As foreshadowed in our Privacy Update of 20 October 2009, the Australian Government has now released an Exposure Draft and Companion Guide for the new 'Australian Privacy Principles' (the APPs). The APPs are the first part of the Government's reform of the Privacy Act 1988 (Cth) (the Act) and are designed to replace the existing Information Privacy Principles (the IPPs) and National Privacy Principles (the NPPs).
The exposure draft has been submitted to the Senate Finance and Public Administration Legislation Committee. Submissions have been invited and should be received by 27 July 2010, with the reporting date set for 21 September 2010. The Senate Committee is due to respond to the proposals by 1 July 2011. We will notify you when other components of the new Act have been released for public comment.
The new APPs are:
- APP 1—open and transparent management of personal information
- APP 2—anonymity and pseudonymity
- APP 3—collection of solicited personal information
- APP 4—receiving unsolicited personal information
- APP 5—notification of the collection of personal information
- APP 6—use or disclosure of personal information
- APP 7—direct marketing
- APP 8—cross-border disclosure of personal information
- APP 9—adoption, use or disclosure of government related identifiers
- APP 10—quality of personal information
- APP 11—security of personal information
- APP 12—access to personal information
- APP 13—correction of personal information
We will provide you with a more detailed summary of the proposed amendments at a later time, but for now we set out a brief overview of the key changes.
Definition of 'personal information'
As foreshadowed in the Government's First Stage Response (the Government Response) to the Australian Law Reform Commission Report 108 For Your Information: Australian Privacy Law and Practice (the ALRC Report), the definition of 'personal information' has been changed. It now means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not, and (b) whether the information or opinion is recorded in a material form or not.
The Exposure Draft changes the concept of 'identity' to 'identification', in order to adapt to changes in the way information that identifies an individual is collected and handled. The Companion Guide notes the new test requires 'consideration of all the means that are reasonably open for an information holder to identify an individual'.
Definition of 'Australian law'
Where collection, use or disclosure of personal information is required or authorised by law, the definition of 'Australian law' has been clarified to include a rule of common law or equity, along with any Act, regulation or any other instrument made under an Act of the Commonwealth, States or Territories.
Definition of 'misconduct'
The definition of 'misconduct' encompasses fraud, negligence, default, breach of trust, breach of duty, breach of discipline or any other misconduct in the course of duty. This is important for employers to note, as their collection, use or disclosure of personal information may be authorised where the employer has reason to suspect that misconduct of a serious nature that relates to its functions or activities has been, is being, or may be engaged in.
Definition of 'entity'
This concept refers to both agencies and organisations, and allows a single set of principles to replace the separate IPPs (which applied to agencies) and NPPs (which applied to organisations).
APP 1 – open and transparent management of personal information
APP 1 emphasises that entities should manage personal information in an open and transparent way. Under the NPPs, entities are required to take steps to ensure the individual is aware of certain aspects of the collection of personal information, usually achieved through the implementation of a privacy policy. APP 1 requires entities to have a privacy policy, which must contain specific information, including:
- how an individual may complain about an interference with their privacy and how the entity will deal with such a complaint
- whether the entity is likely to disclose personal information to overseas recipients, and
- if the entity is likely to disclose personal information to overseas recipients, the countries in which these recipients are likely to be located.
APP 2 – anonymity and pseudonymity
As was recommended in the ALRC Report and the Government Response, APP 2 states that individuals must be given the option to interact anonymously or use a pseudonym when dealing with an entity. This right is limited to circumstances where it is lawful and practicable; an entity that is required or authorised by law to deal only with identified individuals, or for which anonymity is impracticable, is not bound by it.
APP 3 – collection of solicited personal information
The collection of personal information is more flexible under APP 3 when compared with the existing regime. APP 3 permits an entity to collect personal information (other than sensitive information) if the collection of that information meets what is described in the Companion Guide as the 'functions test', ie where the information is 'reasonably necessary for, or directly related to' one or more of the entity's functions or activities. Sensitive information should only be collected where the individual has consented and the collection also satisfies the functions test. APP 3 applies only to personal information that an entity solicits; information received without solicitation is dealt with under APP 4.
