Marsh & Maher Richmond Bennison Lawyers


Recent changes to the Privacy Act



Recent changes to the Privacy Act

Amendments to the Privacy Act 1988 (Cth) (“Act“) came into effect in March 2014.

The changes to the Act have been much talked about, but generally, they are unlikely to have too great an impact on the way most organisations go about their business, as many of the changes are of form more than substance.

Essentially, if an organisation was complying with their obligations under the Act before the amendments took affect, only a few steps will likely be required to ensure continued compliance.

What hasn’t changed?

What the Act protects

There has been some minor tweaking to the definitions, but the Act is still primarily designed to protect “personal information“, meaning information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not.

Specific protections apply to “sensitive information” which means:

  1. information or an opinion about an individual’s:
    1. racial or ethnic origin; or
    2. political opinions; or
    3. membership of a political association; or
    4. religious beliefs or affiliations; or
    5. philosophical beliefs; or
    6. membership of a professional or trade association; or
    7. membership of a trade union; or
    8. sexual orientation or practices; or
    9. criminal record; that is also personal information; or
  1. health information about an individual; or
  2. genetic information about an individual that is not otherwise health information; or
  3. biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
  4. biometric templates.

A subset of sensitive information is “health information” which is defined as:

  1. information or an opinion about:
    1. the health or a disability (at any time) of an individual; or
    2. an individual’s expressed wishes about the future provision of health services to him or her; or
    3. a health service provided, or to be provided, to an individual; that is also personal information; or
  1. other personal information collected to provide, or in providing, a health service; or
  2. other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
  3. genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.

Who the Act applies to

The Act continues to apply to both Commonwealth “agencies” (meaning a public figure, such as a Minister or other public servant, or a public body such as a Department, tribunal, court or the police), and to “organisations” (meaning private bodies, such as an individual, a company or other body corporate, a partnership, any other unincorporated association, or a trust).

Exemptions from compliance with the Act continue to apply for “small business operators“, that is, a person that caries on a business with an annual turnover for the previous financial year of less than $3,000,000, provided they don’t trade in personal information or collect health information.

The Act continues to not apply to state government agencies, who are instead covered by similar obligations under state-based legislation such as the Information Privacy Act 2000 (Vic). In addition, the Health Records Act 2001 (Vic) applies to agencies and organisation that hold information about the health of individuals in Victoria.

What has changed?

Australian Privacy Principles

The main amendment to the Privacy Act is the introduction of thirteen Australian Privacy Principles (“APPs“) that agencies and organisations must follow when dealing with personal information.

However, the APPs aren’t particularly new, as they are largely based on the ten “National Privacy Principles” that previously applied to organisations and the eleven “Information Privacy Principles” that previously applied to agencies.

In brief summary, the APPs provide as follows with respect to organisations (with the more significant differences from the previous NPPs noted):

  • APP 1:   An organisation must manage personal information in an open and transparent way, including by having a privacy policy.

Previously, the requirements for a privacy policy were quite vague – they now detail the following matters to be included in a privacy policy:

  1. the kinds of personal information that the entity collects and holds;
  2. how the entity collects and holds personal information;
  3. the purposes for which the entity collects, holds, uses and discloses personal information;
  4. how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
  5. how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
  6. whether the entity is likely to disclose personal information to overseas recipients;
  7. if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries

Most organisations will need to update their privacy policy to ensure all of the requirements are covered, although generally only minor changes should be required.

  • APP 2:   Individuals must be allowed the option of not identifying themselves or using a pseudonym (unless this is impractical or contrary to law).
  • APP 3:   An organisation must only collect personal information where it is reasonably necessary for its functions or activities, and only collect “sensitive information” (including health information as well as information about race, beliefs, sexual orientation, criminal records) with the consent of the relevant individual (or in certain other circumstances).
  • APP 4: If they receive unsolicited personal information (that is, personal information is obtained without taking active steps to obtain it), an organisation must determine whether the information would have been able to have been collected under APP 3, and if not, destroy or de-identify the information.

The provisions relating to unsolicited personal information are new.

  • APP 5:  Around the time of collecting personal information, an organisation must notify the relevant individual of matters such as their contact details, the purpose of the collection and their Privacy Policy.

These notice requirements have been increased, meaning organisations may need to amend privacy notices they give to individuals. However, many organisations can simply rely on their privacy policy being published on their website and bring this to individuals’ attention at the time of collection.

  • APP 6:   An organisation must only use personal information for the purpose for which it is collected (or for secondary purposes in certain other circumstances set out in section 16A and 16B of the Act, such as where the use or disclosure is required by law or necessary for public health and safety).

These provisions have generally not changed, but some additional secondary purposes have been added, such as to help find a missing person, to establish, exercise or defend a legal or equitable claim and or the purposes of a confidential alternative dispute resolution.

  • APP 7:  An organisation must comply with certain requirements if using personal information for direct marketing (part of which ensure that individuals can easily request not to receive direct marketing communications).

Other relevant federal legislation continues to apply, such as the Spam Act 2003 (Cth) which prohibits sending unsolicited SMS and email direct marketing communications, and the Do Not Call Register Act 2006 (Cth) which allows individuals to opt out of receiving  direct marketing phone calls and faxed communications.

  • APP 8:   An organisation must not disclose personal information to a person outside Australia without taking reasonable steps to ensure the overseas recipient will not breach the APPs (not applicable if the overseas recipient is subject to law which is similar to the APPs, such as New Zealand).

In addition, section 16C of the Act provides that if an overseas recipient does an act which would breach an APP, the organisation who disclosed the information to the overseas recipient may be taken to have done that act and breached that APP. This won’t be the case if the overseas recipient is subject to the APPs (ie. because it has a link to Australia), or if it is located in a jurisdiction which has laws which impose similar obligations as the APPs.

These requirements are new and have some significant consequences under the Act. Organisations that shares personal information with overseas recipients (including to related bodies, and including overseas hosting of servers) should consider putting additional protections in place to reduce the risk of the overseas recipient causing them to fall foul of the APPs (such as by entering a deed of indemnity).

  • APP 9:   An organisation must not use government related identifiers, except in certain circumstances.
  • APP 10: An organisation must take reasonable steps to ensure the personal information it collects, uses and discloses is accurate, up-to-date and complete.
  • APP 11: An organisation must take reasonable steps to ensure the personal information is holds is protected from misuse, interference, loss and unauthorised access.
  • APP 12: An organisation must allow individuals to access the personal information held about them, except in certain circumstances.
  • APP 13: An organisation must take reasonable steps to correct or update personal information when requested by the individual to which the information relates, or advise the individual of their reasons for refusing to do so.

Credit reporting

Organisations involved in credit reporting will now be regulated by a more comprehensive regime.

One of the major changes is that credit reporting bodies can collect and share personal information which is positive about individuals, rather than only being permitted to collect adverse information.

Individuals will have better access to a complaint process and have increased abilities to correct credit information.

Enforcement and penalties

While the Act has not greatly changed in substance, an important change to note is the enhanced powers given to a new Information Commissioner to resolve complaints, use external dispute resolution services, conduct investigations and promote compliance.

The Commissioner will have the power to apply to a court for fines of up to $340,000 for an individual or $1.7 million for organisations to be imposed for breaches of privacy.

Presumably, fines of this magnitude would be reserved for serious breaches of the APPs, however organisations that have taken a fairly relaxed attitude to the privacy obligations in the past may wish to consider putting greater effort into ensuring future compliance.