Overview of the Australia Privacy Principles
The amendments tighten up the rules around how agencies can collect, use and disclose personal information.
For the first time, new Australian Privacy Principles will apply to both the private and public sectors.
There is a new requirement for agencies to develop detailed privacy policies and make them clear and easily accessible.
The Principles require a higher standard of protection to be afforded to “sensitive information”.
The Privacy Commissioner will also be able to obtain enforceable undertakings from an organisation and apply to the court for a civil penalty order against agencies.
The main changes to the Privacy Act result from the replacement of the current Information Privacy Principles (IPPs) with the Australian Privacy Principles (APPs). Importantly, the APPs align more closely with the current National Privacy Principles, which apply to the private sector, than the IPPs.
This summary sets out the main requirements of the APPs.
APP 1—open and transparent management of personal information
Agencies are required to manage personal information in an open and transparent way. This includes:
- having procedures and systems in place that are reasonable in the circumstances to enable compliance with the new principles, and
- having a privacy policy (see above) that sets out:
  - the kinds of information collected
  - how the information is collected
  - the purposes for collection
  - whether it is likely that the agency will disclose personal information to overseas recipients and, if so, the countries in which they are likely to be located.
APP 2—anonymity and pseudonymity
Where it is lawful and practicable, individuals must be given the option of not identifying themselves when dealing with an agency. Options for anonymity include allowing the individual to use a pseudonym.
APP 3—collection of solicited personal information
This principle sets out the standard for collection of personal information by agencies. These standards may differ between agencies.
An agency must only collect personal information that is “reasonably necessary for or directly related to” one or more of its functions or activities.
An agency must only collect “sensitive” information if the individual consents to the collection, and the information is reasonably necessary or directly related to one or more of its functions or activities.
There are exceptions to this general rule. These include:
- where it is required or authorised by Australian law or a court order
- in “permitted general situations”
- in “permitted health situations”, and
- in cases where an enforcement body reasonably believes that the collection of the information is reasonably necessary.
Further, an agency must collect the information:
- by lawful and fair means, and
- directly from the individual concerned unless certain circumstances apply (for example, where it is unreasonable and impractical to do so).
APP 4—dealing with unsolicited personal information
When an agency receives unsolicited personal information it must determine whether or not it could have collected the information in line with APP 3. If:
- it could—the other APPs apply to that personal information, or
- it couldn’t—then steps must be taken to either destroy the information or de-identify it so that it no longer contains personal information. This requirement doesn’t apply if the information is contained in a Commonwealth record.
APP 5—notification of the collection of personal information
When an agency collects an individual’s personal information it must take reasonable steps to provide notification of collection. This includes providing:
- contact details of the APP entity
- whether information has been collected from a third party or under an Australian law or court/tribunal order (and details about that collection)
- the purpose of the collection
- disclosure information, including to overseas recipients, and
- the consequences of not collecting the information.
APP 6—use or disclosure of personal information
If an agency holds personal information about an individual collected for a particular purpose, the entity must not use or disclose it for another purpose unless:
- the individual has consented to the use or disclosure, or
- the use or disclosure of the information falls within the listed exceptions.
The exceptions are:
- where the secondary purpose is related to the primary purpose and the individual would reasonably expect it to be used for that secondary purpose. Where sensitive information is involved the secondary purpose must be “directly related” to the primary purpose
- where required or authorised by an Australian law or a court order
- in “permitted general situations”
- in “permitted health situations”, and
- where an agency reasonably believes that the use or disclosure of the information is reasonably necessary for enforcement related activities conducted by, or on behalf of, an enforcement body.
An agency can disclose biometric information or templates to an enforcement body if it is disclosed in line with the Privacy Commissioner’s guidelines.
APP 7—direct marketing
This principle doesn’t apply to agencies unless they are engaging in commercial activities.
APP 8—cross-border disclosure of personal information
Before an agency discloses personal information to an overseas recipient, it must take reasonable steps to ensure the recipient doesn’t breach the APPs (other than APP 1). This will generally require the agency to enter into a contractual relationship with the recipient.
