Focus: Senate reports on Australian Privacy Principles
6 July 2011
In brief: The Senate Finance and Public Administration Legislation Committee has released the first part of its report on its inquiry into the legislation giving effect to the new Australian Privacy Principles which, if implemented, may have significant implications for privacy compliance procedures. Partner Dean Carrigan , Special Counsel John Dieckmann , Senior Associate Nathan Shepherd and Lawyer Fiona MacDonald report.
- Clarification of the Australian Privacy Principles
- Definition of personal information
- Collection of personal information
- Cross-border disclosure of personal information
- Security, access and correction of personal information
- A transition period for compliance with the APPs
- What next?
How does it affect you?
- The Committee's report generally endorses the Exposure Draft of the legislation, while highlighting many of the key risk and compliance issues that organisations (including private sector entities and Commonwealth agencies) will need to address under the proposed reforms.
- The recommendations, if properly implemented, should assist many organisations by clarifying the scope and effect of the new privacy legislation, thereby potentially reducing associated compliance costs.
- While the release of the report is unlikely to result in a substantial redrafting of the Australian Privacy Principles (the APPs), the Committee noted that the new privacy regime has the potential to require significant changes to current practices and policies.
- Organisations should begin reviewing their privacy compliance regimes and updating their privacy policies as a matter of priority so that they are prepared when the APPs become law in the near future.
In June 2010, the Federal Government released an Exposure Draft of amending legislation to give effect to the new APPs that are proposed to replace the National Privacy Principles (NPPs) and the Information Privacy Principles (IPPs), which apply to private sector entities and Commonwealth agencies respectively (refer to our earlier Focus article on the Exposure Draft). The draft amendments to the Privacy Act 1988 (Cth) are intended to comprise the first stage of a series of privacy reforms.
Following the receipt of submissions and a public hearing on the Exposure Draft, the Senate Committee has released Part 1 of its report on its inquiry into the Exposure Drafts. Some of the key recommendations and findings by the Committee are discussed below.
In response to submissions that the draft APPs are overly complex and lack clarity, the Committee has recommended that further consideration be given to whether the APPs may be simplified through the use of simpler terms, more concise language and the removal of repetitive language. The Committee reiterated that the APPs were intended to be high-level, principle-based provisions that are accessible to all users. Under the regulatory structure recommended by the Australian Law Reform Commission in 2008, it is intended that the APPs be supplemented with guidance on specific issues from the Office of the Australian Information Commissioner (OAIC).
The proposed new definition of 'personal information' in the Exposure Draft refers to an 'identified individual, or an individual who is reasonably identifiable' from the relevant information, whereas the current definition in the Privacy Act refers to 'an individual whose identity is apparent, or can reasonably be ascertained' from the relevant information.
The Committee noted that:
- there was a divergence of views in the submissions it received regarding whether or not the proposed new definition of 'personal information' could increase the scope of information protected under the Privacy Act; and
- a significant change in the scope of the definition of personal information could result in organisations facing increased privacy related compliance costs.
The particular divergence of views appeared to be around the issue of whether, and to what extent, the new definition would have the effect that information about a person could be regarded as 'personal information' on the basis of other information not in the possession of, or reasonably accessible to, the holder. The Committee referred to the Department of the Prime Minister and Cabinet's view that the revised definition 'continues to be based on factors which are relevant to the context and circumstances in which the information is collected and held' and that the definition had not been materially expanded. However, the Committee has recommended that the OAIC develop guidance on the interpretation of the definition of 'personal information', given the divergent views expressed in the submissions it received.
The Committee's recommendations relating to the collection of personal information included that:
- consideration be given to whether the APP 2(2)(a) exception (which permits entities from refraining to provide individuals with the option of transacting anonymously or using a pseudonym in circumstances where the entity is 'required or authorised' by law or court order to deal with identified individuals) could potentially be abused. The Committee noted the potential for this exception to be interpreted broadly and used 'inappropriately' (for example, by relying on the need to identify an individual in a specific instance as a justification for refusing to allow anonymity in other instances), and suggested the exception be reconsidered with a view to avoiding this outcome;
- consideration be given to whether APP 3 weakens existing privacy protection standards by entitling entities to collect personal information that is 'reasonably necessary' (rather than 'necessary', as is currently the case in the NPPs and IPPs) for the entity's functions or activities and permitting private sector organisations (as well as government agencies) to collect personal information that is 'directly related to' the entity's functions or activities. The Committee appeared to favour a rollback of these changes, and a more constrained ability for entities to collect personal information; and
With respect to the cross-border disclosure of personal information, the Committee's recommendations included that:
- the interaction between APP 8 and sections 19 and 20 of the Exposure Draft be respectively reconsidered and clarified in order to clarify the extra-territorial operation of the Privacy Act and the potential liability of entities that disclose personal information to overseas recipients;
- guidance be provided by the Department of the Prime Minister and Cabinet to clarify the meaning and application of the term 'disclosure'; and
- guidance be provided by the OAIC regarding the types of contractual arrangements between Australian organisations and overseas recipients of personal information that would be required in order to comply with APP 8 (ie the requirement to take 'reasonable steps' to ensure overseas recipients of personal information do not breach the APPs).
