This article is more than 24 months old and is now archived. This article has not been updated to reflect any changes to the law.


Privacy law modernisation: adapting privacy laws to the new information age

On 23 May 2012, the Federal Government introduced a Bill designed to modernise Australia's privacy laws. [1] The Bill proposes the biggest change to privacy laws since the private sector privacy legislation was introduced in December 2001.

In preparation for the reforms, organisations may wish to review their internal privacy policies and practices including how they share information with others in their day to day business.

Christina McElwain

The proposed key changes

The Bill responds to technological and social changes since 2001 which have impacted on the extent to which personal information is protected.

These changes have led to the now commonplace exchange of personal information through social media pages and other modern business systems.

The Bill responds to these changes by amending the Privacy Act 1988 (Cth) (Privacy Act) to:

  • establish a single set of modernised privacy principles which will replace and simplify:
    • the 10 National Privacy Principles (NPPs) which currently apply to the Private Sector; and
    • the 11 Information Privacy Principles (IPPs) which currently apply to Commonwealth agencies.
  • simplify and improve the credit reporting provisions in the Privacy Act; and
  • strengthen and clarify the powers of the Information Commissioner.

Timing

The Bill passed through the House of Representatives on 17 September 2012 and was introduced into the Senate on 18 September 2012. Following the Bill's introduction to the Senate, the Senate Standing Committee on Legal and Constitutional Affairs (Committee) reviewed the Bill and released a report containing 21 recommendations for change. These are likely to alter the form of the Bill rather than its effect. At the date of publication, the Bill is yet to be passed in the Senate.

Background

In May 2008, the Australian Law Reform Commission (ALRC) published a report titled "For Your Information - Australian Privacy Law and Practice". This report was the result of a 2006 inquiry into the effectiveness of Australian privacy laws. It contained 295 recommendations for change [http://www.alrc.gov.au/publications/report-108].

The Government responded to the ALRC's recommendations in stages as follows:

  1. June 2010 - The Government issued an exposure draft containing a new set of Australian Privacy Principles (APPs). These were referred to the Senate Finance and Public Administration Committee which issued its report in June 2011;
  2. February 2011 - The Government released a proposal containing new credit reporting provisions. These provisions were referred to the Senate Finance and Public Administration Legislation Committee which issued its report in October 2011; and
  3. 23 May 2012 - The Bill was introduced into Parliament. The Bill was referred to the Committee for inquiry which released its final report on 25 September 2012.

The Bill - elements of reform

The Bill is divided into 6 schedules. 5 of these contain the key reforms:

Schedule 1 - Australian Privacy Principles (APPs) (amends the Privacy Act)

The key change is the development of privacy principles that will apply to both the private and public sectors. The APPs will impose obligations on Commonwealth agencies and certain private sector organisations, which will collectively be known as "APP entities".

To a large extent the APPs are based on the IPPs and NPPs. However the APPs also recognise that we now live in a world of frequent online information exchange.

For example, APP 8 'Cross border disclosure of personal information' provides that a disclosure will occur when Australian personal information is accessed by an overseas recipient, regardless of whether the information is stored in Australia or elsewhere. Currently there is no equivalent privacy principle. It differs from the existing NPP 9 which restricts the transfer or cross border movement of personal information where it is released by an organisation in Australia to an overseas recipient.

The new principle recognises that with developments such as cloud computing and overseas electronic data storage, it is possible for Australian personal information to be accessed outside Australia by non-Australian entities. Accordingly, the principle prompts Australian organisations to have measures in place to restrict how and when the access occurs.

Schedule 2 - Credit Reporting (amends the Privacy Act)

The Bill increases protection of credit reporting information. This schedule makes changes which:

  • assist organisations - by simplifying the complex credit reporting provisions of the Privacy Act, and by clarifying and expanding the categories of credit reporting information that an organisation can hold. The objective is that more credit information may be stored but it must also be more comprehensive and, at least in theory, reliable; and
  • assist individuals - by simplifying the complaints resolution process and the process by which individuals can have their credit information corrected.

Schedule 3 - Privacy Codes (amends the Privacy Act)

This schedule will replace the existing laws concerning development of information privacy codes of practice.

What are Privacy Codes?

Currently the Privacy Act allows organisations and industries to develop and enforce their own privacy codes which, once they take effect, replace the NPPs and bind those organisations.

