Special Edition: Government announces first tranche of privacy reforms
20 October 2009

The Government has just announced the first stage of reforms in response to the ALRC's final recommendations on Privacy Law reform. The reforms include:

  • bringing all federal public and private sector privacy principles under one harmonised set of privacy principles (the Unified Privacy Principles (UPPs))
  • redrafting and updating the Privacy Act so it is clearer and easier to comply with
  • creating a new credit reporting framework to complement the recent consumer credit law reforms
  • addressing health sector concerns such as research and database issues, and
  • strengthening the Privacy Commissioner's powers to conduct investigations, resolve complaints and promote compliance.

The government's stated approach is to reform the foundations first and, once these have progressed, to consider the ALRC's other recommendations such as the removal of exemptions and data breach notices. Not surprisingly, the government has postponed addressing or commenting on the proposed statutory tort of breach of privacy until its second stage consideration of the ALRC's recommendations.

We set out below a brief overview of the proposed reforms and their likely impact on public and private sector organisations:


Making the Privacy Act clearer and easier to comply with

The government has acknowledged that the Privacy Act will need extensive redrafting to achieve the desired consistency and clarity including, most notably, consolidating IPPs and NPPs into the new UPPs and it may also revise the Act's objects clause. The government's response to other important proposed changes to the Privacy Act is to:
  • re-define 'personal information' to include the reference to a reasonably identifiable individual, as proposed by the ALRC
  • amend the definition of 'sensitive information' to include biometric information which requires a higher level of protection, limited to biometric information which is specifically collected to identify and verify an individual through biometric processes
  • streamline the definition of 'record' to ensure it is consistent with other similar legislation and covers information held in an electronic format, and
  • clarify the definition of 'generally available publication' so that a publication is generally available whether or not a fee is charged for access to it.

The ALRC had proposed to amend the Act to cover matters of use and disclosure, access, data quality and data security in relation to the personal information of individuals who have been dead for 30 years or less, where that information is held by an organisation. The current Act only applies to living persons and the ALRC's proposal was rejected.

Because the ALRC is due to provide its report on secrecy provisions in Federal legislation (amongst other things) to the Attorney-General by 31 October 2009, the government declined to respond to recommendations on this subject for now.

The government agrees that the definition of 'law' for the purpose of determining when an act or practice is required or authorised by or under law (see NPP 2 for example) should include common law or equitable duties (not just the duty of confidentiality) as well as an order of a court or tribunal, documents given the force of law by an Act (e.g. industrial awards) and Commonwealth, state and territory Acts and delegated legislation. Ultimately though, the meaning will best be determined on a case by case basis and the government encourages the Privacy Commissioner to publish appropriate guidance.

The government also agrees that data matching should be given strong privacy protections and that the relevant electoral commissions need to develop and publish the appropriate protocols to establish more consistent privacy protections for the sharing of information for the continuous updating of the electoral roll.



Broadening the roles and powers of the Privacy Commissioner

The government proposes to give the Privacy Commissioner additional functions and powers to investigate and resolve complaints, and to promote and enforce compliance, including:

Greater investigative powers so that the Privacy Commissioner may:

  • direct agencies to provide the Privacy Commissioner with a Privacy Impact Assessment in relation to a new project or development that the Privacy Commissioner considers may have a significant impact on the handling of personal information, and to report to the ministers responsible for the agency on the agency's failure to comply with such a direction
  • develop and publish Privacy Impact Assessment Guidelines to assist organisations to comply with their responsibilities under the Privacy Act, and
  • conduct 'Privacy Performance Assessments' of the records of personal information maintained by organisations for the purpose of ascertaining whether they are maintained in accordance with privacy laws.

Greater authority to resolve disputes, including the power to:

  • make preliminary inquiries of third parties as well as the respondent when determining whether or not to accept a complaint
  • compel parties to a complaint, and any other relevant person, to attend a compulsory conference
  • collect personal information about an individual (in the context of an investigation) who is not the complainant, and
  • refuse to accept an application for a Public Interest Determination where the Privacy Commissioner is satisfied that the application is frivolous, vexatious or misconceived.

Better enforcement powers, including the power to:

  • issue notices to comply to agencies and organisations following own motion investigations and the power to commence proceedings in the Federal Court or Federal Magistrates Court for an order to enforce such notices
  • seek a civil penalty in the Federal Court or Federal Magistrates Court where there is a serious or repeated interference with the privacy of the individual, and
  • accept enforceable undertakings.

Publication of appropriate guidance on various provisions in the Privacy Act, for example:

  • the government agrees that the Privacy Commissioner may develop and publish appropriate guidance on 'consent', such as the factors to take into account when assessing whether consent has been obtained, express and implied consent in various contexts, and when it is and is not appropriate to 'bundle consent'
  • the Privacy Commissioner should conduct research on privacy matters and new technologies and provide guidance materials, in conjunction with other agencies with privacy-related functions, and should publish guidance for organisations on the privacy implications of data matching and on the status of generally available publications in electronic format.

