Changes to Australian Privacy Laws: What has happened and what you should do
What has happened:
- The privacy laws have been amended;
- A set of 13 Australian Privacy Principles have replaced the previous National Privacy Principles;
- New comprehensive credit reporting system; and
- Strengthened powers of the Australian Information Commissioner.
What you should do:
- Review and update Privacy Policies;
- Review and update contracts;
- Educate and train staff on changes; and
- Review and update business processes.
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (‘the Amending Act’) received Royal Assent on 12 December 2012. Only its formal provisions commenced on that day; the substantive reforms commence in March 2014. The Amending Act changes the current privacy laws as set out in the Privacy Act 1988 (Cth) (‘the Act’) and will generally impact those engaging in cross border transactions, direct marketing, cloud computing, data collection, outsourcing, and credit reporting.
The changes include:
- thirteen new Australian Privacy Principles (‘APPs’), including new requirements for dealing with unsolicited information;
- significant consumer credit reporting reforms; and
- an increase in powers for the Australian Information Commissioner (‘Commissioner’).
The changes will keep Australia on par with major trading partners and bring the law in line with the social and technological advances of the digital age, in particular cloud computing.
Familiarity with the amendments is key to ensuring that current privacy policies, contracts and procedures of entities holding and collecting information in Australia will remain compliant with the privacy laws.
The Australian Privacy Principles (APPs)
The amendments to the Act supplement and consolidate the content of the current Information Privacy Principles (‘IPPs’) and National Privacy Principles (‘NPPs’) into one set of APPs. Organisations that need to comply with the APPs will be referred to as ‘APP entities’. An APP entity includes private organisations to which the old NPPs applied and government agencies that previously adhered to the IPPs.
An APP code can also be created at the request of the Commissioner or developed by an APP entity on its own initiative. Upon registration, it operates to impose additional requirements on the entities bound by it and does not replace the APPs. This is useful for specific industries and professions that engage in acts or practices otherwise exempt from the privacy laws, or that use technology of a particular kind.
The APPs are contained in schedule 1 of the Amending Act which divides the principles amongst five parts.
- Part 1 ensures management of personal information in an open and transparent manner;
- Part 2 sets out requirements for dealing with unsolicited information;
- Part 3 deals with principles governing the use and disclosure of information and government related identifiers;
- Part 4 upholds the integrity, quality and security of personal information;
- Part 5 allows individuals access to and enables them to correct their personal information.
The following are the key changes to the Privacy Act.
1. Openness and Transparency
An APP entity must have a clearly expressed and up-to-date privacy policy. That policy must:
- be made freely available to individuals;
- be kept up to date;
- clearly express the kind of information that entity will hold and how it will attempt to obtain it;
- specify how consumers can access their records and amend them;
- set out an entity’s process for handling complaints and an individual’s ability to report breaches;
- make methods of data collection known to individuals where it is not solicited directly from them; and
- disclose that information may be shared overseas and the locations specified where practicable (if any).
2. Unsolicited Information
Where an entity receives personal information that it did not solicit, it must decide within a reasonable period whether it could have collected that information itself under the APPs. If it could not have, the information must be destroyed or de-identified. Separately, personal information that an entity no longer needs for any purpose permitted under the APPs must also be destroyed or de-identified.
3. Accountability for outsourcing
Prior to disclosing personal information to an overseas recipient, an entity must take all reasonable steps to ensure that the recipient does not breach the APPs, and the disclosing entity remains accountable for any breach by that recipient as if it were its own. Generally, there will be greater requirements for those partaking in outsourcing and cross border arrangements.
An organisation can minimise the risk of liability by expressly informing individuals that their personal information will be shared overseas, clearly identifying the agents and countries involved, and obtaining the individual’s consent to the disclosure on that basis.
In addition, contracts should be amended so that parties (eg. agents) who may have access to personal information agree to comply with the APPs.
4. Credit reporting provisions
The Amending Act will have a significant impact upon the handling of consumer credit information. The new laws are intended to provide a fuller and fairer account of credit history when assessing the risks of extending credit for domestic purposes. This will be achieved by permitting disclosure of positive information, such as repayment history and dates that credit accounts are opened. This overhaul enables more comprehensive credit reporting to better assess ‘credit-worthiness’ of applicants.
Credit reporting bodies will need to update their policies and procedures to more readily allow an individual to access, correct and resolve any issues with their credit information. Consumers will also benefit from a temporary ban on access to their credit information where identity fraud is suspected.
5. Penalties for non-compliance
The Australian Information Commissioner’s powers have been expanded under the Amending Act reforms. The Commissioner will have the power to issue guidelines, to require an APP entity to develop an APP code, and to vary a registered APP code by including additional requirements for compliance.
A breach of the APPs is an interference with the privacy of an individual and can lead to an entity being investigated by the Commissioner. The Commissioner also has the power to initiate investigations on its own motion without any complaint having been received.
Serious or repeated interferences with privacy attract civil penalties, which the Commissioner can seek in the Federal Court or the Federal Magistrates Court. Corporations found in breach can face monetary penalties of up to $1.1 million, and individuals and other non-corporate entities up to $220,000, based on a penalty unit of $110.
Section 4AA of the Crimes Act 1914 has since been amended to increase the amount of a penalty unit from $110 to $170. This means that the maximum penalty will be $340,000 for individuals and other non-corporate entities and $1.7 million for corporations.
Although the majority of the reforms to the privacy laws will not commence until March 2014, organisations should use this transition period to revise and update their privacy policies. Procedures and contracts of entities handling personal information should also be reviewed promptly to ensure a seamless transition to, and compliance with, the new privacy laws.
Matthew Payne, Partner
Ron Heinrich AM, Senior Consultant - General Counsel