
The new Australian Privacy Principles: Amendments to the Privacy Act 1988

Focus: Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth)
Services: Commercial
Industry Focus: Energy, Resources & Infrastructure, Financial Services, Medical & Pharmaceutical, Property, Insurance
Date: 12 February 2013
Author: John Reen, Partner & Kamini Newton, Associate

For a vast number of entities in Australia, the collection, use and disclosure of personal information simply means ensuring a robust consent is in place.
 
While the recent enactment of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (the “Amendment Act”) (which came into force on 12 December 2012 and which amends the Privacy Act 1988 (Cth)) still permits the collection, use and disclosure of personal information with consent, the Amendment Act reinforces the need for other compliance mechanisms.


What are the amendments?


The amendments create a new set of ‘Australian Privacy Principles’ (“APPs”) that update and consolidate the privacy principles that previously applied to government agencies (the Information Privacy Principles) and private sector entities (the National Privacy Principles). [1]

Significant amendments are also made to the credit reporting scheme, through new rules that regulate information disclosed to and by credit reporting bodies, credit providers and affected information recipients. [2]
 
The authority of the Australian Information Commissioner (“Commissioner”) has been broadened by the Amendment Act, permitting the Commissioner to conduct assessments regarding APPs and make applications to the Federal Court or Federal Magistrates Court for an order, where there has been a breach of a civil penalty provision. [3]

The majority of the amendments take effect in March 2014, though a handful of provisions apply from the date of royal assent (i.e. 12 December 2012). [4]


What are the APPs?


The APPs comprise thirteen principles in five categories, addressing transparency; collection; use and disclosure; integrity, quality and security; and access and correction of personal information. A summary of the categories follows.

Transparency
An entity must have privacy policies and processes in place articulating its collection, use and disclosure of personal information. Individuals must be permitted to provide anonymous information or use pseudonyms if practical. [5]

Collection
An entity must only collect personal information that is reasonably necessary or directly related to the entity’s operations. Consent must be provided for an entity to collect sensitive information. [6]

An entity must deal with unsolicited personal information in the same way as solicited personal information, if it could have solicited and collected the personal information. [7] Individuals must be notified of the process and reasons for the collection and use of personal information. [8]

Use and disclosure
Personal information can only be used for the primary purpose or for secondary purposes where the individual has provided consent and the use and disclosure is related to the primary purpose. Sensitive information can only be used with consent for secondary purposes that are directly related to the primary purpose. [9]
 
Personal information may be used for direct marketing purposes if the individual “reasonably expects” the use for direct marketing, or if the use is not reasonably expected, with consent. Sensitive information may only be used for direct marketing purposes with the individual’s consent. [10]

An entity must take reasonable steps to ensure disclosure of personal information to an overseas recipient is in compliance with the APPs. An entity that discloses personal information to an overseas recipient continues to be liable for the overseas recipient’s non-compliance with the APPs. [11]

Government related identifiers may only be used or disclosed by entities in limited circumstances. [12]

Integrity, quality and security
An entity is responsible for the continuous maintenance of its information to ensure that the personal information is relevant, “accurate, up-to-date and complete”. [13]

An entity must take “reasonable steps” to ensure that the personal information is protected from “misuse, interference and loss, and from unauthorised access, modification or disclosure.” [14]

Access and correction
An entity must give an individual access to, and the right to correct, personal information within 30 days of the request, or provide a written explanation of the refusal to provide the information or to correct it. Individuals are no longer required to prove that the information is incorrect. [15]


What are the rules for credit reporting bodies and credit providers?

 
The new rules for credit reporting bodies and credit providers are intended to overhaul the credit reporting scheme in order to balance the protection afforded to the individual and the credit provider’s access to reliable credit information about the individual. [16]

Civil penalties replace the majority of the criminal offences with respect to non-compliance with the new rules; however, criminal offence provisions still apply with respect to false and misleading information. Civil penalties of up to $1.1 million can be sought by the Commissioner for breaches of credit reporting requirements. [17]

Despite a commencement date of 12 March 2014, disclosure of repayment history is permitted in certain instances from the date of assent. The disclosure of this historical data allows the credit reporting system to play a more meaningful role in assessing an individual’s creditworthiness from commencement. [18]


Will there be more?

 
The APPs contemplate that the Office of the Australian Information Commissioner will develop guidelines to clarify the interpretation of a number of definitions used in the new APPs. For example, regulations are expected to identify organisations that are permitted to use and disclose government related identifiers.
 

How do you prepare?


In preparation for the commencement of the amendments, an entity should:
  1. review and update its privacy policies and internal procedures regarding its handling of personal information and sensitive information
  2. review and update its policies and internal procedures regarding its management of credit reporting information
  3. review (and amend where necessary) third party contracts that permit the disclosure of personal information, sensitive information or credit reporting information, with a strong emphasis on disclosures to overseas recipients
  4. engage employees, through training, to ensure understanding of and compliance with the amendments.
For more information, please contact:
 

John Reen | Partner

T +61 2 8233 9572

F +61 2 8233 9555

 
Footnotes
  1. Privacy Act 1988 (Cth) sch 1, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  2. Privacy Act 1988 (Cth) pt IIIA divs 1-2, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 2 item 72.
  3. Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 194-195.
  4. Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) s 2.
  5. Privacy Act 1988 (Cth) sch 1 APP 1-2, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  6. Privacy Act 1988 (Cth) sch 1 APP 3, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  7. Privacy Act 1988 (Cth) sch 1 APP 4, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  8. Privacy Act 1988 (Cth) sch 1 APP 5, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  9. Privacy Act 1988 (Cth) sch 1 APP 6, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  10. Privacy Act 1988 (Cth) sch 1 APP 7, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  11. Privacy Act 1988 (Cth) sch 1 APP 8, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  12. Privacy Act 1988 (Cth) sch 1 APP 9, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  13. Privacy Act 1988 (Cth) sch 1 APP 10, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  14. Privacy Act 1988 (Cth) sch 1 APP 11, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  15. Privacy Act 1988 (Cth) sch 1 APP 12-13, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 1 item 104.
  16. Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 90.
  17. Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 99.
  18. Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) sch 6.
The information in this document, broadcast or communication is provided for general guidance only. It is not legal advice, and should not be used as a substitute for consultation with professional legal or other advisors. No warranty is given to the correctness of the information contained in this document, broadcast or communication or its suitability for use by you. To the fullest extent permitted by law, no liability is accepted by DibbsBarker for any statement or opinion, or for an error or omission or for any loss or damage suffered as a result of reliance on or use by any person of any material in the document, broadcast or communication.
 
This publication is copyright. Apart from any use as permitted under the Copyright Act 1968, it may only be reproduced for internal business purposes, and may not otherwise be copied, adapted, amended, published, communicated or otherwise made available to third parties, in whole or in part, in any form or by any means, without the prior written consent of DibbsBarker.
 
 