
Privacy Update

Presentation by Timothy Pilgrim, Australian Privacy Commissioner to Australian Corporate Lawyers Association South Australian corporate counsel day, Adelaide Convention Centre, Friday 22 March 2013

Introduction

I would like to begin by acknowledging the Kaurna people, the traditional owners of the land on which we meet today, and to pay my respects to their elders, both past and present.

It is a pleasure to be able to talk to you this morning about the privacy law reform process. I was pleased to read in a recent edition of Lawyers Weekly that privacy reform is a chief concern for corporate counsel in 2013. As I will explain, it is important that lawyers take note of these reforms, which are due to commence in less than 12 months.

Privacy in the headlines

Much has changed in the privacy environment in the last few years. In the last 12 months we’ve seen some significant data breaches involving some well-known brands — LinkedIn, Telstra, Dell, Sony, and the hack by Anonymous of the ABC website a few weeks ago. Community interest in privacy is not going away — just in the last few weeks we have seen privacy feature in the debate around the Government’s media regulation package, with the Government also referring the Statutory Cause of Action to the ALRC for further consideration, and the issue of mandatory data breach notification remaining on the Government’s agenda.

The continuing level of public interest in privacy confirms the importance of enhancing privacy protection for individuals, and embedding privacy-by-design in ‘business as usual’ processes. Privacy issues continue to make front page news and many high profile organisations have come under public scrutiny.

To give you an idea of just how busy we have been…

In 2011–12, our office received 285 media requests, a 28% increase on the previous year. Over 90% of these enquiries related to privacy.

And in the 2011–12 financial year, the office received:

  • 1357 privacy complaints (an increase of 11% from the previous year)
  • around 9000 telephone enquiries
  • 1541 written enquiries.

Our figures from the current financial year are also showing that we are on track to receive even more complaints this year.

And it is important to note that it’s not just the OAIC that receives privacy-related complaints:

  • the Telecommunications Industry Ombudsman and the Financial Services Ombudsman each get close to 1,000 privacy specific complaints a year
  • some large Australian Government agencies also receive around 500 privacy complaints per year
  • and of course there are privacy regulators at the state and territory level, handling privacy complaints in their jurisdictions.

These figures indicate that people are actively looking to exercise their privacy rights.

Privacy is also increasingly of concern to businesses. Recent high profile data breaches not only demonstrate the importance of privacy protection to individuals, but also to businesses, particularly in terms of customer trust and reputation.

It is therefore no surprise that privacy law reform has become a priority. The passing of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 is further evidence of that, and will introduce the most significant changes in privacy regulation and compliance for over two decades.

In the short time I have with you this morning, I would like to touch on some of the key changes to the Privacy Act, how they may affect your role as a legal practitioner and your role within an organisation that handles personal information.

In particular, I will talk about the significant areas of reform:

  • the new Australian Privacy Principles (or APPs)
  • the move to more comprehensive credit reporting
  • the enhanced powers of the Commissioner

The introduction of the APPs is one of the most important law reform changes that you will need to be aware of as legal practitioners.

Australian Privacy Principles (APPs)

The 13 new privacy principles will apply to both Commonwealth agencies and private sector organisations. Under the APPs, government agencies and businesses are referred to as ‘APP entities’.

These unified principles replace the existing Information Privacy Principles (or IPPs) and National Privacy Principles (or NPPs) that apply to government agencies and businesses respectively. As lawyers you will no doubt welcome the simplicity of working with one set of principles, particularly when advising clients that provide contracted services to government.

The APPs are structured to more closely reflect the information lifecycle — from notification and collection, through use and disclosure, quality and security, to access and correction. They aim to simplify privacy obligations and reduce confusion and duplication.

I would like to discuss some details of a few APPs that will be particularly relevant to you and your clients.

APP 1 — Manage personal information in an open and transparent way

The intention of APP 1 is to promote a ‘privacy by design’ approach — to ensure that privacy compliance is included in the design of information systems and practices from inception. 

Under APP 1 an entity must take ‘such steps as are reasonable in the circumstances’ to ensure compliance with the APPs or a registered APP code that binds the entity.

According to the Explanatory Memorandum, the phrase ‘such steps as are reasonable in the circumstances’ requires an objective assessment of the specific circumstances of each case. Policies and practices under APP 1 could include:

  • training staff and communicating to staff information about the agency or organisation’s policies and practices
  • establishing procedures to receive and respond to complaints and inquiries
  • developing information to explain the agency or organisation’s policies and procedures
  • establishing procedures to identify and manage privacy risks and compliance issues.

APP 1 also requires agencies and organisations covered by the Privacy Act to have a clearly expressed and up-to-date privacy policy about the way they handle personal information. The policy must also contain certain information.

This APP is a bedrock principle for all APP entities — by complying with this APP you will be establishing a workplace culture and processes that will assist you in complying with all the other APPs, right from the start.

APP 7 — Direct marketing

The new direct marketing principle (APP 7) will replace the direct marketing provisions currently in NPP 2 on ‘Use and Disclosure’ of personal information. This principle applies to all personal information, regardless of whether it was initially collected for the purpose of direct marketing or for another purpose.

