Australian laws relating to the privacy of information exist in Commonwealth and State and Territory legislation. The main Commonwealth Act governing privacy of information is the Privacy Act 1998 (Cth). Some States also have legislation relating specifically to information privacy; for example, the Privacy and Personal Information Act 1998 (NSW), Information Privacy Act 2000 (VIC), Information Privacy Act 2009 (QLD) and in the ACT, Commonwealth legislation has been adopted.
In addition, there are many acts in States, Territories and the Commonwealth dealing with privacy of information in specific areas such as health, government records, surveillance devices, telecommunications and freedom of information.
Biggest Changes in 20 Years
Recently the Office of the Australian Information Commissioner (OAIC) announced what it called “the biggest changes to the Privacy Act in over 20 years”.[1] These changes have been made by the Privacy (Enhancing Privacy Protection) Act 2012 (Cth), which received assent in December 2012.
Australian Privacy Principles
The main change to the Privacy Act will be to introduce a single set of principles relating to information privacy called the Australian Privacy Principles. These are to replace the current dual system of Information Privacy Principles which apply to government agencies and the National Privacy Principles which apply to organisations.
As well as a change to a “one size fits all” set of principles, there are many changes in substantive concepts and obligations of both agencies and organisations that are affected by the Privacy Act. The amendments are intended to implement some 197 (out of a total of 295) recommendations made in a far-reaching 2,700-page report of the Australian Law Reform Commission in 2006.[2]
Comparison of APPs, IPPs and NPPs
It is difficult to directly compare the Australian Privacy Principles (APPs) with the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs). The APPs do not follow the same order as the IPPs and the NPPs, and in some cases change terminology.
The changes in the arrangement of the APPs have been made deliberately to reflect the processes of an agency or an organisation: planning to collect information, collecting the information, maintaining its integrity, altering or destroying information where required, and complying with obligations for access and the like.
The APPs
There are 13 APPs, set out in five parts, meant to reflect the cycle of events relating to information.
APP1 requires management of personal information “in an open and transparent way” and requires an APP entity to have an up-to-date APP privacy policy.
APP2 requires an APP entity to allow individuals options of anonymity and/or pseudonymity so that an individual is not required, where possible, to be identifiable.
APP3 relates to the collection of personal information, which cannot be collected unless it is reasonably necessary and, if it is sensitive information, only if the individual consents.
APP4 contains principles relating to unsolicited information requiring an APP entity to determine whether it could have collected the information and to destroy or de-identify the information, or treat it in the same manner as information which it could collect.
APP5 requires an APP entity, when it collects information about an individual, to notify the individual of the collection, the individual’s rights and related matters.
APP6 restricts information collected for a primary purpose from being used or disclosed for a secondary purpose.
APP7 contains principles relating to direct marketing. Direct marketing is prohibited unless an organisation complies with the principles.
APP8 has principles relating to transborder data flows. These expand on the concept in the NPPs of “cross border disclosure” of information.
APP9 relates to the use which may be made by an organisation of government-related identifiers, such as tax file numbers, driver’s licences, Medicare numbers etc.
APP10 imposes obligations for quality, to ensure personal information that is collected by an APP entity is accurate, up-to-date and complete and, if the information is disclosed, that it is also relevant.
APP11 relates to security of personal information and requires an APP entity to take steps to ensure that information is secure.
APP12 requires access to be given to an individual about how information is held.
APP13 relates to correction of information and requires an APP entity to correct information that is inaccurate, out-of-date, incomplete, irrelevant or misleading, or to associate with the information a statement from the individual about the information.
No Right to Privacy
The amendments do not introduce a concept of a right to privacy. One of the recommendations of the Australian Law Reform Commission was that Federal legislation should provide for a statutory cause of action for a serious invasion of privacy of an individual for circumstances such as where:
- there has been an interference with an individual’s home or family life;
- an individual has been subjected to unauthorised surveillance;
- an individual’s correspondence or private written, oral or electronic communication has been interfered with, misused or disclosed; or
- sensitive facts relating to an individual’s private life have been disclosed.[3]
This recommendation is not included in the amendments to the Privacy Act, although the Government has indicated that it may be included in a further round of amendments. Accordingly, the Privacy Act will continue for the time being to relate only to the privacy of information, not a general right to privacy.
There is no generally accepted right to privacy at common law in Australia, although some courts have moved to recognise rights of action for invasion of privacy.
