agencies.
In all cases individuals will have the right to:
- request the source of their personal information
- opt out of receiving direct marketing communications from the organisation, and
- opt out of disclosure of their personal information for third party marketing.
Under the proposed APP 8.1, an entity that discloses personal information to a recipient outside of Australia will be required to take 'such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs'. The government has indicated that in practice this will often involve entering into a contractual relationship with the overseas recipient.3
Under the new cross-border disclosure regime, Australian entities that disclose personal information to overseas recipients will generally be liable for privacy breaches committed by those recipients—although the Australian entities may have recourse through their contracts. As the government acknowledges, this reflects a shift away from the 'adequacy approach' seen in NPP 9 and the EU to an 'accountability approach', as adopted by APEC and Canada.4 The government also comments that the 'chain of accountability' is not broken simply because an overseas recipient engages a subcontractor.5
There will be some exceptions to the 'reasonable steps' and accountability obligations. One of these is where the recipient is subject to a law or binding scheme similar to the APPs which gives appropriate enforcement rights to the individuals. Guidance from the OAIC is anticipated on this point. Notably, contractual provisions will no longer be sufficient alone to avoid accountability. Consent will also provide an exception, but must be more explicit than under the current NPP 9.
Some concerns have been raised in the media that the new APPs will significantly reduce the use of offshore cloud computing services. It is hard to see this being the case. While retaining data in Australia or a jurisdiction with similar laws will be more attractive in that it will overcome the accountability issue, we expect to see cloud computing customers seeking to use contractual measures to protect themselves in case they are held liable for a breach by the provider. This is not to say that cloud computing won’t raise concerns for Australian entities, but that is already the case today.
It should also be noted that APP 8 is not intended to apply 'where personal information is routed through servers that may be outside Australia.'6 Entities will however need to take reasonable steps to ensure that personal information routed outside Australia is not accessed by overseas recipients as this will be considered disclosure.7
As noted above, the credit reporting provisions have been further amended since the original Bill with the effect that credit providers will have greater ability to disclose debtor information to offshore agents, related companies and credit managers. In making these further amendments, the ‘accountability’ approach applicable to APP 8 has been extended to those disclosures. Accordingly, Australian credit providers are required to take steps to ensure that those third parties comply with the relevant APP and credit reporting provisions. If the offshore party breaches those provisions, the Australian credit provider is responsible.
The current Privacy Act credit reporting regime is significantly overhauled through these reforms. The new approach is a move towards 'more comprehensive' credit reporting, allowing credit reporting agencies to record five new 'positive' data sets such as account opening/closing dates, in addition to previous 'negative' indicators such as payment defaults.
One of the new data sets, repayment history, will only be available to regulated National Consumer Credit Protection Act lenders who are subject to responsible lending obligations. This will tend to exclude some other credit providers such as utilities who offer services on a 'post-paid' basis.
A parallel process of redrafting the Credit Reporting Code of Conduct is also under way, with an issues paper having been released in March.8
Enforcement - penalties up to $1.1 million
The Act sets out a number of new enforcement powers and functions for the Information Commissioner, including the ability to:
- accept written undertakings that may then be enforced in court
- seek civil penalties of up to $1.1 million for serious or repeated breaches, or for certain credit reporting breaches
- require Federal government agencies to conduct privacy impact assessments
- undertake privacy performance assessments, and
- recognise external dispute resolution schemes.
Once the amendments receive Royal Assent, there will be 15 months to get ready for compliance with the new regime. Entities covered by the Act should undertake the following key steps in preparing for compliance:
- If your organisation does not already have a chief privacy officer, determine who should have responsibility for managing your organisation’s privacy review project, and which other internal stakeholders should be engaged.
- Update privacy policies, notices and consents, aligning and consolidating where appropriate. Allow lead times for printing and distribution. Consider implementing new versions in advance, at least for new customers/contacts, to avoid the need to re-contact them.
- Review outsourcing practices and other disclosures of personal information to third parties and foreign countries. Develop standard clauses and review ongoing contracts.
- Review personal information flows and handling practices generally, including storage and security.
- Review commercial and consumer credit applications and arrangements, particularly where your organisation conducts consumer credit checks (e.g. when conducting credit assessments on sole traders or guarantors).
- Develop internal procedures for key processes.
- Train staff on your organisation’s privacy obligations.
- Allow enough time to implement necessary IT changes before the new requirements take effect.