Friday 14 March 2014

Commonwealth Privacy Reform - time to get APP-y

12 March 2014 sees the commencement of long-awaited changes to the Privacy Act 1988 (Cth) (Privacy Act). On 12 March 2013, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 comes into effect. It represents a watershed moment in the Commonwealth privacy law reform process, which commenced some 10 years earlier.

Victorian agencies remain subject to the Information Privacy Act 2000 (Vic). That hasn't changed. What will change is how the Privacy Act applies to Commonwealth agencies, some businesses and individuals and what the Australian Information Commissioner can now do to enforce the Privacy Act. 

So what's going to change?

From 12 March 2014, there will be three significant changes: 

  1. 13 Australian Privacy Principles will replace the Information Privacy Principles and National Privacy Principles; 
  2. Credit reporting laws will change to allow more credit information to be shared between credit providers; and 
  3. The Australian Information Commissioner's regulatory and enforcement powers will be strengthened. 

1. Australian Privacy Principles

For the first time, a set of 13 harmonised privacy principles, the Australian Privacy Principles (APPs), will apply to Australian government agencies and some private businesses. Up until 12 March 2014, agencies were subject to the Information Privacy Principles (IPPs) and businesses were subject to the National Privacy Principles (NPPs).

The APPs make significant changes to some of the privacy principles that were embodied in the IPPs and NPPs. They are more comprehensive than their predecessors, and more rigorous in what agencies and businesses must do to comply. These new APPs have been designed to respond to changes in information technology and emerging privacy issues and aim to address changes in privacy law.

Under the new APPs, agencies and providers will need to maintain and make available a comprehensive privacy management policy, an APP Privacy Policy. It must include information such as the kinds of personal information the entity collects or holds, how it collects and holds it and for what purposes, how an individual may access their information, and information on the entity's complaints handling and resolution processes. The APPs also specifically deal with opting out of direct marketing, dealing with unsolicited information and cross-border data flows.

What will the APPs mean for Victorian agencies?

Victorian agencies should keep these changes in mind when dealing with their Commonwealth counterparts or private entities who are subject to the Privacy Act. There are some key points for Victorian agencies:

Victorian government Departments or agencies are not required to comply with the APPs, even under any contracts they have with Commonwealth agencies.  This is because State or Territory authorities are not 'organisations' that can be 'contracted service providers' or 'APP entities' under the Privacy Act.

The APPs won't apply directly to organisations who are contracted service providers to Victorian government agencies with respect to what they do for the purposes of meeting their contractual obligations to the agency.  Victorian government contracted service providers are still subject to the IP Act. However, Victorian government agencies should review their contracts with contracted service providers to see whether those providers have referred specifically to NPPs and if so, agencies should vary those contracts to replace these NPPs with the appropriate APP.

There are more circumstances in which APP entities can disclose personal information to Victorian agencies, if the disclosure to the Victorian agency is not related to the primary purpose of collecting that personal information.  APP entities can disclose personal information in 'permitted general situations' specified in the Privacy Act.  These permitted general situations could apply to Victorian agencies working with Commonwealth agencies to assist them in their functions: for example, an APP entity may disclose personal information if the entity has reason to suspect that unlawful activity or misconduct of a serious nature relating to the entity's functions has been, is being, or may be engaged in, and it reasonably believes that the disclosure is necessary for it to take appropriate action in relation to that matter. 

The Office of the Australian Information Commissioner has produced Guidelines to support entities' compliance with the APPs.

2. Credit reporting law changes

Under the new Part IIIA of the Privacy Act, credit reporting arrangements will allow for more information to be included in an individual's credit report. From 12 March, information about an individual's current credit commitments and repayment history over the previous two years will be made available to, and can be transferred between, licensed credit providers. If an adult defaults on a credit repayment of over $150, this information can be shared between providers and considered the next time the adult wishes to obtain a credit card, home loan or other credit facility.

In addition to credit repayment information, licensed providers will be able to collect and disclose information about a person's credit type, credit limit, terms and conditions of the credit facility, and the day on which the credit facility commenced and ceases.

3. Australian Information Commissioner with enhanced powers

The Australian Information Commissioner will have a suite of enhanced regulatory and enforcement powers (which would generally be exercised by the Privacy Commissioner). Under the changes, the Australian Information Commissioner will be able to: 

  • assess agencies' privacy management processes and systems;
  • assess agencies' compliance with the APPs;
  • accept enforceable undertakings from entities to act or to refrain from acting in a particular way; 
  • apply to the courts to compel an entity to comply with an enforceable undertaking; and 
  • apply to the courts for civil penalty orders: in serious cases or for repeated breaches, civil penalties can be sought for up to $1.7 million. 

Commonwealth privacy amendments will certainly receive much public attention this month. Victoria will have its turn later this year when amendments to the Information Privacy Act 2000 (Vic) and the Commissioner for Law Enforcement Data Security Act 2005 (Vic) are introduced. VGSO will be providing guidance and training on these amendments following their introduction into Parliament in coming months. 

Of course, privacy is a matter to which agencies must give their attention throughout each year. If you are in the Victorian Government and would like assistance to ensure your agency's privacy practices comply with the Information Privacy Act 2000 (Vic), or if you would like to discuss changes to the Privacy Act, call:

Joanne Kummrow
Special Counsel
8684 0462

Katie Miller
Managing Principal Solicitor
8684 0460

Steven Brnovic
Senior Solicitor
8684 0453

1 comment:

  1. Great. I'm very happy about these new implementations.