All private sector organisations carrying on business in Australia and all Commonwealth government agencies.
What do you need to do?
Review the First Stage Response and its impact on your business, organisation or agency. Prepare to make submissions on the Exposure Draft due in early 2010. Start thinking about what your organisations and agencies will need to do to comply with the new Privacy framework, having regard to the proposed increased compliance and enforcement powers of the Privacy Commissioner.
Cheng Lim
Partner
T +61 3 9643 4193
Lisa Huett
Partner
T +61 3 9643 4163
The Government has today announced its First Stage Response to the Privacy Reforms proposed by the ALRC in August 2008. It has accepted the majority of the recommendations proposed by the ALRC in relation to:
- the unification of the information privacy principles and the national privacy principles;
- more comprehensive credit reporting;
- increasing the Privacy Commissioner’s powers, particularly in relation to compliance and enforcement; and
- cross border data flows.
However, the Government has deferred its response on the other significant reforms proposed by the ALRC. There is still the opportunity to make submissions and consult on these matters.
The First Stage of Reforms
Of the 197 recommendations addressed in this response (out of a total of 295 recommendations made by the ALRC in its Report):
- 141 were accepted in full or in principle;
- 34 were accepted with qualification;
- 20 were not accepted; and
- 2 were noted.
Key initiatives to emerge from the Response include the following:
Unified Privacy Principles
The Government has accepted the ALRC recommendation to consolidate the current information privacy principles and national privacy principles, covering personal information held by public sector agencies and private sector organisations. The key aspects of these unified privacy principles will include:
- openness (privacy policies and practices);
- options for anonymity and pseudonymity;
- collection;
- notification;
- use and disclosure;
- data quality and security; and
- access to and correction of personal information.
Direct Marketing Principle
The Government has accepted the majority of the ALRC’s recommendations on a new direct marketing principle. There will be specific requirements relating to the use and disclosure of information for direct marketing.
Different standards will apply to individuals who are pre-existing customers and those who are not, and individuals will be able to opt out of receiving further direct marketing communications. However, the Government has not accepted the age-based direct marketing principles proposed by the ALRC.
Cross Border Data Flow
The Unified Privacy Principles will contain provisions to provide greater accountability where personal information is transferred offshore by an agency or organisation. However, the Government has stated that an agency or organisation will not be accountable where:
- the offshore recipient is subject to obligations to uphold privacy principles that are substantially similar to the Australian unified privacy principles and where individuals have access to mechanisms that will allow for the enforcement of those privacy protections;
- the individual consents to the transfer; or
- the organisation or agency is legally required or authorised to transfer the information.
The Government has also agreed with the recommendation that agencies and organisations should notify individuals when and where personal information is reasonably likely to be transferred overseas.
Office of the Privacy Commissioner
Reforms to the powers of the Office of the Privacy Commissioner will largely reflect the recommendations of the ALRC. These include:
- allowing the Privacy Commissioner to conduct Privacy Performance Assessments (PPA) of organisations to review compliance with the Privacy Act (albeit only for ‘educational’ purposes);
- giving the Privacy Commissioner the power to require agencies to undertake Privacy Impact Statements;
- giving the Privacy Commissioner the power to prescribe compliance steps for an agency or organisation to take in order to comply with the Privacy Act, including following an ‘own motion’ investigation by the Privacy Commissioner; and
- giving the Privacy Commissioner greater enforcement powers, particularly the power to issue compliance notices (enforceable in court) and the ability to seek civil penalties for serious or repeated breaches.
Credit Reporting Provisions
While the Government has not agreed with the ALRC’s recommendation that Part IIIA of the Privacy Act be repealed and credit reporting regulated under the ALRC’s three-tier regulatory model, it has recognised the need for Part IIIA to be redrafted to provide more user-friendly regulation of credit reporting. Notably:
- The Government has stated that it supports the introduction of comprehensive credit reporting, including the following five ‘positive’ data sets proposed by the ALRC.
Access to the last data set will be implemented only where the Government is satisfied that there is a suitable framework of responsible lending in place. As such, the Government proposes to only make this information available to those who hold a licence or are subject to the obligations of a licensee under the National Consumer Credit Protection Bill.
- The Government supports credit reporting information being used and disclosed by credit reporting agencies for the purposes of identity verification under the AML/CTF Act. The Government has not put forward how this would be achieved but notes that a consultation is underway to determine how to best implement this recommendation.
- The Government supports redrafting the use and disclosure provisions of Part IIIA (credit reporting). Drafting changes will be made in the Privacy Act itself and not by way of regulations.
- The Government has agreed to a general restriction on the use or disclosure of credit reporting information for direct marketing purposes. However, the Government considers that the use of credit reporting information for pre-screening of marketing lists should be expressly permitted, but only for the purpose of excluding adverse credit risks from those lists.
- The Government has not supported the ALRC proposal to delete section 18N (which deals with the disclosure of credit-related information); instead, it will revise the section so that it applies only to the disclosure of information that is “similar” to information maintained by a credit reporting agency, or other information about an individual’s credit account.
- Industry will be required to develop a mandatory and binding credit reporting code, with detailed standards for consistent compliance. The Government intends to place greater emphasis on industry-led complaint resolution through external dispute resolution, and greater responsibility on credit providers and credit reporting agencies.
Health Information Regulations
The Government has accepted the ALRC’s recommendation that federal privacy law should apply to the handling of health information by private sector organisations to the exclusion of state health privacy laws.
The Government says it is premature for the first stage of amendments to the Privacy Act to address issues specific to shared electronic health records or unique health identifiers, as the details of any e-health initiatives are still under consideration by COAG and the Australian Health Ministers Council. However, privacy is recognised as an important element of any e-health initiative.
In relation to medical research, the Government has proposed a primary role for the National Health and Medical Research Centre (NHMRC), with an approval from the Privacy Commissioner to be obtained prior to NHMRC rules taking effect. There are numerous areas of detail concerning the application of privacy laws to medical research where the Government has only partly accepted the ALRC’s recommendations.
Second Stage Response
The Government’s response did not deal with some of the very significant reforms suggested by the ALRC Report, notably:
- proposals to clarify or remove certain exemptions from the Privacy Act, including those for small business, employee information and political parties;
- introducing a statutory cause of action for serious invasion of privacy (beyond ‘personal information’);
- mandatory data breach notifications;
- privacy and decision making issues for children and authorised representatives; and
- handling of personal information under the Telecommunications Act 1997.
These will be addressed in the Second Stage of the Government’s Response to the ALRC Report, which will occur after further consultation with the private and public sectors.
Exposure Draft
The Government has stated that an Exposure Draft will be released in early 2010 for further consultation.