This requirement does not apply where:
- the agency reasonably believes the recipient of the information is subject to a law or scheme substantially similar to the APPs
- there is express informed consent to the disclosure of the information
- the disclosure is required or authorised by Australian law
- in “permitted general situations”
- the disclosure is required or authorised by an international agreement relating to information sharing (to which Australia is a party), and
- where the entity reasonably believes the disclosure of the information is reasonably necessary for one or more enforcement-related activities conducted by, or on behalf of, an enforcement body, and the overseas recipient is an equivalent type of body.
APP 9—adoption, use or disclosure of government-related identifiers
In general this principle doesn’t apply to agencies.
APP 10—quality of personal information
An agency is required to protect the quality of the personal information it collects, uses and discloses, and take reasonable steps to ensure that:
- personal information collected is “accurate, up-to-date and complete”, and
- personal information it uses or discloses is “accurate, up-to-date, complete and relevant”.
APP 11—security of personal information
An agency must protect and in some cases destroy personal information. This obligation includes taking reasonable steps to:
- protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, and
- destroy or “de-identify” personal information that is no longer needed for a purpose for which it may be used or disclosed under the APPs, unless the information is in a Commonwealth record.
APP 12—access to personal information
An agency must provide access to an individual to their personal information subject to specific
This principle does not apply where an agency is required or authorised to refuse to give access under the Freedom of Information Act 1982 or other legislation.
The principle sets out the procedural details for requests for access, such as:
- means of access
- access charges, and
- procedures for refusal to grant access.
APP 13—correction of personal information
An agency must take reasonable steps to correct personal information it holds on an individual if:
- it believes the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, or
- the individual requests that it be corrected.
An agency is not obliged to maintain the correctness of personal information it holds at all times. However, when personal information is used or disclosed, an agency may need to correct it before use or disclosure if it is satisfied the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
The other requirements
The main changes to the Privacy Act are contained in the APPs; however, there are other changes that agencies need to understand. This summary sets out some of the key provisions that are not contained in the APPs.
Exceptions to the APPs
The general rule is that an agency covered by the APPs must not act in a way that breaches them; however, there are exceptions. The main exceptions are in “permitted general situations” and “permitted health situations”.
Exception 1—permitted general situations
Personal information may be collected, used or disclosed without breaching the APPs where:
- it is unreasonable or impracticable to obtain the individual’s consent and the agency reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to life, health or safety of an individual or is necessary for public health and safety, or
- there is reason to suspect there is unlawful activity or serious misconduct relating to the agency and the agency reasonably believes that the collection, use or disclosure is necessary to take appropriate action in relation to the matter, or
- the agency reasonably believes it is necessary to help locate a missing person (provided this is in keeping with any rules made by the Privacy Commissioner), or
- the agency reasonably believes it is necessary for its diplomatic or consular functions or activities.
The Defence Force may also collect, use or disclose personal information where it reasonably believes it is necessary for its overseas operations.
Exception 2—permitted health situations
Health information may be collected, used and disclosed in certain situations without breaching the APPs. This exception is essentially the same as under the 2000 reform to the Privacy Act, which permits the collection, use or disclosure where the information is necessary to provide a health service to the individual and it is:
- required by or authorised under Australian law, or
- in line with rules established by competent health or medical bodies.
Other obligations not contained in the APPs
Agencies will also need to be aware of obligations and key concepts contained in other provisions of the Act, including:
- the definitions of key concepts, including some of those referred to in the APPs
- expansion of the extra-territorial operation of the Privacy Act
- responsibilities of agencies where they disclose personal information to an overseas recipient
- external dispute resolution schemes
- APP Codes, and
- obligations on agencies if they engage contracted service providers.
Information Commissioner’s guidance, monitoring and advice-related functions
The amendments enhance the Office of the Australian Information Commissioner’s (Information Commissioner) powers in relation to its guidance, monitoring and advice functions, and the auditing of compliance.
In particular, the Information Commissioner may:
- accept enforceable undertakings from an entity
- apply to the Federal Court or Federal Circuit Court for an order that an entity pay a civil penalty, and
- conduct own-motion assessments of compliance with the APPs.
Privacy developments: what’s next?
