Attorney-General Nicola Roxon has heralded the bill as representing “the most significant developments in privacy reform since Labor introduced the Privacy Act in 1988”, and in her press release, focused on the need to protect individuals’ privacy in an online world where people are sharing their personal information more frequently and widely than ever before. The bill reflects this focus, containing provisions which:
Some of the more significant changes are outlined below.
The bill proposes a specific APP dealing with direct marketing. The obligations placed on an organisation under APP 7 turn on whether or not an individual would reasonably expect the organisation to use and disclose their personal information for the purpose of direct marketing. While there are the familiar requirements of providing individuals with an easy opt-out mechanism and only marketing to those who have not previously opted out, greater onus will now be placed on how the organisation came to hold the individual’s personal details. If the bill is enacted, individuals will be able to request that organisations tell them the source of their personal information, therefore requiring organisations to keep records of their sources. Individuals may also request that an organisation not use or disclose their personal information to facilitate direct marketing by other organisations. Organisations that currently disclose their own customer data to, or receive customer data from, other organisations will need to carefully review their practices to ensure compliance.
Interestingly, APP 7 will not apply to situations currently captured by the Do Not Call Register Act 2006 (Cth) and the Spam Act 2003 (Cth). However, it will clearly apply to communication by post, thereby constituting a third regime targeting direct marketing communications.
With the emergence of cloud computing, organisations will be affected by APP 8, which deals with the disclosure of personal information to overseas recipients. Many organisations may continue to seek to meet their obligations by placing contractual commitments on overseas recipients not to breach the APPs. The new sting in the bill is that Australian organisations will remain liable for any breach by the overseas recipient. This ongoing responsibility may lead to greater scrutiny and improved data protection procedures being required by Australian entities before sending their data offshore.
A separate Alert will examine more closely the implications of these amendments to cloud computing.
Despite the government’s intention to simplify the credit reporting regime, the bill provides a lengthier set of provisions which have been fundamentally redrafted, and which introduce significant new requirements. Accordingly, credit reporting bodies (CRBs) (previously credit reporting agencies) and credit providers (CPs) will need to review the current legal, commercial, and risk-based decisions they have taken regarding privacy obligations in this area. Core obligations regarding collection, disclosure, and use of credit related information are affected, as well as the scope of information covered by the credit reporting regime. The revised concept of “credit information” now includes positive data sets such as account opening and closing information and credit repayment history.
In addition, the bill provides individuals with enhanced access to, and the ability to correct, credit information. It also contains a requirement to maintain a publicly available policy regarding management of credit information, and a duty to notify an individual if a default payment is to be listed with a CRB.
Finally, the bill seeks to clarify and strengthen the powers of the Information Commissioner. The Office of the Australian Information Commissioner has been more active in the past year (issuing its first determination in 7 years in December 2011, and suggesting that more determinations are likely in the near future). The Office may become increasingly active if its powers are expanded as proposed. The amendments would permit the Commissioner:
The devil may well be in the detail of this 200+ page bill. However, the key message to emerge from the bill is clear – most organisations, including CPs and CRBs, will need to review their privacy policies and practices. We would be happy to assist you in assessing the implications of the APPs and other reforms for your organisation.
Organisations that are currently subject to the Privacy Act 1988 (Cth).
Most organisations will need to: