Bills Digest no. 20 2012–13
PDF version [811KB]
WARNING: This Digest was prepared for debate. It reflects the legislation as introduced and does not canvass subsequent amendments. This Digest does not have any official legal status. Other sources should be consulted to determine the subsequent official status of the Bill.
Mary Anne Neilsen
Law and Bills Digest Section
7 November 2012
This Digest replaces an earlier version dated 18 September 2012 as the original version did not deal with the credit reporting provisions of the Bill. This revised Digest incorporates discussion on all elements of the Bill.
Contents
Purpose
Background
Financial implications
Main issues and key provisions
Concluding comments
Date introduced: 23 May 2012
House: House of Representatives
Portfolio: Attorney-General
Commencement: Various dates as set out in the table in clause 2 of the Bill. The majority of the new provisions have a deferred commencement of nine months from the day after the Bill receives the Royal Assent.[1]
Links: The links to the Bill, its Explanatory Memorandum and second reading speech can be found on the Bill’s home page, or through http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation. When Bills have been passed and have received Royal Assent, they become Acts, which can be found at the ComLaw website at http://www.comlaw.gov.au/.
The purpose of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (the Bill) is to amend the Privacy Act 1988 and various other Acts to implement the Government’s first stage response to the 2008 Australian Law Reform Commission report, ‘For Your Information: Australian Privacy Law and Practice’ (ALRC report).
Amongst the numerous amendments, the Bill amends the Privacy Act to:
- create the Australian Privacy Principles (APPs), a single set of privacy principles applying to both Commonwealth agencies and private sector organisations
- re-write the credit reporting provisions and introduce more comprehensive credit reporting
- introduce new provisions on privacy codes and the credit reporting code and
- clarify and strengthen the functions and powers of the Privacy Commissioner.
Privacy law in Australia is a complex and often contradictory mix of Commonwealth, state and territory statutes, as well as judgments, covering areas including telecommunications, medical research and personal health data, national security, journalism and workplace surveillance.
Central to the federal information privacy regime is the Privacy Act 1988 (the Privacy Act).
The Privacy Act regulates the handling of personal information. In its original form in 1988 the Act applied exclusively to the Commonwealth public sector and set down detailed Information Privacy Principles (IPPs). These IPPs are based on the Organisation for Economic Co-operation and Development (OECD) Guidelines of 1980 on the protection of privacy, to which Australia is a signatory. They cover methods used to collect personal information, storage and security of personal information, notice of existence of record systems, access of individuals to their own records, accuracy and completeness of personal information and use of personal information and disclosure to third parties. The Privacy Act was amended shortly after its enactment to deal with government data-matching activities and the activities of credit providers and was also extended to cover the Australian Capital Territory public sector. The inclusion of rules for credit providers and credit reporting agencies was the first occasion on which the Privacy Act extended to the private sector.
In 2000, substantial amendments were made to the Privacy Act which brought much of the private sector within the ambit of the Act. These amendments established a separate set of privacy principles, known as the National Privacy Principles (NPPs) which were to apply to private sector organisations covered by the Act.[2]
The NPPs contain a number of departures from the IPPs. These are most apparent in relation to the treatment of direct marketing uses of information, issues regarding anonymity, the use of common identifiers, transborder data flows and the use of sensitive and health information.
The Privacy Act applies to acts and practices, that is acts done and practices engaged in, by agencies or organisations. The Privacy Act also includes a wide range of exemptions and exceptions for particular acts and practices and they are found throughout the Act, in the definition of some terms, in specific exemption provisions, and in the IPPs and NPPs themselves. Some of these exemptions, such as the small business exemption, the political party exemption, the employee record exemption, exemptions relating to journalists and members of parliament were controversial when introduced in 2000 and have remained so since then.
Privacy law reform in Australia has been a long and protracted process with a plethora of reviews and inquiries being undertaken over the last ten years.[3] The major review and the one providing greatest impetus for this Bill was the 28 month inquiry undertaken by the Australian Law Reform Commission (ALRC) at the request of the then Australian Government on 30 January 2006, culminating in the 2700 page report, For Your Information: Australian Privacy Law and Practice, provided to the Government in May 2008.[4] The terms of reference for this inquiry directed the ALRC to focus on the extent to which the Privacy Act and related laws continue to provide an effective framework for the protection of privacy in Australia.[5]
The breadth of the subject matter covered in this inquiry required the ALRC to undertake the largest community consultation program in its 33 year history.[6] The ALRC report made 295 recommendations to improve privacy protection in Australia in the following key areas:
- redrafting and reconstructing the Privacy Act and privacy principles to achieve significantly greater consistency, clarity and simplicity
- unification of the privacy principles for the public and the private sector into one single set of principles
- structuring privacy regulation to follow a three-tiered approach: high level principles of general application; regulation and industry codes detailing the handling of personal information in certain specified contexts; and guidance provided by the Privacy Commissioner dealing with operational matters and providing explanations
- adoption of a common approach to privacy in all jurisdictions in order to overcome confusion and uncertainty, including the establishment of an intergovernmental cooperative scheme
- updating of key definitions, including the definitions of 'personal information', 'sensitive information' and 'record’
- improvements to complaint handling
- rationalisation and clarification of exemptions from, and exceptions to, the requirements of the Privacy Act
- restructuring of the Office of the Privacy Commissioner and strengthening of the role of the Privacy Commissioner
- implementation of a data breach notification process
- more comprehensive credit reporting requirements
- promotion of national consistency in relation to health information
- provision of a 'Cross-Border Data Flows' principle to ensure accountability for personal information transferred offshore and
- provision in federal legislation for a statutory cause of action for a serious breach of privacy.[7]
In addition to the recommendations, the ALRC also provided eleven Unified Privacy Principles (UPPs). The ALRC noted that:
These model UPPs are merely indicative of how the privacy principles in the Act may appear if the ALRC's relevant recommendations were to be implemented. The ALRC anticipates that, if its recommendations are accepted, the Australian Government will instruct the Office of Parliamentary Counsel to draft the new privacy principles using the ALRC's recommendations as a template, rather than simply adopting the ALRC's model UPPs in their current form.[8]
When the ALRC report was released in May 2008, the Australian Government committed to responding in two stages. The first stage response addressed 197 of the 295 recommendations[9] with the then Cabinet Secretary and Special Minister of State, Senator Joe Ludwig stating:
The Government will outline a clear and simple framework for privacy rights and obligations and build on its commitment to trust and integrity in government. The Government will:
- create a harmonised set of Privacy Principles which will replace the separate sets of public and private sector principles at the federal level, untangling red tape and marking a significant step on the road to national consistency;
- redraft and update the Privacy Act to make the law clearer and easier to comply with;
- create a comprehensive credit reporting framework which will improve individual credit assessments, complimenting the Government’s reforms to responsible lending practices;
- improve health sector information flows, and give individuals new rights to control their health records, contributing to better health service delivery;
- require the public and private sector to ensure the right to privacy will continue to be protected if personal information is sent overseas; and
- strengthen the Privacy Commissioner’s powers to conduct investigations, resolve complaints and promote compliance, contributing to more effective and stronger protection of the right to privacy.[10]
The Cabinet Secretary also indicated that once the first stage reforms had progressed the remaining 98 recommendations would be considered, although he also acknowledged that these remaining recommendations were the more controversial and difficult:
These recommendations include sensitive and complex questions around the removal of exemptions and data breach notices. To strike the right balance, reforms in these areas will require extensive consultation and input.[11]
The Bill and the relevant exposure drafts that preceded it have been subject to considerable consultation and scrutiny by parliamentary committees.
The first tranche of the Government’s stage one response consisted of an exposure draft of Australian Privacy Principles released on 24 June 2010. This draft was referred to the Senate Finance and Public Administration Legislation Committee for inquiry and the report was released in June 2011.[12]
On 2 January 2011, as part of the second tranche of the Government’s stage one privacy reform the Government released an exposure draft of credit reporting provisions. This was referred to the Senate Finance and Public Administration Legislation Committee for inquiry, and on 6 October 2011 the Senate Committee released its report.[13]
After its introduction into Parliament on 23 May 2012, the Bill was referred to the House of Representatives Standing Committee on Social Policy and Legal Affairs (the House Committee) for inquiry. The report was tabled on 17 September 2012.[14] The Committee made three recommendations:
- that the House of Representatives pass the Bill
- that the Attorney-General conducts a review of the operation of certain aspects of the Bill, one year after it commences, and
- that the Attorney-General ensures that ‘comprehensive educational material on the new privacy protections and obligations is available prior to commencement’ of the Bill.[15]
On 19 June 2012 the Senate also referred the Bill for inquiry and report to the Senate Legal and Constitutional Affairs Legislation Committee (the Senate Committee). [16] The report was tabled on 25 September 2012.[17] The Senate Committee made 21 recommendations, with further recommendations set out in the additional comments made by the Coalition Senators and the Australian Greens.[18] In common with the House Committee, the Senate Committee recommended that comprehensive educational materials be available before the legislation commences.[19] Ultimately, the Senate Committee recommended that the Senate pass the Bill, subject to its recommendations. The major recommendations in the Senate Committee’s report are discussed further in the Main issues and key provisions section of the Bills Digest below.
As noted above, the various Parliamentary committee inquiries into the Bill and the previous exposure drafts have provided abundant opportunity for stakeholder analysis and commentary. The following extracts represent a small selection of some of the more general comments made in submissions. More specific comment is provided in the Main issues and key provisions section of the Bills Digest below.
