Message from the Australian Privacy Commissioner
Welcome to the first issue ofPrivacy Connections, the Office of the Australian Information Commissioner's (OAIC) newsletter for privacy professionals in the private sector.
2013 is going to be a big year as we work together to prepare for the commencement of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 that was passed by Parliament in late 2012. This Act is a significant step forward for privacy law reform in Australia.
There are three major areas of reform:
- the introduction of a new, unified set of Australian Privacy Principles
- new credit reporting laws
- greater enforcement powers for the Australian Information Commissioner (the Commissioner) to resolve complaints, conduct investigations and promote privacy compliance.
As we move closer to the commencement date, there is much work to be done to ensure that Australian businesses are aware of their new responsibilities under the reformed Privacy Act 1988 (Privacy Act). While 12 March 2014 might seem a long way away, we all know how fast time flies, so I encourage you to start thinking now about how you can prepare your business for any necessary changes to systems and procedures that may be required.
We will keep in touch with you over the next 12 months to let you know what’s changed and what guidance and materials you can expect to help you comply with the new requirements.
See the Privacy Commissioner’s video message for business and government agencies.
What the law reform changes mean for your business
The new laws are an important milestone for privacy in Australia, and are the most significant reforms to the Privacy Act in over 20 years. Visit our website for further information on privacy law reform.
Australian Privacy Principles
The Australian Privacy Principles (APPs) will replace the existing Information Privacy Principles (IPPs) that currently apply to the public sector and the National Privacy Principles (NPPs) that currently apply to the private sector.
Under the reforms, there will be 13 new APPs. A number of the APPs are new or significantly different from the existing principles, including APP 7 (direct marketing) and APP 8 (cross-border disclosure). The OAIC is currently developing detailed guidelines for the APPs. In the meantime, please refer to our APP fact sheet which sets out the APPs as they will appear in the reformed Privacy Act.
Enhanced powers for the Commissioner
Another substantial change is the strengthening of the powers of the Commissioner. The Commissioner will be able to conduct a performance assessment of private sector organisations to determine whether they are handling personal information in accordance with new APPs, the new credit reporting provisions and other rules and codes.
For the first time, the Commissioner will be able to access remedies when he has conducted an investigation on his own initiative. He will be able to make a determination, accept written undertakings which will be enforceable through the courts, or apply for civil penalty orders of up to $220,000 for individuals, and up to $1.1 million for companies in the case of serious or repeated breaches of privacy.
The Privacy Commissioner has indicated that while he will continue to work with businesses to achieve better privacy practices, and to resolve most complaints by conciliation, he will not shy away from using these new powers in appropriate cases.
Changes to credit reporting laws
Changes include the introduction of more comprehensive credit reporting, which will allow the reporting of information about an individual’s current credit commitments and their repayment history information over the previous two years (see Privacy fact sheet 16). The new system will be accompanied by enhanced privacy protections and underpinned by a new industry-agreed code of conduct, to be called the ‘CR code’ and approved by the Commissioner. On 20 December 2012, the Privacy Commissioner asked ARCA to develop this code.
Start preparing now
Early preparation will ensure you and your business are ready to meet the new compliance requirements in March 2014. Here are some things you can do now:
- review and update your privacy policies and collection notices
- review outsourcing arrangements, particularly if these involve the disclosure of personal information outside Australia
- review direct marketing practices, including the availability of ‘opt out’ mechanisms.
Check out our guidance and get involved
Over the next 12 months, the OAIC will be producing a range of guidance and resources in the lead up to the commencement of the reforms. We expect the first lot of guidance to be available in the middle of 2013. This includes guidelines, rules and other statutory instruments. We will have a refreshed Privacy impact assessment (PIA) guide, Data breach notification (DBN) guide, Code development guidelines, an APP quick reference tool and some fact sheets. We will also be holding consultations on some of the materials we are producing and we encourage you to get involved. For further information keep an eye on our privacy reforms web page, or subscribe to the RSS feed on that page.
Have your say about guidance we are producing through our public consultation processes.
Here are some upcoming consultations you might be interested in:
- Indigenous privacy guide consultation. Do you have a project proposal that may have a particular impact on Aboriginal and Torres Strait Islander people or communities? Have your say on our draft guide.
- External dispute resolution scheme consultation. Is your organisation involved in an external dispute resolution scheme? You may be interested in commenting on our draft guidelines.
- Code development guidelines consultation. You may work in an industry that may seek to have a specific Code developed and endorsed by the Commissioner. Have your say on our guidance for how your Code should be developed.
We will let you know when these consultations are open for your participation.
Privacy Awareness Week 2013
The OAIC will celebrate Privacy Awareness Week (PAW) from 28 April to 4 May 2013. This year the focus is on privacy law reform and we will have some great resourcesfor you to share with your staffand clients.
Last year we had over 180 partners registered and we are encouraging you to register as a partner in 2013. This is a non-financial arrangement, we just ask that you promote the importance of privacy awareness to your stakeholders. As a partner, you will have access to a range of resources to help you spread the privacy message. If you are interested in becoming a partner please send an email to email@example.com
To launch PAW 2013, the OAIC will be holding a business breakfast in Sydney. This event will take place on Monday 29 April at 7.30 am, Hilton Hotel, Sydney. This year's event will explore information security requirements under the Privacy Act with an expert panel, and give you the chance to network with other privacy professionals.
When: Monday 29 April, 2013
Where: Hilton Hotel, Pitt Street Sydney
Time: 7.30–9.30 am
RSVP: Event registration details will be released shortly
Last year our data breach notification breakfast was attended by over 170 privacy professionals, so put the date in your diary now and organise a table with your colleagues.
If you want to subscribe to this eNewsletter please send an email to firstname.lastname@example.org with 'subscribe to privacy connections' in the subject line.