The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Amendment Act) was granted royal assent in December 2012. The Amendment Act makes significant changes to the current Privacy Act 1988 (Cth) (Privacy Act), particularly in relation to privacy principles, credit information and enforcement. With the exception of small businesses that have an annual turnover of less than $3m, entities that collect personal information (whether they are public or private entities) will need to comply with the new privacy regime created by the Amendment Act by March 2014.

Privacy Principles

The National Privacy Principles (NPPs) (for private entities) and Information Privacy Principles (for government entities) are being replaced by the Amendment Act with a single regime of privacy principles, named the Australian Privacy Principles (APPs). For the most part, the APPs will apply to government agencies and private organisations alike.

Relevant entities will need to update their privacy policies to reflect the new APPs. Outlined below are the most significant changes that entities should take note of.

APP 1: open and transparent management of personal information

Compared to the current regime, this principle places a higher onus on entities to have practices, procedures and policies in relation to privacy in place.

Under APP 1, entities will need to have procedures in place to deal with inquiries and complaints about an entity’s compliance with the APPs or any applicable codes (currently no such codes exist).

Privacy policies will need to cover the collection and management of personal information by the entity. This obligation at a minimum requires the privacy policy to include:

  • specific descriptions of the kinds of personal information that the entity collects and holds and how it is collected and held (under the NPPs such information needed to only be provided to individuals upon request and a general overview was sufficient)
  • the purposes for which the entity collects, holds, uses and discloses personal information (this should be regularly reviewed and should include any secondary purposes)
  • how an individual may access personal information about the individual that is held by the entity and seek the correction of such information (under the NPPs, policies only needed to state that individuals could access information, not the process of how to access information)
  • how an individual may complain about a breach of the APPs or a registered APP code (if any) that binds the entity and how the entity will deal with such a complaint (this is a new requirement that will oblige entities to implement such policies and train staff accordingly)
  • whether the entity is likely to disclose personal information to overseas recipients and where they are located (this is also new, and ties in with APP 8 which replaces the old regime of disclosure to overseas entities).

APP 1 requires entities to ensure that their policy is accessible to the public and free of charge. This requirement can be met by having the policy on the entity’s website; however, where a copy is requested, the entity may be required to post a hard copy version to that person. Previously privacy policies were only required to be provided to individuals upon request.

APP 2: anonymity and pseudonyms

Where practicable, individuals must not be required to disclose their identity and may use a pseudonym. Previously there was only the requirement to provide the option of anonymity; the requirement to allow the use of pseudonyms is new.

APP 4: unsolicited personal information

Where an entity receives personal information that it could not have reasonably obtained through solicited means, it must destroy the information. This APP is entirely new, and procedures to identify and deal with such information must be developed by relevant entities.

APP 5: notification of collecting personal information

At or before the time information is collected, or if that is not practicable, as soon as practicable after information is collected, the collecting entity must ensure that it lets the individual know: that the information has been collected; the purpose of collection; the consequences for the individual if the information is not collected; the procedure to complain about or amend information; and to which third parties the information may be disclosed.

Although this requirement was reflected in NPP 1 it is more rigorous in terms of providing information on access, corrections, and complaints.

APP 7: direct marketing

This principle affects private organisations but not public agencies. It replaces the current NPP 2.1(c) on “use and disclosure” of personal information and places more emphasis on gaining consent in relation to direct marketing. It requires entities to have a simple means by which an individual can easily request not to receive direct marketing from the entity or that their information is not provided to third parties that will use their personal information for direct marketing.

APP 8: disclosure to overseas entities

Where Australian entities intend to disclose personal information to overseas entities, APP 8 requires the Australian providing entity to ensure that the overseas entity complies with the (amended) Privacy Act and the APPs in respect to the provided information. Accordingly, entities considering providing personal information to overseas entities will need to consider contractually binding such overseas entities to comply with the new privacy legislation and the Australian entity’s privacy policy.

General

By March 2014, entities which receive personal information will be required to have more comprehensive and transparent policies and procedures in place. Such entities should therefore review their current privacy policy to ensure that it is up-to-date and compliant with the new APPs, especially in relation to: how the entity holds, collects and uses personal information; the purposes of holding, collecting and using personal information; and how the entity handles complaints in relation to its collection or use of personal information.

Credit Information

Part IIIA of the Privacy Act will be replaced in full by the new credit information provisions contained in the Amendment Act. The Amendment Act makes several notable changes to the current regime in respect to credit information policies, the collection and recording of information, and disclosure of information to overseas entities.

Credit reporting bodies and credit providers are expressly required by the Amendment Act to take reasonable steps to implement practices, procedures and systems to ensure they comply with the new credit reporting regime (and to ensure that they are able to adequately handle complaints made by individuals relating to their compliance with the new regime). Just like the new personal information regime, affected entities need to ensure they are compliant with the new credit information rules by March 2014.