The Australian Privacy Foundation is critical of the Bill, arguing that the Government has ‘cherry picked’ the ALRC’s recommendations and brought forward too many that are unfriendly to privacy, and ignored many of the ALRC’s better recommendations.[20]
It states:
The Government claims there is another privacy reform Bill, the one containing all the hard bits, just over the horizon, but within the lifespan of the current government. After a four year wait for the first Bill, it is hard to take that claim seriously. This is the Parliament’s ‘once in lifetime’ chance to adopt meaningful and overdue privacy reforms, and it should make sure all necessary reforms are included in the Bill.[21]
In relation to the proposed APPs, the Australian Privacy Foundation argues these principles are weaker than the ALRC’s proposed UPPs and the current IPPs and NPPs, and unless significantly improved will lead to an overall reduction in privacy protection. It states:
Regrettably the Government has gone backwards instead of forwards in terms of modernising the principles, and seems to have been unduly influenced by both business and agency interests, to the detriment of the interests of the citizens and consumers that the Privacy Act is intended to protect. In the case of government agencies, a raft of changes have been ‘slipped in’ at the last minute to avoid some agencies having to rigorously apply well-designed existing exceptions.[22]
The OAIC, while supporting the Bill, including the creation of the APPs, as an important step towards achieving the reform objectives, suggests there remains further scope for the simplification, clarification and enhancement of the privacy framework.[23]
In particular, the OAIC notes the importance of having a single set of high-level principles for the public and private sectors which promote national consistency and minimise complexity. It argues that exceptions from the APPs for particular agencies increases the fragmentation of obligations between different sectors and entities and adds complexity to the principles.[24] The OAIC view is that where an exception is required for the specific personal information handling activities of agencies, this is more appropriately addressed in the agencies’ enabling legislation (thereby, bringing the information handling activity within the ‘required or authorised by law’ exception that exists in each of the relevant APPs).[25]
The Victorian Privacy Commissioner states that while much of the Bill is generally welcomed (such as the increased powers given to the OAIC) some of the changes, in conjunction with the complexity of the APPs, may prohibit the workability of the Bill and detract from the Bill’s ultimate aim, which is to enhance the privacy protection of Australians.[26]
The Commissioner states that listing exceptions that relate solely to Commonwealth agencies is problematic when expressly included in the APP itself, as this reduces the simplicity, lucidity and ‘high-level’ nature of the APPs. Furthermore, these agency-specific exceptions will have little, if any, utility if and when the APPs are incorporated into state or territory legislation. A better approach would be to draft high-level, simple, lucid principles, which could equally apply to Commonwealth, state or territory public sector agencies, local councils or private sector organisations.[27]
The Law Council welcomes the updating of the privacy regime and sees this as a good opportunity to address some of the shortcomings of the current legal framework as well as to harmonise provisions. However the Council sees some scope for improvement.[28]
Amongst its recommendations, the Law Council of Australia submits that the simple language and structure contained in the current NPPs has been replaced with a more verbose and complex set of principles. The Committee submits that the structure and drafting of the APPs should be reviewed with the aim of reverting to the simpler drafting style of the NPPs. That structure and language is based on and referable to the Organisation for Economic Cooperation and Development (OECD) Guidelines for the Protection of Privacy and Transborder Flows of Personal Data, which have been used as the basis for relevant provisions at state and territory and international levels. The Law Council considers that the proposed APPs are difficult to interpret and therefore less accessible to privacy practitioners, regulated organisations, consumers and ordinary members of the public.[29]
The Law Council also notes that the Bill retains a distinction between ‘agencies’ and ‘organisations’ in the application of some of its provisions. While the Council understands this is necessary in some contexts, it views some of these distinctions as unnecessary and undesirable.[30]
The Australian Direct Marketing Association (ADMA), while supporting the overall thrust of the Bill has specific concerns. Taking into account the current rapid pace of technological change, ADMA argues that it is essential that any privacy regime adopted in Australia should be technology neutral to ensure longevity and ‘sufficiently balanced so that it achieves the stated objective of enhancing privacy protection whilst avoiding undue restrictions that would hinder Australia’s ability to be a leading digital economy’. ADMA believes this balance is not currently achieved with the drafting in the Bill.[31]
ADMA argues the failings in the Bill are largely due, firstly, to developments in technology since the time when the privacy review commenced, and secondly to the fact that the Bill has attempted to introduce specific rules for certain activities (for example, direct marketing).
The Explanatory Memorandum states that the Bill will have no significant impact on Commonwealth expenditure or revenue.[32]
The Bill has a complex structure and effect, with six Schedules amending substantial parts of the existing Privacy Act and other legislation. While two Schedules deal with separate ‘jurisdictions’ within the Privacy Act (information privacy generally (in Schedule 1) and credit reporting (in Schedule 2))— some of the associated changes in relevant processes and definitions are contained in other Schedules (primarily Schedule 4). Schedule 3 creates a new Part dealing with Codes, moving and revising provisions previously in two separate Parts of the Privacy Act, while Schedule 4 deals also with investigations, enforcement, powers and functions of the Privacy Commissioner.[33]
Schedule 1 of the Bill amends the Privacy Act to include the new Australian Privacy Principles (APPs). The APPs will underpin the privacy protection framework of the Privacy Act and will replace the Information Privacy Principles (IPPs), which currently apply to Commonwealth agencies, and the National Privacy Principles (NPPs), which currently apply to certain private sector organisations. As with these former principles, the APPs will regulate the collection, holding, use and disclosure of personal information. The APPs will be set out in a separate Schedule to the Privacy Act (described below at pages 17 to 30).
Many of the amendments proposed in Schedule 1 of the Bill either replace or modify existing definitions in the Privacy Act or insert additional definitions to deal with new terms. A few of the key definitions are described below. Others are referred to at relevant points throughout this part of the Bills Digest.
Item 6 proposes to insert a definition of ‘APP entity’ into subsection 6(1) of the Privacy Act. An APP entity means an agency or organisation. The existing definitions of agency and organisation will continue to apply.[34]
As already noted, currently under the Privacy Act, the IPPs apply to Commonwealth agencies, while the NPPs apply to certain private sector organisations. Under the amendments in the Bill, both agencies and organisations will be regulated by the APPs. It is therefore necessary to include a definition that includes both types of entities.[35]
Item 21 inserts a definition of ‘entity’ into subsection 6(1) of the Privacy Act. An ‘entity’ means an agency, organisation or small business operator. Note that in contrast to the definition of ‘APP entity’ an ‘entity’ is defined to also include a small business operator. The term ‘entity’ rather than ‘APP entity’ is mainly used in Part IIIA of the Privacy Act. Generally, while the APPs will not apply to small business operators, they may be regulated under provisions related to credit reporting (proposed Part IIIA).
The terms ‘APP entity’, ‘entity’, ‘agency’ and ‘organisation’ underpin much of the Privacy Act and determine its scope.
The Privacy Act regulates the collection, use and disclosure of personal information. Item 36 of Schedule 1 of the Bill will update the definition of ‘personal information’ in subsection 6(1) of the Act to mean ‘information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual’. This amendment reflects the Government’s response to ALRC Recommendation 6–1.
The current definition refers to ‘an individual whose identity is apparent, or can reasonably be ascertained’. The new definition will use the terms ‘identified’ and ‘reasonably identifiable’.
In agreeing with the ALRC Recommendation regarding the definition of personal information, the Government has also indicated a need for OAIC guidance about the meaning of these new terms.[36]
The proposed definition is fine-tuning that does not significantly change the scope of what is considered to be personal information.
The Privacy Act distinguishes between ‘personal information’ and ‘sensitive information’, the latter being a subset of the former and requiring more stringent protection. ‘Sensitive information’ was a term introduced in the 2000 amendments and is defined in subsection 6(1) to mean information or an opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record, or health or genetic information.
Item 42 in Schedule 1 of the Bill will amend this definition of ‘sensitive information’ by adding references to biometric information and biometric templates. This is a response to ALRC Recommendation 6-4. The Government agreed with the ALRC that biometric information had similar attributes to other sensitive information and it was therefore desirable to provide it with a higher level of protection.[37]
Item 82 is a central provision in Schedule 1 of the Bill. It repeals Divisions 2 and 3 of Part III of the Privacy Act, the divisions that provide for the application of the IPPs, the NPPs and approved privacy codes. Item 82 also inserts proposed new Division 2 of Part III into the Privacy Act which deals with the Australian Privacy Principles. The new Division consists of proposed sections 14 to 16C.
Proposed section 14 entitled Australian Privacy Principles is a sign-post provision. It refers the reader to Schedule 1 of the Privacy Act where the Australian Privacy Principles (APPs) are to be set out (inserted by item 104 of Schedule 1, which is discussed below).
Proposed section 15 provides the general rule that an APP entity must not do an act, or engage in a practice, that breaches an AAP. Proposed sections 16A and 16B set out the situations which do not breach the APPs and are described below.
Proposed section 16A creates the concept of a ‘permitted general situation’, which effectively creates exceptions to the obligations in relation to the collection, use or disclosure of personal information. The section is set out in tabular form and lists the particular entities, the type of information, and other specified conditions that need to be satisfied to come within the ‘permitted general situation’ concept. For example:
- an APP entity may collect, use or disclose personal information or a government related identifier[38] without breaching the APPs where:
– it is unreasonable or impracticable to obtain the individual’s consent and the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to life, health or safety of an individual or to public health and safety or
– there is reason to suspect there is unlawful activity or serious misconduct[39] relating to the entity and the entity reasonably believes that the collection, use or disclosure is necessary in order to take appropriate action in relation to the matter.
- an APP entity may collect, use or disclose personal information without breaching the APPs where:
– the entity reasonably believes it is necessary to assist in locating a person reported missing, providing this is in keeping with any rules made by the Privacy Commissioner on this matter under proposed subsection 16A(2).
- an agency (as opposed to an APP entity) may collect, use or disclose personal information without breaching the APPs where:
– the agency reasonably believes it is necessary for the entity’s diplomatic or consular functions or activities.
- the Defence Force may collect, use or disclose personal information without breaching the APPs where it reasonably believes it is necessary for its overseas operations.
Several submissions commented on proposed section 16A and question why these exceptions have been set apart from the APPs, arguing that this style of drafting detracts from the clarity of the law.[40] To address these concerns, the Senate Committee recommended that notes should be inserted in the APPs to refer to sections 16A and 16B (discussed below) as appropriate.[41]
Another criticism of section 16A relates to the agency specific exceptions. The Victorian Privacy Commissioner argues that the exception relating to an entity’s diplomatic or consular functions or activities is of serious concern, as it will ‘effectively completely exempt the Department of Foreign Affairs and Trade from the APPs’:
Given the existence of several other provisions including proposed APP 6.2(b), which would allow DFAT to use or disclose any personal information where the use or disclosure is required or authorised by or under an Australian law, no compelling case has been made for a further exception of such extraordinary breadth.[42]
The Senate Committee agreed that the phrase ‘diplomatic or consular functions or activities’ needs clarification and recommended that the Explanatory Memorandum be revised to ‘explain the intended scope and application of [that] exception’.[43]
Proposed section 16B creates the concept of a ‘permitted health situation’ and allows the collection, use and disclosure of health information in certain situations despite the APPs. The 2000 reforms to the Privacy Act included specific protections regarding the collection, use and disclosure of health information. These protections will continue but have been re-drafted and consolidated in proposed section 16B and also in APP 6.2 (see below). The protections are essentially the same as the existing ones. For example:
- an organisation may collect health information about an individual if the information is necessary to provide a health service to the individual and either:
– the collection is required by or authorised under Australian law or
– it is collected in accordance with certain rules established by competent health or medical bodies.
The reader is referred to the Explanatory Memorandum for a further description of ‘permitted health situations’.[44]
Proposed section 16C relates to the responsibilities of APP entities regarding the treatment of cross‑border data flows. It is significant in that it aims to make an APP entity more accountable when disclosing personal information to an overseas recipient. Its effect is that an APP entity disclosing personal information to an overseas recipient would in some cases be liable for the acts and practices of an overseas recipient who breaches the APPs.
The section complements APP 8, which imposes a positive requirement on APP entities to take reasonable steps to ensure an overseas recipient will protect personal information consistent with the APPs prior to any cross-border transfer occurring. More information about the operation of APP 8 is included below.
Several submissions expressed concern that this section, which aims to make an APP entity more accountable, in fact places too onerous an obligation on the entity transferring the data with respect to the acts of the data recipient.
The Law Council’s position is that proposed section 16C should be redrafted to provide that, where an entity has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information in a manner which is inconsistent with the APPs, that entity should not be liable for any acts done, or practices engaged in, by the overseas recipient in relation to that information.[45]
Further comment is provided under APP 8 below.
Item 104 repeals existing Schedules 1 and 3 of the Privacy Act and inserts a new Schedule 1 containing the 13 Australian Privacy Principles (APPs). Most of the APPs are based to some extent on the existing IPPs and NPPs. The following is a summary of the APPs.
