Since 12 March 2014, private sector companies (with an annual turnover of more than A$3 million) have needed to comply with new provisions in the Australian Commonwealth Privacy Act 1988 (Act). The Act now contains a new set of thirteen unified Australian Privacy Principles (APPs), which replaced the ten National Privacy Principles (NPPs) (and also the Information Privacy Principles which applied to Commonwealth agencies). Companies had fifteen months to prepare for the changes.
The Act does not distinguish between data controllers and data processors. The obligations in the APPs therefore apply to any company that collects and holds personal information (data).
A new, expanded definition of personal information now applies. It includes information or an opinion which, when combined with other information (which may not be controlled by the same entity), identifies an individual or makes the individual "reasonably identifiable". Whether or not an individual is reasonably identifiable from certain information requires a consideration of the cost, difficulty, practicality and likelihood that the information will be linked in such a way as to enable that person to be identified.
This is a significant departure from the previous definition which required only that the identity of the individual concerned be apparent or reasonably ascertainable "from the subject information or opinion".
Required or authorised by law
While the NPPs permitted the collection, use or disclosure of personal information where "required or authorised by law", this is now limited in the APPs to Australian law and also where authorised or required by an Australian court or tribunal order (it does not extend to contractual obligations).
Permitted general and health situations
There are two new definitions that apply in the APPs - a "permitted general situation" and "permitted health situation". These group together many of the permitted exceptions or circumstances to certain obligations in the APPs in relation to the collection, use and disclosure of personal information and government related identifiers.
The APPs contain many similar provisions to the NPPs, but also include some new obligations on how companies must handle the collection, use, disclosure, access, correction and storage of personal information. These generally correspond with enhanced rights individuals now have.
Overarching privacy obligation
Companies must implement practices, procedures and systems relating to their functions or activities so they can comply with their privacy obligations and can deal with privacy inquiries or complaints (APP1). This introduces into the Act the concept of privacy by design.
The content of privacy policies is now prescribed. Companies need to ensure they include all of the information in their privacy policies that is required by APP1.
Collection of personal information
- there is additional information companies must make individuals aware of. Companies need to update their collection statements to explain how individuals can make complaints and access and correction requests and, where applicable, the overseas disclosures which they are likely to make; and
- if a company receives personal information it did not request, it has to determine whether it could have collected it and, if it could not, it must destroy or de-identify it unless it is a Commonwealth record or it would be unlawful or unreasonable to do so.
Use and disclosure of personal information
If a company collects information from a related body corporate, it will be treated as if the primary purpose for the collection of the information was the same purpose for which the disclosing related body corporate collected the information.
There is a new APP that generally prohibits the use and disclosure of information for direct marketing unless an exemption applies. (NPP2.1(c) only applied to use of information for direct marketing purposes).
- Sensitive information may only be used or disclosed for direct marketing purposes if the individual has consented.
- The exceptions to the general prohibition are where:
- consent has been obtained;
- the company has collected the information from the individual, who has a reasonable expectation that their information will be used in this way, and it provides a simple opt-out which is not taken up; or
- the company collected the information from the individual but the individual has no reasonable expectation that their information will be used or disclosed in this way, or it collected the information from someone else; and it has obtained consent or it is impracticable to obtain consent; and it provides a simple opt-out which is not taken up; and each direct marketing communication includes a prominent statement that the individual may request not to receive such communications.
- Provisions in the Australian Commonwealth Do Not Call Register Act 2006 (telemarketing) and Spam Act 2003 (electronic direct marketing) override the new direct marketing principle. (Both Acts require consent, which may be express or inferred.)
- If a company uses information for direct marketing or to facilitate direct marketing by another organisation, the individual can request:
- not to receive direct marketing from the company;
- that their information not be used by or disclosed to other organisations to facilitate direct marketing by those organisations; and
- the company's source of their information.
Government related identifiers
This definition is expanded to include State and Territory government related identifiers (e.g. drivers' licences) as well as Commonwealth related identifiers. Companies are able to use or disclose identifiers where reasonably necessary to verify the individual's identity for the purposes of their activities or functions.
Overseas disclosure of personal information
Under the new accountability provisions of APP8 and section 16C of the Act, while companies may disclose information outside Australia, they are now required, unless an exception applies, to take reasonable steps to ensure the overseas recipient of the information does not breach the APPs (except APP1) in relation to the information. The most relevant exceptions are:
- the company expressly informs the individual that, if he or she consents to the overseas disclosure, the company will not be taking any reasonable steps to ensure the overseas recipient does not breach the APPs, and the individual consents after being informed of this; and
- the company reasonably believes that the overseas recipient is subject to a law or binding scheme that protects the information in a similar way to the APPs (countries in the EU may generally be considered to be such jurisdictions) and there are mechanisms the individual can access to enforce that law or scheme.
Any breach of the APPs by the overseas recipient may be treated as being done by the disclosing company, which means the disclosing company may be liable for those breaches. An act does not breach the APPs if it is done outside Australia and it is required by an applicable law of a foreign country.
Access to and correction of personal information
- companies must respond to access requests within a reasonable period and give written notice of request refusals. There is a new exception to the requirement to give access if the company has reason to suspect serious misconduct or unlawful activity that relates to its functions or activities, and giving access is likely to prejudice the taking of appropriate action;
- companies must generally correct information if they are asked to do so or are satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading. They must give written notice of request refusals; and
- if companies correct information they previously disclosed to another company, they must, if asked by the individual, take reasonable steps to notify the other company of the correction unless it is impracticable or unlawful to do so.
The Privacy Commissioner will have enhanced functions and powers and will now also be able to:
- apply to court for civil penalty orders (of up to $1.7m for companies) for serious or repeated breaches of the APPs;
- on their own initiative or on request, provide a company with advice about the operation of the Act;
- conduct an assessment in any manner they see fit to determine whether a company is complying with the APPs (or a registered binding APP Code);
- accept written court enforceable undertakings from a company (which they can publish) that it will, for example, take or stop taking specified action;
- allow complaints to be dealt with by an external dispute resolution scheme they have recognised; and
- make broader compensation determinations, including for injury to the feelings or humiliation of the complainant or any other affected individual.
A new comprehensive consumer credit reporting system
The credit reporting system in the Act has been repealed and replaced. It has moved from a negative to a positive credit reporting system. It applies to credit providers, credit reporting agencies (credit bureaus) and certain other entities or individuals who are affected credit information recipients. Obligations on these entities will replace APP obligations in many respects in relation to credit and related information. There are restrictions on overseas entities participating in the system. Credit providers must generally be members of a recognised external dispute resolution scheme if they wish to disclose consumer credit information to a credit bureau.