The limited circumstances which exist under NPP 10.1 permitting collection of sensitive information without consent have been expanded to include collection of information for other public interest reasons, including in assisting the location of missing persons; for diplomatic or consular processes; and for war or warlike operations, peacekeeping or peace enforcement, civil aid, humanitarian assistance, medical or civil emergency or disaster relief by the Defence Force outside Australia.
APP 4 – receiving unsolicited personal information
As suggested by the ALRC Report and Government Response, the APPs include provisions relating to the collection of unsolicited personal information to ensure personal information is protected, even where the entity has done nothing to solicit the information.
APP 4 states that where an entity receives unsolicited personal information about an individual, it must determine whether or not it could have collected that information under APP 3. If the entity could have, then the other APPs apply to that information as if it had been solicited. If not, the entity must either destroy the information or ensure it is no longer personal information, for instance by redacting it.
APP 5 – notification of the collection of personal information
The requirement of notification of the collection of personal information under APP 5 differs from the current NPP 1.3 in so far as it lists a greater number of matters to be disclosed to the relevant individual at the time of collection. While this could be construed as more onerous than the existing law, the requirement to 'take such steps (if any) as are reasonable in the circumstances' to notify the individual of those matters suggests APP 5 provides greater flexibility on a case-by-case basis.
APP 6 – use or disclosure of personal information
This provision governs the use and disclosure of personal information by entities. APP 6 is based on NPP 2.1, but includes new exceptions to address matters arising by virtue of the application of this provision to both government agencies and organisations. The principle does not apply to personal information used or disclosed for direct marketing (APP 7) or where the personal information is a government related identifier (APP 9).
APP 7 – direct marketing
APP 7 places extra limitations on the ability of organisations to use or disclose personal information when undertaking direct marketing activities. Under the provision, an organisation may not use or disclose personal information for the purpose of direct marketing unless:
- the information was collected by a Commonwealth contracted service provider for the purpose of meeting an obligation under the Commonwealth contract, and the use or disclosure is necessary to meet that obligation
- in the case of sensitive information, the individual consents to its use or disclosure for the purpose of direct marketing
- in the case of non-sensitive information collected in circumstances where the individual would reasonably expect the organisation to use or disclose it for direct marketing, the organisation provides the individual with a simple means to easily request not to receive direct marketing, or
- in the case of non-sensitive information collected in circumstances where the individual would not reasonably expect it to be used or disclosed for direct marketing, the organisation obtains the individual's consent. If it is not practicable to obtain consent, the organisation must include a prominent statement in each direct marketing communication that the individual may request to no longer receive such communications. A similar statement must also be given to individuals where the information is collected from a third party.
An individual can request:
- not to receive direct marketing from an organisation
- that the organisation not use or disclose their personal information to facilitate another organisation's direct marketing activities, and
- to be told the source of the organisation's information about them.
The organisation must give effect to such requests without charge and within a reasonable period.
The notification provisions in APP 5 also apply to direct marketing, so it appears that entities will need to notify individuals when they collect personal information about them and use or disclose that information for the purpose of direct marketing. This is subject to the reasonableness test described above under APP 5.
APP 8 – cross-border disclosure of personal information
The provision expands the trans-border data flow provisions currently in NPP 9, to ensure that agencies and organisations alike with 'Australian links' (as defined in the existing Act) are held accountable for any disclosure of personal information to an overseas recipient, unless an exception applies.
APP 8 relates to a 'disclosure' of personal information, whereas NPP 9 refers to a 'transfer'. The Companion Guide suggests a 'transfer' of information implies a physical cross-border movement of personal information. Accordingly, the wording has been altered to make clear that a cross-border disclosure may occur when information is accessed by an overseas recipient, regardless of where that information is stored. In practice, giving an overseas recipient remote access to a system hosted in Australia would therefore be caught.
An Australian entity may only disclose information to an overseas recipient where it has taken reasonable steps to ensure the overseas recipient does not breach the APPs (other than APP 1). This may mean suitable arrangements, such as contractual agreements, should be made between the Australian entity and the overseas recipient.