APP 1—open and transparent management of personal information
APP 1 sets out general principles that require APP entities to manage personal information in an open and transparent way. Amongst other things, an APP entity must have procedures and systems in place that are reasonable in the circumstances to enable compliance with the APPs. It must also have an up-to-date APP privacy policy that is clearly expressed and readily available (usually on the entity’s website). The privacy policy must contain information about the kinds of information the entity collects, how the information is collected and the purposes for collection. Significantly the entity must also include information as to whether it is likely to disclose personal information to overseas recipients and, if so, the countries in which such recipients are likely to be located, but only if it is practicable to specify those countries.
APP 1 is based on NPP 5. There is no equivalent IPP.
The Australian Privacy Foundation suggests that the qualification ‘only if practicable’ in relation to specifying overseas recipients of personal information is too subjective and is likely to lead to many entities not including this important information.[46] The Australian Privacy Foundation and other submitters to the Senate inquiry make the point that, in the context of APP 8, disclosure of the countries in which recipients will be (or might be) located should always be required. They argue that if an organisation does not know (or is not willing to say) where personal information is going, it should not send it there.[47]
APP 2 requires that where it is lawful and practicable, individuals must have the option of not identifying themselves when dealing with an APP entity in relation to a particular matter. This includes the use of cloaking devices such as pseudonyms which provide ‘pseudonymity’. It is the equivalent of NPP 8. There is no equivalent of APP 2 in the IPPs.
APP 3—collection of solicited personal information
APP 3 sets the standard for collection of personal information by APP entities. The standards are different for agencies and organisations.
An APP entity that is an agency must only collect personal information (other than sensitive information) that is reasonably necessary for or directly related to one or more of its functions or activities (APP 3.1).
An APP entity that is an organisation must only collect personal information (other than sensitive information) that is reasonably necessary for the entity’s functions or activities (APP 3.2).
In relation to ‘sensitive information’ an APP entity must only collect the information if the individual consents to the collection, and
- if the entity is an agency, the information is reasonably necessary for or directly related to one or more of its functions or activities or
- if the entity is an organisation, the information is reasonably necessary for one or more of its functions or activities (APP 3.3).
APP 3.4 provides for additional exceptions to the general rule about collection of sensitive information. For example an APP entity may collect sensitive information without consent where it is required or authorised by, or under, Australian law or a court/tribunal order; in permitted general situations (proposed section 16A); in permitted health situations (proposed section 16B); and in cases where an enforcement body[48] reasonably believes that the collection of the information is reasonably necessary for one or more activities conducted by an enforcement body. In the case of the Immigration Department (to be defined as an enforcement body[49]) the collection must be reasonably necessary for or directly related to its enforcement related activities.
APP 3.5 and 3.6 deal with the method of collection of personal information and provide that an APP entity must collect the information only by lawful and fair means and it must be collected directly from the individual concerned unless certain circumstances apply (for example where it is unreasonable and impractical to do so).
The Law Council and numerous other submitters to the Senate inquiry into the Bill question the reasoning for the two different tests in APP 3 for agencies and organisations and ask why there is a need for the additional words ‘directly related to’ with respect to agencies (APP 3.1–APP 3.3).
The Explanatory Memorandum states that the ‘directly related to’ test reflects the test in the current IPP 1 and is necessary because ‘... there may be agencies that need to collect solicited personal information in order to carry out legitimate and defined functions or activities, but may not be able to meet the ‘reasonably necessary’ test. While the ‘directly related to’ test may [...] be a slightly lower threshold, agencies are subject to a wider range of accountability mechanisms [...]’.[50]
The Law Council does not see how it can be reasonably necessary for one or more of an agency’s functions or activities to collect personal information without that collection also being directly related to that agency’s functions or activities.[51]
The OAIC also considers the different standards that apply to agencies and organisations in relation to the collection of personal information in APP3 are unnecessary. It believes that a requirement that the collection be ‘necessary’ is sufficient for both agencies and organisations.[52]
The OAIC considers that if there are situations where agencies are required to collect personal information that do not meet the ‘reasonably necessary’ test and no exception applies, then other alternatives to authorise the collection, such as the inclusion of provisions in the relevant agency’s enabling legislation or the Commissioner’s power to make a Public Interest Determination are preferable.[53]
Accordingly the OAIC recommends removing the words ‘directly related to’ from APP 3.1, APP 3.3(a)(i) and APP 3.4(d)(i). The OAIC considers that this would reduce complexity and ensure that appropriate and consistent information handling practices apply to both agencies and organisations, while reflecting the ALRC’s recommendation and the Government’s first stage response.[54]
‘enforcement body’
Several submissions to the Senate inquiry, including that of the OAIC, commented on the expansion of the definition of enforcement agency to include the Immigration Department and the impact this has on that Department’s ability to collect sensitive information. The OAIC, while noting that the Immigration Department was not included as an enforcement body in the exposure draft APPs, understands that the Department has been included as an enforcement body to address its concerns about its ability to handle ‘sensitive information’.[55]
As the OAIC argues, the Immigration Department would appear to be of a different character to the other agencies included within the definition of an ‘enforcement body’, in the sense that its usual activities are not of an enforcement related nature. Accordingly, the OAIC believes that the Immigration Department’s concerns are more appropriately addressed in enabling legislation, or alternatively under the Commissioner’s power to make a Public Interest Determination. The OAIC recommends that the Immigration Department be removed from the definition of ‘enforcement body’.[56]
To address concerns surrounding the inclusion of the Immigration Department as an enforcement body, the Senate Committee recommends that the Explanatory Memorandum is revised and reissued:
to clearly explain the enforcement-related functions and activities of the Department of Immigration and Citizenship, as justification for the classification of the 'Immigration Department' as an 'enforcement body'.[57]
APP 4 deals with the treatment of unsolicited personal information that an APP entity receives. There is no current IPP or NPP equivalent to APP 4.
APP 4.1 provides that when unsolicited information is received an AAP entity must, within a reasonable period, determine whether or not it could have collected the information in accordance with the collection rules in APP 3. Where this is the case then the other APPs apply to that personal information in the same way as if it had been solicited.
APP 4.3 provides that if an entity determines it would not have been permitted to collect the personal information under APP 3, and if the information is not contained in a Commonwealth record[58], then the entity must take steps as soon as it is reasonably practicable to either destroy the information or de-identify it so that it is no longer personal information.
APP 5 sets out the obligation for an APP entity to ensure that an individual is aware of certain matters when the entity collects that individual’s personal information.
APP 5.1 creates the general requirement for an APP entity to take such steps as are reasonable in the circumstances to provide notification of collection. APP 5.2 lists the specific matters which the individual must be notified about. These include contact details of the APP entity; whether information has been collected from a third party or under an Australian law or court/tribunal order (and details about that collection); the purpose of the collection; complaint-handling and access/correction information in the APP entity’s privacy policy; disclosure information, including to overseas recipients; and the consequences of not collecting the information. The matters set out at APP 5.2 are generally matters currently listed in IPP 2 and NPP 1.APP 6—use or disclosure of personal information
APP 6.1 sets out the circumstances in which entities may use or disclose personal information that has been collected or received. This APP is based on IPPs 10 and 11, and NPPs 2 and 10.
If an APP entity holds personal information about an individual that was collected for a particular purpose (a primary purpose), the entity must not use or disclose it for another purpose (a secondary purpose) unless:
- the individual has consented to the use or disclosure or
- the use or disclosure of the information falls within the exceptions in APP 6.2 or APP 6.3.
These exceptions include:
- where the secondary purpose is related to the primary purpose and the individual would reasonably expect it to be used for that secondary purpose (note: in the case of sensitive information the secondary purpose must be ‘directly related’ to the primary purpose, although the difference between ‘related’ and ‘directly related’ is not defined in either the Bill or the Explanatory Memorandum)
- where required or authorised by, or under, Australian law or a court/tribunal order
- in permitted general situations as set out in proposed section 16A
- in the case of organisations, in permitted health situations as set out in proposed section 16B and
- where an ‘APP entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body’.
APP 6.3 provides that an agency will be allowed to disclose biometric information or templates if the recipient is an enforcement body and the disclosure is conducted in accordance with the guidelines made by the Commissioner.
APP 6.4 provides that, if an APP entity collects health information about an individual for certain research purposes under subsection 16B(2), that entity must take such steps as are reasonable in the circumstances to de-identify that information before it uses or discloses the information under APP 6.1 or 6.2.
APP 7 provides a separate principle dealing specifically with direct marketing. Currently there are obligations regarding direct marketing in NPP 2 but no obligations in the IPPs.
APP 7 continues the current arrangement of applying to the private sector. Agencies are not covered except in cases where they are engaging in commercial activities.[59]
APP 7.1 will prohibit direct marketing by organisations, subject to specific exceptions set out in APP 7.2-7.5. These exceptions to the prohibitions include the following:
- an organisation may use or disclose personal information (other than sensitive information) for direct marketing if:
– the organisation collected the information from the individual, and the individual would reasonably expect the organisation to use the information for direct marketing, and the organisation has provided a simple means by which the individual can request not to receive direct marketing; and the individual has not made such a request (APP 7.2)
- where the individual would not reasonably expect his or her personal information to be used for direct marketing or where the information has been collected from a third party, the exception to the rule against direct marketing will be narrower. In these cases an organisation may use or disclose that information for direct marketing only if:
– the individual has consented, or it is impracticable to obtain consent
– the organisation has provided a simple means to opt out and the individual has not opted out
– in each direct marketing communication, the organisation includes a statement or draws the individual’s attention in some other way to the fact that he or she may request to no longer receive direct marketing and
– the individual has not made such a request (APP 7.3)
- where an individual has provided sensitive information to an organisation:
– it will be necessary for the organisation to obtain the individual’s consent before using that information for direct marketing purposes (APP 7.4).
APP 7.6 and APP 7.7 apply to organisations that either use or disclose personal information for the purposes of direct marketing, or for the purpose of facilitating direct marketing by other organisations. APP 7.6 provides that individuals may ask organisations who hold their personal information to stop sending direct marketing or to not disclose their personal information to other organisations for the purposes of direct marketing. They may also ask organisations to disclose the source of the information. Organisations must comply with such requests free of charge within a reasonable period. They need not comply with requests to disclose the source of information if it is impracticable or unreasonable to do so.[60]
APP 7.8 provides that the direct marketing rules in APP 7 will be displaced where another Act (such as the Do Not Call Register Act 2006 or the Spam Act 2003) specifically provides for a particular type of direct marketing or direct marketing by a particular technology.
Several submissions to the Senate inquiry, including those from the Australian Privacy Foundation and the Victorian Privacy Commissioner, argue that this principle should apply to both agencies and organisations on the grounds that the boundaries between private and public sectors are increasingly blurred, and government agencies are now commonly undertaking direct marketing activities.[61]
Other submissions, including those from the Law Council and several direct marketing bodies, including the Australian Direct Marketing Association (ADMA) are concerned that the drafting of
APP 7 in relation to the prohibition on the use or disclosure of personal information by organisations for direct marketing purposes may result in confusion.