The Committee's commentary and recommendations on cross-border disclosure confirms that the new APP 8 is arguably one of the most significant amendments to the Privacy Act. It has the capacity to significantly alter the current liability regime applying to the transfer of personal information to recipients outside of Australia. The interaction between APP 8 and sections 19 and 20 of the Exposure Draft means that, in certain circumstances, Australian organisations that disclose personal information to an overseas recipient will be deemed to be liable for any subsequent breaches of the Privacy Act committed by the overseas recipient, even if the Australian organisation has taken reasonable steps to ensure that the overseas entity does not breach the APPs. The Committee noted that section 20 of the Exposure Draft is intended to rectify the current position under the Privacy Act where organisations transferring personal information to overseas recipients may avoid liability for any subsequent breaches of the Privacy Act by overseas recipients.
The reference in APP 8 to 'disclosure' rather than transfer may mean that information could be disclosed to an overseas recipient by merely allowing an overseas recipient access to personal information stored in Australia. Conversely, the Government has previously indicated (in the Companion Guide to the Exposure Draft) that APP 8 is not intended to apply to situations where information is securely routed through servers outside of Australia. The Committee also noted the view of the Office of the Privacy Commissioner (which was integrated into the OAIC on 1 November 2010) on this point, being that disclosure should not be taken to have occurred in such circumstances unless in the course of transmission a third party gains access to the data, and that an emphasis should be placed on risk management. APP 8 may therefore have the effect of decreasing the importance of the physical location at which personal information is stored and increasing the importance of ensuring that appropriate security measures are implemented when storing and transferring personal information. The various issues raised highlight the complexity of the 'disclosure' issue, particularly in the context of an ever-increasing reliance on the immediate exchange of information through global telecommunications networks.
The Committee appeared to brush aside concerns in submissions it received regarding the potential impact of APP 8 on Australian organisations. It stated that any increased liability would be managed through contractual relationships with overseas recipients and, as a consequence, it did not consider the obligations to be overly onerous. The Committee's comments seem at odds with the large number of recommendations made by the Committee in respect of amendments to the cross-border disclosure regime (almost one quarter of the total recommendations made by the Committee relate to cross-border disclosure) and the views expressed in a number of the submissions it received.
It is likely that the introduction of new APP 8 will be directly relevant to many organisations, given the increasing use of technology related services that have the potential to disclose and/or transfer personal information to overseas recipients (such as outsourcing, off-shoring and cloud computing). Given this, and the significant nature of the liability potentially imposed under APP 8, the implementation of the Committee's recommendation will hopefully provide much needed clarity to the precise operation of APP 8, but may have significant ramifications for security and data handling practices and contracting policies.
With respect to the security, access and correction of personal information, the Committee recommended that:
- under APP 11 (which provides that entities must take reasonable steps to protect personal information from, among other things, 'interference') clarification be provided regarding the meaning of an 'interference' with personal information. The Committee noted that the term 'interference' is not used in the Privacy Act and could have a range of meanings, from attacks on computers (eg denial-of-service attacks) to the unlawful interception of communications by third parties. While the security obligation in APP 11 only requires organisations to take such steps as are 'reasonable in the circumstances' to prevent interference with personal information, the current lack of clarity makes it difficult to identify the potential risk to organisations under APP 11 and the nature of any necessary compliance measures that should be implemented; and
- the OAIC provide further guidance regarding the meaning of the 'destruction' of personal information when such information is no longer required by the organisation. The Committee noted concerns raised in the submissions that this was an important issue that was often misunderstood and referred the matter to the OAIC without expressing any further opinion.
Issues relating to the security of personal information are likely to be the subject of greater focus in the future given the increasing number of high-profile incidents involving data security breaches. As mentioned above, there may also be a greater emphasis on security measures as a consequence of the operation of the cross-border disclosure obligations in APP 8. Organisations will need to review their data security and retention policies carefully in light of any further guidance issued by the OAIC.
The Committee noted that the new regime has the potential to require significant changes to current practices and policies, and that submissions had called for a transitional period to allow organisations time to fully comply with the amended provisions of the Privacy Act (with periods of 12 to 18 months being referred to in the report). Without expressing a view on what an appropriate transitional period might be, the Committee recommended that the Government (in consultation with the OAIC) consider allowing for an appropriate transitional period.
The Committee report is another step in the process of reforming the Privacy Act. Organisations will need to monitor the proposed amendments (and the outcome of the Committee recommendations) carefully to understand the key implications for their businesses. The recommendations and commentary in the Committee report highlights many of the key risk and compliance issues that organisations will need to consider when assessing the impact of the new legislation on their current and future practices and policies regarding the collection, use and disclosure of personal information. Allens Arthur Robinson's Privacy team can assist you with assessing the likely impact of the new privacy principles on your organisation and provide you with advice regarding any amendments that may be required to your organisation's policies or agreements.
- Gavin SmithPartner,
Ph: +61 2 9230 4891
- Niranjan ArasaratnamPartner, Sector Leader - Technology, Media & Telecommunications,
Ph: +61 3 9613 8324