Generally speaking, this practice won't change and codes will become binding once they are registered with the Information Commissioner.

Credit Reporting Code

Currently under the Privacy Act, the Credit Reporting Code of Conduct (Part IIIA) governs the maintenance of certain kinds of personal information relating to consumer credit intended to be used primarily for domestic, family or household purposes. [2]

These provisions will be completely replaced by a credit reporting code of practice (CR Code), which will be based on the APPs but also take into account the changes to credit reporting contained in Schedule 2. The CR Code has not yet been developed and the Information Commissioner will oversee its development.

Schedule 4 - Other amendments to the Privacy Act, including the functions and powers of the Australian Information Commissioner (amends the Privacy Act)

Most notably, the changes in this schedule will allow individuals to claim compensation for breaches of privacy. [3] However, there is a catch. An individual will only be able to claim compensation if:

  • the Information Commissioner has applied to the court for a civil penalty order against the relevant organisation; and
  • the organisation is found by the Court to have committed a breach.

Schedule 6 - Application, transitional and savings provisions (sets out provisions relating to both the Privacy Act and the 55 other Commonwealth Acts)

In her second reading speech, Attorney-General Nicola Roxon stated that a 9 month transition period will apply following commencement of the substantive provisions within which industry and government agencies will have an opportunity to revise and update their privacy policies and practices. [4]

5 Key Recommendations of the Committee

The Committee made 21 recommendations for changes to the Bill, with most requiring implementation before the Bill passes in the Senate.

The Committee made 5 key comments:

  • Support for the Bill - Most importantly, the Committee supports the Bill and recommends its passage subject to its recommendations.
  • Protecting privacy: ensure individuals are fully informed - As the Bill is drafted, if an individual consents to an APP entity sharing information with an overseas entity, then the APP entity is not required to ensure that the overseas entity does not breach the APPs.

    The Committee recommends that the APP entity be required to inform the individual of the practical effect of this consent before they provide it, so that the person may make an informed choice (Recommendation 4).

  • Protecting Privacy: use of de-identified information - The Bill proposes that information that is no longer about an identifiable individual will be labelled 'de-identified'. [5] The Bill also proposes that such information cannot be disclosed by an APP entity except for the specific purpose of research by credit institutions or in certain situations.

    The Committee recommends that this 'research' exception be abolished as it is unnecessary and potentially offends individual privacy rights (Recommendation 15).

  • Credit Information: correction of incorrect credit details - The Committee recommends that, where an individual makes a request to an APP entity to correct information on their credit file, the progress of this request should be noted on the file. This recommendation means that persons using or relying on incorrect information may have notice that the information is being reviewed. This allows the person using the information to make a decision about the extent to which it relies on the information (Recommendation 17).
  • Consumer Education: publication of material to inform consumers of key changes to privacy laws - The Committee recommends that, before the Bill commences, the Office of the Australian Information Commissioner develop and publish informative material for consumers. Such publications will advise consumers of the key changes to privacy legislation that may affect their individual rights and obligations (Recommendation 20).

Key Messages for Businesses

Given the Committee has endorsed the Bill subject to its recommendations, organisations should start considering what the likely consequences will be for them when the reforms are implemented.

Specifically, organisations could:

  • review and update their privacy policies so they comply with all existing laws but also, to the extent practical, with the Bill's new APP provisions;
  • strengthen document and information security processes, especially where personal information is stored or accessed overseas;
  • if dealing with overseas parties, review contractual rights and obligations to assess the extent to which the organisation and its contracting parties will be able to comply with the new APPs; and
  • establish, review or upgrade systems for dealing with requests from individuals in relation to privacy information.

More Information from Maddocks

For more information, contact Christina McElwain or Philippa Hore in the Maddocks Commercial Group on (03) 9288 0555.




[1] Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Bill).

[2] Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, circulated by authority of the Attorney General, the Honourable Nicola Roxon, page 2.

[3] Senate Standing Committee on Legal and Constitutional Affairs (Committee) Report on the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, Chapters 1 and 8.

[4] The Hon. Nicola Roxon MP, House of Representatives Hansard, 23 May 2012, page 5212.

[5] Definition of 'de-identified' proposed to be inserted into subsection 6(1) of the Privacy Act 1988 (Cth).

 