The submissions note that the structure of APP 7 is a blanket prohibition on direct marketing, followed by a list of exceptions under which direct marketing is permitted. In contrast, the structure of APP 6 is to prohibit use and disclosure of personal information unless certain circumstances apply. In other words APP 6 is more permissive, whereas the structure in APP 7 is more prohibitive.[62]
The Law Council states that direct marketing is a legitimate and economically valuable
activity—much the same as use and disclosure of personal information for certain purposes other than the purpose for which it was collected—when conducted in a properly regulated way. The Law Council believes that such an approach to the subject matter would be better reflected if the drafting structure of APP 7 follows that used in APP 6.[63]
ADMA states that the inclusion of a ‘prohibition’ on direct marketing is confusing for both businesses and the consumer as it is not, in effect, a prohibition. It notes also that the move to a prohibition has only occurred in the Bill and at no other time during the six-year consultation period has such a ‘prohibition’ been suggested.[64] Acknowledging the potential for confusion arising from the use of the term ‘prohibition’ in the subheading to APP 7.1, the Senate Committee recommends that that term be removed from the subheading.[65]
Both the Law Council and ADMA question the need for a separate direct marketing principle, preferring the existing regime where direct marketing is regulated within the wider collection principle, NPP 2.
ADMA and others are also critical of APP 7.3 for the requirement to include an opt-out statement in each direct marketing communication. ADMA argues that this is not possible with regard to all marketing and advertising channels due to space constraints, particularly, for example, in new communication channels such as social media, Twitter or online advertising. Furthermore, ADMA states that this is likely to become a more significant constraint to business innovation in future years as technology develops.[66] The Senate Committee was persuaded by the assurance given by the Attorney‑General’s Department that APP 7:
will not cover forms of direct marketing that are received by individuals that do not involve the use or disclosure of their personal information, such as where they are randomly targeted for generic advertising through a banner advertisement.[67]
However, the Coalition members of the Committee ‘are not convinced... that the operational scope of APP 7, as drafted and explained in the Explanatory Memorandum, would be limited in this way’ and accordingly consider that APP 7 or the Explanatory Memorandum ‘should provide further clarification on this point to provide greater certainty for relevant private sector organisations’.[68]
The Australian Privacy Foundation felt that the opt-out provisions in APP 7.2 and APP 7.6 should be strengthened by including notification requirements in line with those set out at APP 7.3 (that is, requiring the organisation, in each direct marketing communication, to include a statement or draw attention in some other way to the fact that the recipient may request to no longer receive direct marketing).[69] The Senate Committee agreed, and has recommended that APP 7.2 and APP 7.6 are amended accordingly.[70]
APP 8 deals with cross-border disclosure of personal information and should be read together with proposed section 16C.[71] APP 8 is the equivalent of NPP 9. There is no equivalent IPP.
APP 8 is significant in several respects:
- it applies to agencies as well as organisations— currently agencies do not have responsibilities under the Privacy Act in relation to international data transfer
- it focuses on the ‘disclosure’ of personal information, whereas NPP 9 uses the term ‘transfer’ of data. Disclosure is broader than transfer and can mean, for instance that a data recipient such as a cloud service provider comes within the reach of APP 8 as it can technically access personal information housed on its servers[72]
- together with proposed section 16C, it moves from what is called an ‘adequacy approach’ in favour of a more ‘accountable approach’[73] and
- in contrast to NPP 9, which prohibits cross-border disclosure, subject to some exceptions, APP 8 aims to permit cross-border disclosure of personal information and ensure that any personal information disclosed is still treated in accordance with the Privacy Act.
APP 8.1 provides that before an APP entity discloses personal information to an overseas recipient, the entity must take such steps as are reasonable in the circumstances to ensure the overseas recipient does not breach the APPs (other than APP 1) in relation to that information. The Explanatory Memorandum states that in practice, the concept of taking ‘such steps as are reasonable in the circumstances’, will normally require an entity to enter into a contractual relationship with the overseas recipient.[74]
This obligation on an APP entity to ensure compliance will be qualified by a number of exceptions as specified in AAP 8.2. The obligation does not apply where:
- the APP entity reasonably believes that the recipient of the information is subject to a law or scheme substantially similar to the way the APPs protect the information and include mechanisms for redress and enforcement (APP 8.2(a))
- the APP entity expressly informs the individual that if he/she consents to the disclosure of the information then APP 8.1 will not apply and after being so informed the individual consents to the disclosure (APP 8.2(b))
- the disclosure is required or authorised by Australian law (APP 8.2(c))
- certain permitted general situations in proposed section 16A apply (APP 8.2(d))
- in the case of an agency, the disclosure is required or authorised by or under an international agreement relating to information sharing (to which Australia is a party) (APP 8.2(e)) and
- in the case of an agency, where the entity reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body, and the overseas recipient is an equivalent type of body (APP 8.2(f)).
Privacy advocates, such as the Australian Privacy Foundation have concerns with APP 8, arguing that any enhanced privacy protection in the new accountability regime for the treatment of cross-border data flows is considerably undermined by the wording of some of the exceptions set out in APP 8.2.
In particular they are critical of the ‘reasonably believes’ test (APP 8.2(a)) that provides an exception where the entity reasonably believes that the recipient of the information is subject to a substantially similar law or scheme. The Victorian Privacy Commissioner and others suggest that whether such a law or binding scheme exists should be determined by the Privacy Commissioner and not be based on an entity’s reasonable belief. In addition to removing the ‘reasonably believes’ test, they recommend that the Privacy Commissioner should also issue a list of laws that are substantially similar to the APPs.[75]
Another concern relates to APP 8.2(b) which as currently drafted gives the ability to individuals to consent to forgo any redress where their personal information is mishandled by an overseas entity. Some submitters argue that there should be a requirement that such consent be free, express and fully informed in order to remove any chance that this provision could be abused. The Victorian Privacy Commissioner recommends that the consent exception is either removed, or, if retained, that there be ‘strict guidelines around its use so express consent is required. Individuals must not have consent implied or inferred by the initial or continued interaction with an entity, or where notice of the intended transfer outside Australia is bundled into a lengthy privacy statement’.[76]
The Senate Committee recommended the amendment of APP 8.2(b) to require an individual to be informed of ‘the practical effect and potential consequences’ of consenting to the disclosure of information to an overseas recipient.[77] The Senate Committee also recommended that the Explanatory Memorandum be revised to clarify and draw attention to this new requirement.[78]
Other submitters, including the Law Council and the ADMA, argue that APP 8 is too restrictive.[79] The Law Council notes that APP 8 seeks to balance the public interest in the convenient flow of personal information outside of Australia and the public interest in compliance with the APPs outside of Australia. It believes:
APP 8 errs too much on the side of cross-border compliance at the cost of the convenient flow of information.
For example, in striking this balance, the Committee submits that APP 8 may deter the growing use of cloud computing. The Committee submits that this may impede access for Australian businesses and other entities to the economic and other benefits that cloud computing has to offer, putting Australian businesses and other entities at a competitive disadvantage with their international counterparts.[80]
The Law Council recommends that APP 8.1 be redrafted to impose less onerous but still effective requirements, so that an APP entity must take reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information in a manner which is inconsistent with the APPs.[81]
The Queensland Law Society also sees problems for lawyers advising on the application of this principle in the cloud environment. It recommends a similar amendment to APP 8.1.[82]
The Australian Information Industry Association (AIIA), because of its interest in cloud computing focuses its comments on the implications of APP 8. While supporting the intent of APP 8 to ensure organisations are held accountable for the information they share across borders, AIIA argues the effect of APP 8.1 in combination with proposed section 16C is that the entity disclosing information about an individual will be liable for privacy breaches even though they may have taken reasonable steps to ensure the overseas recipient complies with the APP. AIIA argues that this strict standard will undoubtedly impact the adoption of cloud services that are hosted overseas, and recommends that proposed section 16C is brought into alignment with the APEC accountability principle, which removes absolute obligation on the data transferor with respect to the acts of the data recipient.[83]
APP 9 places obligations on private sector organisations (but not public sector agencies) in relation to government related identifiers.[84]
There are two essential obligations:
- an organisation must not adopt a government related identifier as the identifier of an individual in its own system unless required or authorised by law and
- an organisation may not use or disclose a government related identifier of an individual unless one of the specific exceptions in APP 9.2 apply. These exceptions include, for example:
– where it is reasonably necessary to verify the identity of an individual for an organisation’s activities or functions
– where an organisation reasonably believes it is reasonably necessary for one or more enforcement related activities conducted by or on behalf of an enforcement body or
– where it is allowed under the regulations.
APP 9 is based on NPP 7.
Several privacy groups, including the Victorian Privacy Commissioner and the Australian Privacy Foundation expressed concern that agencies are excluded from the requirements of this APP. The Victorian Privacy Commissioner noted that the Victorian privacy principles afford such protection and argued:
Sharing of unique identifiers by public sector agencies facilitates data matching and is a very significant privacy risk, given the large amount of data that public sector agencies hold.
[...]
The APPs should represent the highest practicable level of privacy protection. Excluding agencies from the requirements of this APP does not reflect that basic concept.[85]
APP 10 sets out the obligation for an APP entity to protect the quality of the personal information it collects, uses and discloses. It is divided into two sections:
- APP 10.1 requires that APP entities take such steps (if any) as are reasonable in the circumstances to ensure that personal information collected is ‘accurate, up-to-date and complete’ and
- APP 10.2 requires that APP entities take such steps (if any) as are reasonable in the circumstances to ensure that personal information used or disclosed is ‘accurate, up-to-date, complete and relevant’ (emphasis added).
The equivalent data quality principle is NPP 3 and while there is no equivalent IPP specifically covering data quality, aspects of IPP 3 and IPP 8 are related to this topic.
APP 11 sets out an APP entity’s obligations relating to the protection and destruction of personal information it holds. There are two parts to the principle.
APP 11.1 provides the more general obligation that an APP entity must take such steps as are reasonable in the circumstances to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
APP 11.2 provides that if an APP entity no longer needs personal information for any purpose for which it may be used or disclosed under the APPs, and if the information is not contained in a Commonwealth record[86] or legally required to be retained by the entity, the entity must take steps ‘reasonable in the circumstance’ to either destroy or de-identify the information.
APP 11 is the equivalent of NPP 4.
APP 12 provides that if an APP entity holds personal information about an individual, the entity must provide the individual with access to that information subject to specific exceptions. These exceptions differ with respect to agencies and to organisations.
Exceptions for agencies are in cases where the agency is required or authorised to refuse to give access under the Freedom of Information Act 1982 or under some other statute.
In the case of an organisation, the exceptions include if:
- the entity reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or safety
- providing access would have an unreasonable impact upon the privacy of other individuals
- the request for access is frivolous or vexatious
- providing access would reveal the intention of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations
- providing access would be unlawful
- denying access is required or authorised by or under law and
- providing access would be likely to prejudice an investigation and subsequent action regarding a possible unlawful activity or misconduct in relation to the entity.
APP 12.4 to 12.10 set out the procedural details regarding requests for access, such as time-frames, means of access, access charges and procedures for refusal to grant access.[87]
APP 12 is based on IPP 6 and NPP 6.
APP 13 sets out the obligation on APP entities regarding correction of personal information. It provides that an APP entity must take reasonable steps to correct personal information it holds about an individual if:
- the entity is satisfied the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, with regard to the purpose for which it is held or
- the individual requests that the entity correct the information.
The Explanatory Memorandum states that the principle is not intended to create a broad obligation on entities to maintain the correctness of personal information it holds at all times.[88] Rather it will operate together with APP 10 so that when the quality of personal information is assessed at the time of use or disclosure, an entity may need to correct the information before use or disclosure if the entity is satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.[89]
APP 13 is based on IPP 7 and NPP 6.
