In 2008 the Australian Law Reform Commission released a report recommending changes to the Privacy Act 1988 (Cth) (‘Privacy Act’).
On 12 March 2014 the changes made to the Privacy Act by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (‘Privacy Amendment Act’) came into force.
A main aim of the Privacy Amendment Act and the Privacy Regulation 2013 (‘Regulation’) is to bring the Privacy Act up to date with modern information-handling practices and to make it adaptable to developing technologies. This is intended, in turn, to strengthen consumer protection.
Development and changes
The changes include the introduction of 13 new privacy principles, the Australian Privacy Principles (‘APPs’). The APPs regulate the handling of personal information by:
(a) Australian and Norfolk Island government agencies;
(b) private sector organisations with an annual turnover of more than $3m, and small businesses (turnover of $3m or less) that trade in personal information; and
(c) all private health service providers.
The APPs replace the Information Privacy Principles (‘IPPs’), which applied to agencies, and the National Privacy Principles (‘NPPs’), which applied to the private sector, and bring the entities outlined above under a single set of rules.
The aim of the APPs is to set out the standards, rights and obligations for collecting, handling, holding, accessing, using, disclosing and correcting personal information.
Definition of personal information
The definition of personal information has been expanded to include information, or an opinion, which, when combined with other information (which may not be held by the same entity), identifies an individual or makes the individual reasonably identifiable. Whether an individual is reasonably identifiable requires consideration of the cost, difficulty and practicality of linking the information, and the likelihood that it will in fact be linked in a way that enables the person to be identified.
Enhanced powers for the Office of the Australian Information Commissioner (‘OAIC’)
Under the amended Privacy Act, the OAIC is given enhanced regulatory powers. These include conducting assessments of privacy compliance (privacy performance assessments), accepting enforceable undertakings, and seeking civil penalties in the case of serious or repeated interferences with privacy.
Changes to credit reporting laws
The Privacy Act now includes new credit reporting provisions for consumer credit. The provisions improve privacy protections and use simpler, more logical language. There is now a simplified and enhanced correction and complaints process, and civil penalties apply to breaches of certain credit reporting provisions.
External dispute resolution (‘EDR’) schemes
The Privacy Act reforms provide the OAIC with the power to recognise EDR schemes to handle privacy related complaints. Guidelines which accompany the Privacy Act outline the conditions that must be met by EDR schemes to be recognised under the Privacy Act.
Importantly, since 12 March 2014, a credit provider must be a member of an EDR scheme recognised under the Privacy Act to be able to participate in the credit reporting system.
The Privacy Act also includes new provisions on codes of practice about information privacy (‘APP Codes’) and a code of practice for credit reporting (‘CR Code’), including enabling the OAIC to develop and register binding codes that are in the public interest.
There is now a new exception to the requirement for entities to give an individual access to their personal information on request. Entities must respond to access requests within a reasonable period and give written notice of any refusal. However, they may now refuse a request on the ground that they have reason to suspect unlawful activity or serious misconduct, and that giving access would be likely to prejudice the taking of appropriate action in relation to it.
The Regulation commenced on 12 March 2014, at the same time as the Privacy Amendment Act. The Regulation repealed the Privacy (Private Sector) Regulations 2001 and the Privacy Regulation 2006. The Regulation supports the Privacy Amendment Act in several ways, including by clarifying certain credit reporting matters. It also consolidates, updates and simplifies the privacy regulations into a single instrument.
Key points to highlight
Entities must ensure that their information collection, handling practices and procedures comply with the new privacy requirements. They must:
(a) review and update their privacy policies;
(b) review all current practices for disclosing personal information to third parties located overseas (for example, outsourcing agreements, cloud computing or data arrangements and disclosures to related bodies corporate);
(c) develop procedures for dealing with unsolicited personal information they receive; and
(d) review and amend direct marketing procedures, which might require reconfiguring databases.
If the business participates in the credit reporting system as a credit provider, it must also ensure that it has systems in place which comply with the new credit reporting regime.
Impact of the changes
There have been significant changes to privacy law since the Privacy Act was first enacted, to ensure that the legislation governing the area continues to develop and evolve to meet the requirements of modern technology, contemporary information handling and the business market.
The changes made by the Privacy Amendment Act and the Regulation can be viewed as a further step in this positive and progressive approach.
It is now imperative for businesses to conduct a full review of how they handle customer information, for example by assessing existing contracts with service and storage providers and considering whether they need amending. Investing in the right technologies and updating security processes is now very important in order to avoid being penalised for failing to comply with the new legislation.
For further information on the changes to the Privacy Act and how this may affect you and your business, please contact Ramsden Lawyers on (07) 55 921 921.