The government has made it clear that in establishing the guidelines the Privacy Commissioner should avoid imposing unnecessary regulatory burdens.

The government proposes to create a new Office of the Information Commissioner, bringing together the Privacy Commissioner and the FOI and Information Commissioners; the view being that co-location will strengthen and elevate the role and importance of privacy laws, and encourage development of guidance and policy on interaction of the legislation.



The new UPPs

The government accepted one of the ALRC's most significant recommendations, which was the creation of a new set of privacy principles, to be known as the model UPPs, which consolidate the IPPs and NPPs. The UPPs will apply to public sector agencies and private organisations alike where appropriate. They will be technology neutral, expressed as high level principles, impose reasonable obligations, and be simple, clear and easy to understand and apply. The proposal to allow the UPPs to be modified in the future by regulations was rejected.

The definition of consent will be amended to clarify that consent may be withdrawn where it is lawful to do so.

Anonymity and pseudonymity

Individuals will have the clear option to interact with organisations and agencies anonymously or using pseudonyms, where it is lawful and practicable to do so.

The government encourages guidance on this issue from the Privacy Commissioner.

Collection

A new principle requiring that personal information only be collected from the individual concerned where reasonable and practicable, although the government acknowledges there will be cases where it is not reasonable and practicable to do so.

Guidance from the Privacy Commissioner will be required on these matters as well as on collection from people under 18 years of age or with a limited decision-making capacity.

If unsolicited personal information is received, the agency or organisation should destroy or de-identify it where lawful and practicable to do so and if it is otherwise retained, the UPPs should be complied with.

Guidance will be needed to explain how this UPP may apply to situations including the receipt of confidential 'tip-offs' and the interaction of other UPPs such as the requirement to notify individuals when their personal information is collected.

This UPP will also provide that personal information must not be collected unless it is necessary for one or more of the agency's or organisation's functions or activities. These functions or activities should be able to be clearly identified and the term 'necessary' should be interpreted objectively and in a practical sense. Personal information should not be collected in the off chance that it may become necessary in the future or it is merely helpful.

Sensitive information

Requirements for the collection of sensitive information will be included in the 'Collection' UPP. This information may not be collected except where permitted by specified exceptions and this principle will also apply to unsolicited sensitive information.

Exceptions will include where the relevant individual has consented, the investigation of matters contemplated by NPP 2.1 (f) and (h), collection by non-profit organisations subject to the conditions in NPP 10.1(d), and where necessary for a legal or equitable claim. The provisions on sensitive information have been extended so that the information can be collected by agencies or organisations where it is required or authorised by or under law, and where it is necessary to lessen or prevent a serious threat to the life, health or safety of an individual and it will be unreasonable or impracticable to obtain the individual's consent (the italicised part is new).

The fact that an individual lacks capacity to give consent or cannot communicate consent would go to determining whether it is reasonable or practicable to seek their consent.

Notification

A requirement for individuals to be notified about how their personal information will be handled. There may be circumstances where it is reasonable to take no steps to notify an individual about collection of their personal information. The recommendation expands what is currently required in a collection statement (NPP1.3) to include:

  • when an individual may not be aware that their personal information has been collected, the fact and circumstances of collection
  • the right of correction of personal information
  • the actual or types of agencies, organisations, entities or persons to whom the agency or organisation usually discloses personal information of the kind collected, and
  • the avenues of complaint available as set out in the relevant privacy policy.

Openness

A new UPP which will continue to require agencies and organisations to set out a clearly expressed Privacy Policy document explaining how they collect, hold, use and disclose personal information, including:

  • whether personal information is likely to be transferred outside Australia and the countries to which such information is likely to be transferred
  • any significant information handling practices relevant to a particular agency or organisation, eg if they have a specific retention or destruction obligation
  • updates to the privacy policy if policies and practices change
  • specific detail on how personal information is handled at each stage of the information cycle – collection, storing, using and disclosing
  • a requirement for reasonable steps to be taken to develop and implement internal policies and practices that enable compliance with the UPPs (e.g. training of and communicating to staff about policies and practices, establishing procedures to receive and respond to complaints and enquiries, and procedures to identify and manage compliance risks).

The government is keen to ensure that this principle, which it has said should be the first enumerated UPP, should be grounded on the actual internal policies and practices of the agency or organisation.

A privacy policy is expected to contain general information on handling personal information, while internal policies and practices require a higher level of detail. The government wants to give greater recognition to the UPPs and to impose a general obligation to take reasonable steps to implement policies and practices to comply with the UPPs, qualified by a 'reasonable steps' test and by the circumstances of the agency or organisation (which will dictate what appropriate steps they should take).