Schedule 2 of the Bill introduces more comprehensive credit reporting with strengthened privacy protections. It also rewrites some of the credit reporting provisions, purportedly for ‘greater logical consistency, simplicity and clarity’.[90]
Providers of credit to consumers are able to obtain credit reports from credit reporting agencies to assist in the assessment of applications for credit. The information in credit reports helps credit providers to make an assessment of the credit-worthiness of individuals. Credit reporting agencies source information from publically available information and from information provided by credit providers.
The credit reporting system addresses the problem of ‘information asymmetry’ between borrowers and credit providers; that potential borrowers know much more about their own financial affairs—and credit risk—than credit providers.
In 1991, Part IIIA was inserted into the Privacy Act to extend its operation to consumer credit reporting. Consumer credit is credit used mainly for domestic, family and household purposes. Part IIIA regulates the kinds of information that can be used in the consumer credit reporting system and the way in which that information is handled and maintained. The rules regulate credit providers (lenders) and credit reporting agencies (organisations that collect, process and report information, typically to lenders).
The intent of the credit reporting provisions is to balance the interests of lenders in making informed decisions about the risks of lending to applicants for credit with the prospective borrower’s interest in the protection of their personal information, the prompt and just resolution of disputes and gaining fair and responsible access to credit. The credit reporting rules are more prescriptive than the privacy principles.
At the moment, the credit reporting rules permit only “negative credit reporting”. According to the Explanatory Memorandum to the Bill:
Negative reporting limits the collection of personal information to that which relates to an individual’s credit delinquency, such as defaults on payments or dishonoured cheques, and inquiries on the credit record. Positive credit reporting permits the collection of personal information which demonstrates an individual’s credit account activity, such as the timeliness of payments, account type, the credit limit and the amounts of credit liabilities. However, the term positive reporting and negative reporting are not clearly defined and can be confusing.[91]
Because of the potential for confusion in the use of the terms positive and negative credit reporting, the ALRC preferred the term ‘comprehensive credit reporting’ to describe the inclusion of the kind of information that would be found in a positive credit reporting system.
The current rules permit only certain kinds of information to be dealt with by credit providers and credit reporting agencies. The information that is permitted at the moment is information about:
- a credit provider having sought a credit report about a person who has applied for credit and the amount of credit sought
- a person’s current credit providers
- certain credit defaults
- a court judgment or bankruptcy order made against the individual and
- the opinion of a credit provider that a person has committed a ‘serious credit infringement’.[92]
The impetus for expanding the kinds of information permitted in the credit reporting system comes from the credit industry, which says that the limited amount of information allowed in the system makes credit providers susceptible to assessing credit risks incorrectly. The industry says that this can lead to the granting of credit to those who cannot afford it and to the denial of credit to those who can. The ALRC agreed that more kinds of personal information should be allowed in the system and recommended a move to ‘more comprehensive credit reporting’.[93]
As set out above, the Bill implements the Government’s response to 197 of the ALRC’s 295 recommendations. Of the 46 recommendations concerning credit reporting, only four were not accepted. Of the others, 29 were accepted in full, seven were accepted in principle, four accepted with amendment and two accepted in part.[94]
Of the four rejected, one dealt with the drafting treatment of the Bill rather than substantive matters (Recommendation 54-1) and the other three can be characterised as recommending the expansion of credit provider rights: one dealt with the extension of the rules to allow personal credit information to be given to foreign credit providers in limited circumstances (recommendation 54-7); one recommended that personal information about credit should be able to be disclosed for secondary purposes other than the assessment of an application for credit (recommendation 57-2); and one recommended that limits on the disclosure by credit providers of personal information that is not connected to the credit reporting system, should be exclusively addressed in the APPs, rather than the credit provisions (recommendation 57.6).
In implementing the Government’s response to the ALRC recommendations, broadly, the Bill does three things:
- expands the kinds of information that are permitted in the credit reporting system subject to improved privacy protections
- makes provision for an industry-developed credit reporting code of conduct and
- redrafts the provisions to make them, according to the Explanatory Memorandum, simpler, clearer and more logical. This includes bringing greater clarity to the way the credit reporting rules interact with the more general privacy principles.
The Bill implements most of the recommendations of the ALRC including the expansion of the kinds of information that are permitted in the credit reporting system. These are:
- the date the credit account was opened
- the type of credit account opened
- the date the credit account was closed
- the current limit of each open credit account and
- repayment performance history about a person over the last two years and the number of repayment cycles that person was in arrears.
The ALRC recommended (in Recommendations 55-2 and 55-3) the inclusion of the last item only if legislated responsible lending obligations were in place. The obligations were subsequently imposed by the National Consumer Credit Protection Act 2009.[95]
The intention in allowing the five new kinds of information into the system is to improve the ability of credit providers to assess a person’s credit worthiness. This benefits both credit providers and borrowers through, for instance, lower credit default rates and reduced opportunities for irresponsible or inappropriate lending.
To balance the enlargement of the set of personal information that is permitted in the credit reporting system, the Bill introduces additional privacy protections including obligations and processes dealing with data quality, notification, access to data and complaints.
The prefatory comments of the Australian Privacy Foundation in its submission to the Senate Legal and Constitutional Affairs Committee bear repeating to give context to the move to a more comprehensive credit reporting system as proposed in this Bill:
It is important to understand that the credit reporting system (both now and under these amendments) is a statutorily authorised intrusion into individuals’ privacy, and in effect a ‘licenced’ exception to the normal operation of the default private sector Privacy Principles in the Privacy Act (now the NPPs, and proposed APPs).
There has never been anything to stop lenders asking applicants for loans about their existing commitments, and making evidence of such commitments (for example, bank references) a condition of a loan. Lenders do not of course want to do this – it would be costly and ‘annoy’ many applicants. The Government decided, in 1989, to insert Part IIIA into the Privacy Act to allow, and regulate, a system of ‘no choice’ exchange of credit reporting information. This was justified on the basis that the public interest in the efficiency of the consumer credit market outweighed the inherent loss of personal privacy involved in a system of centralised credit reporting.
It is important to understand this context because the proposed amendments involve the ‘licensing’ of a significant further intrusion into individuals’ privacy, with no choice (other than not to apply for credit at all, including telephone or electricity accounts – which is unrealistic in the modern economy). Any suggestion that lenders and utility companies have a ‘right’ to centrally held credit reporting information should therefore be dismissed – the credit reporting system is a privilege, and it is incumbent on industry to justify any extension, and appropriate for the system to be very tightly regulated.[96]
Several specific criticisms have been made of the five new data sets that are proposed to be included in the credit reporting system.
The Consumer Credit Legal Service of Western Australia (CCLSWA) criticises the move to more comprehensive or ‘positive’ credit reporting and, in particular, the addition of repayment history information. The CCLSWA describes the inclusion of an individual’s repayment history as ‘unjustified and extreme’ and ‘invasive and beyond what is reasonably necessary for credit providers to make an assessment of individual’s credit worthiness’.[97]
The CCLSWA
rejects the argument that comprehensive reporting benefits consumers by decreasing over‑indebtedness and opening up competition, or that it improves the efficiency of the credit reporting regime…. Nor is there necessarily a correlation between positive reporting and responsible lending practices. For instance, it is common knowledge that the comprehensive reporting systems existing in the US and the UK did not prevent the ‘sub-prime loans’ crisis when lenders abandoned good risk management and responsible lending practices despite their access to potential debtors’ comprehensive credit information”.[98]
The Australian Privacy Foundation makes a similar point. It says:
These additional data sets represent a major increase in the level of statutorily authorised intrusion into the financial affairs of most Australians. The APF has consistently argued that this move towards more comprehensive reporting is unnecessary and undesirable, especially in the context of recent history of irresponsible lending, contributing to the global financial crisis of 2008-09.[99]
Telstra points out that the date on which a credit account is opened is not obvious in the case of credit that is extended for the provision of telecommunications services. It says that ‘the day on which a customer is actually connected’ is more appropriate for those services.[100] Similarly, the day of disconnection would be more appropriate than the date on which each credit account is closed, as the Bill currently proposes. Telstra suggests a simple drafting solution to address each of these issues.
Optus similarly comments upon the difficulty of applying, to telecommunications suppliers, concepts that are geared towards more traditional credit providers like banks.[101]
Optus goes on to make the point that the mandatory inclusion of the fifth data set — repayment history information—would necessitate new systems design and material compliance costs and that a more practical solution would be to provide telecommunications suppliers and utilities with an option to opt in.[102]
The definition of ‘serious credit infringement’ is amended by item 63 of Schedule 2 of the Bill. The expression is an important one in the credit reporting scheme because, as noted earlier, the rules currently allow the opinion of a credit provider that a person has committed a ‘serious credit infringement’ to be recorded in the credit reporting system.[103]
The current definition is:
serious credit infringement means an act done by a person:
(a) that involves fraudulently obtaining credit, or attempting fraudulently to obtain credit; or
(b) that involves fraudulently evading the person’s obligations in relation to credit, or attempting fraudulently to evade those obligations; or
(c) that a reasonable person would consider indicates an intention, on the part of the first‑mentioned person, no longer to comply with the first‑mentioned person’s obligations in relation to credit.[104]
The provision — particularly paragraph (c) — has been criticised because of the ease with which a credit provider could list a serious credit infringement on a person’s record. The Consumer Action Law Centre (CALC), for instance, observes that:
it is difficult to understate the significance of a credit provider listing an SCI on a consumer’s credit report. An SCI is the most serious type of listing that can be made apart from bankruptcy, and yet it is the only listing that can be made based purely on the opinion of a credit provider at a particular point in time.[105]
The CALC further points out that:
The current regulation around SCIs— which allows such a significant listing to be made on a credit report with little or no direct evidence of misconduct — is…disproportionate and grossly unfair.[106]
And that:
once made, an SCI will ordinarily remain on a credit report for seven years. They can be very difficult to remove earlier—even if the consumer can demonstrate that, had the credit provider known all the circumstances, they would not have made the listing.[107]
The CALC argues that SCIs are commonly listed under existing paragraph (c) merely because of an ‘error, misunderstanding or breakdown in communications’, rather than fraud.[108] The CALC gives the example of a resident in a share house who enters a telephone contract but forgets to remove their name from the account when they move out and who then has an SCI listed when the remaining residents move out without paying the final bill.
It is apparently to address the kind of situation where a SCI is listed due to the credit provider’s inability to contact a debtor that the Bill amends the SCI definition.
The Bill amends the definition by adding two further requirements to a paragraph (c) above.
serious credit infringement means:
(a) …
(b) …; or
(c) an act done by an individual if:
(i) a reasonable person would consider that the act indicates an intention, on the part of the individual, to no longer comply with the individual’s obligations in relation to consumer credit provided by a credit provider; and
(ii) the provider has, after taking such steps as are reasonable in the circumstances, been unable to contact the individual about the act; and
(iii) at least 6 months have passed since the provider last had contact with the individual.
While this amendment is consistent with the ALRC’s recommendation 56-6, it has attracted criticism.
The CALC considers that the six month waiting period does not achieve the Government’s apparent aim that credit providers attempt, for at least that period, to contact the borrower and so avoid listing a serious credit infringement inappropriately.[109] CALC suggests that the new provision requires only that the credit provider ‘wait six months to list a serious credit infringement’.[110] However the provision itself has cumulative requirements and at paragraph (c)(ii) would require the credit provider to ‘take such steps [to contact the individual] as are reasonable in the circumstances’. The CALC also criticises the absence of a requirement for a credit provider to review the appropriateness of a serious credit infringement listing after six months.
