The Privacy Amendment (Enhancing Privacy Protection) Act (the “Reform Act”) was passed by the Australian Parliament in November 2012. The Reform Act marks the culmination of a lengthy amendment process which began in 2006 with a comprehensive review of the Privacy Act 1988 (the “Privacy Act”) and related laws by the Australian Law Reform Commission (“ALRC”). The ALRC issued a report in 2008 (“ALRC Report”) in which it identified almost 300 areas for reform.
The Reform Act amends the Privacy Act and makes consequential amendments to 55 other pieces of legislation, and addresses some (but not all) of the recommendations made in the ALRC Report. A number of the main areas of reform addressed in the Reform Act are set out below.
Australian Privacy Principles
The Reform Act introduces a unified set of 13 privacy principles which are to apply to both the public and private sectors (the Australian Privacy Principles (“APPs”)) and shall consolidate and replace the current Information Privacy Principles (“IPPs”) (applicable to the public sector) and the National Privacy Principles (“NPPs”) (applicable to the private sector).
Under APP8, organisations that transfer personal data to an entity outside Australia must take reasonable steps to ensure that the recipient does not breach the APPs. A new accountability principle has been introduced for cross-border disclosures of personal data, under which an organisation disclosing personal data to a recipient located overseas will be responsible for a breach of the APPs by the recipient under certain circumstances.
Direct marketing is also regulated under the APPs, with APP7 containing a general prohibition on use of personal data for direct marketing unless one of numerous exceptions applies (e.g. where the individual would reasonably expect his/her personal data to be used for direct marketing purposes, an opt-out facility was provided to the individual, and the individual did not exercise his/her right to opt out; where consent has been obtained, etc.). Organisations are also required to provide a facility enabling individuals to opt out of receiving direct marketing materials.
A comprehensive credit reporting system has been introduced under the Reform Act to replace the existing credit reporting provisions in the Privacy Act. Credit providers shall be granted the right under the Reform Act to collect negative and positive information relating to an individual’s payment history in connection with a consumer loan, for the purposes of determining the individual’s eligibility to be provided with credit. The process for complaints relating to credit reporting has also been simplified by allowing complaints to be made directly to the Commissioner (i.e. removing the requirement to complain to the organisation first) and introducing alternative dispute resolution to deal with complaints more efficiently. Contraventions of certain credit reporting provisions constitute an offence and contravention of others may give rise to civil penalties. The credit reporting provisions shall be supported by regulations and codes which shall contain more detailed requirements in relation to procedural matters.
Powers of the Commissioner
The Reform Act clarifies and enhances the powers of the Information Commissioner. For example, the Information Commissioner shall have the ability to: (i) accept enforceable undertakings from entities to take or refrain from taking certain actions; (ii) seek civil penalties for serious/repeated breaches of privacy; (iii) conduct privacy compliance assessments; and (iv) commence investigations on his own initiative without the need for a complaint.
Codes of practice
The Information Commissioner is empowered under the Reform Act to develop (or call on organisations to develop) and register codes of practice relating to the APPs or credit reporting provisions, that are binding on specific agencies and organisations.
Where to from here?
The key reforms in the Reform Act (including those relating to the APPs, credit reporting code and other codes of practice) are expected to come into effect in March 2014.
In anticipation of the implementation of the amendments next year, public and private data users may wish to take this time to review their personal data practices and policies (e.g. privacy policies and collection statements, direct marketing practices, practices relating to cross-border transfer of personal data, consents etc.) to ensure that they comply with the new requirements.