The privacy landscape in Australia is rapidly changing as the Government tries to respond to changes in technology and developments in the privacy policies and practices of other countries in the developed world.
While most of the attention has been devoted to reviewing the changes contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which takes effect on 12 March 2014, there are a number of other areas that are likely to see changes in the near future.
This article discusses some of the areas in which development is already underway and where we are most likely to see changes in the near future.
At the time of writing, the OAIC has released two tranches of draft APP Guidelines for consultation. A table of the issues covered by the draft guidance is set out at the end of this article.
As there is less than six months to go before the APPs take effect, we expect the OAIC will soon release the remainder of its draft guidance and move very quickly to finalise it in time for the commencement of the new provisions.
In the meantime, the OAIC continues to release guidance on other aspects of privacy that may have implications for entities. For example, the OAIC recently released guidelines for Code Development and External Dispute Resolution Scheme Recognition, which are concepts relevant under the Privacy Act after March 2014. This means entities will need to continually monitor and adapt their privacy policies and procedures in line with the guidance as it is released.
Mandatory Breach Notification Bill
On 29 May 2013, the Privacy Amendment (Privacy Alerts) Bill 2013 (the Bill) to create a mandatory notification scheme for serious data breaches was introduced into Parliament.
The Bill followed on from the Australian Government’s discussion paper, Australian Privacy Breach Notification, released on 17 October 2012 (see our article “Privacy breaches: mandatory notification a step closer”). The discussion paper followed the Office of the Australian Information Commissioner’s (OAIC) publication, Data Breach Notifications: A Guide to Handling Personal Information Security Breaches (see our article, “Privacy: the sands continue shifting”).
The Bill sets out:
- the requirement on agencies to notify individuals when there has been a serious data breach
- the notification requirements, and
- that a failure to comply with the mandatory notification obligations is deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act, enlivening the enhanced powers of the Privacy Commissioner to investigate and pursue remedies including civil penalties.
The new Commonwealth Government may restart the process to introduce the mandatory scheme, particularly as the Senate Committee report recommended the Bill be passed. However, comments by the Coalition Senators on the Committee about the timeframe of the Bill, and “regulatory overload” concern in the industry, suggest that more time may be granted for consultation and implementation of the reforms.
Statutory cause of action for serious invasion of privacy
Following a number of high profile privacy breaches, in particular the September 2011 News International phone hacking scandal, the Government released an issues paper “A Commonwealth Statutory Cause of Action for Serious Invasion of Privacy”. The paper explored some of the key issues raised by the Australian Law Reform Commission’s 2008 recommendation that there be a statutory cause of action for serious invasions of privacy.
Some of the key issues that need to be considered in deciding whether a statutory cause of action should be introduced are also explored in the issues paper. These include: whether there is a need for it; what is the appropriate test; what defences should be available; should there be exemptions; and how should damages be calculated? For a detailed summary of the main recommendations of the committee report see our article “Suing for invasion of privacy: the Government releases its Issues Paper.”
On 12 June 2013, the former Attorney-General referred the issue to the Australian Law Reform Commission for inquiry and report by June 2014. The ALRC released an issues paper on 8 October 2013, beginning its consultation process for the inquiry.
This issue is complex and divisive. While we expect that the Government will move carefully in this area, if there is a high-profile scandal involving breach by an Australian entity (such as evidence of widespread phone hacking), then there is likely to be public pressure for the Government to act quickly to introduce a statutory cause of action. Fortunately, to date, there is no evidence that this has occurred in Australia.
Next stage response to the ALRC Report
The March 2014 amendments to the Privacy Act reflect the first stage of the Government’s response to the 2008 Australian Law Reform Commission’s (ALRC) report, For Your Information: Australian Privacy Law and Practice (which made 295 recommendations for change).
The previous Government stated that the remaining 98 recommendations of the ALRC report would be considered after the progression of the first stage reforms. Assuming the new Government continues to implement the recommendations of the report, we expect to see further consultation undertaken for the remaining recommendations. The mandatory breach notification and statutory cause of action for serious breach of privacy are two of the key issues set out in the remaining recommendations.
