Key changes to privacy law explained: the impact on business
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Amending Act) was passed on 12 December 2012 and takes effect on 12 March 2014. The Amending Act will bring significant changes to the Privacy Act 1988 (Cth) (Privacy Act) including:
- a new and more cohesive set of privacy principles - the Australian Privacy Principles (APPs)
- new credit reporting provisions
The reforms will have a significant impact on private sector businesses and government agencies that handle personal information. It is important for businesses to understand their obligations and rights in the lead up to the introduction of the new laws.
Overview - privacy principles which govern business and government
Currently, there are different sets of privacy principles that apply to businesses and to Australian government agencies. The Amending Act creates a single set of privacy principles by replacing the current National Privacy Principles (NPPs) with the APPs.
The APPs will regulate the handling of personal information by both Australian government agencies and certain private sector organisations, collectively known as 'APP entities'.[1] While the APPs apply to all APP entities, in some cases they impose specific obligations that apply only to agencies or only to organisations.
The Amending Act also introduces what has been described as a more 'comprehensive'[2] credit reporting system, allowing credit reporting bodies to collect a more extensive list of data about individuals.
The changes to the Privacy Act will be supplemented by regulations and a credit reporting privacy code.
A conditional exemption from the APPs continues for small businesses
Currently under the Privacy Act, small businesses (defined as businesses with an annual turnover of $3 million or less)[3] do not generally need to comply with the NPPs unless they opt in. This exemption will continue under the APPs. However, the following businesses are not exempt even if they meet the small business definition:
- health service providers
- organisations trading in personal information
- organisations related to a larger body corporate (which is not a small business)
- contractors providing services under a Commonwealth contract
- reporting entities for the purposes of the AML Act[4]
- operators of residential tenancy databases.
Small businesses must also comply with the new credit reporting requirements if they participate in the credit reporting system.
Key messages for businesses
Given that the reforms will soon take effect, businesses must ensure that their information collection and handling practices and procedures comply with the new privacy requirements.
For example, businesses should:
- review and update their privacy policies in accordance with APP 1 (discussed below)
- review all current practices for disclosing personal information to third parties located overseas (for example, outsourcing agreements, cloud computing or data arrangements and disclosures to related bodies corporate)
- develop procedures for dealing with unsolicited personal information they receive
- review and amend direct marketing procedures, which might require reconfiguring databases
- if the business participates in the credit reporting system as a credit provider, ensure there are systems in place which comply with the new reporting regime.
Australian Privacy Principles
Most of the APPs are based on the existing NPPs. There are, however, some important changes, for example:
- privacy policies: APP entities must have a clearly expressed and up-to-date policy about managing personal information, and APP 1 requires more details to be included in privacy policies than the existing NPPs
- unsolicited personal information: APP 4 introduces a new privacy requirement regarding unsolicited information. If an APP entity receives unsolicited personal information, it must, within a reasonable period, determine whether or not it could have collected the information under APP 3 (collection of solicited personal information). If the entity determines that it could not have collected the information under APP 3, it must, as soon as practicable, destroy or de-identify the information. De-identifying means removing enough detail from the information that the individual it concerns can no longer reasonably be identified
- direct marketing: APP 7 stipulates that personal information should not be used or disclosed for the purposes of direct marketing unless an exception applies. These exceptions distinguish between individuals who would reasonably expect to receive direct marketing material from the APP entity and those who would not. The exceptions also provide that the APP entity must have a simple way for the individual to opt out of such direct marketing communications
- cross-border disclosure of personal information: APP 8.1 introduces a new accountability approach to cross-border disclosure of personal information. If an APP entity discloses personal information about an individual to an overseas recipient, it must generally (with some exceptions) take reasonable steps to ensure that the overseas recipient does not breach the APPs. Even where reasonable steps have been taken, the entity may still be liable for a breach of the APPs by the overseas recipient.
How is the credit reporting system more comprehensive?
In addition to the APPs, the Amending Act will completely replace the existing Part IIIA of the Privacy Act with a new Part IIIA, which provides for more comprehensive credit reporting. Credit-related personal information will be grouped into new categories. The requirements relating to the new categories are determined by the type of entity that holds the information and the purpose for which the entity uses the information.
The credit regime will continue to regulate the collection, use and disclosure of personal information by credit providers and credit reporting bodies. A mandatory credit reporting privacy code will also apply to the credit reporting system.
New types of information
Currently, credit reporting bodies can only handle personal information that could be adverse to an individual's creditworthiness (such as defaulting on a payment). From March, credit reporting bodies can collect 'positive' data about individuals, namely:
- the date a credit account was opened or closed
- the types of credit account opened (mortgage, credit card, personal loan etc)
- the current limit of each open credit account
- repayment history information (discussed below).
To balance the increased access to information, the Amending Act will also introduce new protections for individuals, including an improved complaint process and increased ability for individuals to correct their credit information.
Repayment history information
Repayment history information (RHI) is probably the most important new type of information available for collection under the credit reforms. It includes information about whether an individual has made a payment on time or has missed a payment.
Under the reforms, access to RHI is limited to credit providers who hold Australian credit licences and who are subject to responsible lending obligations under Chapter 3 of the National Consumer Protection Act 2009 (Cth).
[1] The reforms will not apply to Australian Capital Territory government agencies, so the existing Information Privacy Principles that currently apply to all Australian Government agencies will continue to apply to those agencies.
[2] Australian Government, Privacy Amendment (Amending Privacy Protection) Bill 2012, Explanatory Memorandum.
[3] See s 6D(1) of the Privacy Act 1988 (Cth).
[4] Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).