On 12 March 2014, extensive amendments to the Privacy Act 1988 (Privacy Act) came into force with the introduction of the Australian Privacy Principles (APPs), which have brought about a number of significant changes to how “personal information” is to be collected, handled and disclosed by organisations with an annual turnover of greater than AU$3 million.
In this article we look at the key changes to the Privacy Act and we discuss how the changes are likely to impact the insurance industry.
The Key Changes
- the types of personal information that an organisation collects and holds;
- how the organisation collects and holds personal information;
- to whom the organisation discloses personal information; and
- if the organisation is likely to disclose personal information to overseas recipients, the countries in which such recipients are likely to be located.
- Cross-border disclosure of personal information – the new provisions introduce a general obligation on organisations, before disclosing personal information to an overseas recipient, to take reasonable steps to ensure the overseas recipient does not breach the APPs (subject to specified exceptions). We discuss the practical implications of this change further below.
- Collection of unsolicited personal information – where an organisation receives unsolicited personal information (for example, through a social media platform), it must determine within a reasonable period whether that personal information could have been collected lawfully. If not, then the unsolicited personal information must be destroyed or de-identified.
- Direct marketing – the provisions have introduced new rules on how personal information can be used for direct marketing. These rules work in conjunction with the Spam Act 2003 (Cth) and Do Not Call Register Act 2006 (Cth) which also apply to direct marketing. The new rules provide that individuals may request the source of personal information held by an organisation about them. This obligation is expected to pose a challenge for many organisations whose IT systems are not configured to record that information.
- Credit Reporting – the changes have brought about a simplified and enhanced correction and complaints process for individuals, and the introduction of civil penalties for breaches of certain credit reporting provisions.
- Collection of sensitive information – under the new rules, sensitive information, including for example medical and health records or details of criminal prosecutions, may (subject to certain exceptions) only be collected by an organisation if the individual has consented to the collection and the information is reasonably necessary for one or more of the organisation’s functions or activities.
The Privacy Commissioner, who is charged with monitoring compliance with and enforcing the new rules, has been provided with a range of new powers including the power to:
- conduct an assessment of whether the personal information held by an organisation is being kept in accordance with the APPs;
- make various determinations relating to the acts and practices of an organisation, such as compensation for loss suffered by individuals as a result of any interference with an individual’s privacy;
- accept enforceable undertakings by organisations in respect of breaches of the Privacy Act. Undertakings could include the payment of a fine, implementation of new systems and procedures, privacy training for staff, compliance reporting and audits; and
- apply for civil penalty orders for serious or repeated interferences with privacy of up to A$340,000 for individuals and A$1.7 million for corporations.
As a result of the recent Budget, it is proposed that from 2015 the Privacy Commissioner will form part of the Human Rights Commission.
Proposed further reforms
The Privacy Amendment (Privacy Alerts) Bill 2014 (2014 Bill) was introduced on 20 March 2014, and had its second reading in the Senate. The 2014 Bill relates to the mandatory notification of data breaches. While the 2014 Bill may yet change, if it is passed in its current form the proposed laws will require an organisation or agency to notify privacy breaches to the Privacy Commissioner if there is a “real risk of serious harm” to the affected individuals.
A notification to the Privacy Commissioner will need to include various details regarding the privacy breach, such as the personal information that was accessed and steps that individuals should take in response to the breach. In some circumstances the organisation or agency will also be required to notify the affected individuals or to publish public notices, which could of course potentially cause significant commercial and reputational damage.
Impact of the changes
On the compliance front, organisations should ensure that they have reviewed their Privacy Policies and other relevant policies (for example, policies relating to IT security and document retention and destruction) and reviewed their internal systems to cater for the new privacy amendments.
In particular, organisations should ensure that they take reasonable steps to ensure that overseas recipients of personal information collected in Australia do not breach the requirements of the APPs. Organisations may wish to consider putting in place specific contractual obligations with overseas entities regarding the storage, handling and use of personal information. Other contractual provisions that may warrant consideration include potential indemnities for breaches, compliance with specific security standards, procedures for handling access requests and complaints by individuals and rights of audit over how the personal information is held.
In terms of the impact of these changes on the industry, if the 2014 Bill is passed and mandatory breach notification becomes a feature of the Australian privacy regime, Australia may follow in the footsteps of the United States, where class actions emanating from mass breaches of privacy obligations are occurring with increasing frequency.