In brief

  • New Australian Privacy Principles will replace the current Information Privacy Principles (for the Commonwealth public sector) and the National Privacy Principles (for the private sector).
  • Key areas impacted: privacy policies and notices, offshore activities and outsourcing, direct marketing, biometrics.
  • Submissions sought by 27 July 2010.
  • Senate inquiry into online privacy also commencing.

On Saturday, the Federal Government released its exposure draft of the new Australian Privacy Principles [1] (APPs), which will be part of a new Privacy Act (Act). The APPs are the latest step towards implementing the recommendations made in 2008’s Australian Law Reform Commission (ALRC) report, ‘For Your Information: Australian Privacy Law and Practice’. [2] We have previously reported on the ALRC’s recommendations and the Federal Government’s response made last year. [3]

The Australian Privacy Principles

Thirteen APPs will replace both the Information Privacy Principles (IPPs) (for the Commonwealth public sector) and the National Privacy Principles (NPPs) (for the private sector), although there are some areas where public and private sector obligations will differ. The collective term ‘entities’ has been introduced to cover both ‘agencies’ and ‘organisations’. The APPs appear to have more of a basis in the NPPs than the IPPs, with the effect that the changes will be more extensive for the public sector.

The APPs do not include a number of health-related provisions which may have been expected from their inclusion in the IPPs and NPPs. This is because the government is separately reviewing health privacy (and other areas referred to below) for later release. It is possible that consequential changes may be made to the APPs to reflect those other reviews.

As well as the APPs, the exposure draft includes some definitions and provisions relevant to the interpretation of the APPs.

The Australian Information Commissioner—a new position which will oversee the Privacy Commissioner from 1 November 2010—will be expected to issue guidance materials to assist entities to comply with the APPs.

Offshore data transfers and activities

Currently the Act extends to the offshore activities of private sector organisations in relation to Australian citizens and permanent residents. The exposure draft will extend this to apply to public sector agencies as well, and to protect all individuals, not just Australians.

APP 8 will regulate ‘cross-border disclosure’, where NPP 9 regulates ‘transborder data flows’. The government has sought to make it clear that:

  • there will be a cross-border disclosure where a third party offshore has access to personal information that remains in Australia, and
  • there will not be a cross-border disclosure where personal information is merely routed through servers outside Australia.

The new cross-border disclosure regime will mean that Australian entities that disclose personal information to third parties overseas will generally be liable for privacy breaches committed by those third parties—although the Australian entities may have recourse through their contracts. Some exceptions will apply—a number of which are consistent with those which currently apply under NPP 9. Notably, the exception relating to foreign laws and binding schemes will only require substantial similarity to the APPs ‘overall’. This relaxation of the requirement may go some way to opening up that exception for greater use by entities transferring personal information to other countries with robust privacy regimes.

Privacy policies and notices

The requirements for privacy policies and notices will be expanded to require additional details about matters including the following:

Privacy policies:

  • how individuals can access and seek correction of their personal information
  • complaint processes
  • cross-border disclosures

Privacy notices:

  • the fact and circumstances of data collection where not apparent
  • reference to privacy policy regarding complaint processes
  • cross-border disclosures
  • identification of specific laws or orders requiring the personal information to be collected

Direct marketing

The new principle on direct marketing applies to private sector organisations only, and is subject to the Spam Act and the Do Not Call Register Act.

Use or disclosure of sensitive information (such as health information) in connection with direct marketing will generally require consent. Where other personal information is involved, organisations will need to provide a simple and effective opt-out.

Where an organisation has collected personal information from an individual, the organisation may use and disclose that information for direct marketing where the individual would reasonably expect it. Where the individual would not reasonably expect it, or the information was collected from a third party, the organisation would need consent (unless impracticable) and would need to prominently draw attention to the opt-out.

Individuals will also have the ability to contact an organisation to:

  • opt out of third party marketing facilitated by the organisation, or
  • request the source of their personal information.

Other changes

Other notable changes from the current Act include:

  • specifically requiring entities to implement privacy compliance, for example through appropriate procedures and systems
  • allowing individuals to identify themselves by pseudonym where appropriate
  • allowing collection of sensitive information without consent by the Defence Force in connection with war, aid and certain other offshore operations
  • allowing some collection, use and disclosure of personal information (including sensitive information) in connection with missing persons or diplomatic processes
  • allowing entities to destroy or de-identify unsolicited personal information as an alternative to complying with the APPs
  • extending the exception for use and disclosure in connection with suspected unlawful activity to cover serious misconduct
  • allowing some use or disclosure of personal information in connection with alternative dispute resolution
  • extending the definition of ‘sensitive information’ to extend to certain biometric information, and
  • removing the requirement for government agencies to submit annual Personal Information Digests to the Privacy Commissioner.

Submissions invited

The APPs and their Companion Guide have been referred to a Senate Committee (Committee) for review. Submissions have been invited and should be received by 27 July 2010. [4]

The Committee’s report is due on 1 July 2011 and is also expected to consider the following components which the government plans to release in the interim:

  • consumer credit reporting reforms
  • health privacy reforms, and
  • reforms to the powers of the Australian Information Commissioner.

Some issues deferred

As previously reported, the government is deferring consideration of a number of other issues in the ALRC’s report until the ‘second stage’ of privacy reform. These issues include:

  • exemptions for small business, employee records and the media
  • privacy decision making by young people and authorised representatives
  • the Telecommunications Act privacy regime
  • the creation of a privacy right for individuals, and 
  • obligations to notify serious data breaches.

Online privacy inquiry

In a related development, a separate Senate Committee has been briefed to conduct an inquiry into the privacy of Australians online, looking at issues including public and private sector data collection activities, and social networking websites.

The online privacy report is due on 20 October 2010. Submissions are invited but a closing date has not yet been set. [5]

This article was written by Kaman Tsoi, Senior Associate, Melbourne.

Endnotes

  1. Senate Finance and Public Administration Committee – privacy reform page.
  2. ALRC Privacy Inquiry page.
  3. Freehills overview of the ALRC report (general); Freehills overview of the ALRC report (credit reporting); Freehills overview of the government’s response.
  4. Senate Finance and Public Administration Committee – information about the privacy inquiry.
  5. Senate Standing Committee on Environment, Communications and the Arts – information about the online privacy inquiry.