The government response noted that short form privacy notices can provide a practical way to promote openness and transparency on how personal information may be handled, and that the Privacy Commissioner should provide appropriate guidance.

Use and disclosure

Another new UPP setting out requirements for the use and disclosure of personal information for other than the primary purpose of collection.

This UPP will include a secondary purpose provision similar to that in NPP 2.1 (a). Additional exceptions, found in NPP 2, and those recommended by the ALRC are supported by the government. It also added a new exception, for the purpose of locating a reported missing person. This must be done in accordance with binding rules issued by the Privacy Commissioner in the form of a legislative instrument.

This UPP will include the same provision as NPP 2.1 (e) — a serious threat to life, health and safety — but the threat does not have to be imminent (so the exception is less restrictive), subject to an additional requirement that consent should first be sought where reasonable (realistic or appropriate). This exception will also apply to the collection of sensitive information.

Direct marketing

A separate principle which will impose a different standard on the information of individuals who have an existing relationship with the organisation from those who do not. A relationship can cover a variety of contexts and can be construed in a broad sense. This UPP will not generally extend to agencies other than where the agency is engaging in commercial activities.

Contrary to the ALRC's recommendation there will be no age distinction for direct marketing activities.

Sensitive information including health information cannot be used or disclosed for direct marketing purposes without consent, even if the individual is an existing customer.

Personal information of individuals who are not existing customers should only be used and disclosed for direct marketing purposes with the individual's consent, or in other circumstances similar to NPP 2.1 (c). Importantly, organisations will be required, where practicable, to disclose the source from which they acquired the individual's personal information if the individual asks.

Data quality

Substantially the same as NPP3 but the obligation is referable to the purpose of the relevant collection, use or disclosure and the additional requirement of ensuring the information is relevant. Guidance from the Privacy Commissioner on what constitutes 'reasonable steps' would be helpful.

Data security

Substantially the same as NPP 4 with the additional requirement for destroying or rendering information non-identifiable if retention is not required or authorised by or under law. The government may consider cross-referencing this UPP with the provisions on data breach notification in its second stage considerations.

Access and correction

A single unified UPP which transfers an enforceable right of a person to access and correct their personal information from the FOI Act to the Privacy Act. This is where the primary avenue for access and correction will be located (to move the focus away from the FOI Act although some rights of access will be retained in the FOI Act). This will be an enforceable right through the complaints process to the Privacy Commissioner.

The review of agency access and correction decisions will need to be aligned in the Privacy Act.



Credit reporting provisions

A significant number of the ALRC's recommendations on credit reporting have been accepted. The government intends to simplify the legislative provisions on credit reporting, recognising that the current provisions of Part IIIA of the Privacy Act are overly complicated and too prescriptive. Significantly it is proposing to allow more comprehensive credit reporting, matched by specific rules about the inclusion, maintenance, use and disclosure of credit reporting information.

With the commencement of new obligations in the National Consumer Credit Reform, finalising credit reporting legislation is a likely priority for the coming months.

At a structural level the approach taken in Part IIIA will be replaced with a new approach under which the UPPs will form the baseline for compliance in respect of credit information. The legislation will include provisions on credit information only where more specific rules are to be imposed (i.e. beyond those in the UPPs). Contrary to the ALRC's recommendations, the government proposes less reliance on subordinate regulations for credit, preferring any required specific rules to be included in the principal legislation. However, the government has agreed to the development of a new code of conduct by credit reporting agencies and credit providers in conjunction with consumer groups and regulators (and in particular the Office of the Privacy Commissioner). The new code is perceived as binding and would deal with the operational aspects of the new regime and replace the current Credit Reporting Code of Conduct.

The regime contemplated by the government will apply specifically to small businesses that are credit providers and credit reporting agencies. It will not apply to reporting on foreign credit so foreign credit providers will not be entitled to access credit reporting information. However credit reporting will be included in the lists of areas on which the government will seek to co-ordinate with the New Zealand government given the strong links between the Australian and New Zealand credit industries.

The most significant reforms lie in the matters that will be permitted to be included in credit reporting information. The debate about 'comprehensive' credit reporting has been continuing for some time. With the proposed 'responsible lending conduct' provisions in the National Consumer Protection Bill, credit providers will become subject to an obligation to undertake positive steps to ascertain the financial circumstances of applicants for regulated credit to assess if a credit product is not unsuitable for that applicant. An expanded concept of credit reporting information is seen by many credit providers as a key tool to meet the new responsible lending obligations.

Legislation is likely to continue to contain the list of information that may only be included in credit reporting, expanded to include:

  • the type of each credit account opened (for example, mortgage, personal loan, credit card)
  • the date on which each credit account was opened
  • the current limit of each open credit account, and
  • the date on which each credit account was closed.

