This article is more than 24 months old and is now archived. This article has not been updated to reflect any changes to the law.
On 23 May 2012, the Federal Government introduced a Bill designed to modernise Australia's privacy laws. [1] The Bill proposes the biggest change to privacy laws since the private sector privacy legislation was introduced in December 2001.
In preparation for the reforms, organisations may wish to review their internal privacy policies and practices, including how they share information with others in their day-to-day business.
Christina McElwain
The Bill responds to technological and social changes since 2001 which have impacted on the extent to which personal information is protected.
These changes have led to the now commonplace exchange of personal information through social media pages and other modern business systems.
The Bill responds to these changes by amending the Privacy Act 1988 (Cth) (Privacy Act) to:
The Bill passed through the House of Representatives on 17 September 2012 and was introduced into the Senate on 18 September 2012. Following the Bill's introduction to the Senate, the Senate Standing Committee on Legal and Constitutional Affairs (Committee) reviewed the Bill and released a report containing 21 recommendations for change. These are likely to alter the form of the Bill rather than its effect. At the date of publication, the Bill is yet to be passed in the Senate.
In May 2008, the Australian Law Reform Commission (ALRC) published a report titled "For Your Information - Australian Privacy Law and Practice". This report was the result of a 2006 inquiry into the effectiveness of Australian privacy laws. It contained 295 recommendations for change [http://www.alrc.gov.au/publications/report-108].
The Government responded to the ALRC's recommendations in stages as follows:
The Bill is divided into 6 schedules. 5 of these contain the key reforms:
The key change is the development of privacy principles that will apply to both the private and public sectors. The APPs will impose obligations on Commonwealth agencies and certain private sector organisations, which will collectively be known as "APP entities".
To a large extent, the APPs are based on the IPPs and NPPs. However, the APPs also recognise that we now live in a world of frequent online information exchange.
For example, APP 8 'Cross border disclosure of personal information' provides that a disclosure will occur when Australian personal information is accessed by an overseas recipient, regardless of whether the information is stored in Australia or elsewhere. Currently there is no equivalent privacy principle. It differs from the existing NPP 9 which restricts the transfer or cross border movement of personal information where it is released by an organisation in Australia to an overseas recipient.
The new principle recognises that with developments such as cloud computing and overseas electronic data storage, it is possible for Australian personal information to be accessed outside Australia by non-Australian entities. Accordingly, the principle prompts Australian organisations to have measures in place to restrict how and when the access occurs.
The Bill increases protection of credit reporting information. This schedule makes changes which:
This schedule will replace the existing laws concerning development of information privacy codes of practice.
What are Privacy Codes?
Currently the Privacy Act allows organisations and industries to develop and enforce their own privacy codes which, once they take effect, replace the NPPs and bind those organisations.
Generally speaking, this practice won't change and codes will become binding once they are registered with the Information Commissioner.
Credit Reporting Code
Currently under the Privacy Act, the Credit Reporting Code of Conduct (Part IIIA) governs the maintenance of certain kinds of personal information relating to consumer credit intended to be used primarily for domestic, family or household purposes. [2]
These provisions will be completely replaced by a credit reporting code of practice (CR Code), which will be based on the APPs but also take into account the changes to credit reporting contained in Schedule 2. The CR Code has not yet been developed and the Information Commissioner will oversee its development.
Most notably, the changes in this schedule will allow individuals to claim compensation for breaches of privacy. [3] However, there is a catch. An individual will only be able to claim compensation if:
In her second reading speech, Attorney-General Nicola Roxon stated that a 9 month transition period will apply following commencement of the substantive provisions within which industry and government agencies will have an opportunity to revise and update their privacy policies and practices. [4]
The Committee made 21 recommendations for changes to the Bill, with most requiring implementation before the Bill passes in the Senate.
The Committee made 5 key comments:
Protecting privacy: ensure individuals are fully informed - As the Bill is drafted, if an individual consents to an APP entity sharing information with an overseas entity, then the APP entity is not required to ensure that the overseas entity does not breach the APPs.
The Committee recommends that the APP entity be required to inform the individual of the practical effect of this consent before they provide it, so that the person may make an informed choice (Recommendation 4).
Protecting Privacy: use of de-identified information - The Bill proposes that information that is no longer about an identifiable individual will be labelled 'de-identified'. [5] The Bill also proposes that such information cannot be disclosed by an APP entity except for the specific purpose of research by credit institutions or in certain situations.
The Committee recommends that this 'research' exception be abolished as it is unnecessary and potentially offends individual privacy rights (Recommendation 15).
Given the Committee has endorsed the Bill subject to its recommendations, organisations should start considering what the likely consequences will be for them when the reforms are implemented.
Specifically, organisations could:
For more information, contact Christina McElwain or Philippa Hore in the Maddocks Commercial Group on (03) 9288 0555.
[1] Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Bill).
[2] Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, circulated by authority of the Attorney General, the Honourable Nicola Roxon, page 2.
[3] Senate Standing Committee on Legal and Constitutional Affairs (Committee) Report on the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, Chapters 1 and 8.
[4] The Hon. Nicola Roxon MP, House of Representatives Hansard, 23 May 2012, page 5212.
[5] Definition of 'de-identified' proposed to be inserted into subsection 6(1) of the Privacy Act 1988 (Cth).
Qualifications: LLB, University of Sheffield, LLM(CL), University of British Columbia
Georgia is a member of the Maddocks Commercial team and assists in a variety of commercial and corporate matters for private, public and not-for-profit clients.
Her expertise includes advising on general commercial law, wills and estates law, charities and not-for-profit law along with corporate law.
The legal information and commentary on this site is general only. Documents ordered through Cleardocs affect the user's legal rights and liabilities. To assess their suitability for the user, legal, accounting and financial advice must be obtained.