Privacy Act overhaul – Be prepared

There has been significant debate recently regarding the adequacy of the Privacy Act 1988 (Cth) (the Privacy Act), particularly in light of recent high profile Australian and international privacy breaches and the impact of new technologies.

An Australian Law Reform Commission (ALRC) report in 2009 recommended significant changes to the Privacy Act.

These proposed changes will affect most public and private sector organisations.

On 23 May 2012, proposed changes to the Privacy Act were introduced to Parliament as the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Bill), which responded to many of the reforms proposed in the 2009 ALRC report.

The proposed changes to the Privacy Act in the Bill include:

• a single set of privacy principles for both the private sector and government organisations to comply with, known as the Australian Privacy Principles (APPs), which will replace the current Information Privacy Principles (for government organisations) and the National Privacy Principles (for the private sector);
• new obligations regarding the transfer of information overseas, including where information is stored with a cloud service provider located overseas and that the liability for a privacy breach will primarily lie with the transferring organisation (even if contractual provisions are in place requiring the overseas third party organisation to meet the Australian Privacy Act obligations);
• more restrictive provisions regarding the use and disclosure of personal information for direct marketing purposes;
• significantly revised provisions regarding credit reporting information; and
• greater powers for the Australian Information Commissioner to enforce the Privacy Act, including the power to conduct privacy assessments or investigations on its own accord, to accept enforceable undertakings by organisations, and to seek civil penalty orders for breaches of an individual’s privacy of up to $1.1 million.

These proposed changes will affect most public and private sector organisations. Affected businesses will need to be aware of their changing obligations and amend their existing privacy policies accordingly. In particular, businesses that meet one or more of the following criteria need to review current privacy policies in light of the changes:

• businesses that use offshore data providers;
• businesses that engage in direct marketing; and/or
• businesses that collect and use credit information.

The draft Bill is currently before the House of Representatives, and has been referred to the House Standing Committee on Social Policy and Legal Affairs and the Senate Legal and Constitutional Affairs Legislation Committee.  The Senate Committee is due to report on the draft Bill by 14 August 2012 and the House Committee is due to report back on 21 September 2012.

Hall & Wilcox will monitor the progress of the Bill and provide further updates.