Some recognition of rights to privacy exists in two Australian jurisdictions: in the ACT under Section 12 of the Human Rights Act 2004, and in Victoria in Section 13 of its Charter of Human Rights & Responsibilities Act.
Credit Reporting Information
Even more substantial changes than those relating to personal information privacy are made in relation to credit reporting.
A new Part IIIA of the Privacy Act will completely replace the current Part.
The new regime relating to credit reporting has some similar concepts to the APPs, but excludes the application of APPs in relation to credit reporting, because of the more prescriptive rules which apply. An APP entity that is affected by the credit reporting rules, however, will still be required to comply with the APPs in relation to other information.
“Positive” Credit Reporting
The new credit reporting will introduce a more “positive” credit reporting system which will provide, where permitted, for more extensive credit history in relation to an individual to be collected and disclosed.
CR Code
The Australian Privacy Commissioner has required the Australian Retail Credit Association (ARCA) to develop a new code which will be a registered CR Code.
The draft CR Code of Conduct was released by ARCA on 5 April 2013. The draft Code has been released for public comment, but the time allowed is very short. Submissions are required by 5 May 2013.
It will be necessary for all organisations dealing with credit reporting and information to consider very carefully the new requirements of the Privacy Act and the CR Code.
Date of Operation
Although the amendments in the Privacy Act have been passed, the main amendments will not come into effect until 12 March 2014, to allow entities to prepare for and implement the changes.
Although this lead time may seem substantial, the Information Commissioner and the OAIC recommend that entities start this process now. In its media release of 29 November 2012 announcing the passing of the amending act, the OAIC says:
To ensure compliance, Government agencies and businesses need to start thinking now about what these changes will mean in terms of current privacy policies and business processes and practices.
Powers of the Commissioner
The Australian Privacy Commissioner will have additional and expanded powers, and may be expected to use these powers to enforce the APPs and the Privacy Act.
Some of the additional or expanded powers are:
- to conduct investigations and assessments of privacy performance;
- to accept enforceable undertakings against an entity;
- to seek civil penalties in the case of serious breaches.
The civil penalty orders which may be imposed are for penalties up to $120,000 for individuals and $1.1 million for companies. The Commissioner has said:
“While I will continue to work with the agencies and businesses to achieve best privacy practices and to resolve most complaints via conciliation, I will not shy away from using these new powers in appropriate cases.”[4]
Small Business Exemption
For the time being, a small business will continue to be excluded from the operation of the Privacy Act and the application of the APPs. A small business is one which does not have an annual turnover in excess of $3 million.
The exclusion (in the definition of “organisation”) is for a small business operator, rather than a small business, and the definition of “small business operator” in Section 6D has the effect that if an operator carries on any business that is not a small business, the operator is not a small business operator.
What Should Your Business Do?
All businesses should ascertain whether or not the APPs will apply. If there is any doubt as to whether or not an entity is an APP entity, advice should be obtained.
APP entities should, as a starting point, review the privacy policy of the entity, or if the entity does not have one, establish a privacy policy as soon as possible.
APP Privacy Policy Requirements
APP1.4 lists information that must be contained in an APP privacy policy (without limiting other requirements of the APPs) as follows:
- the kinds of personal information that the entity collects and holds;
- how the entity collects and holds personal information;
- the purposes for which the entity collects, holds, uses and discloses personal information;
- how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
- how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
- whether the entity is likely to disclose personal information to overseas recipients;
- if the entity is likely to disclose personal information to overseas recipients – the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.
Best Practice Approach
An APP privacy policy is only a starting point for an APP entity. Businesses must continually review their practices and develop a “best practice” approach to the implementation of the privacy policy of the entity and compliance with the APPs. This involves, particularly:
- appropriate and ongoing information and training for personnel to ensure familiarity with and compliance with the privacy policy of the APP entity and compliance with the APPs;
- appropriate security systems and protocols, particularly IT, in relation to personal information.
For many organisations that have current privacy policies and an effective regime for compliance, the new changes may not mean substantive alterations in policies or practices. However, there are many additional or altered obligations in the APPs and the amended legislation, and all organisations should review their current policies and practices in preparation for the commencement of the new regime.
[1] Media release, Office of the Australian Information Commissioner, 29 November 2012.
[2] For Your Information: Australian Privacy Law and Practice, Report of the Australian Law Reform Commission, delivered 30 May 2008.
[3] ALRC Report, Recommendations 74-1 to 74-7.
[4] Timothy Pilgrim, Australian Privacy Commissioner, Bulletin of the Law Society of South Australia, Volume 35, Issue 1, February 2013.