The CALC points to an alternative drafting treatment proposed jointly by several consumer advocates and Veda, the largest credit reporting agency which claims it has 96 per cent of the market share.[111] The proposal is claimed to better address the problem of SCI listings that arise from a lack of contact between the lender and borrower, which the CALC says is the cause of most SCI listings.
The alternative proposal would create two new listing categories: an ‘uncontactable default’ which would arise where the debtor cannot be contacted or does not respond to contact and a ‘never paid flag’ which could only be used by telecommunications or utility credit providers after 60 days if the credit provider has received no payment on the account and has reasonable grounds to believe that the debtor did not have an intention to make a payment on the account.[112]
The proposal has merit as it treats differently cases that involve fraud from cases where fraud is inferred —possibly incorrectly — from lack of contact with the debtor. It does not seem necessary to completely abandon the definition of SCI as the CALC seems to propose, however. Rather, a better solution may be to retain the first two limbs of the definition of SCI (those involving fraud) and to create other categories of conduct of the kinds contemplated in the previous paragraph, for those cases where contact with the debtor has been lost.
The submissions made by the CALC are endorsed in full by the Australian Privacy Foundation.[113]
The Australasian Retail Credit Association also agrees that there should be a different approach in dealing with serious credit infringement to allow for those listings, not relating to intentional fraud, to be dealt with in a different manner.[114]
The Financial Ombudsman Service supports the amendment to the definition of serious credit infringement. It states that serious credit infringement listings:
should not be lightly made and in that context it is appropriate that the…Bill include a requirement that the Financial Services Provider must have taken reasonable steps to contact an individual and that at least 6 months should have passed without contact prior to entering a serious credit infringement listing.[115]
There is no requirement in the Bill that a person be notified when information about them is used. Rather, there are requirements that the disclosing party make a written note of that disclosure. Proposed subsection 20E(5), for instance, provides:
(5) If a credit reporting body discloses credit reporting information under this section, the body must make a written note of that disclosure.
Breach of subsection 20E(5) attracts a civil penalty of up to 500 penalty units.
The Law Institute of Victoria argues that:
in addition to being required to make written notes of disclosure and use of credit reporting information, credit reporting agencies should also be required to notify the relevant individual…the requirement of documenting uses and disclosures is of little consequence unless the individual knows that these uses and disclosures are occurring. Individuals should be provided with more knowledge, and therefore control, over the use and disclosure of their information … without knowledge of disclosures, it would be difficult if not impossible to enforce [several obligations like] the prohibition on use and disclosure of false or misleading credit reporting information. [116]
The Bill includes a new requirement that prevents the disclosure of information to persons without an ‘Australian link’, a term that is defined narrowly. [117]
Both Telstra and Optus criticise what seem to be the unforeseen consequences of the application of the new credit reporting rules to entities that provide credit incidentally to the provision of other services like utility and telecommunications services. In particular, they are concerned about the ‘Australian link’ requirement. Telstra says:
We are concerned at the provisions restricting the ability of credit providers to disclose credit eligibility to entities that do not have an ‘Australian link’ (in sections 21G, 21J, 21K, 21M and 21N), which appear in the Bill but which did not appear in the Exposure Draft – Credit Reporting.
The Australian Law Reform Commission’s recommendation 54-5 (from Report 108) – which was accepted by the government in its ‘First Stage Response’ to that Report – referred to excluding the ‘disclosure of credit reporting information to foreign credit providers’. No reference to ‘foreign service providers’ was made. In order to align the Bill with Recommendation 54-5, and not place unnecessary restrictions on industry partners, we encourage the government to consider removing the Australian link requirement from those provisions which do not involve disclosure to other credit providers, in particular sections 21G(3)(b) (related bodies corporate), 21G(3)(c) (credit managers), 21K (guarantors) and 21M (debt collectors). To the extent that the government remains concerned about enforcement of overseas providers’ privacy breaches, consideration could be given to holding the Australian credit provider accountable for its service provider’s conduct in the manner of the Bill’s new section 16C.[118]
Optus says:
Optus has serious concerns about the introduction in this Bill of the concept of ‘Australian link’ in Schedule 2. The prohibition on disclosure of any credit-related information to organisations that do not have an Australian link will have major impacts for companies with existing off-shore call centres and data processing facilities.
5.2 This concept was not included in the previous Exposure Draft which was reviewed by the Senate’s Finance and Public Administration Legislation Committee, nor does it appear to have been considered in the Regulation Impact Statement submitted to the Office of Best Practice Regulation. The Explanatory Memorandum to the current Bill states (p6) that “The term ‘Australian link’ is used to define the entities that are subject to the operation of the Act…”, but in fact the use of the term in relation to credit information is more far-reaching.[119]
The Law Council of Australia is also concerned about the Australian link requirement, as it may interfere with established arrangements including those related to data storage and backup.[120] The Australian Bankers’ Association also makes detailed criticism of the Australian link requirements in the Bill.[121]
ANZ Bank:
is concerned that [the] restriction on the disclosure of [credit eligibility information] will effectively prohibit legitimate business practices and is in excess of the cross border protections applied to other types of information under the Privacy Act.
…
The current Bill provisions would mean an Australian-based organisation would not be able to transfer [credit eligibility information] to a wholly owned offshore entity for the purposes of that entity performing services for the organisation.[122]
In the telecommunications sector, the Telecommunications Consumer Protection Code (C628) already exists, and has been recently revised, that deals with matters covered by the credit reporting system. This creates a potential for overlap and duplication.
Telstra points out that there is already in place a regulatory framework for the telecommunications sector that deals with matters and practices covered by this Bill. It says:
There are a range of consumer credit obligations with which telecommunication suppliers (Suppliers) must comply. Most predominantly is the Telecommunications Consumer Protection Code (C628) (the Code). This Code outlines rules that Suppliers must follow in relation to several subject areas, including credit management. The Code rules cover matters such as:
- undertaking credit assessments before supplying a new service
- providing certain types of information to customers about credit assessments, the risks if the customer will not be the principal end user of the services, acting as a guarantor, etc.
- the provision of credit control tools to assist customers to manage their expenditure levels
- advising customers prior to restricting, suspending or disconnecting their service
- not taking further credit management action over disputed amounts
- the behaviour of collections agents
- updating credit bureau files within certain timeframes
- assisting customers who are experiencing financial hardship.[123]
Telstra argues that the existence of two schemes leads to duplication — for instance, in relation to dispute resolution schemes— overlap, and inconsistency.[124]
Optus similarly points to the existence of an existing industry-specific regulatory scheme for complaints — including credit complaints — in the Telecommunications Consumer Protections Code and the Telecommunications Industry Ombudsman Scheme. It says that:
…imposing new and different obligations just for credit complaints will create an administrative burden for telecommunications providers, and confusion for telecommunications customers, who should be able to have a consistent experience with their telecommunications provider regardless of the nature of the complaint.[125]
Optus also criticises the complaint handling requirements as being badly aligned with the many ways in which customers actually interact with providers:
3.6 In addition, we are concerned that the prescriptive complaint handling requirements set out in the Bill (such as the requirement for written acknowledgement of complaints and then written confirmation of the outcomes of complaints) are very rigid and reflect an out-dated method of interacting with customers. Such restrictive practices do not take into account the multitude of ways in which customers are able to contact their providers in the digital environment.
3.7 Optus’ customers, for example, can contact us in person via our shopfronts, by telephone, by mail, by email, via our website, via our smartphone apps, by web chat, by Twitter or by Facebook. Indeed, we exist in an industry which is always searching for the next medium and next technology to allow Australians to communicate more comprehensively, more easily, and using a method of their choosing. Our experience is that customers expect telecommunications providers to allow for multiple means of communication, and that if a customer contacts us via a particular method of communication, they expect a response via that same method.
3.8 It is therefore disappointing to see rigid obligations in the Bill that require providers to give written notice to their customers on a number of occasions during a complaint investigation. In Optus’ view, this lack of flexibility is unlikely to facilitate the fast and efficient resolution of complaints using the customer’s preferred form of communication, and may instead lengthen and complicate the complaint handling process, and increase a customer’s frustration with that process.[126]
Optus proposes that:
the detail about complaint handling be removed from the Bill, and replaced with a requirement that complaint handling processes be dealt with in the CR Code which is to be developed. The CR Code will be able to more easily set out the minimum requirements for complaint handling, but allow for different industry sector approaches according to the existing regulatory regimes in each of the banking, telecommunications and utilities sectors (which all have their own existing Ombudsman schemes, for example). The result will be a universal minimum standard, with an even higher water mark set by additional regulation in some industries, rather than a one‑size-fits-all legislative approach.
3.13 In addition, codes of practice are more easily future-proofed than legislation, and can be quickly and easily amended over time when needed, to deal with practical issues arising from the implementation of the Bill, the experience of consumers in relation to their credit complaints, and the introduction of presently-unknown technologies or communication practices.[127]
The concerns raised by Optus would seem to be partly answered by the Electronic Transactions Act 1999, which allows for certain communications required to be given ‘in writing’ to be made electronically.[128] Most, if not all, of the modes of communication listed by Optus — except telephone communications —appear to be permitted under that Act. Nonetheless, the Bill’s requirements do seem ill-adapted to some kinds of complaints, like those that are capable of easy resolution on the phone, for instance, and particularly in sectors where credit provision is not a core business, like telecommunications. There seems to be merit therefore, in the Optus suggestion that the complaint handling rules be dealt with in the Code, which would preserve a degree of flexibility suitable for different kinds of complaints and different sectors.
In its report, the Senate Legal and Constitutional Affairs Legislation Committee makes nine recommendations which are largely of a technical nature. However, in recommendations 16 to 18 the Committee suggests that changes to the rules concerning the correction of information by credit providers and credit reporting agencies. Subject to its recommendations being accepted, the Committee recommends that the Bill be passed.
The 2000 reforms to the Privacy Act introduced, among other things, a new Part IIIAA which allows private sector organisations and industries to develop and enforce their own privacy codes. Once the Privacy Commissioner approves a privacy code, it replaces the NPPs for those organisations bound by the code (existing section 16A). This 'co-regulatory' arrangement was intended to allow for privacy principles to be tailored to meet the needs of a particular part of the private sector. However it has been suggested that industry codes under the current Privacy Act have had mixed success, with only four Codes registered since 2000 and two of these being subsequently withdrawn or deregistered.[129]
Apart from the private sector privacy codes, existing section 18A of the Privacy Act requires the Privacy Commissioner to issue a Code of Conduct relating to credit information files and credit reports. The Privacy Commissioner issued the Credit Reporting Code of Conduct in 1991. The Code supplements Part IIIA on matters of detail not addressed by the Privacy Act and creates a set of legally binding rules.
Schedule 3 of the Bill proposes to replace the existing provisions dealing with privacy codes and the Credit Reporting Code of Conduct with a proposed new Part IIIB (item 29) dealing with codes of practice under the APPs (called APP codes) and a code of practice about credit reporting (called the CR Code).
Proposed section 26E provides that an APP code may be developed by APP code developers[130] either at their own initiative or following a request from the Commissioner.
Proposed section 26C describes the features of an APP code. In contrast to the existing code provisions, APP codes do not replace the APPs, but operate in addition to the requirements of the APPs. An APP code must set out how one or more of the APPs are to be applied or complied with. An APP code may also deal with other relevant matters, and may impose additional requirements to those imposed by the APPs so long as the additional requirements are not contrary to, or inconsistent with, the APPs.
