
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 introduced into Parliament

Today, the Gillard government introduced the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 into the Australian Parliament. The long-anticipated legislation follows the Australian Law Reform Commission’s 2008 report For Your Information: Australian Privacy Law and Practice.

Attorney-General Nicola Roxon has heralded the bill as representing “the most significant developments in privacy reform since Labor introduced the Privacy Act in 1988”, and in her press release, focused on the need to protect individuals’ privacy in an online world where people are sharing their personal information more frequently and widely than ever before. The bill reflects this focus, containing provisions which:

  • through the introduction of the Australian Privacy Principles (APPs):
    • limit the ability of organisations to use unsolicited personal information;
    • specifically regulate the use and disclosure of personal information held by an organisation for direct marketing purposes; and
    • introduce new responsibilities for organisations transferring data overseas;
  • introduce a comprehensive new scheme for credit reporting; and
  • enhance the powers of the Information Commissioner.

Whilst many of the principles contained in the APPs are familiar, some new obligations will require most organisations to review and amend their privacy policies. Information that organisations will now be required to include in their privacy policy, and provide to individuals at the time of collecting personal information, includes whether the organisation is likely to disclose individuals’ personal information to overseas recipients, and if so, the countries in which such recipients are likely to be located.

Some of the more significant changes are outlined below.

Direct marketing

The bill proposes a specific APP dealing with direct marketing. The obligations placed on an organisation under APP 7 turn on whether or not an individual would reasonably expect the organisation to use and disclose their personal information for the purpose of direct marketing. While there are the familiar requirements of providing individuals with an easy opt-out mechanism and only marketing to those who have not previously opted out, greater onus will now be placed on how the organisation came to hold the individual’s personal details. If the bill is enacted, individuals will be able to request that organisations tell them the source of their personal information, therefore requiring organisations to keep records of their sources. Individuals may also request an organisation not to use or disclose their personal information to facilitate direct marketing by other organisations. Organisations that currently disclose their own customer data to, or receive customer data from, other organisations will need to carefully review their practices to ensure compliance.

Interestingly, APP 7 will not apply to situations currently captured by the Do Not Call Register Act 2006 (Cth) and the Spam Act 2003 (Cth). However, it will clearly apply to communication by post, and thereby continues a third regime to target direct marketing communications.

Disclosure of personal information to overseas recipients

With the emergence of cloud computing, organisations will be affected by APP 8, which deals with the disclosure of personal information to overseas recipients. Many organisations may continue to seek to meet their obligations by placing contractual commitments on overseas recipients not to breach the APPs. The new sting in the bill is that Australian organisations will remain liable for any breach by the overseas recipient. This ongoing responsibility may lead to greater scrutiny and improved data protection procedures being required by Australian entities before sending their data offshore.

A separate Alert will examine more closely the implications of these amendments to cloud computing.

Credit Reporting

Despite the government’s intention to simplify the credit reporting regime, the bill provides a lengthier set of provisions which have been fundamentally redrafted, and which introduce significant new requirements. Accordingly, credit reporting bodies (CRBs) (previously credit reporting agencies) and credit providers (CPs) will need to review the current legal, commercial, and risk-based decisions they have taken regarding privacy obligations in this area. Core obligations regarding collection, disclosure, and use of credit-related information are affected, as well as the scope of information covered by the credit reporting regime. The revised concept of “credit information” now includes positive data sets such as account opening and closing information and credit repayment history.

In addition, the bill provides individuals with enhanced access to, and the ability to correct, credit information. It also contains a requirement to maintain a publicly available policy regarding management of credit information, and a duty to notify an individual if a default payment is to be listed with a CRB.

Powers of the Information Commissioner

Finally, the bill seeks to clarify and strengthen the powers of the Information Commissioner. The Office of the Australian Information Commissioner has been more active in the past year (issuing its first determination in 7 years in December 2011, and suggesting that more determinations are likely in the near future). The Office may become increasingly active if its powers are expanded as proposed. The amendments would permit the Commissioner:

  • to investigate potential interferences with an individual’s privacy, or a breach of the APPs, on its own motion;
  • to accept court enforceable undertakings from organisations; and
  • to apply to the Federal Court or Federal Magistrates’ Court for an order that alleged contraveners pay pecuniary penalties.

The devil may well be in the detail of this 200+ page bill. However, the key message to emerge from the bill is clear – most organisations, including CPs and CRBs, will need to review their privacy policies and practices. We would be happy to assist you in assessing the implications of the APPs and other reforms for your organisation.

Who does this affect?

Organisations that are currently subject to the Privacy Act 1988 (Cth).

What do you need to do?

Most organisations will need to:

  • revise their existing privacy policies and procedures;
  • amend the information that they are required to provide to individuals when collecting their personal details; and
  • review their contractual arrangements with any overseas recipients of their data.
 
