Major privacy reforms
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (the Act), which amends the Privacy Act 1988 (Cth) (Privacy Act), implements wholesale reforms to the Australian privacy protection framework. The amendments implemented by the Act will come into force 15 months after the Act receives royal assent, after which time a single privacy regime will apply to Australian Government agencies and private sector organisations alike.
Key reforms include a new set of 13 Australian Privacy Principles (APPs) to replace the current Information Privacy Principles (IPPs) for the public sector and National Privacy Principles (NPPs) for the private sector. The Act also confers expanded powers on the Australian Information Commissioner and updates the current credit reporting system to allow more comprehensive credit reporting with improved privacy protections for individuals.
Background to amendments
The Act reflects the legislative elements of the Australian Government’s initial response to a report tabled by the Australian Law Reform Commission (ALRC) in August 2008 entitled “For Your Information: Australian Privacy Law and Practice”. The report was the product of an inquiry by the ALRC which ran for more than two years and considered the extent to which the Privacy Act and related state and territory laws provided an effective framework for the protection of privacy in Australia.
Some of the key drivers for privacy reform identified by the Commission included the emergence of new technologies and social media in Australian society, the need to align Australia's privacy protection regime with those of its key trading partners, and the complexity of the overlapping state, territory and federal regulatory approaches.
The first stage of the Australian Government’s response to the ALRC Report, of which the Act forms part, seeks to address 197 of the 295 recommendations made by the Commission. The Government is currently considering the details of its second stage response which will address proposals to clarify or remove certain exemptions from the Privacy Act, implement a requirement for serious data breach notifications and introduce a statutory cause of action for serious invasion of privacy.
One of the key reforms implemented by the Act is the consolidation and enhancement of the current IPPs and NPPs. Under the current national framework for privacy protection, the IPPs regulate privacy protection in the public sector while the NPPs govern privacy protection in the private sector. The Act substitutes a single set of 13 principles, the APPs, for these separate sets of principles.
Broadly, the APPs can be grouped into 5 categories:
- Principles which require agencies to consider the privacy of personal information when designing information systems (APP 1 and 2);
- Principles which deal with the collection of personal information including the receipt of unsolicited personal information by agencies (APP 3, 4 and 5);
- Principles governing the use and disclosure of personal information including direct marketing, the use of government related identifiers and the disclosure of personal information to recipients outside Australia (APP 6, 7, 8 and 9);
- Principles relating to the integrity, quality and security of personal information (APP 10 and 11); and
- Principles concerning requests for access to, and correction of, personal information (APP 12 and 13).
Overview of changes from the existing legislative scheme
Many of the APPs reflect regulatory elements contained in the existing IPPs and NPPs, however the APPs also include some significant changes from the former regime which take into account the issues identified in the ALRC Report.
Of particular note is the introduction of APP 4 which has no equivalent in the former regulatory framework and deals with the receipt of unsolicited personal information. In accordance with the new APP 4, where an agency receives personal information which it did not ask for, the agency must, within a reasonable period of time, determine whether (if the agency had sought the information) it could have collected the information lawfully under APP 3.
If the agency determines that the personal information could not have been collected lawfully, it must, as soon as practicable, destroy the information or ensure that it is de-identified, but only where it is lawful and reasonable to do so. If the personal information could have been collected lawfully, the rest of the APPs apply as if the information had been collected in that manner.
An additional requirement is also included in APP 11, which deals with the security of personal information. Under the new APP 11, an agency must take reasonable steps to destroy or de-identify personal information if the agency no longer needs the information for any purpose for which it may be lawfully used or disclosed, the information is not contained in a Commonwealth record, and the agency is not otherwise required by an Australian law or a court or tribunal order to retain it. The IPPs imposed no such obligation on agencies (although NPP 4.2 imposed a similar obligation on private sector organisations), and the requirements of the new APP 11 will need to be factored into any document retention policies, alongside existing obligations under the Archives Act 1983 (Cth) in relation to Commonwealth records.
The Act also confers additional power on the Information Commissioner to conduct investigations and assessments, resolve complaints through conciliation and external dispute resolution schemes and promote compliance with privacy obligations.
What to do to ensure your agency is compliant
Given the wholesale reforms implemented by the Act, agencies will need to review their privacy policies and information systems before the commencement date to ensure their ongoing compliance. Particular areas of focus include policies relating to the receipt of unsolicited personal information, cross-border disclosure of personal information, and the retention, destruction and de-identification of personal information.