While it is acknowledged that keeping pace with technological and privacy developments means that the privacy landscape is likely to continue changing, it is hoped that the new Government will balance the need for changes with the need to provide all stakeholders with the opportunity for appropriate consultation and consideration of any proposed amendments.
In the meantime, agencies will need to keep on top of developments in the area, particularly the OAIC’s final APP guidance, which is expected in the coming months, and ensure that the guidance is reflected in their practices and procedures under the APPs by 12 March 2014.
Topics covered by the draft OAIC APP Guidance
Key areas covered by draft guidance:
- APP 1 open and transparent management of personal information
- APP 2 anonymity and pseudonymity
- APP 3 collection of solicited personal information
The Privacy Act amendments make numerous changes to the way agencies collect, hold, use and disclose personal information. Agencies already have systems and procedures to comply with current privacy obligations. What needs to happen now is to identify what the new obligations are and how to adapt existing practices and procedures to achieve compliance. A high level approach to becoming compliant has these phases:
PLAN → AUDIT → ANALYSE → AMEND → IMPLEMENT
One of the key steps in the toolkit involves designing and conducting the privacy audit.
Design and conduct a privacy audit
An important step in the compliance process is to conduct a privacy audit to identify the current privacy practices and procedures and then compare them against the new obligations to determine areas of non-compliance.
A privacy audit is designed to identify:
- types of personal information you currently collect, hold, use and disclose
- types of personal information you may collect, hold, use and disclose in the future
- how you collect, hold, use and disclose that information
- what legislation, policies and procedures currently govern your agency’s collection, holding, use and disclosure of personal information
- where these activities take place, and
- what may be “reasonable steps” in the context of your agency and in relation to individual information collection processes.
The audit project team should involve senior management from the legal, FOI, IT, media relations and HR areas in your agency.
Assess current privacy compliance
To collect privacy compliance information, each area within the agency will need to be investigated. As an initial step, a questionnaire is useful to identify current practices and get the managers thinking about how their current practices may need to change.
The best questionnaires contain appropriate guidance to assist line areas to understand relevant concepts, for example, the collection, use and disclosure of sensitive information.
At a minimum, the questionnaire should ask each area to identify their current practices around the key stages of the information lifecycle. To help you we have included a list of items your questionnaire should cover below.
Validation and clarification
After the questionnaires have been completed and analysed, the audit team should meet with line areas to confirm that they understood the questions and to validate the responses, identify any areas of risk and non-compliance, and discuss appropriate compliance strategies.
Prepare audit report
The audit report will present the audit team’s findings and identify:
- key privacy issues and risks facing the agency
- the level of privacy compliance within the agency, and
- recommendations to ensure compliance with privacy obligations.
Privacy compliance survey topic suggestions
- The systems, policies and procedures in place to ensure compliance with the area’s privacy obligations
- The privacy training and guidance material used by the area in carrying out their functions
- The results of any privacy compliance audits that have been undertaken
- Any complaints handling process in place regarding the collection, holding, use and disclosure of personal information
- Any complaints or enquiries received in the past
- Any specific legislation that governs their current privacy practices
- The types of personal information that it collects
- Any personal information that it collects that is “sensitive information”
- Any government identifiers attached to the personal information
- Whether it’s lawful/practical for people to remain anonymous when dealing with the area
- Why that personal information is required for its functions
- Any legal requirement or authorisation to collect the personal information
- How the personal information is collected
- How the area informs the person of its policies and procedures for collection of the personal information
- What the area informs the person about the collection of the information
- The terms of any consent that a person gives to the collection
- Any unsolicited personal information that is received
- How the area uses the information collected
- Why the information is required to be used for the area to exercise its function
- Any legal requirement or authorisation to use the information
- How the individual is informed of that use
- The terms of any consent to that use
- The policies and procedures the area follows that govern use of personal information
- Any personal information disclosed
- Any personal information disclosed overseas and, if so, where and under what conditions
- How the individual is made aware of the disclosures
- Terms governing any disclosure to third parties and terms of any consent to disclosure
- Any legal requirement or authorisation to disclose the information
- Policies and procedures the area follows that govern disclosure of personal information
5. Storage and security
- How is the personal information stored
- What security measures are in place to ensure protection against loss, unauthorised access, use, modification or disclosure
- What security policies/procedures governing the handling and storage of personal information apply to the area
- What protocols/procedures govern adding, amending or deleting personal information
- What legal requirements/authorisations apply to storing/destroying personal information
6. Information integrity
- How can an individual access their personal information
- How are they made aware of the area having their personal information
- How are they made aware of their ability to access their personal information
- Any legal requirement or authorisation governing refusal of access to the information
- The policies and procedures the area follows that govern a person’s access to personal information
- How does the area ensure that the personal information is accurate, relevant, up-to-date, complete and not misleading
AAPT hacking case study: what would happen if it was an agency under the new law?
