Privacy Awareness Week 2012
Presentation by Timothy Pilgrim, Privacy Commissioner, at Exploring the Changing Privacy Landscape and Impending Regulations iappANZ breakfast event, Sydney (4 May 2012)
Good morning, everyone.
I would like to begin by acknowledging the Gadigal peoples of the Eora Nation, the traditional owners of the land on which we meet today, and to pay my respects to their elders, both past and present.
It’s great to be here on the last day of Privacy Awareness Week (or PAW), a joint initiative of the Asia Pacific Privacy Authorities forum.
Before I say a few words about the week, I’ll cut to the chase and give you an update on the most recent privacy law reform announcement made by the Attorney-General this week.
As many here today would know, the Attorney has just announced some major legislative reforms to the Privacy Act that will be achieved through amendments scheduled to be introduced into the Parliament in the Winter sitting period.
These include many of the changes we have been anticipating since the ALRC released its 2008 report into Australia’s privacy laws, For your Information: Australian Privacy Law and Practice.
Turning first to the expected consumer benefits identified by the Attorney as a result of these reforms, there will be:
- clearer and tighter regulation of the use of personal information for direct marketing
- privacy protections extended to unsolicited information
- easier access for consumers to correct information held about them, and
- tighter rules on sending personal information outside Australia.
Overall there will be more powers for the Privacy Commissioner to resolve complaints, conduct investigations and promote privacy compliance.
Direct marketing changes
I know that some of you here today will be interested to know what’s in store for direct marketing.
Under the reforms, the use and disclosure of personal information by private sector organisations for the purposes of direct marketing will be addressed in its own principle – APP 7.
Currently some specific limitations apply to private sector organisations’ use and disclosure of personal information for direct marketing under National Privacy Principle (NPP) 2, ‘Use and Disclosure’.
The new direct marketing principle (APP 7) applies to personal information regardless of whether it was initially collected for the purpose of direct marketing or for another purpose.
This is in contrast to the current restrictions in NPP 2, which only apply if direct marketing is a secondary use of personal information. It does not cover information gathered for the primary purpose of marketing.
I think it’s fair to say that direct marketing is an area of community concern.
Our office supported the creation of a direct marketing principle in its 2007 submissions to the ALRC’s privacy review, so we welcome the greater protection and clarity that this new principle brings.
Some of the more important requirements in APP 7 include:
- APP 7 requires that organisations provide a simple means by which individuals may easily request not to receive direct marketing communications. Additionally, organisations must include in all marketing communications a prominent statement that the individual may opt out of receiving those communications, or otherwise draw the individual’s attention to this fact.
This enhances the current requirement in NPP 2 by requiring organisations to provide a simple means of opting out.
- APP 7 also requires that if an individual requests not to receive marketing communications, the organisation must not charge the individual for making the request and must give effect to the request within a reasonable period of time.
Currently under NPP 2, organisations are not allowed to charge individuals to opt out of receiving marketing materials. However, the requirement that requests be fulfilled in a timely way is new and reflects the importance of implementing the individual’s request quickly.
- APP 7 enables individuals to ask organisations not to pass on their details for marketing purposes and requires organisations to tell individuals where they got their details if asked.
This requirement will enable people to find out how a marketing company got their details. It will also enhance transparency and help people to control how their personal information is handled.
It’s worth mentioning that APP 7 does not replace or overrule Acts such as the Do Not Call Register Act 2006 or the Spam Act 2003. So if individuals have opted into the Do Not Call Register, they will continue to be on that register.
Turning now to the credit reporting arrangements, changes include a clearer obligation on organisations to substantiate, or show their evidence to justify, disputed credit listings.
On the consumer side, there will be easier access for individuals to correct credit reporting information.
There will also be a prohibition against the collection of credit reporting information about children.
In terms of the move to more comprehensive credit reporting, this is a big change, and somewhat controversial.
Generally consumer advocates lobbied against this move during the ALRC’s consultation period. There were concerns that financial institutions would use this information inappropriately to the disadvantage of vulnerable consumers.
For these reasons I’m sure there will be ongoing debate on the merits of this particular change.
Increased powers for the Privacy Commissioner
I’ll now give you some details about the extent of the increased powers for the Privacy Commissioner.
A significant change is that I will now have the power to conduct privacy assessments of both private sector organisations and government agencies to determine whether they are handling personal information in accordance with the new Australian Privacy Principles (APPs) or a registered privacy code.
This power also extends to certain entities’ handling of credit information, tax file number information and health information in some circumstances.
This effectively means that our office can assess the handling of all personal information by the private sector for the first time.
It’s interesting to note too that the Attorney has chosen to move from the term ‘privacy audit’ to the term ‘privacy assessment’, reflecting the educational nature of this process.
This emphasises the OAIC’s role in helping all entities to achieve good privacy practices.
Other significant changes include:
- I will now be able to accept a written undertaking from an entity that the entity will take or refrain from taking a specified action in order to comply with the Privacy Act.