Banks, retail businesses that issue credit cards, entities who carry on businesses which (substantially) involve the provision of credit, suppliers of goods and services on credit/payment terms, equipment lessors and hire purchase credit providers will all fall within the definition of “credit providers” contained in the Amendment Act and will therefore need to ensure they comply with the new regime.

Credit information policies

Credit providers and credit reporting bodies will need to develop two separate privacy policies to ensure that their privacy obligations for both personal and credit information are met. They will be required to have one general policy (which would cover requirements under the APPs) and a separate credit reporting policy dealing with credit information. Like APPs policies, an entity’s credit reporting policy should be made available on the entity’s website.

In certain respects the credit information provisions in the Act completely override the APPs in relation to credit information. Whether an APP is overridden depends on the type of credit information and whether the relevant entity is a credit provider or a credit reporting body. Therefore, although matters included in a credit information privacy policy will be similar to those contained in an APP privacy policy (such as overseas disclosure, direct marketing and complaints), in certain respects they will be different.

Collection and recording of credit information

The most substantial difference between the existing credit reporting provisions in the Privacy Act and the new provisions contained in the Amendment Act is the introduction of 5 new categories of credit information which can be collected. The majority of these new categories fall within the new definition of “consumer credit liability information” (CCLI). They include:

  • the type of consumer credit provided (the definition of “consumer credit” has also been extended to include loans for acquiring, maintaining or improving residential property for investment purposes)
  • the date on which the consumer credit is entered into
  • the maximum amount of credit available, and
  • the day on which the consumer credit is terminated.

The other new category of information which is regulated by the new credit reporting provisions is repayment history information (RHI). This information can include:

  • whether or not the individual has met an obligation to make a monthly payment that is due and payable in relation to consumer credit
  • the day on which the monthly payment is due and payable, and
  • if the individual makes the monthly payment after the due date, the day on which the payment is made.

Unlike the current regime under the Privacy Act, the new credit reporting information regime permits positive RHI (i.e. details of payments made on time) to be reported in addition to negative RHI (i.e. details of payments missed). This is a change from the “negative” credit reporting regime which is currently in place under the Privacy Act.

Credit providers will be entitled to collect such RHI from December 2012. From March 2014, they will be permitted to provide such information to credit reporting bodies to be used in determining a person’s suitability for being provided with credit.

Retention periods

The retention period (after which credit information is required to be destroyed) for the new categories of information is 2 years. For CCLI information, the retention period commences on the day that the relevant consumer credit is terminated. For RHI, the retention period commences on the day on which the relevant monthly payment was due.

Further, under the new regime the time required to elapse before default information can be disclosed to a credit reporting body after the giving of a written notice has been defined as 14 days, as opposed to the previous requirement of a reasonable time.

Disclosure of credit information to overseas entities

Previously entities could only disclose credit information to overseas entities if they had an ‘Australian link’. Under the new regime credit information may be provided to overseas entities regardless of whether they have a link to Australia or not. However, the providing entity must ensure that the overseas entity complies with the amended Privacy Act with respect to the provided information.

Accordingly, entities considering providing credit information to overseas entities should consider contractually binding such overseas entities to comply with the relevant parts of the new credit information provisions contained in the Amendment Act in addition to the Australian entity’s privacy policy.

Other changes to credit information regime

Among other things, the new credit information regime will also introduce specific provisions relating to the following, which will also need to be considered by credit reporting bodies and credit providers before March 2014:

  • pre-screening, which is permitted in relation to certain direct marketing of consumer credit (provided that the information used is not CCLI and the individual has not requested that its information is not used for that purpose)
  • freezing of credit providers’ access to credit reporting information in certain cases where an individual suspects that he or she has been the victim of identity theft or fraud. This applies where a credit reporting body has received notice from an individual of the suspected identity theft or fraud, and
  • the use of de-identified information (credit information which is no longer about an individual who is reasonably identifiable), which may be disclosed for the purposes of conducting research in relation to credit, but for no other purpose.

Enforcement

The Information Commissioner will have broader functions and powers under the new regime, which is intended to encourage greater compliance with privacy laws in Australia. For example they will be able to:

  • seek civil penalties of up to 2000 penalty units (which equates to $340,000 for individuals and $1.7m for corporations) for serious or repeated breaches, or for certain credit reporting breaches as well as criminal penalties (previously, these penalties were up to $30,000 for individuals and $150,000 for organisations)
  • accept enforceable undertakings not to breach individuals’ privacy
  • undertake privacy performance assessments, and
  • recognise external dispute resolution bodies.

The new privacy laws which are being introduced by the Amendment Act are more onerous than the privacy laws currently in place. Entities with turnovers of more than $3m per annum that collect personal information should seek legal advice in order to ensure that their practices, procedures, and policies will reflect the new regime by March 2014. Considering the complexity and scope of the changes, entities ought to begin the process of updating their practices, procedures, and policies now.