Focus: Exposure draft of Privacy Principles released
28 June 2010
In brief: The Australian Government has released an Exposure Draft of the Australian Privacy Principles that are proposed to replace the National Privacy Principles and the Information Privacy Principles. Special Counsel Karin Clark and Partner Michael Pattison look at the new principles and their impact on privacy compliance programs.
- Timing for Senate Committee Inquiry submissions
- Exposure Draft Australian Privacy Principles
- What next?
How does it affect you?
If the Exposure Draft Australian Privacy Principles become law, then all private sector organisations and Commonwealth agencies subject to the Privacy Act 1988 (Cth) will have to:
- redraft their privacy policies to provide new information, such as about whether they disclose personal information to overseas recipients, and, if practicable, which countries the recipients are in;
- consider whether, and how, they can continue to transfer personal information overseas under new rules that will require greater accountability from Australian transferors or different forms of consents for overseas transfers;
- review their privacy statements to provide new information, such as whether they have collected personal information about a person from a third party and the circumstances of that collection;
- review their direct marketing practices, particularly to determine whether, and how, they can continue to market to individuals if their information has been collected from a third party;
- check if their organisation collects unsolicited information and, if so, whether they can retain that information or must destroy it; and
- consider if there are circumstances in which it will be practicable to allow individuals to deal with them anonymously or using a pseudonym.
Timing for Senate Committee Inquiry submissions
The Senate Finance and Public Administration Committee has asked that submissions be received by 27 July 2010. The committee will report on 1 September 2010. While the Australian Privacy Principles will be the cornerstone of an amended (or replaced) Privacy Act 1988, it is intended that there will be three further releases of draft provisions to amend the Act as part of this first stage of reforms. They are provisions:
- relating to the privacy of consumer credit information, including more comprehensive credit reporting;
- relating to the protection of health information; and
- strengthening the Privacy Commissioner's powers to conduct investigations and promote compliance with the Privacy Act. The Office of the Privacy Commissioner will be integrated into the newly created Office of the Australian Information Commissioner (which will commence operations on 1 November 2010).
The Government has indicated that stage two of the reforms will be released once the first stage has been progressed. Stage two will consider other recommendations from the 2009 Australian Law Reform Commission report, such as reviewing the exemptions for employee records and small businesses, the introduction of a statutory cause of action for a serious invasion of privacy, and serious data breach notification.
Exposure Draft Australian Privacy Principles
The following is a brief summary of some of the more significant changes to the National Privacy Principles (the NPPs, which apply to the private sector) and the Information Privacy Principles (the IPPs, which apply to the Commonwealth public sector) proposed by the Australian Privacy Principles in the Exposure Draft. The new principles apply to "entities", a term that covers both Australian government agencies and private sector organisations bound by the Privacy Act.
Australian Privacy Principle 2 provides that individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an entity, unless this is impracticable.
Australian Privacy Principle 3 applies to the collection of solicited information. It provides that personal information must not be collected unless it is necessary for, or directly related to, an entity's functions or activities. It also provides that an entity must collect information directly from an individual unless it is unreasonable or impracticable to do so. Sensitive information must not be collected except with consent (although there are exceptions to this rule). Sensitive information will generally be defined in the same way that it is currently defined (for example, to include information about health and political and religious beliefs or association), except that it will include biometric information.
Australian Privacy Principle 4 applies to unsolicited information. It provides that when an entity receives unsolicited personal information, it must, within a reasonable period, determine whether it could have collected that information under Australian Privacy Principle 3. If so, it must treat that information in accordance with Australian Privacy Principles 5 to 13. If not, it must destroy or effectively de-identify that information.
Australian Privacy Principle 5 requires that entities provide privacy notification statements at, before, or as soon as practicable after collecting personal information. In addition to giving notice about matters such as the purpose of collection and to whom the information may be disclosed (and the other matters that currently must be notified under NPP 1), an entity will be required to notify additional matters, such as: the circumstances of collection, if it has not collected the information directly from the individual; whether the entity is likely to disclose personal information to overseas recipients; and, if it is practicable to specify them, the countries in which those recipients are located.
Australian Privacy Principle 6 provides that the general rule is that personal information can be used or disclosed for the purpose for which it was collected, or a related (or in the case of sensitive information, directly related) purpose that the affected individual would reasonably expect. A number of exceptions to this general rule apply, for example, if the individual has consented to use or disclosure for another purpose, or where the use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim, or a confidential alternative dispute resolution.
Australian Privacy Principle 7 provides special rules for direct marketing, other than direct marketing that will be governed by the Spam Act 2003 (Cth) or the Do Not Call Register Act 2006 (Cth) (that is, this Privacy Principle will not apply to electronic marketing or telemarketing). Sensitive information cannot be used for marketing without the consent of the individual. In general, if the personal information used was collected from the individual, it can be used for marketing if this would be reasonably expected by the individual. If the information was collected from a third party, or if the individual would not otherwise reasonably expect the direct marketing, then it can be used for marketing only if the individual consents or it is impracticable to obtain consent. In all cases an opt-out from marketing must be provided.
Australian Privacy Principle 8 will regulate cross-border disclosures of personal information. It provides that, generally, before an entity discloses personal information to an overseas recipient, it must take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles. If the overseas entity is not bound by the Australian Privacy Principles, any act by the overseas entity that breaches an Australian Privacy Principle will be taken to have been committed by the Australian entity. However, there will be a number of exceptions to these general rules. One is where the overseas recipient is subject to a law or binding scheme that provides protection substantially similar to, or higher than, the Australian Privacy Principles and the individual has access to mechanisms that enforce those protections. Another exception is where the affected individual consents to the disclosure overseas, after having been expressly informed that the entity will, as a result, not be required to take reasonable steps to ensure that the overseas recipient complies with the Australian Privacy Principles.
Australian Privacy Principle 9 provides that organisations must not adopt government-related identifiers.
Australian Privacy Principle 10 provides that entities must take reasonable steps to ensure that personal information collected, used or disclosed is accurate, up-to-date and complete and (in the case of disclosure) relevant.
Australian Privacy Principle 11 provides that an entity must take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification and disclosure. Personal information must be destroyed or de-identified once it is no longer needed for any purpose for which it may be used, unless it is required to be retained for legal reasons.
Australian Privacy Principle 12 provides for individuals' rights to access their information. Many of the existing exceptions to access rights in NPP6 have been replicated here.
Australian Privacy Principle 13 provides for individuals' rights to correct their information if it is inaccurate, out-of-date, incomplete or irrelevant. If an individual disagrees with an entity about this, the individual can request that reasonable steps be taken to associate the individual's statement about the matter with the personal information.
What next?
The new Australian Privacy Principles will require every agency and organisation subject to the Privacy Act to review its privacy policies and compliance programs, including how it will be required to manage transfers of personal information outside Australia. Companies that may be adversely affected by the new principles should consider making a submission to the Senate before the due date of 27 July 2010. Allens Arthur Robinson's privacy team can assist you with assessing the likely impact of the new principles and, if necessary, making submissions to the Senate inquiry.
- Michael Pattison, Partner, Ph: +61 3 9613 8839
- Ian McGill, Partner, Ph: +61 2 9230 4893