30 May 2012
Proposed amendments to the Privacy Act 1988
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012, currently before Parliament, proposes a number of significant amendments to the Privacy Act 1988.
This Bill is intended to implement the Government's first stage response to the Australian Law Reform Commission's report number 108, For Your Information: Australian Privacy Law and Practice (the ALRC report). Given the large number of recommendations, the Government announced that it would respond to the ALRC report in two stages.
Main provisions and amendments
The Bill, if enacted, will amend the Privacy Act in areas including the following:
- Schedule 1 to the Bill will repeal the Information Privacy Principles (IPPs) (applying to the public sector) and the National Privacy Principles (NPPs) (applying to the private sector). These will be replaced by the Australian Privacy Principles (APPs) – a single set of privacy principles applying to both Commonwealth agencies and private sector organisations (which are referred to as 'APP entities' in the Bill). Some of the APPs will impose obligations and create exceptions that do not arise under the existing IPPs and NPPs. Schedule 1 inserts a number of new definitions and replaces some current definitions. For example, there is a new definition of 'personal information'.
- Schedule 2 to the Bill will replace the current credit reporting provisions in Pt IIIA of the Privacy Act. The new provisions will allow for additional kinds of credit-related personal information to be collected – for example, limited repayment history information (see new ss 6(1) and 6N). The new credit reporting provisions will provide additional consumer protections in the areas of notification, data quality, access and correction, and complaints.
- Schedule 3 to the Bill will replace the current provisions in the Privacy Act dealing with privacy codes and the Credit Reporting Code of Conduct. New Pt IIIB will deal with codes of practice relating to the APPs (called APP codes) and a code of practice about credit reporting (called the CR Code). The Information Commissioner will be able to request the development of APP codes and the CR Code, or develop such codes if a request to develop a code is not complied with or is complied with but the Commissioner is not satisfied with the result, and then register them (see new ss 26E, 26G, 26P and 26R).
- Schedule 4 to the Bill proposes a number of other amendments to the Privacy Act. The Schedule inserts an objects clause and enhances the functions and powers of the Information Commissioner, giving the Commissioner certain new powers (for example, the power to conduct an assessment of an APP entity's maintenance of personal information – the new powers are set out principally in new Divs 3A and 3B of Pt IV of the Act). Schedule 4 also amends s 5(1) of the Act, extending its extra-territorial operation to agencies and to organisations and small businesses with an 'Australian link'. New s 13G will provide a civil penalty for a serious or repeated interference with the privacy of an individual.
Implications
Agencies should be aware that the APPs will impose certain obligations that do not currently exist under the IPPs or the NPPs – for example:
- New APP 1 will require agencies to put into place policies about their management of personal information.
- New APP 2 will create a general right to anonymity for individuals when dealing with agencies. This right is subject to certain exceptions.
- New APP 5 will require that, where personal information is collected about an individual (including from sources other than the individual concerned), they must be notified of certain matters (for example, the purposes for which the information has been collected).
- New APP 8 will place certain additional obligations on agencies when disclosing personal information to overseas entities. Generally speaking, the agency will be required to take reasonable steps to ensure that the overseas entity will comply with the APPs (other than APP 1) in relation to the information.
In considering the implications and operation of these amendments, agencies should also review the other APPS carefully. While these generally cover the same subject matter as the current IPPs, some different obligations are imposed and different exceptions are prescribed. Agencies will need to accord enhanced privacy protection to 'sensitive information'.
The amendments will commence 9 months after Royal Assent.
The Bill has been referred to the House Standing Committee on Social Policy and Legal Affairs. No reporting date has yet been set.
AGS was closely involved with the Attorney-General's Department and the Office of Parliamentary Counsel in the preparation of this Bill.
Attorney-General's Department Contact:
Richard Glenn
Assistant Secretary
Information Law and Policy Branch
Attorney-General's Department
richard.glenn@ag.gov.au
Important: The material in Express law is provided to clients as an early, interim view for general information only, and further analysis on the matter may be prepared by AGS. The material should not be relied upon for the purpose of a particular matter. Please contact AGS before any action or decision is taken on the basis of any of the material in this message.