Recently, AAPT customer data was hacked and published on the internet. Following an own motion investigation, on 15 October, Australian Privacy Commissioner, Timothy Pilgrim, found AAPT had breached the Privacy Act in respect of the incident.
The case provides a useful scenario to examine what the result would be if the same issues arose for an agency under the new law. In particular, the case provides useful guidance around the Commissioner’s thinking on:
- what constitutes “disclosure” and what constitutes “use”
- what your obligations are when you use a third party server, and
- what your training obligations are.
This case involved AAPT’s company data (including customers’ personal information) being accessed and stolen by Anonymous, an international network of “hacktivists”, between 17 and 19 July 2012. Anonymous subsequently published the data on the internet.
The data was held on a server managed by WebCentral Pty Ltd, a web-hosting business unit of Melbourne IT. Under the contract between AAPT and WebCentral, WebCentral was required to fully manage and maintain the server, except for the custom application content and data, which was the responsibility of AAPT.
Anonymous accessed the data through the “Cold Fusion” application installed on the server, which was a “customer-managed application” and was AAPT’s responsibility under the contract. AAPT was using an old version of Cold Fusion, which was known to have vulnerabilities.
When Melbourne IT became aware of the attack it notified AAPT, which immediately disconnected from the network and took steps to ensure the data could not be further compromised.
Own motion investigations
It is worth noting that this matter involved an own motion investigation in response to media reports of the hacking by Anonymous. Accordingly, agencies cannot rely on the fact that they have not received a complaint as an indication that any privacy breaches will not be pursued.
Under the new provisions, the Commissioner’s powers will be enhanced, including through clarifying and strengthening the Commissioner’s own motion investigations of any act or practice that may interfere with an individual’s privacy or a possible breach of APP1. Further, agencies may also have notification requirements if the mandatory notification legislation is introduced.
Who held the data?
Under NPP4.1, an organisation is required to take reasonable steps to protect personal information it held from misuse and loss and from unauthorised access or disclosure. The question in this case was whether AAPT or WebCentral held the data. The Commissioner took the view that AAPT held the data despite it being stored on WebCentral’s server. Accordingly, AAPT had the obligation under NPP4.1.
APP11.1 is the equivalent of NPP4.1 so, in circumstances where an agency outsources the data storage, it will still be likely to be regarded as holding the information under the new provisions and have obligations to protect the information.
Was the publishing of the data a disclosure by AAPT?
An organisation may only use or disclose personal information for the primary purpose of collection under NPP2.1. As the publication of the data was not for the primary purpose of the collection, the Commissioner examined whether the publication amounted to disclosure by AAPT.
As the data was made public through the malicious actions of Anonymous, the Commissioner found that the publication was not a disclosure by AAPT.
APP 6.1 sets out similar requirements about the use and disclosure of personal information as NPP2.1, so this test will remain relevant for the new provisions.
Reasonable steps to protect personal information
The Commissioner found AAPT failed to take reasonable steps to secure the personal information as required by NPP4.1.
In assessing whether reasonable steps had been taken, the Commissioner examined the Cold Fusion application to determine whether it was suitable in the circumstances, the contract between AAPT and WebCentral, and AAPT’s awareness and management of the privacy protection measures under the arrangements.
The Commissioner noted that AAPT used a seven year-old version of Cold Fusion, which was known to have vulnerabilities. While the security “patches” on the version used by AAPT were up-to-date, the failure to use newer versions of the application that did not have the vulnerabilities of the older version meant that AAPT had not taken reasonable steps to protect the information.