Information of this type will need to be deleted two years after the date on which the relevant account was closed.

The government supports the introduction of effective privacy protections to ensure that such new data will be handled appropriately by credit providers and credit reporting agencies, suggesting that the binding industry code will be very important.

A potentially controversial inclusion in the government's reform agenda is expanding permissible credit reporting information to include information on an individual's repayment performance history indicating:

  • whether, over the prior two years, the individual was meeting his or her repayment obligations at each point of the relevant repayment cycle for a credit account; and, if not,
  • the number of repayment cycles the individual was in arrears.

This proposed expansion of current credit reporting parameters will depend on the development of effective privacy protections (some of which will be reflected in special regulations to govern procedures relating to information kept about repayment history) and on the commencement of the responsible lending conduct obligations which underlie the argument for more comprehensive credit reporting.

The government has indicated that payment history information from the period commencing six months after the issue of its report last week could be included in credit reporting information.

The government has also flagged its intention to:

  • continue the policy for defaults below a certain value to not be listed with a credit reporting agency ($100 is the likely threshold)
  • oblige credit providers to take reasonable steps to contact individuals before a serious credit default is notified to a credit reporting agency (also reflected in the new notice requirements in the National Consumer Credit Reform Bill)
  • remove dishonoured cheques as a basis for listing a credit default
  • include certain information from the National Personal Insolvency Index administered under bankruptcy law in credit information files (coupled with an obligation on credit reporting agencies to ensure that the information is accurately updated from time to time)
  • prohibit the inclusion of 'sensitive information' in credit information files
  • prohibit the maintenance of credit reporting information on persons under the age of 18, and
  • enable individuals to prohibit, for a specified period, the disclosure by a credit reporting agency of credit information about that person without their express authorisation (designed to assist victims of fraud and identity theft).

The government's response suggests the tight controls on the disclosure and use of credit reporting information will continue and there may be separate regulations to deal with the permitted secondary uses of credit reporting information which will generally exclude direct marketing.

On balance, the government considers the use and disclosure of credit reporting information for the purposes of 'pre-screening' should be expressly permitted but only for the purposes of excluding adverse credit risks from marketing lists and has identified specific requirements for persons undertaking pre-screening activities.

The government will allow credit reporting information to be used to help credit providers verify customer information under the Anti-Money Laundering and Counter Terrorism Finance Act 2006.

The amended credit reporting provisions are likely to be subject to further review, five years from the date that new legislation is passed.



Health services and research

In line with its responses in relation to structural reform of privacy principles and to ensure that parliament has an express role in determining whether changes are made to fundamental privacy protections, the government indicated that substantive rights and obligations on the handling of health and other personal information should be set out in the primary legislation (the Privacy Act) rather than in regulations as was recommended by the ALRC.

The government will "work with other jurisdictions and health ministers to progress national consistency in the public and private health sectors".

The government accepted ALRC recommendations aimed at clarifying definitions and addressing health privacy issues, including:
  • new rights enabling individuals to: 
    • have their health records transferred between health service providers, and 
    • be told what will happen to their health records if their provider closes down or changes hands
  • allowing providers to share health information that is necessary for health care and is within the individual’s reasonable expectations, to promote appropriate information flows in the sector, and
  • strengthening options for access to health information through an ‘intermediary’, with a tailored option if direct access seriously threatens life, health or safety.

The government agreed in principle that privacy protections are necessary for any national Unique Healthcare Identifiers (UHIs) or national Shared Electronic Health Records scheme that arises out of public consultation announced by the Australian Health Ministers' Conference (AHMC) and that matters to be addressed in legislation should be the subject of future consultation.

The government agreed with the ALRC that the definitions of 'health information' and 'health service' should be amended. These definitions should be clarified so that 'health information' includes information about physical, mental and psychological health and the definition of 'health service' expressly excludes activities performed for reasons other than care or treatment — such as life, health or other forms of insurance.

The government also supported two key proposals to facilitate research in the public interest. First, there should be one set of rules under the research exceptions to the 'Collection' and the 'Use and Disclosure' principles to replace the Guidelines under Section 95 of the Privacy Act 1988 and the Guidelines Approved under Section 95A of the Privacy Act 1988; these should be made by the National Health and Medical Research Council rather than the Privacy Commissioner. Secondly, the new provisions should apply to any research in the public interest, not just health and medical research.



Next steps

The government has indicated that it will now begin preparing exposure draft legislation to implement the proposed amendments. The exposure draft is expected to be released for consultation in early 2010.

Issues in relation to consistency with state and territory privacy laws will be addressed in the government's second stage response and due to their complexity and sensitivity, the government will also consult further with the private and public sectors prior to responding to the ALRC's numerous outstanding recommendations.

© Minter Ellison 2010