Focus: The new Unified Privacy Principles
18 August 2008
In brief: The Australian Law Reform Commission has released a report into privacy law that recommends key changes to the Privacy Act 1988 (Cth) and other privacy legislation. Partners Catherine Parr and Peter Jones look at what is proposed and how the proposed Unified Privacy Principles differ from the current regime.
- Offshore data transfers – UPP 11
- Openness – UPP 4
- Notification – UPP 3
- Direct marketing – UPP 6
- Collection – UPP 2
- Access and correction – UPP 9
- Guidance from the Privacy Commissioner
How does it affect you?
If the recommended Unified Privacy Principles are adopted, private sector organisations will need to:
- carefully review their arrangements for transferring personal information offshore and:
- where they currently rely on consent, consider whether they will be able to continue to rely on existing consents and amend their processes for obtaining new consents; and
- where they currently rely on contracts that require offshore recipients of personal information to handle it in a way that offers the same protection as the National Privacy Principles (for example, offshore outsourcing contracts and intra-group global privacy agreements), review and amend the terms of those contracts to ensure the obligations they impose in relation to the handling of personal information reflect the new requirements in the Unified Privacy Principles and that the contracts meet the guidelines the ALRC recommends the Privacy Commissioner should develop on the issues to be addressed in such contracts. They will also need to develop a process for ongoing monitoring of these contracts;
- amend their privacy policies;
- amend their privacy collection statements;
- review their direct marketing activities and adapt their processes to meet the requirements in the new direct marketing principle. This may include tracking the source of personal information used in direct marketing to individuals who are not existing customers or who are under 15 years of age; and
- review their arrangements for updating and correcting their records and, potentially, track all disclosures they make of personal information so that if information subsequently proves to have been incorrect they can pass on the correction to recipients of the information.
The report by the Australian Law Reform Commission (the ALRC), released on 11 August 2008, is entitled For Your Information: Australian Privacy Law and Practice.
Senator John Faulkner has stated that the Government will consider the report in two stages. One of the key initiatives of the first stage is the adoption of privacy principles that cover both the private and public sectors, to be called the Unified Privacy Principles (UPPs). Our Client Update: Privacy - 11 August notes the key reforms proposed in the report, including the introduction of the UPPs discussed below.
Senator Faulkner expects that the Government will be able to legislate on the first stage of the reforms (including the UPPs) within 12 to 18 months. The details of the consultation process to finalise that legislation will be available in due course. One area clients may wish to focus on as they consider their input to that consultation is the key differences between the current National Privacy Principles (NPPs) and the proposed UPPs. Those key differences are as follows.
Offshore data transfers – UPP 11
The key change from NPP 9 is that, unless one of three conditions is satisfied, once a transfer of personal information offshore has taken place, acts by the recipient (such as a breach of the UPPs) are taken to be the acts of the transferor, for which the transferor is liable.
In this regard, the report notes that the complaint and investigation mechanisms under the Privacy Act 1988 (the Act) will be triggered and the report also recommends that the Privacy Commissioner have the power to seek a civil penalty in the Federal Court or Federal Magistrates Court where there is a serious or repeated interference with the privacy of an individual (which may arise if information transferred overseas is misused).
The three situations in which a transferor will be free of this potential liability are:
- the transferor reasonably believes that the recipient is subject to a law, binding scheme or contract that effectively upholds privacy protections that are substantially similar to the UPPs;
- the individual whose personal information is to be transferred consents to the transfer, after being expressly advised that the consequence of providing consent is that the transferor will no longer be accountable for the individual's personal information once transferred; or
- the transferor is required or authorised by law to transfer the personal information.
The first two conditions broadly correspond with existing exceptions in NPP 9, while the third, which is entirely new, replaces four other existing exceptions in NPP 9.
The first condition continues the most frequently used means of permitting offshore transfers, that of the transferor binding the recipient contractually. However, under UPP 11, freedom from liability for the acts and practices of the offshore recipient will only continue for as long as there is a reasonable belief that there is a binding contract that effectively upholds the relevant privacy protections. This means the transferor has continuing obligations to monitor the contract. On a literal reading, NPP 9(a) was satisfied once and for all when an appropriate contract was entered into.
Still on the first condition, the report also recommends that the Government should develop and publish a list of laws and binding schemes which effectively uphold privacy protections that are substantially similar to the UPPs, but notes that the mere fact that a jurisdiction is on this list may not be sufficient to give rise to the required 'reasonable belief' of the transferor (for example if the transferor is aware there is no effective mechanism for enforcement).
On the second condition, the report notes that any consent to an offshore transfer must be voluntary and informed, hence the addition of the proviso to the consent formulation in NPP 9. The practical problems of relying upon this condition are obvious. Those problems are emphasised by the report suggesting that 'it may be advisable, where practicable, for the [relevant] agency or organisation to seek a written acknowledgement from the individual' in order to be able to demonstrate that informed consent was obtained.
The report makes the point, in relation to the third condition, that agencies and organisations are required or authorised by law in some cases to transfer personal information offshore (examples are given in the report).
Openness – UPP 4
Under UPP 4, a privacy policy must set out:
- what sort of information the organisation or agency holds;
- the purposes for which the information is held;
- the steps individuals may take to access and correct their personal information;
- the avenues of complaint available to individuals in the event that they have a privacy complaint; and
- whether personal information is likely to be transferred outside Australia and the countries to which such information is likely to be transferred.
Under NPP 5 the first two requirements need only be met on request.
Privacy policies are likely to become longer and more complex in order to comply with UPP 4.