As was suggested in the Government Response, under section 20 of the new Act an Australian entity will be accountable for the overseas recipient's acts and practices, and held liable in the event of a breach of the APPs by that overseas recipient. Exceptions to this rule include where:
- the overseas recipient is subject to a law or binding scheme which requires it to protect the personal information to a degree at least substantially similar to the APPs, and the individual has access to an enforcement mechanism
- the entity seeks and receives the consent of the individual, or
- specific exceptions to ensure that current information sharing activities of agencies are permitted (for instance, where there is information sharing under international agreements, for diplomatic or consular purposes, disclosure by the Defence Force for a number of defence purposes, or other law enforcement information sharing).
Depending on the nature of the relationship, where an Australian entity is held liable for a breach by an overseas recipient, the entity may be able to seek recourse against that recipient.
It is important to note that an Australian entity will not be held accountable for a disclosure to an overseas recipient where the entity reasonably believes the disclosure is necessary for it to take appropriate action in relation to suspected serious misconduct.
NPP 9 currently allows the trans-border transfer of personal information where the transfer is necessary for the performance of a contract between the individual and the organisation. APP 8 does not incorporate this exception. Accordingly, it may now be necessary to include in such contracts a provision by which the individual consents to the disclosure of their personal information to overseas recipients.
APP 9 – adoption, use or disclosure of government related identifiers
APP 9 prohibits organisations (not agencies) from referring to individuals within their own systems by identifiers issued by government agencies (for instance Medicare numbers and driver's licence numbers) unless authorised by law or an exception applies. APP 9 extends the current NPP 7 to regulate identifiers issued by State and Territory government agencies, although most States and Territories already had equivalent restrictions in their own statutes.
The Companion Guide states the object of this provision is to 'restrict general use of identifiers issued by government agencies and prevent such identifiers from becoming de facto national identity numbers'. It also aims to prevent data-matching by organisations which can be possible through use and disclosure of such identifiers. The Companion Guide notes the provision is not intended, however, to limit the capacity of organisations to use or disclose a government-issued identifier for the sole purpose of verifying an individual’s identity.
APP 10 – quality of personal information
APP 10 merges NPP 3 and IPP 8, requiring an entity to take steps that are reasonable in the circumstances to ensure that the personal information they collect and disclose is accurate, up-to-date and complete.
APP 11 – security of personal information
APP 11 carries forward the core obligation of NPP 4.1 and IPP 4 to take such steps as are reasonable in the circumstances to protect personal information from misuse and loss, and from unauthorised access, modification or disclosure. In addition, where an entity holds personal information about an individual which it no longer needs for any purpose for which it may be used or disclosed, and the entity is not required under law to retain the information, the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that it is no longer personal information. This principle amalgamates existing provisions in NPP 4 and IPP 4.
APP 12 – access to personal information
APPs 12 and 13 together replace the existing IPPs 6 and 7 and NPP 6. This approach differs from the Government Response, which recommended that there be one principle dealing with both access and correction.
Under APP 12, if an entity holds personal information about an individual, the entity must on request give that individual access to the information, unless it is required or authorised to refuse access under law, or another exception applies.
For instance, employers should note that an entity may not be required to give an individual access to personal information where it has reason to suspect that unlawful activity or misconduct of a serious nature that relates to the entity's functions or activities has been, is being, or may be engaged in, and giving access would be likely to prejudice the taking of appropriate action in relation to the matter.
The tension between APPs 12 and 13 and the Freedom of Information Act 1982 (Cth) (the FOI Act) in relation to agencies has not yet been fully resolved. As noted in the Government Response, it is anticipated that the new Act will provide an enforceable right to obtain access to, and correct, an individual's own personal information, rather than maintaining such a right through the FOI Act. The Companion Guide notes that, because of the current interface between the Act and the FOI Act, APPs 12 and 13 do not yet create this right. It is anticipated that such rights will be prescribed through future provisions of the new Act.
APP 13 – correction of personal information
As discussed above, this principle replaces existing IPP 7 and NPP 6. The provision provides individuals with control over their personal information by imposing an obligation on entities to correct personal information if it is inaccurate, out-of-date, incomplete or irrelevant where the individual requests the entity to correct the information.
For further information please contact:
Charles Alexander, Partner T: +61 2 9921 4826 charles.alexander@minterellison.com
Elisabeth Koster, Lawyer T: +61 2 9921 4234 elisabeth.koster@minterellison.com