Reporting from Australia, former Australian Privacy Commissioner Malcolm Crompton, Managing Director of Information Integrity Solutions Pty Ltd (“IIS”), writes:
The Australian Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the “Act”) will make significant changes to the Privacy Act 1988. It’s early days for the changes and the impact for organizations will depend on their circumstances. Over the next 15 months we expect to see a range of guidance material from the Office of the Australian Information Commissioner.
Organizations may face some technical challenges adjusting to the new language of the Act. For example, organizations and agencies will be referred to as “APP entities,” there is a revised definition of personal information and the definition of sensitive information now includes biometric information.
IIS suggests that a key area in these early stages will be the new APP 1, which calls for a renewed focus on transparency, governance and compliance. Taking a proactive, customer-focused approach to this task is well worth the effort, especially in light of the new provisions for significant civil penalties. In the current information age, it is the IIS’ view that organizations that put their customers first will have a clear competitive advantage.
Summaries of some of the key changes in the Act are set forth below.
A Single Set of Privacy Principles – the Australian Privacy Principles (“APPs”)
The APPs will replace the current private sector National Privacy Principles and public sector Information Privacy Principles. In addition to the benefits of having a single set of principles for both the public and private sectors, the principles include substantive changes of note, including:
- An overt requirement to demonstrate that steps (such as implementing relevant policies, procedures and training) are being taken to comply with the principles (APP 1).
- Expanded obligations to give individuals information, for example, about the countries to which their personal information might be transferred and about their rights of access and to have a complaint considered (APP 5).
- Limits on direct marketing without consent or opt-out provisions, and additional requirements such as honoring requests for information about where an individual’s personal information was obtained (APP 7).
- In some circumstances, entities may be held responsible for the mishandling of personal information by overseas organizations to which the entity discloses such information (APP 8 and Section 16C).
A More Comprehensive Credit Reporting System
In a significant change to the credit reporting system, five new categories of information can be collected by credit reporting bodies:
- the date a credit account was opened;
- the type of credit account opened;
- the date a credit account was closed;
- the current limit of each open credit account; and
- repayment performance history about a person over the last two years, including the number of repayment cycles that person was in arrears.
The Act increases privacy protection by making it easier for individuals to access and correct their credit information, as well as by simplifying the complaints process.
New APP Codes of Practice and a Credit Reporting Code
APP entities, or the Privacy Commissioner, will be able to develop and register codes of practice to clarify or expand on APP requirements. There is also a provision for a credit reporting code, and new powers for the Privacy Commissioner to develop and register codes that would be binding on specified entities.
Privacy Commissioner’s Powers Strengthened
The Commissioner will have increased ability to resolve complaints, recognize and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations.
Civil Penalties for Serious Matters
The Act contemplates significant civil penalties: AUD $220,000 for an individual and AUD $1.1 million for an APP entity involved in serious or repeated interference with the privacy of individuals.