As noted in earlier updates, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 ("Amendment Act") significantly increases the obligations on both Federal Government agencies and private businesses that collect or deal with personal information in Australia or from Australian residents from 12 March 2014. These amendments to the Privacy Act include the introduction of the new Australian Privacy Principles ("APPs") which apply to both Government agencies and private businesses: doing away with the separate IPPs for Government agencies and NPPs for business.

The real "change" that we believe has been introduced by the Amendment Act and the APPs is the change in the approach and attitude (together with the increased and new powers) of the Privacy Commissioner to that of a more aggressive regulator keen to exercise the new powers and to police and enforce the provisions of the Privacy Act and the APPs!

THE PRIVACY COMMISSIONER'S INTENTIONS

Soon after the passing of the Amendment Act, in response to questions about the Privacy Commissioner's new and extended powers and the new significant fines for serious or repeated invasions of privacy (both applicable to Government agencies), the Privacy Commissioner (Mr Timothy Pilgrim) flagged his future intentions by stating:

"From the commencement of the new laws, I will be able to accept enforceable undertakings and seek civil penalties ... I will not shy away from using these powers in appropriate cases".

As noted in a number of recent guidance documents issued by the Office of the Australian Information Commissioner ("OAIC"), there are a number of specific areas of compliance concern and focus in the immediate future for the Privacy Commissioner including information security, de-identification/deletion of personal information and the app/mobile environment.

SIGNIFICANT NEW POWERS AND PENALTIES!

The Privacy Commissioner has been given significantly increased powers to, among other things:

  • seek civil penalties (up to $340,000 for individuals and $1.7 million for an agency) in cases where there is a serious or repeated interference with an individual's privacy;
  • audit the handling of personal information by agencies and undertake "own motion" investigations; and
  • make determinations following investigations (even if the investigation is on its "own motion") and apply to the Federal Court to enforce such determinations.

CHANGES OF PARTICULAR "INTEREST" FOR AGENCIES

Most of the APPs are familiar to the business community as they are similar to the existing NPPs. However the new APPs, as compared to the existing IPPs, are a significant leap in the obligations imposed on Government agencies. Below we highlight the key changes from the IPPs which we believe will be of particular interest or concern for agencies:

APP 1 Open and transparent management of personal information: APP 1 introduces new requirements for agencies to have and maintain a clearly expressed and up-to-date policy (including the required information specified in APPs 1 and 5) detailing the management of personal information by the agency. Agencies must also take reasonable steps to implement practices, procedures and systems that will ensure the agency's compliance with the APPs.

However, agencies no longer need to submit annually to the Privacy Commissioner details of the types of personal information they hold, as they currently do under IPP5.

APP 2 Anonymity and pseudonymity: Where practical and unless otherwise required by law, agencies must now allow individuals to interact with them anonymously or by using a pseudonym.

APP 3 Collection of solicited personal information: Obligations are imposed on agencies for the first time under the APPs in respect of sensitive information. Under APP 3 an agency may not collect sensitive information unless the individual consents to the collection and the information is reasonably necessary for an activity or function of the agency or if the collection is authorised by law (or one of the other limited exceptions applies). In addition, an agency must only collect personal information directly from the individual, unless the individual has consented to collection from another person, the agency is required or authorised by law (or a Court order) to do so or it is unreasonable or impractical to collect it from the individual.

APP 4 Dealing with unsolicited personal information: Under APP 4, for the first time for both agencies and businesses, there are now obligations on the receipt of unsolicited personal information. On receipt of unsolicited personal information an agency must now determine whether it is permitted to collect such information under APP 3 and, if so, APPs 5 to 13 and the agency's privacy policy apply to that information. However, if the agency determines that the unsolicited information could not have been legitimately collected by the agency under APP 3, the information is not contained in a Commonwealth record and provided it is lawful and reasonable to do so, the agency must destroy or de-identify that information as soon as practical.

APP 6 Use and disclosure of personal information: APP 6 imposes limits on an agency's use of any sensitive information collected. In particular, sensitive information is only to be used for the primary purpose of collection unless the secondary purpose is consented to by the individual or is directly related to the primary purpose and the individual would reasonably expect the agency to use or disclose the sensitive information for that secondary purpose.

However, APP 6 also introduces new wider exceptions which permit the use and disclosure of personal information by an agency for secondary purposes.

APP 7 Direct marketing: APP 7 regulates the use and disclosure of personal information for the purpose of direct marketing by agencies where the agency is listed in Division 1 of Part 2 of Schedule 2 to the Freedom of Information Act 1982 in relation to their commercial activities.

APP 8 Cross-border disclosures: APP 8 and the new Section 16C of the Privacy Act introduce a new accountability approach in relation to an agency's cross-border disclosures of personal information. Before disclosing personal information to an overseas recipient (eg a third party processor) the agency must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information. Generally, any act done or practice engaged in by the overseas recipient that would be a breach of the APPs if it was done by the agency will be taken to be a breach of the APPs by that agency. While there are a number of exceptions to and ways to exclude this liability, the most practical way is to obtain the clear consent of the individual to the transfer of the information overseas and to the consequences of such consent.

APP 10 Quality of personal information: APP 10 mirrors the requirements of IPP 3 and, in addition, also requires agencies to take reasonable steps to ensure the information they collect is accurate, up-to-date and complete.

APP 11 Security of personal information: In addition to the existing obligations on an agency to take reasonable steps to protect personal information it holds from misuse, loss and unauthorised access, modification and disclosure, APP 11 includes a new obligation to take reasonable steps to protect the personal information from "interference". APP 11 also imposes a new requirement on agencies to take reasonable steps to destroy or de-identify information if the agency no longer needs the information for any authorised purpose, unless the agency is required by law (or by Court order) to retain that information or it is contained in a Commonwealth record.

APP 12 Access to personal information: The obligations under APP 12 are similar to those of IPP 6 except that an agency must respond to a request for access within 30 days and, if the agency decides not to give an individual access, an agency must now provide written reasons for the refusal to provide access and advise the individual of the mechanisms available to complain about the refusal to provide access.

APP 13 Correction of personal information: APP 13 is in similar terms to the provisions of IPP 7, except that APP 13 imposes an obligation on the agency to respond to a correction request within 30 days, provide written reasons for the refusal to correct and advise of the mechanisms available to complain about the refusal. Also if the agency corrects personal information about an individual that it previously disclosed to another entity then, on request, it is required to take reasonable steps to notify the other entity of that correction.

HOW TO PREPARE FOR THE NEW PRIVACY LAW/APPs

The main steps your agency can take now to prepare for the new Privacy Act provisions introduced by the Amendment Act and the new APPs include examining and determining:

  • what personal and sensitive information your agency currently collects, the purpose(s) for which it collects that information and how it collects such information;
  • whether your privacy policy and the processes for notification of it/obtaining consent to it comply with the APPs. We expect that no agency's existing Privacy Policy and processes will comply with the APPs given the number of significant additional obligations imposed by the new APPs;
  • if the direct marketing provisions will apply to your agency and, if so, what your current practices and processes are with respect to direct marketing and if they comply with the APPs;
  • whether your internal practices with respect to handling personal information (including security measures) are compliant with the APPs and the recent OAIC guidance; and
  • whether your existing privacy training for agency personnel is sufficient for the new APPs.

HOW WE CAN HELP

Please do not hesitate to contact a member of our dedicated privacy team if we can assist your agency with the review/audit of your current policies and practices or to assist your agency to comply with the new privacy regime effective from 12 March 2014.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.


DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com