- In situations where I consider that an entity has breached an undertaking, I can apply to the Federal Court or Federal Magistrates Court for an order to direct the entity to comply.
- I will also be able to make a determination following an investigation conducted on the Commissioner’s own initiative.
This will be a huge change to the way things stand currently.
For example, at the moment I can only make enforceable determinations in response to complaints. When conducting own motion investigations (or OMIs), the Privacy Act only allows me to make recommendations.
As a result of the reforms, I will now have the ability to make an enforceable determination following an investigation conducted on my own initiative.
And regardless of whether I have made this determination as a result of a complaint or through an OMI, I can now include a declaration that an entity must take specified steps — within a specified period — to ensure that certain conduct is not repeated or continued.
In addition, I will be able to seek civil penalties in the case of serious or repeated interferences with privacy, and in the case of a breach of certain credit reporting provisions.
In summary, these new powers increase the range of ways in which the Privacy Commissioner can address privacy breaches, even in the absence of a complaint from an individual.
Overall my colleagues and I at the OAIC welcome the Attorney’s announcement about these reforms that we have been expecting for some time. In our view it represents a significant step forward in privacy law reform.
In particular, the new powers will allow me to resolve major privacy investigations more effectively and ensure that privacy continues to be valued as an important human right in Australia.
They will assist me to address serious and systemic privacy violations as well as specific acts or practices of entities that breach the Privacy Act. Additionally, the power to conduct assessments will enable our office to work closely with government agencies and the private sector to achieve good privacy practices.
The strengthening of the Privacy Commissioner’s powers also sends a strong message to the community that significant consequences can arise for entities that do not give personal information an appropriate level of protection.
Privacy Awareness Week
So to wrap up, I’ll now give you a brief update on what we have been doing to mark Privacy Awareness Week, or PAW. This annual campaign by the Asia Pacific Privacy Authorities concludes today, and I must say, it has been a huge success.
This year the OAIC has been joined by 145 partners across a range of industry sectors, including Telstra; Optus; Coles; National Australia Bank; Clayton Utz Lawyers; the Department of Human Services; the ATO; social networking sites and search engines like Facebook, Yahoo!, Google Australia and New Zealand; and not-for-profits such as Diabetes Australia, as well as creative events like the Sydney Writers Festival.
Our partners have increased substantially, up from 80 last year and more than three times that of the year before. This highlights the growing importance of our work in privacy.
From publishing newsletter content, to playing our animation in foyers, and displaying our posters, all partners have committed to become involved in their own way to raise privacy awareness.
eBay, Microsoft, Google and Yahoo7, among others, are featuring our banners or buttons on their websites. Facebook has been highlighting a privacy tip of the day over the week. Bendigo & Adelaide Bank have transformed staff desktops and intranet, including by publishing daily stories and quizzes. And Microsoft hosted a ‘brown bag lunch’ where staff were invited to bring their lunch to a privacy training session.
Many government agencies have also hosted events to promote privacy.
In addition to our growing partnerships, we are also increasingly involved in social media. Our Twitter account is up and running with regular updates. We now have more than 700 followers, and we’re using Facebook to promote the campaign.
This year, we’ve been again reminding business and government agencies that they have responsibilities under the Privacy Act to protect the personal information that they collect and handle. We’ve also been encouraging individuals to exercise their privacy rights and take steps to make sure their personal information is handled appropriately.
Some of you here this morning may have been among the 180 guests from the legal, IT, banking and retail sectors at the OAIC’s business breakfast last Monday, where a panel addressed the question “what do you do when faced with a privacy breach?” We also launched our updated data breach guide.
I’m pleased to report that we had a full house, so there is obviously strong interest in this topic.
All panellists agreed that retaining consumer trust is a key issue for business: the importance of trust and its significance to protecting a brand’s integrity was a recurring theme.
One panellist affirmed that no business imperative is so important that it would override the need to protect customers’ personal information. Another argued that proper handling of a security breach builds trust, and that notifying customers about a breach and what you are doing to fix it is an important part of this.
All panellists agreed that leadership from the highest level is critical to promote a strong privacy culture in any organisation.
My colleague the Australian Information Commissioner Professor John McMillan used the occasion of this gathering to launch the 2012 edition of Data breach notification: A guide to handling personal information security breaches.
This guide was first issued in 2008 and seeks to encourage organisations holding personal information to voluntarily put in place reasonable measures to deal with data breaches — including notification of affected individuals and the OAIC.
It outlines 4 steps to consider when responding to a breach or suspected breach, and also outlines preventative measures that should be taken as part of a comprehensive information security plan.
I urge you to visit the OAIC’s website to get a copy of the new guide.
And, if you have not yet done so, please visit the Privacy Awareness Week campaign website at www.privacyawarenessweek.org. There you will find many educational resources that we encourage you to use, as well as all kinds of suggestions about how you can protect the personal information of others, as well as your own.
And on that note, I’d like to congratulate iappANZ for another successful PAW event. Thank you for inviting me to be part of it and thanks for all of your ongoing efforts to promote good privacy practice.