Direct marketing continues to be an area of increasing community concern, particularly in the online environment where behavioural advertising targets users according to their online activity.

In privacy research conducted by the University of Queensland last year, more than half of respondents — 56 per cent — disapproved of having advertising targeted to them based on their personal information. There is also evidence to suggest that with the growing prevalence of tracking and aggregation, some consumers are choosing not to use services due to privacy concerns.

APP 7 prohibits the use or disclosure of personal information for a direct marketing purpose, except under specific conditions. For example, if the organisation collected information from an individual and that individual would reasonably expect the organisation to use or disclose that information for direct marketing purposes then the exception applies.

However, where the individual wouldn’t reasonably expect the organisation to use or disclose the information for that purpose, or it collected the information from a third party, then the organisation would need to get the consent of the individual, unless that wasn’t practicable.

In each of these scenarios the organisation will be required to provide a ‘simple means’ for the individual to opt-out of receiving any marketing. The organisation must also generally include a ‘prominent statement’ informing the individual of the option to make such a request.

APP 7 also prohibits direct marketing using sensitive information, unless the individual has consented.

Importantly, the principle provides that individuals may ask organisations holding their personal information to stop sending direct marketing, or to stop the use and disclosure of their personal information that would allow other organisations to direct market. Individuals may also ask organisations to disclose the source of their information, free of charge and within a reasonable period.

A welcome reform for legal practitioners is the clarification in APP 7’s application. For example, the Spam Act 2003, which contains specific provisions regarding direct marketing, will displace the more general provisions under APP 7. In other words, APP 7 will be displaced where another Act specifically provides for a particular type of direct marketing or direct marketing by a particular technology. But APP 7 will still apply to organisations involved in direct marketing relating to electronic messages and other acts and practices not covered by such instruments.

APP 8 — Cross-border disclosure of personal information

APP 8 is an important new principle on the cross-border disclosure of personal information to an overseas recipient.

APP 8 requires an entity to take reasonable steps to ensure that the overseas recipient complies with the APPs, subject to limited exceptions. When looking at APP 8, s 16C of the Act should also be noted. These provisions create a framework for the cross-border disclosure of personal information where the disclosing entity remains accountable for the subsequent handling of that personal information by the overseas recipient. In some circumstances, the disclosing entity will be liable if the overseas recipient handles the information in a way that would breach the APPs.

This liability can occur even if an APP entity takes reasonable steps to ensure that the overseas recipient complies with the APPs. As I mentioned, this is subject to exceptions, such as where the organisation reasonably believes that the overseas organisation is subject to a law or binding scheme substantially similar to the APPs and there is a mechanism that allows an individual to seek redress.

This new accountability approach does not seek to prevent the cross-border disclosure of personal information. Rather the approach facilitates cross-border disclosure in a manner that ensures appropriate privacy protections are in place and that individuals will be able to seek redress if their information is mishandled. 

APP 11 — Security of personal information

APP 11 relates to an entity’s obligation to protect the personal information it holds. You will be happy to know that the obligations remain largely the same as under IPP 4 and NPP 4. However, there are some differences to note.

Under APP 11, an entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

The inclusion of ‘interference’ is new and recognises that attacks on personal information may not be limited to misuse or loss and may include interference that doesn’t amount to modification of the content or information.

According to the Explanatory Memorandum, this new element may require additional measures to be taken to protect against computer attacks and other interferences of this nature, but the requirement is conditional on steps being ‘reasonable in the circumstances’.

APP 11 also provides that an entity is required to destroy or de-identify personal information where it no longer needs the information for any purpose for which it may be used or disclosed under the APPs. This is subject to the information not being contained in a Commonwealth record, or legal requirements for the information to be retained by the entity.

To help organisations understand their information security requirements, we will be releasing a new guide that will help clarify what ‘reasonable steps’ should be taken under the Privacy Act. The guide won’t be binding, but it will send a clear message about my expectations in this area, so naturally we intend to refer to the guide when assessing compliance with the data security obligations in the Privacy Act. We are expecting to release this during Privacy Awareness Week in late April.

Credit reforms

Let me turn now to changes to credit reporting. I won’t go into a lot of detail here other than to say that the amendments will allow for more comprehensive credit reporting. The new system is designed to provide consumer credit providers with sufficient information to allow them to adequately assess credit risk while ensuring the protection of personal information to the greatest extent possible, and to encourage responsible lending.

The new system will give credit providers access to five new categories of personal information. These are:

  • the date the credit account was opened
  • the type of credit account opened
  • the date the credit account was closed
  • the current limit of each open credit account
  • repayment performance history about the individual over the previous two years

The system will be underpinned by a new industry-agreed Credit Reporting Code (called the CR Code) to be approved by the Commissioner. I have already asked the Australasian Retail Credit Association (ARCA) to do this and they are working on this now.

Commissioner’s new powers

Let’s turn now to look at the Commissioner’s new powers.

