THE BIGGEST REFORMS TO PRIVACY LAW IN 20 YEARS ARE ON THE WAY…
On 23 May 2012, the Commonwealth government introduced the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Bill) into Parliament. If the Bill is passed, the new law is intended to strengthen the existing Privacy Act 1988 (Cth) (the Act) and, as a result, impose more stringent obligations on the way organisations, both government and private, collect, store, use and disclose ‘personal information’.
The proposed changes represent the biggest shake-up to privacy law in Australia in over 20 years. Organisations that currently collect, store, use and disclose ‘personal information’ should already be aware of the existing Act, but they also need to be aware of the changes that are coming and how those changes might affect their operations.
WHAT IS ‘PERSONAL INFORMATION’?
In a nutshell, ‘personal information’ is information or an opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. The information can be in any form.
DOES THE PRIVACY ACT ACTUALLY REGULATE SMALL TO MEDIUM SIZED BUSINESSES?
The current Act commenced operation in Australia in 1990; however, until 2001 the Act only regulated Commonwealth and ACT government agencies, credit providers, credit reporting agencies and organisations that used tax file numbers.
Since December 2001, the Act has applied to many (but not all) private companies. The most relevant exemption (worth mentioning here) is the ‘small business operator’ exemption, which applies if a business has an annual turnover of $3,000,000 or less. If your business has the benefit of this exemption then it does not need to comply with the Act. However, a business will not be a small business operator, even if it has an annual turnover of $3,000,000 or less, if it:
- provides a health service to another individual and holds any health information except in an employee record; or
- is related to a larger business; or
- discloses personal information about another individual to anyone else for a benefit, service or advantage (e.g. selling mailing lists or other personal information); or
- provides a benefit, service or advantage to collect personal information about another individual from anyone else; or
- is a contracted service provider for a Commonwealth contract (whether or not a party to the contract); or
- is a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006; or
- operates a residential tenancy database.
It isn’t difficult to think of small businesses that could be regulated by the Act. In the age of the internet and e-commerce, many small businesses may find that their activities fall within one of these exceptions and are therefore regulated by the Act.
WHAT DOES THE ACT REGULATE?
- Activities which occur within Australia which deal with personal information about individuals living in Australia.
- Activities which occur outside Australia but which deal with personal information about individuals living in Australia.
- Activities which occur within Australia but which deal with personal information about non-Australians.
Currently, private companies that are regulated by the Act must comply with, in particular, the 10 National Privacy Principles (NPPs). The NPPs set minimum standards for:
- How an organisation collects, uses and discloses personal information that could identify an individual.
- Quality, security and storage of that information.
- The treatment of sensitive information, health information and employee records.
WHAT ARE THE PROCEDURES FOR COMPLYING WITH THE ACT?
For those businesses that are regulated by the Act, compliance means implementing practices and procedures that:
- Make someone responsible for privacy compliance, including handling privacy enquiries and complaints.
- Document how personal information is handled: collected, used, stored and disclosed.
- Ensure that personal information is, essentially, only used or disclosed for the purpose for which it was collected in the first place.
- Allow customers, on request, an opportunity to review and correct any personal information held about them.
Consequences for failing to comply with the Act and the NPPs presently include:
- Customer complaints to the Company as well as the Australian Information Commissioner (the “Commissioner”).
- Investigations into the privacy breaches by the Commissioner.
- Commissioner imposed obligations for companies to take or refrain from taking certain steps or to make compensation payments (for injury to the complainant’s feelings or humiliation suffered by the complainant).
- Adverse publicity for the offending company, generated by the customer or the Commissioner.
While declarations by the Commissioner can be enforced in the Federal Court by either the Commissioner or the complainant, the Act does not give a complainant a right to sue an individual or organisation for breaches of privacy or impose penalties on the offending organisations.
CHANGES TO THE ACT ARE COMING THAT YOU NEED TO KNOW
If the Bill is passed (in its current form), the main changes to the Act that will be brought about include:
(a) The establishment of 13 new privacy principles, to be known as the ‘Australian Privacy Principles’ (APPs). This will be a single set of principles that applies to both Commonwealth government agencies and private sector organisations in Australia. Many of the APPs are similar to the existing NPPs; however, some go further:
- Individuals must be given the option of not identifying themselves, or of using a pseudonym, when dealing with an organisation, unless the organisation is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves, or it is impracticable for the organisation to deal with individuals who have not identified themselves.
- There are new requirements for organisations that transfer ‘personal information’ overseas. First, they will be responsible for ensuring that the overseas recipient does not breach the APPs, and if the recipient does, the Australian organisation will be held responsible for the privacy breaches of the overseas organisation. Second, at the time of collecting ‘personal information’, an organisation will need to inform the individual whether it is likely to disclose their ‘personal information’ to overseas recipients and, if so, the countries in which such recipients are likely to be located.
- The ability of organisations to use unsolicited personal information is limited. The organisation must, within a reasonable period after receiving the unsolicited personal information, determine whether or not it could have properly collected the information itself. If it cannot establish that it could have collected the information, then, provided it is lawful to do so, it is required to destroy the unsolicited personal information.
- The use and disclosure of personal information held by an organisation for direct marketing purposes is regulated. The current method for addressing this is to include an ‘opt out’ mechanism and to market only to individuals who have not opted out. However, if the Bill is passed, organisations will, if requested, need to be able to explain how they obtained an individual’s personal information. Individuals will also be able to request that an organisation not use or disclose their personal information to facilitate direct marketing by third parties.
(b) To extend the Commissioner’s existing powers:
- To investigate a potential interference with an individual’s privacy, or a breach of the APPs, without having received any complaint.
- To apply to the Court for an order that an organisation or individual pay a penalty. One example of a civil penalty is in section 13G of the Bill: a penalty of up to $1,100,000 for corporations and $220,000 for individuals that do an act, or engage in a practice, that is a serious interference with the privacy of an individual, or that repeatedly do an act, or engage in a practice, that is an interference with the privacy of an individual. Previously, penalties did not apply, but they will if the Bill is passed.
- To accept enforceable undertakings from organisations, which can be enforced in the Federal Court or the Federal Magistrates Court.
- In certain circumstances, the Federal Court or Federal Magistrates Court may also order that a business or individual that breaches the privacy of an individual compensate that individual for loss or damage, including injury to the person’s feelings or humiliation suffered by that individual.
(c) Credit providers will have positive obligations to help consumers correct their credit information and will be required to take other measures to protect personal information in cases of suspected identity theft or fraud.
WHAT SHOULD YOU BE DOING ABOUT PRIVACY COMPLIANCE?
With the explosive growth of the internet, and of the number of businesses that now handle personal information in one form or another, privacy compliance will continue to grow in importance. Most individuals now have a greater awareness of their privacy and of the protection of their personal information than in the past, and this awareness will only grow.
If you are a business that is currently regulated by the Act, then you should ensure that you continue to comply with the current law. Closer to the time when the law is passed and during the likely transitional phase that will apply, your business should then take the time to review its policies and procedures to ensure that it will continue to comply with the Act as amended.
Even if your business is not regulated by the Act, it makes good sense to be aware of the Act. It may also make good sense to consider what steps can be taken to operate in a compliant manner, since privacy protection is only likely to become a more heavily regulated area in the future.
We will provide further updates on this subject.