Once the APP code has been developed, an application may be made to the Commissioner for registration of the code (proposed section 26F). The Commissioner then decides whether or not to register the APP code (proposed section 26H).
The Commissioner also has the power to develop an APP code if satisfied that it is in the public interest to do so (proposed section 26G). This power can only be exercised if the Commissioner has requested the development of an APP code and the request has not been complied with, or the Commissioner has decided not to register the APP code that was developed as requested. The Commissioner may then register the APP code that was developed by the Commissioner.
Any registered APP code will be a disallowable legislative instrument (proposed section 26B).
An APP entity that is bound by a registered APP code must not do an act, or engage in a practice, that breaches the code (proposed section 26A).
Registered APP codes can be varied or removed from the register (proposed sections 26J and 26K).
A breach of the registered APP code by an entity bound by the code will be an interference with privacy by that entity under section 13 of the Privacy Act (item 42 of Schedule 4 of the Bill).
APP code developers are defined by proposed additions to section 6 (1) as an APP entity or group, or umbrella body of APP entities.
The Australian Privacy Foundation (APF) is in favour of the new option of allowing code development at the request of the Commissioner and by the Commissioner as this should ‘potentially allow the Commissioner to initiate a process for imposing additional binding information privacy obligations on APP entities where this is justified’. The APF argues this is a useful addition to the toolkit of privacy protection, particularly as codes can apply, for the first time, to Commonwealth agencies. However it also notes that the value of these Commissioner‑initiated Code provisions ‘will of course only be realised if the Commissioner has both the will and the resources to utilise them’.[131]
Whereas APP codes are discretionary, the CR code is an essential part of the regulatory structure of the credit reporting system. Proposed section 26P provides that the Commissioner may request a CR code developer to develop a CR code. This is consistent with the ALRC’s recommendation 54-9 that a credit code be developed by industry in consultation with consumer groups and regulators. The ALRC recommended that the Code be developed by industry to allow it to have a greater involvement in developing procedures which affect its day to day compliance with the legislation.
Proposed section 26N describes the features of a CR code. A CR code must set out how one or more of the credit reporting provisions are to be applied or complied with, and may deal with other matters. The CR code must bind all credit reporting bodies and must set out which credit providers or other entities (for example, mortgage insurers and trade insurers) are bound. The code may be expressed to apply differently in relation to classes of entities or specified classes of information.
Once the CR code has been developed an application may be made to the Commissioner for registration of the code (proposed section 26Q). The Commissioner then decides whether or not to register the CR code (proposed section 26S). The Commissioner must ensure that there is one, and only one, registered CR code.
The Commissioner can develop the CR code if the code developers do not develop the CR code as requested, or the Commissioner decides not to register the CR code that was submitted for registration (proposed section 26R).
An entity that is bound by the registered CR code must not do an act, or engage in a practice, that breaches the code (proposed section 26L).
A breach of the registered CR Code will be an interference with privacy by the entity under proposed section 13 of the Privacy Act (item 42 of Schedule 4 of the Bill).
Telstra observes that:
the [Office of the Australian Information Commissioner] can veto the industry‑developed code and create its own. It is not required to provide reasons for a decision not to register the CR Code. We do not consider this a reasonable outcome. Any Code should be the result of an open and transparent consultative process and not at the determination of one office.[132]
Item 2 repeals and replaces subsections 5B(1) and (1A). The amendments are significant in that they considerably expand the extra-territorial operation of the Privacy Act. Proposed new subsection 5B(1) will extend the extra-territorial operation of the Privacy Act to agencies. Currently extra‑territorial operation applies with respect to organisations but not agencies. This amendment implements the Government response to ALRC Recommendation 31-1.
Proposed subsection 5B(1A) is based on the existing subsection 5B(1) and will provide that the Act operates extra-territorially in relation to organisations and small businesses that have an ‘Australian link’. Under paragraph 5B(3)(c) as amended an ‘Australian link’ will exist where the personal information was collected or held by the organisation or operator in Australia or an external territory, and the other requirements of subsection 5B(3) are satisfied. The Explanatory Memorandum clarifies that the reference to ‘in Australia’ includes the collection, by an overseas entity, of personal information from an individual who is physically within the borders of Australia or an external territory, and that this would include collection from an individual physically located in Australia over the internet by a company which has no physical presence in Australia.[133] The OAIC suggests that this intended meaning is not clear on the face of the Bill. It suggests:
Given its importance in determining whether obligations under the Privacy Act apply, and to provide certainty for entities and the OAIC as the Privacy Act regulator, the OAIC recommends the meaning of ‘in Australia’ in s 5B(3)(c) be made explicit; for example, by amending ‘in Australia’ to ‘from Australia’.[134]
Item 42 repeals sections 13 and 13A and replaces them with a new proposed section 13. The new provision will outline the circumstances that will result in an ‘interference with the privacy of an individual’. This is based on existing sections 13 and 13A but is drafted to reflect the new APPs and also cover additional breaches, such as a breach of a registered APP code.[135]
Item 50 repeals sections 13E and 13F and replaces them with new proposed sections 13E to 13G. Proposed sections 13E and 13F are mainly consequential changes, however proposed section 13G is a more substantial and significant amendment. It creates a civil penalty of 2000 penalty units (which is $220 000 for an individual and $1.1 million for a company[136]) for a serious or repeated interference with the privacy of an individual. ‘Serious’ or ‘repeated’ are not defined, although the Explanatory Memorandum provides examples. It is anticipated that the OAIC will develop enforcement guidelines which will set out the criteria on which a decision to pursue a civil penalty will be made.[137]
The section implements the Government’s response to the ALRC Recommendation 50–2.
Item 54 of Schedule 4 of the Bill repeals and replaces sections 27 to 29, the provisions dealing with the functions of the Commissioner. The amendments re-arrange the functions and classify them according to:
- guidance related functions (proposed section 28) including publishing guidelines, promotion and education
- monitoring related functions (proposed section 28A) including monitoring security and accuracy, evaluating compliance and examining proposed enactments for potential privacy impact and
advice related functions (proposed section 28B) including advising and reporting to the Minister on matters relating to the Privacy Act and informing the Minister of the actions an agency needs to take to comply with the APPs.
Proposed section 29 is a general provision requiring the Commissioner, when performing functions and exercising powers, to have due regard to the objects of the Privacy Act. The objects of the Act are in proposed section 2A to be inserted by item 1 of Schedule 4 of the Bill.
The amendments will go towards implementing the Government’s response to ALRC Recommendation 5-2, and, according to the Explanatory Memorandum, the consolidation of the existing provisions will reduce repetition and assist in simplifying the Privacy Act.[138]
Of significance, Schedule 4 of the Bill also contains several amendments that will increase the powers of the Privacy Commissioner. These new powers relate to the following:
- compliance assessment: proposed section 33C (item 64) will empower the Commissioner to conduct an assessment of whether an entity’s handling of personal information complies with the Privacy Act. This assessment will be to determine whether personal information held by the entity is being maintained according to the APPs, credit reporting provisions and other specified rules or codes. Whereas the Commissioner currently has these powers with respect to agencies the new provision will apply to both organisations and agencies. This implements the Government’s response to ALRC Recommendation 47-6
- privacy impact assessments: proposed section 33D (item 64) will empower the Commissioner to direct an agency (but not an organisation) to conduct a privacy impact assessment of any proposed activity which could impact on privacy. This implements the Government’s response to ALRC Recommendation 47-4
- enforceable undertakings: proposed section 33E (item 64) will empower the Commissioner to accept written undertakings by entities to take certain actions or to refrain from taking certain actions to ensure compliance with the Privacy Act. The Commissioner may apply to the Federal Court or the Federal Magistrates Court to compel an entity to comply with an undertaking or to pay compensation for any loss or damage caused by non-compliance with an undertaking (proposed section 33F). These provisions implement the Government’s response to ALRC Recommendation 50-4
- external dispute resolution: proposed section 35A (item 66) will give the Commissioner the power to recognise external dispute resolution schemes which are capable of dealing with privacy-related complaints. This will partly implement the Government’s response to Recommendation 49-2 to amend the Privacy Act to empower the Commissioner to decline to investigate a complaint if it is already being, or would be more effectively or appropriately, dealt with by a recognised external dispute resolution scheme[139] and
- ‘own motion’ investigations: the proposed amendments to section 40 (items 78 and 79) have the effect of both clarifying and strengthening the Commissioner’s powers with respect to own motion investigations of any act or practice which may be an interference with an individual's privacy or a possible breach of APP 1.[140] Proposed subsection 52(1A) (item 109) provides that actions available to the Commissioner after such an investigation include:
– making a declaration that an interference of privacy has occurred
– ordering an entity to take specific actions to prevent further repeats of the acts or practices investigated and
– ordering an entity to redress or compensate any loss or damage suffered (loss or damage may include humiliation suffered by the complainant or injury to the complainant's feelings).
- conciliation: proposed section 40A (item 80) requires the Commissioner to make a reasonable attempt at conciliating a complaint made under section 36 where he/she considers it reasonably possible the complaint may be successfully conciliated.
A number of submissions from privacy advocates welcomed these proposed amendments which strengthen the powers of the Commissioner. For example, the Australian Privacy Foundation is generally supportive of these reforms, noting particularly that the new power to make determinations following ‘own motion’ investigations is highly desirable. It states:
In the hands of a sufficiently motivated Commissioner, it could be the strongest and most effective enforcement mechanism in the Act.[141]
Schedule 5 of the Bill makes amendments to other Acts that are consequential to the amendments to the Privacy Act proposed in Schedules 1 to 4 of the Bill. For example these consequential amendments include:
- removing references to the IPPs and NPPs in various Acts and replacing them with references to the APPs
- inserting the amended definition of ‘personal information’ in various Acts and
- removing references to ‘credit reporting agencies’ and inserting references to ‘credit reporting bodies’ in various Acts.
Schedule 6 of the Bill contains amendments to address transitional issues relating to the commencement of the new provisions.
The development of this long and complex Bill has been subject to extensive consultation and input. Submissions to the various parliamentary committee inquiries, while generally in agreement about the need for privacy reform, vary in their views about whether the Bill strikes an appropriate balance between the public interest in protecting the privacy of individuals and other public interests.
A common theme that appears in many submissions is disappointment that the Bill falls short of achieving the aim of a single set of high-level principles for the public and private sectors which promote national consistency and minimise complexity. As has been noted in a number of submissions, the previous Senate Committee report into the exposure draft Bill had recommended that the APPs be reassessed to improve clarity and that agency-specific provisions in the APPs should be dealt with in portfolio legislation. The Government has already considered this recommendation in relation to its exposure draft Bill and did not accept it.
There is however general support for the provisions in the Bill that increase the powers of the Commissioner, although as some have noted, the significance of those amendments is dependent on the extent to which they are embraced by the Commissioner, which also raises questions about adequate resourcing to accompany the Commissioner’s new powers.