The Commissioner identified several deficiencies in the security of data provisions in the contract between AAPT and WebCentral including:
- data was not assessed to determine whether it included personal information and its sensitivity
- existing or emerging security risks were not required to be identified and addressed, and
- vulnerability scanning and the effectiveness of the Cold Fusion application was not required to be undertaken.
This led to the conclusion that AAPT did not have adequate contractual measures in place to protect the data held on the compromised server.
The Commissioner noted that it was unclear whether AAPT was aware of what personal information was on the server, what Cold Fusion applications were installed and the parts of the server they related to, or who was responsible for the maintenance and management of the application.
Based on the known deficiencies in the version of the application used, the inadequate contractual arrangements in place and the lack of knowledge and management of the security measures in place, the Commissioner found that AAPT had failed to take reasonable steps to secure the personal information.
To address these issues, the Commissioner recommended AAPT:
- conduct regular reviews of all IT applications held internally or with external providers to ensure AAPT is aware of applications held
- take steps to ensure all IT applications held internally or externally, which hold or use personal information, are subject to vulnerability assessment and testing and regular vulnerability scanning
- clearly allocate responsibility for management of applications
- conduct regular audits of AAPT’s IT security framework to ensure security measures are working effectively, and that policies and procedures relating to data security are being complied with
- undertake steps to ensure appropriate classification of data it holds either internally or externally, including whether it includes personal information and the sensitivity of that information, and
- review the terms of the contracts it has with IT suppliers that hold or manage AAPT data to ensure clarity around which party has responsibility for identifying and addressing data security issues (such as vulnerabilities associated with old versions of IT applications).
As APP11.1 imposes the same requirements on agencies as NPP4.1 did on AAPT, agencies in AAPT’s position would also be in breach of the new provision (along with existing IPP4). The recommendations made by the Commissioner provide some useful guidance on what he regards as “reasonable steps” in the circumstances to discharge your obligations under the new provisions.
Reasonable steps to destroy or permanently de-identify personal information that was no longer in use
The Commissioner found AAPT had breached its obligation to destroy or permanently de-identify personal information that was no longer in use.
To comply with this obligation an organisation is required to develop systems or procedures to identify information it no longer needs and a process for how the destruction or de-identification of the information will occur.
In AAPT’s case, the Commissioner noted that these policies were available on the company’s internet; however, they were not followed in this case and that there was a low awareness among staff of them. As a result, AAPT had not taken the reasonable steps required by NPP4.2. Importantly, this finding highlights that having a policy that complies with the requirements is not enough. Organisations also have an obligation to train their staff to comply with the policy and take reasonable steps to ensure that the policy is implemented.
This area of information destruction and de-identification is one of the key areas where the obligations of organisations and agencies differ.
Under APP6.2, the obligation to destroy or de-identify the personal information does not apply to information contained in a Commonwealth record, to ensure that the agency’s obligations under the Archives Act can be complied with.
Penalties for breach
As the case involved breaches of NPPs, the Commissioner was unable to impose a penalty on AAPT.
Under the new APPs, which impose the same requirements on agencies as the NPPs in question (with the exception of record destruction), the Commissioner has enhanced enforcement powers, including the ability to accept and compel compliance with enforceable undertakings and, in the case of serious or repeated breaches, to seek civil penalties of up to $1.7 million.
The AAPT case highlights the following key points:
- agencies continue to have privacy obligations for personal information, even when it is stored on third party servers and is not physically “held” by the agency, such as a “cloud” application
- a malicious act by a third party may result in the Commissioner commencing an “own motion” investigation into whether the agency is in breach of its privacy obligations; it does not require a complaint by a third party or for something to be done by the agency or its service provider
- where personal information is held by a third party, contractual arrangements for data protection and security need to be clear and adequate, and
- it is not sufficient for an agency to simply have privacy policies and procedures. It must also ensure staff are trained and regularly made aware of and implement those policies and procedures.
The Commissioner’s recommendations also provide a timely reminder of the sort of steps agencies are required to take to fulfil their privacy obligations.