Notification – UPP 3
The collection statement requirements of NPP 1.3 have been moved to a new UPP and modified. For this reason, every organisation (and agency) subject to the Act will need to review, and very likely modify, its collection statements before the proposed reforms take effect.
In addition, a specific reference to notifying individuals, rather than merely making them aware of specified matters as required under NPP 1.3, has been included. This is not intended to require notification in every case, but does mark a subtle change in approach, particularly given the express reference to the fact that, in some circumstances, no steps need to be taken to notify or otherwise ensure individuals are aware of the matters set out in UPP 3.
The noteworthy changes under UPP 3 are that the organisation or agency must include in any notification of collection:
- the fact and circumstances of collection, where the individual may not be aware that their personal information has been collected.
The first of the above changes reflects the change under UPP 4 discussed above.
The second of the above changes is noted by the report as being necessary where personal information is collected by technology (e.g. cookies, biometrics or RFID tags) or from a third party. However, it is acknowledged that there may be circumstances in which it is reasonable for no steps to be taken (for example, where notification would prejudice the purpose of collection).
Direct marketing – UPP 6
Organisations (not agencies) now face the prospect of an entirely new privacy principle covering direct marketing, with the provisions formerly in NPP 2 having been moved and expanded. There are effectively two new principles, one for existing customers aged 15 years or over, and another for persons who are either under 15 or not existing customers.
UPP 6 applies irrespective of the purpose for which personal information was collected, although the purpose of collection may be relevant to the 'reasonable expectation' component of the first of these new principles. UPP 6 also applies to disclosure of personal information for direct marketing, as well as to use for that purpose.
For individuals who are both existing customers and at least 15 years of age, organisations need only ensure that:
- the individual would reasonably expect their information to be used or disclosed for direct marketing; and
- they provide a simple and functional way the individual can opt out of further direct marketing.
For individuals who are either under 15 or not existing customers, the new principle is modelled on the current NPP 2.1(c), with a new requirement that, if so requested by an individual, an organisation must, where reasonable and practicable, inform the individual of the source from which they acquired the individual's information. According to the report, this means the direct source from which the organisation obtained the personal information and the information to be stated is 'details of the organisation' that supplied the personal information.
If this means that an organisation must record the source of the information it obtains for direct marketing purposes, so that the organisation can provide this information on request, then it potentially has significant practical implications.
Collection – UPP 2
Apart from the requirements for the collection of sensitive information for research, which are beyond the scope of this publication, the main change from NPP 1 to UPP 2 relates to unsolicited personal information. Organisations and agencies will be required, under UPP 2.4, to either:
- destroy it as soon as practicable, without using or disclosing it; or
- comply with the UPPs as if they had actively collected the information.
Access and correction – UPP 9
The key changes from the requirements of NPP 6 relate to the correction of information. There are two main changes. The first is that, in addition to their current rights under NPP 6, individuals should have the right to correct information which is misleading and to correct or have deleted information which is not relevant. Whether information is misleading or not accurate, relevant, complete and up-to-date will be judged 'with reference to a purpose for which [the information] is held'. The ALRC suggests that, if an organisation holds information which is relevant for one of its functions or activities, but not another, the individual should have the right to have the information deleted from those records where it is irrelevant. This could also have significant practical implications.
The second main change is a new obligation, if an individual seeks to have information corrected, to 'notify other entities to whom the personal information has already been disclosed, if requested to do so by the individual and provided such notification would be practicable in the circumstances'.
The key issue with this change is whether it requires an organisation to track and record all disclosures of personal information to be able to comply with a request by an individual to notify recipients. UPP 9 indicates that notification need not occur if it would not be practicable. However, there is no such concession if it is not practicable to track and record all disclosures in case information about an individual subsequently proves to be incorrect and the individual requests notification.
If it is intended that an organisation must put itself in a position where it can comply with a request to notify, and so must track and record all disclosures it makes, then this proposal would create a new obligation that would be particularly onerous and result in significant compliance costs for business.
Guidance from the Privacy Commissioner
It will be apparent from the above discussion that many new concepts will be introduced if the proposed reforms pass into law. One technique adopted throughout the report is to recommend that the Privacy Commissioner should develop and publish guidance on a whole range of topics, including:
- the issues that should be addressed as part of a contract with an overseas recipient of personal information;
- what constitutes a 'reasonable belief' for the purpose of UPP 11;
- obtaining consent to offshore data flows;
- examples of 'transfers' of information for UPP 11;
- what constitutes an existing customer for UPP 6;
- the types of direct marketing communications that are likely to be within the reasonable expectations of existing customers;
- the circumstances in which it will be impracticable to seek consent in relation to direct marketing to an individual who is not an existing customer or is under 15;
- when it is reasonable and practicable to advise an individual of the source from which their personal information was acquired;
- when it is reasonable to take no steps to notify an individual about the collection of their personal information; and
- the meaning of 'unsolicited' in UPP 2.4.
It would obviously be very helpful to have this guidance available during the consultation process before finalising the amending legislation, so affected organisations can participate in that consultation with a complete understanding of the impact of the reforms.
We recommend that organisations carefully consider the new UPPs and the changes they will mean for their documentation, processes and systems. If those changes will create significant practical difficulties, it will be important that those practical difficulties are raised during the consultation process.
The new UPPs are only some of the numerous recommended changes to the current privacy laws. We will distribute further publications focusing on other changes shortly.
For more information, or for assistance with assessing the potential impact of the changes on your business, feel free to contact us.