The reforms introduce enhanced powers for the Commissioner, including more power to resolve complaints, conduct investigations and promote privacy compliance. These changes will also strengthen my enforcement powers.

From the date of commencement, I will be able to conduct Performance Assessments of private sector organisations, which will consolidate the existing discretion to conduct audits of Australian Government Agencies, tax file number recipients, credit reporting agencies, credit providers and extend it to include organisations.

These assessments may be conducted at any time — an added incentive for organisations to ensure they are handling personal information in accordance with the Privacy Act at all times. I also have enhanced code making powers under the reformed Act. The code making powers allow me to approve and register enforceable codes, whether developed by entities on their own initiative, developed on request from the Commissioner, or developed by the Commissioner directly.

APP entities are able to develop written codes of practice for the handling of personal information, called APP codes, that set out how one or more of the APPs are to be applied or complied with, and the APP entities that are bound by the code.

The Act also requires the development of a code of practice about credit reporting, called the CR code. This code will set out how the Privacy Act’s credit reporting provisions are to be applied or complied with by credit reporting bodies and providers. I have asked the Australasian Retail Credit Association (ARCA) to develop this.

With regard to the privacy compliance model, the privacy reforms will provide me with additional enforcement powers for investigations that I have commenced on my own initiative — which we refer to as own motion investigations.

I will be able to make a determination, as I currently do with individual complaints lodged, accept written undertakings that will be enforceable through the courts, or apply for civil penalty orders for up to $340,000 for individuals, and $1.7 million for companies. These powers extend to certain entities’ handling of credit information, tax file number information and health information.

As I have been telling businesses and government since I became Privacy Commissioner in mid-2010, my focus will always be on resolving the majority of complaints via conciliation. 

Having said that, let’s remember that the public sector have been working with the Act for nearly 25 years and the private sector for over 12 years, so these concepts are not new. Fundamentally the principles remain the same. If we take the security principle IPP 4/NPP 4 or what will be the new APP 11 as an example, organisations are required to take reasonable steps to protect the personal information they hold. This is not a new requirement and in my view it should already be happening.

So my message to business is that while I will always seek to resolve matters via conciliation, I will not shy away from using new and existing powers where it is appropriate to do so.

Before we wrap up, I’d like to take a moment to talk you through some resources that our office is working on for you to use in your work, and the advice that we are providing.

OAIC guidance and resources

Our Office has a role to educate all organisations and agencies, as well as the community more generally, about the changes that are coming. We are doing this on a very limited budget, having received no additional funding from Government, so it is encouraging to see that a number of law firms are already producing and disseminating helpful guidance on these important changes.

We have already commenced developing guidance to assist agencies and businesses. The upcoming resources will include:

  • a comparison guide between the IPPs/NPPs and APPs
  • Guidelines on the APPs
  • revised Privacy Impact Assessment and Data Breach Notification guides.

We will be conducting targeted public consultation processes to assist us in developing this guidance. I would encourage you to contribute, so that we can arrive at guidance that is practical and meets the needs of business. One of our current consultations is on the Privacy Code Development Guidelines. The closing date for comment is Friday 12 April 2013. We welcome comments by all interested parties so I invite you to take a look on our website if you wish to contribute to the conversation.

We’ll be using our various existing communication channels to get the word out and if you haven’t already, I encourage you to sign up with the Privacy Connections Network, our network for private sector privacy professionals.

Reference to our resources will be essential when advising clients on what the new law requires, and what changes clients need to make to their personal information handling policies and practices.

To ensure compliance, businesses and government agencies need to start thinking now about what these changes mean.

Some key issues that lawyers should be raising with clients include:

  • the review and updating of privacy policies and notices
  • outsourcing arrangements, particularly if these involve the disclosure of personal information outside Australia
  • the circumstances where personal information can be used for direct marketing or credit reporting purposes, or sent overseas
  • direct marketing practices, including the availability of ‘opt out’ mechanisms.

Privacy Awareness Week 2013

On a final note — every year, we celebrate Privacy Awareness Week (or PAW) as part of the Asia Pacific Privacy Authorities forum initiative to promote the importance of protecting personal information and data security in the information age. In 2013 PAW will be held from 28 April to 4 May. With such a large number of changes imminent, this is also a great time for you to get involved.

During the week, the federal Attorney-General will launch our new Guide to Information Security at a business breakfast in Sydney.

We also invite you to become a PAW partner. Last year we had over 140 partners, almost double the number of partners we had in the previous year. This is a non-financial arrangement and it’s a great way to show your stakeholders the commitment your firm places on good privacy practice. More information about getting involved is available on our website.

Conclusion

I will conclude by saying that it is an exciting time to be working in the privacy field — the large scale of these reforms presents interesting challenges and opportunities for all of us as privacy laws are brought up to date with technology and contemporary international approaches to privacy regulation. It also means that it is more important than ever for organisations to be vigilant when handling personal information.

I’m certain that this will be a busy year for all of us. It’s been a pleasure speaking to you all this morning and I hope that you will join us in getting the message out about the challenges and opportunities that the privacy reforms present. Thank you.