Possibly the Bill’s greatest practical impact is likely to be in relation to the cross-border disclosure of personal information. Undoubtedly this is a difficult area in which to balance the objective of enhancing privacy protection of personal information flowing outside Australia against the need to avoid undue restrictions that would hinder Australia’s ability to flourish in a modern digital economy. Bringing government agencies within the ambit of this cross-border scheme is generally welcomed. There is, however, debate on whether the move to a more ‘accountable’ approach has swung the balance too much on the side of cross-border compliance at the cost of the convenient flow of information. At a practical level businesses and agencies will need to be more rigorous in protecting personal information outside Australia so as to avoid liability for any breaches of the APPs committed by overseas recipients of the information.
The move to more comprehensive credit reporting naturally finds support within the credit sector but there are legitimate concerns about overreach, particularly in the application of the rules to industries that are not predominantly involved in the provision of credit, like telecommunications companies. The existence of regulatory schemes, for that particular sector, that overlap with the new credit reporting rules and the ‘Australian link’ requirement have the potential to create regulatory burdens that exceed the benefits they seek to achieve. The strengthening of privacy protections to balance the move to more comprehensive credit reporting is welcomed by consumer advocates who consider, however, that the balance is tipped too much in favour of the credit sector. While there is unlikely to be agreement about the appropriate balance, it ought to be observed that increasing the amount of personal information in the system may benefit not just credit providers but borrowers too through the promotion of more responsible lending. On one view, this consideration may have been given insufficient weight by those resisting the expansion of personal information in the system.
Finally, it is worth noting that this Bill is only the first of the Government’s two-staged response to the ALRC report on privacy and generally its focus is on the less controversial ALRC recommendations. The more complex, sensitive and arguably more significant recommendations relating to the removal of exemptions, data breach notices, and a possible statutory tort of privacy have yet to be considered by the Government. Given the four year time-frame between the introduction of this Bill and the original ALRC report, it would seem unlikely that the second Bill will be introduced in the life of this Parliament.
Members, Senators and Parliamentary staff can obtain further information from the Parliamentary Library on (02) 6277 2438 or (02) 6277 2795.
[1]. The rationale for the delayed commencement is to allow industry and government agencies nine months to review and update their privacy policies and practices.
[2]. Privacy Amendment (Private Sector) Act 2000 which came into effect on 21 December 2001.
[3]. Apart from the ALRC report (see footnote 4) there was: Senate Legal and Constitutional References Committee, The real big brother, Inquiry into the Privacy Act 1988, 2005. Office of the Privacy Commissioner, Getting in on the
Act: the review of the private sector provisions of the Privacy Act 1988, 2005.
[5]. Ibid., paragraph 1.1.
[8]. Ibid., paragraph 2.20.
[9]. Of these 197 recommendations, the Government accepted 141 recommendations either in full or in principle; accepted 34 recommendations with qualification; did not accept 20 recommendations and noted two recommendations.
[18]. Ibid., pp. 121–133.
[19]. Ibid., recommendation 20, p. 119.
[32]. Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p. 5.
[33]. Australian Privacy Foundation, op. cit., p. 2.
[34]. The definition of ‘agency’ includes, amongst other things a Minister or a Department (subsection 6(1)). An ‘organisation’ is defined to mean an individual, a body corporate, a partnership or any other unincorporated association or a trust, that is not a small business operator, a registered political party, an agency, a state or territory authority, or a prescribed instrumentality of a state or territory (section 6C).
[35]. Explanatory Memorandum, p. 55.
[38]. Item 23 of Schedule 1 of the Bill will insert a definition of ‘government related identifier’ into subsection 6(1) of the Privacy Act. Government related identifiers are specifically assigned by one of a range of specifically listed government-related bodies (in paragraphs (a)-(d) of the definition) and are used to identify an individual or verify the identity of the individual. The definition extends to state and territory authorities as well as Commonwealth agencies. Examples of government related identifiers include Medicare numbers and driver’s licence numbers. Explanatory Memorandum, p. 59.
[39]. Item 29 of Schedule 1 of the Bill inserts a definition of ‘misconduct’ into subsection 6(1) of the Privacy Act. It includes fraud, negligence, default, breach of trust, breach of discipline or any other misconduct in the course of duty.
[40]. For example, the Australian Privacy Foundation, op. cit., p. 11.
[41]. Senate Legal and Constitutional Affairs Legislation Committee, op. cit., recommendation 8, p. 110.
[42]. Victorian Privacy Commissioner, op. cit., p. 8.
[43]. Senate Legal and Constitutional Affairs Legislation Committee, op. cit., recommendation 9, p. 110.
[44]. Explanatory Memorandum, pp. 69–70.
[45]. Law Council of Australia, op. cit., p. 11.
[46]. Australian Privacy Foundation, op. cit., p. 11.
[48]. Items 16–19 of Schedule 1 of the Bill amend the definition of ‘enforcement body’ in subsection 6(1) of the Privacy Act to add: CrimTrac Agency; the Immigration Department; the Office of the Director of Public Prosecutions or its state equivalents; and the Corruption and Crime Commission of Western Australia.
[50]. Explanatory Memorandum, p. 75.
[51]. Law Council of Australia, op. cit., p. 6.
[52]. Office of the Australian Information Commissioner, op. cit., p. 15.
[57]. Senate Legal and Constitutional Affairs Legislation Committee, op. cit., recommendation 6, p.109.
[58]. The Explanatory Memorandum at page 78 explains that the reference to information ‘contained in a Commonwealth record’ ensures that the requirements on agencies to retain such information under the Archives Act will override the APP 4 destruction or de-identification requirements.
[59]. Section 7A of the Privacy Act provides that an act or practice of an agency may be treated as an act or practice of an organisation if the agency engages in commercial activities.
[60]. Explanatory Memorandum, p. 82.
[61]. Australian Privacy Foundation, op. cit., p. 16.
[62]. Law Council of Australia, op. cit., p. 10.
[64]. Australian Direct Marketing Association, op. cit., p. 5.
[65]. Senate Legal and Constitutional Affairs Legislation Committee, op. cit., recommendation 2, p. 106.
[66]. Australian Direct Marketing Association, op. cit., pp. 6–7.
[67]. Senate Legal and Constitutional Affairs Legislation Committee, op. cit., p. 29.
[69]. Australian Privacy Foundation, op. cit., p. 17.
[70]. Senate Legal and Constitutional Affairs Legislation Committee, op. cit., recommendation 3, p.107.
[71]. See above at p. 16. Proposed section 16C provides further obligations and has the effect that an APP entity disclosing personal information to an overseas recipient would in some cases be liable for the acts and practices of an overseas recipient who breaches the APPs.
[72]. Victorian Privacy Commissioner, op. cit., p. 9. The Victorian Privacy Commissioner is of the view that storing information in the cloud in certain jurisdictions that do not have equivalent privacy laws could amount to a data security issue.
[73]. For further background on these approaches see the Explanatory Memorandum, p. 70.
[74]. Explanatory Memorandum, p. 83.
[75]. Victorian Privacy Commissioner, op. cit., p. 9.
[77]. Senate Legal and Constitutional Affairs Legislation Committee, op. cit., recommendation 4, p. 108.
[78]. Ibid., recommendation 5, p. 108.
[79]. Australian Direct Marketing Association, op. cit., p. 2.
[80]. Law Council of Australia, op. cit., p. 10.
[84]. The term ‘government related identifier’ is defined in item 23 of Schedule 1 of the Bill. See footnote 34 above.
[85]. Victorian Privacy Commissioner, op. cit., p. 10.
[86]. See footnote 34 above.
[87]. For example, if an APP entity is an agency it may not charge an individual for access to personal information. In other cases the charge must not be excessive and cannot apply to the making of the request.
[88]. Explanatory Memorandum, p. 88.
[91]. Explanatory Memorandum, p. 14.
[92]. See section 18E of the Privacy Act. ‘Serious credit infringement’ is defined at length in section 6 of the Privacy Act.
[93]. Australian Law Reform Commission, For your information: Australian privacy law and practice, ALRC report 108, 12 August 2008, Recommendations 55-1 to 55-5, viewed 19 October 2012, http://www.alrc.gov.au/publications/List%20of%20Recommendations/part-g%E2%80%94credit-reporting-provisions
[99]. Australian Privacy Foundation, op. cit., p. 23.
[102]. Ibid., p. 7 op. cit., p. 3.
[103]. Op. cit., footnote 93.
[104]. The definition of ‘serious credit infringement’ is set out at subsection 6(1) of the Privacy Act.
[111]. Explanatory Memorandum, p. 8.
[112]. CACL, op. cit. p. 3.
[113]. Australian Privacy Foundation, op. cit., p. 24.
[117]. Paraphrased, the definition of ‘Australian link’ in subsection 5B(2) of the Privacy Act, after amendment by items 4 and 5 of Schedule 4 of this Bill, would be ‘an organisation or small business operator has an Australian link if the organisation or operator is an Australian citizen; or a partnership, trust, body corporate formed, created or incorporated, as the case may be, in Australia or an external territory; or an unincorporated association that has its central management and control in Australia or an external territory; or if it carries on business in Australia or an external territory and the relevant personal information was collected or held by the organisation or operator in Australia or an external territory, either before or at the time of the act or practice’. [I changed this as all the conditions in 5B(3) need to be met]
[118]. Telstra, op. cit., p. 1.
[119]. Optus, op. cit., p. 8.
[120]. Law Council of Australia, op. cit., p. 14.
[123]. Telstra, op. cit., p. 2.
[125]. Optus, op. cit., p. 5.
[129]. Australian Privacy Foundation, op. cit., p. 35.
[130]. An APP code developer is defined by proposed additions to subsection 6(1) (inserted by item 2 of Schedule 3) as:
(a) an APP entity
(b) a group of APP entities or
(c) a body or association representing one or more APP entities.
[132]. Telstra, op. cit., p. 4.
[133]. Explanatory Memorandum, p. 218.
[134]. Office of the Australian Information Commissioner, op. cit., p. 17.
[135]. Explanatory Memorandum, p. 224.
[136]. Section 4AA of the Crimes Act 1914 provides that a ‘penalty unit’ is currently equal to $110. Section 4B of the Crimes Act allows the imposition on a corporation of a pecuniary penalty that is up to five times the maximum penalty that may be imposed on an individual.
[137]. Explanatory Memorandum, p. 226–227.
[140]. More specifically, item 78 will amend subsection 40(2) by inserting the phrase ‘on the Commissioner’s own initiative’ in relation to the Commissioner’s investigation under that subsection of acts or practices. Item 79 will amend paragraph 40(2)(a) by adding a breach of APP 1 to the circumstances in which the Commissioner may investigate an act or practice on his or her own initiative.
[141]. The Australian Privacy Foundation, op. cit., p. 6.
For copyright reasons some linked items are only available to members of Parliament.
© Commonwealth of Australia
Creative Commons
With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.
In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.
To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.
Inquiries regarding the licence and any use of the publication are welcome to webmanager@aph.gov.au.
Disclaimer: Bills Digests are prepared to support the work of the Australian Parliament. They are produced under time and resource constraints and aim to be available in time for debate in the Chambers. The views expressed in Bills Digests do not reflect an official position of the Australian Parliamentary Library, nor do they constitute professional legal opinion. Bills Digests reflect the relevant legislation as introduced and do not canvass subsequent amendments or developments. Other sources should be consulted to determine the official status of the Bill.
Feedback is welcome and may be provided to: web.library@aph.gov.au. Any concerns or complaints should be directed to the Parliamentary Librarian. Parliamentary Library staff are available to discuss the contents of publications with Senators and Members and their staff. To access this service, clients may contact the author or the Library‘s Central Entry Point for referral.