Alert | Bill tabled for first tranche of reviews to the Privacy Act

23 May 2012

The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) (the Bill) amends the Privacy Act 1988 (Cth) (the Act) to implement the first tranche of responses to the Australian Law Reform Commission's (ALRC) report called 'For Your Information: Australian Privacy Law and Practice' (the ALRC report).

The Bill:

  • introduces new Australian Privacy Principles
  • introduces more comprehensive credit reporting
  • introduces new provisions on privacy codes and the credit reporting code
  • clarifies the functions and powers of the Privacy Commissioner
  • improves the Commissioner's ability to conduct investigations and resolve complaints.

At first glance, it would appear that there are no changes which differ significantly from the proposals which have been foreshadowed for some time.

Australian Privacy Principles

The Bill introduces a single set of 13 Australian Privacy Principles (APPs) that will replace the current Information Privacy Principles (IPPs) (which apply to government agencies) and the National Privacy Principles (NPPs) (which apply to organisations).

The new APPs will:

  • require entities to deal with personal information in an open and transparent way;
  • govern the collection, use and disclosure of personal information;
  • deal with government related identifiers;
  • deal with integrity, quality and security of information; and
  • deal with requests for access to and correction of personal information.

The key differences from the current principles are that:

  1. if an entity has received unsolicited personal information, this personal information will still be afforded privacy protections (APP 4) (which clarifies the current position);

  2. direct marketing by organisations will be prohibited except where either (a) the organisation collected the information from the individual, the individual would reasonably expect their information to be used for direct marketing, and the individual has been given the ability to opt out and has not done so; or (b) consent is obtained and the individual can opt out (APP 7) (government agencies will generally be exempt from the prohibition);

  3. entities disclosing personal information to overseas recipients must take reasonable steps to ensure that the overseas recipient does not breach the APPs (APP 8). Where the overseas recipient handles personal information in a manner that breaches the NPPs, the Australian discloser can be held to have itself breached the APPs; and

  4. an entity is required to take reasonable steps to correct the personal information it holds about an individual (APP 13). Unlike under NPP 6.5, the individual will not need to 'establish' that personal information is incorrect before correction is required.

Other relevant changes are that the definition of 'government related identifier' is expanded to include State and Territory authorities as well as Commonwealth agencies, so driver's licence numbers will also be included, and 'sensitive information' now includes biometric information.

Powers of Privacy Commissioner

The Bill clarifies the functions and powers of the Privacy Commissioner and advances the Commissioner's ability to conduct investigations and resolve complaints.

The Bill gives the Commissioner the functions conferred on him by the Privacy Act, together with guidance-related, monitoring-related and advice-related functions. The 'monitoring-related functions' of the Commissioner are to monitor the security and accuracy of information held by an entity, to examine the records of entities to ensure that they are not using information for unauthorised purposes, and to prevent the unlawful disclosure of such information.

The Commissioner may conduct an assessment on whether the personal information held by an APP entity is being maintained and handled in accordance with the APPs or relevant Code or legislation.

The Commissioner may accept enforceable undertakings and may recognise external dispute resolution schemes. The Commissioner may conduct investigations based on a complaint, or may conduct 'own motion' investigations. The Commissioner will be able to make a determination based on the 'own motion' investigation.

The Commissioner may apply to the Federal Court or Federal Magistrates Court for an order that an entity alleged to have contravened a civil penalty provision pay the Commonwealth a pecuniary penalty. Conduct covered by civil penalty provisions includes collecting credit reporting information about an individual, using or disclosing credit reporting information for the purpose of direct marketing, doing an act that is a serious interference with the privacy of an individual, or repeatedly doing acts that are an interference with the privacy of one or more individuals.

Changes to Credit Reporting and the CR code

The revisions are intended to action the ALRC’s recommendation to move to a ‘more comprehensive’ credit reporting system. In this regard, five new types of personal information (referred to generally as ‘data sets’) will be permitted for collection and use in credit reporting:

  • the date a credit account was opened;
  • the type of credit account opened;
  • the date a credit account was closed;
  • the current limit of each open credit account; and
  • repayment performance history about the individual.

Repayment performance history information will only be available to credit providers licensed under Chapter 3 of the National Consumer Credit Protection Act (and subject to responsible lending obligations under that Act). Repayment history information may also be available to mortgage insurers for the purposes of mortgage insurance.

The Explanatory Memorandum to the Bill provides that the additional categories of personal information 'will allow credit providers to make a more robust assessment of credit risk and assist credit providers to meet their responsible lending obligations'.

The other main reforms to the credit reporting system include:

  • new obligations relating to the retention of personal information;
  • the introduction of rules to deal with the pre-screening of credit offers; and
  • the regulation of credit reporting to reflect the general obligations contained in the APPs and information flows within the credit reporting system.

Specific rules to deal with the freezing of access to an individual’s personal information in cases of suspected identity theft or fraud will also be introduced.

Finally, the revised provisions include general measures which place greater responsibility on credit reporting bodies and credit providers to enable individuals to access, correct and resolve complaints about their personal information.

The CR code

The credit reporting reforms will be supported by the regulations, as well as the introduction of the registered credit reporting code (CR code).

The Commissioner may request 'code developers' (defined generally as organisations to which Part IIIA (Credit Reporting) of the Act applies) to develop the CR code, and if the code developers fail to do so, the Commissioner can develop the CR code personally.

Once registered, the CR code will bind all credit reporting bodies. It will also bind any credit providers or other entities (for example, mortgage insurers and trade insurers) named in that Code, although this can be varied in certain circumstances.

The registered CR code will set out how the credit reporting provisions of the Act are to be applied and adhered to, and may also impose additional requirements on the entities bound.

A breach of the registered CR code will be considered an interference with privacy under section 13 of the Act that is subject to investigation by the Commissioner under Part 5 of the Act.

Civil penalties and offences

The credit reporting offences ('criminal offences') will generally be removed and replaced with civil penalty provisions under the reforms.

However some forms of conduct will still be considered an 'offence', for example:

  • in relation to the use and disclosure of false and misleading information; or
  • the unauthorised collection of information from a credit reporting body or credit provider.

Notably, civil penalty provisions have been included in relation to the same conduct. The dual system is intended to allow an appropriate remedy to be applied depending on the particular circumstances.

It is intended that the revised credit reporting provisions will achieve greater logical consistency with the APPs, and ensure simplicity and clarity throughout the Act.

We will provide you with a full overview of the Privacy Act reforms in due course.

Author(s) Charles Alexander, Kate Vaughan, Kate Ballis