
The new Australian Privacy Principles: Amendments to the Privacy Act 1988

Focus: Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth)
Services: Commercial
Industry Focus: Energy, resources & infrastructure, Financial services, Life sciences & healthcare, Property, Insurance
Date: 12 February 2013
Author: John Reen, Partner & Kamini Newton, Associate

For a vast number of entities in Australia, the collection, use and disclosure of personal information simply means ensuring a robust consent is in place.
 
While the recently enacted Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (the “Amendment Act”), which came into force on 12 December 2012 and amends the Privacy Act 1988 (Cth), still permits the collection, use and disclosure of personal information with consent, it reinforces the need for other compliance mechanisms.


What are the amendments?


The amendments create a new set of ‘Australian Privacy Principles’ (“APPs”) that update and consolidate the privacy principles that previously applied to government agencies (the Information Privacy Principles) and private sector entities (the National Privacy Principles). [1]

Significant amendments are also made to the credit reporting scheme, through new rules that regulate information disclosed to and by credit reporting bodies, credit providers and affected information recipients. [2]
 
The authority of the Australian Information Commissioner (“Commissioner”) has been broadened by the Amendment Act, permitting the Commissioner to conduct assessments regarding APPs and make applications to the Federal Court or Federal Magistrates Court for an order, where there has been a breach of a civil penalty provision. [3]

The majority of the amendments take effect in March 2014, though a handful of provisions apply from the date of royal assent (i.e. 12 December 2012). [4]


What are the APPs?


The APPs comprise five categories of thirteen principles that address transparency; collection; use and disclosure; integrity, quality and security; and access and correction of personal information. A summary of the categories follows.

Transparency
An entity must have privacy policies and processes in place articulating its collection, use and disclosure of personal information. Individuals must be permitted to provide anonymous information or use pseudonyms if practical. [5]

Collection
An entity must only collect personal information that is reasonably necessary or directly related to the entity’s operations. Consent must be provided for an entity to collect sensitive information. [6]

An entity must deal with unsolicited personal information in the same way as solicited personal information, if it could have solicited and collected the personal information. [7] Individuals must be notified of the process and reasons for the collection and use of personal information. [8]

Use and disclosure
Personal information can only be used for the primary purpose or for secondary purposes where the individual has provided consent and the use and disclosure is related to the primary purpose. Sensitive information can only be used with consent for secondary purposes that are directly related to the primary purpose. [9]
 
Personal information may be used for direct marketing purposes if the individual “reasonably expects” the use for direct marketing, or if the use is not reasonably expected, with consent. Sensitive information may only be used for direct marketing purposes with the individual’s consent. [10]

An entity must take reasonable steps to ensure disclosure of personal information to an overseas recipient is in compliance with the APPs. An entity that discloses personal information to an overseas recipient continues to be liable for the overseas recipient’s non-compliance with the APPs. [11]

Government related identifiers may only be used or disclosed by entities in limited circumstances. [12]

Integrity, quality and security
An entity is responsible for the continuous maintenance of its information to ensure that the personal information is relevant, “accurate, up-to-date and complete”. [13]

An entity must take “reasonable steps” to ensure that the personal information is protected from “misuse, interference and loss, and from unauthorised access, modification or disclosure.” [14]

Access and correction
An entity must give an individual access to, and the right to correct, personal information within 30 days of the request, or provide a written explanation of the refusal to provide the information or to correct it. Individuals are no longer required to prove that the information is incorrect. [15]


What are the rules for credit reporting bodies and credit providers?

 
The new rules for credit reporting bodies and credit providers are intended to overhaul the credit reporting scheme in order to balance the protection afforded to the individual and the credit provider’s access to reliable credit information about the individual. [16]

Civil penalties replace the majority of the criminal offences with respect to non-compliance with the new rules; however, criminal offence provisions still apply with respect to false and misleading information. Civil penalties of up to $1.1 million can be sought by the Commissioner for breaches of credit reporting requirements. [17]

Despite a commencement date of 12 March 2014, disclosure of repayment history is permitted in certain instances from the date of assent. The disclosure of this historical data allows the credit reporting system to play a more meaningful role in assessing an individual’s creditworthiness from commencement. [18]


Will there be more?

 
The APPs contemplate that the Office of the Australian Information Commissioner will develop guidelines to clarify the interpretation of a number of definitions used in the new APPs. For example, regulations are expected to identify organisations that are permitted to use and disclose government related identifiers.
 

How do you prepare?


In preparation for the commencement of the amendments, an entity should:
  1. review and update its privacy policies and internal procedures regarding its handling of personal information and sensitive information
  2. review and update its policies and internal procedures regarding its management of credit reporting information
  3. review (and amend where necessary) third party contracts that permit the disclosure of personal information, sensitive information or credit reporting information, with a strong emphasis on disclosures to overseas recipients
  4. engage employees, through training, to ensure understanding of and compliance with the amendments.
For more information, please contact:
 

John Reen | Partner

T +61 2 8233 9572

F +61 2 8233 9555

 
Footnotes
  1. Privacy Act 1988 (Cth) sch 1, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  2. Privacy Act 1988 (Cth) pt IIIA divs 1-2, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 2 item 72.
  3. Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 194-195.
  4. Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) s 2.
  5. Privacy Act 1988 (Cth) sch 1 APP 1-2, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  6. Privacy Act 1988 (Cth) sch 1 APP 3, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  7. Privacy Act 1988 (Cth) sch 1 APP 4, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  8. Privacy Act 1988 (Cth) sch 1 APP 5, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  9. Privacy Act 1988 (Cth) sch 1 APP 6, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  10. Privacy Act 1988 (Cth) sch 1 APP 7, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  11. Privacy Act 1988 (Cth) sch 1 APP 8, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  12. Privacy Act 1988 (Cth) sch 1 APP 9, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  13. Privacy Act 1988 (Cth) sch 1 APP 10, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  14. Privacy Act 1988 (Cth) sch 1 APP 11, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  15. Privacy Act 1988 (Cth) sch 1 APP 12-13, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  16. Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 90.
  17. Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 99.
  18. Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 6.
The information in this document, broadcast or communication is provided for general guidance only. It is not legal advice, and should not be used as a substitute for consultation with professional legal or other advisors. No warranty is given to the correctness of the information contained in this document, broadcast or communication or its suitability for use by you. To the fullest extent permitted by law, no liability is accepted by DibbsBarker for any statement or opinion, or for an error or omission or for any loss or damage suffered as a result of reliance on or use by any person of any material in the document, broadcast or communication.
 
This publication is copyright. Apart from any use as permitted under the Copyright Act 1968, it may only be reproduced for internal business purposes, and may not otherwise be copied, adapted, amended, published, communicated or otherwise made available to third parties, in whole or in part, in any form or by any means, without the prior written consent of DibbsBarker.
 
 