The Attorney-General, Nicola Roxon, has announced that the long-awaited amendments to the Privacy Act 1988 will be introduced to Parliament in the Winter sitting period, which commenced on Tuesday 7 May with the budget sittings.
The proposed amendments stem from the 2008 Australian Law Reform Commission report on the effectiveness of Australian privacy laws. That report, "For Your Information: Australian Privacy Law and Practice", made 295 recommendations for change.
The Government is responding to those recommendations in two stages. The bill to be introduced to Parliament reflects the first stage Government response, which addresses 197 of the ALRC's recommendations.
What changes can we expect?
A copy of the bill is not yet available – we expect to see it when it is introduced into Parliament. Based on the Attorney-General's media release and the exposure drafts released previously, however, we expect that the bill will include the following reforms.
A new set of Australian Privacy Principles
The bill will introduce a new set of Australian Privacy Principles (APPs), to replace the existing Information Privacy Principles (which apply to Australian and ACT Government agencies) and National Privacy Principles (which apply to private sector organisations, with some exemptions). For private sector organisations, the new APPs will include changes such as:
- tighter controls on the use of personal information for direct marketing (with a distinction being drawn between the use of information collected from the individual and information collected from third parties);
- the extension of privacy protections to unsolicited information (including a requirement to destroy or de-identify this information unless the organisation would have been permitted to collect it under the new APPs); and
- more restrictive controls on transborder data flows (with transferring organisations generally having greater accountability for personal information after it has been transferred) and a requirement that any likely transborder data flows must be mentioned in privacy collection statements and privacy policies.
Strengthening the powers of the Privacy Commissioner
The bill will contain provisions strengthening the powers of the Privacy Commissioner to enforce the Privacy Act, including provisions allowing the Commissioner to:
- seek civil penalties in the case of serious or repeated interferences with privacy;
- conduct performance assessments of private sector organisations that handle personal information;
- make a determination following an investigation conducted on the Commissioner's own initiative (not just when investigating a complaint from an individual, as is currently the case); and
- accept written, court-enforceable undertakings from organisations that they will take or refrain from a specified action.
Changes to the Credit Reporting Regime
The bill will also seek to simplify and improve the (currently very complex) credit reporting provisions in the Privacy Act, including by:
- expanding the categories of credit reporting information that can be held by credit reporting agencies;
- requiring organisations to substantiate disputed credit listings;
- making it easier for individuals to access and correct their credit reporting information; and
- simplifying the complaints process, by allowing individuals to complain directly to the Privacy Commissioner (rather than having to first direct their complaint to the relevant organisation).
The second stage response
The Government's second stage response, which will proceed once the first stage reforms have further progressed, will look at the ALRC's remaining 98 recommendations, which cover issues such as:
- the clarification or removal of certain exemptions from the Privacy Act (including the employee records exemption and the small business exemption);
- a scheme for compulsory notification of serious data breaches;
- the introduction of a statutory cause of action for serious invasions of privacy (an issues paper was released in relation to this in September 2011, and the Government is currently considering the submissions it received in response);
- privacy and decision-making issues for children and authorised representatives; and
- national harmonisation of privacy laws (which will be partially dealt with in stage one).
What will organisations need to do?
It is not clear how long the bill will take to progress through both houses once it has been introduced.
Given the potentially significant changes that organisations will need to make, a Senate Committee has recommended that there should be a transitional period between the time the amendments are passed and the time that organisations are required to comply. It is not clear, however, how long this period will last.
Over this time, organisations will need to take steps such as:
- reviewing and modifying where necessary their direct marketing practices;
- amending privacy policies and privacy collection statements;
- determining whether any unsolicited personal information is collected and, if so, considering how this information will be managed;
- reviewing the circumstances in which personal information is transferred overseas, to determine whether those transfers comply with the more restrictive requirements that will be imposed, and considering whether new and more specific consents should be obtained;
- (if they are credit providers) reviewing and amending credit documentation and processes; and
- conducting training about the changes for staff whose jobs involve the collection or management of personal information.
Where to from here?
As the Attorney-General has announced that the legislation for the first stage of privacy amendments will be introduced in the Winter sittings, we expect to see it very soon.