Clayton Utz Insights

19 July 2012

The Australian Privacy Principles - one set of privacy principles to rule us all Part 2

By Avinesh Chand.

Key Points:

The new Australian Privacy Principles attempt to keep pace with changing technology, emerging privacy issues and developments in privacy law in Australia and internationally.

The proposed amendments to the Privacy Act 1988 currently before the Australian Parliament will, when enacted, end complexity and confusion in the application of privacy laws by creating a single set of Australian Privacy Principles ("APP") that will apply to both Commonwealth agencies and private sector organisations.

We've already looked at some of the changes to the Australian Privacy Principles in our last edition – this week, we'll finish our analysis and see how far these reforms have progressed.

APP 7 – Direct marketing

An organisation that holds personal information (other than sensitive information) about an individual must not use or disclose the information for the purpose of direct marketing unless:

  • the organisation collected the information from the individual; and
  • the individual would reasonably expect the organisation to use or disclose the information for that purpose; and
  • the organisation provides a simple means by which the individual may easily request not to receive direct marketing communications and the individual has not made such a request to the organisation (APP 7.2).

Where an organisation collects personal information (other than sensitive information) either from an individual who would not reasonably expect the organisation to use or disclose the information for the purpose of direct marketing, or from someone other than the individual, it may use or disclose the information for the purpose of direct marketing only if:

  • the individual has consented to the use or disclosure of the information for that purpose; or
  • it is impracticable to obtain this consent and:

(i) the organisation provides a simple way by which the individual may easily request not to receive the direct marketing communication; and

(ii) in each direct marketing communication, the organisation includes a prominent statement that the individual may make a request not to receive the direct marketing communication or otherwise draws the individual's attention to the fact that he/she may make such a request; and

(iii) the individual has not made such a request (APP 7.3).

An organisation may use or disclose sensitive information about an individual for the purpose of direct marketing only if the individual has consented to the use or disclosure of the information for that purpose (APP 7.4).

An individual may request an organisation that uses or discloses personal information about him/her for the purpose of direct marketing to disclose the source of that information. If he or she does, the organisation must notify the individual of its source, without charge and within a reasonable period, unless it is impracticable or unreasonable to do so (APP 7.6).

APP 7 is based on NPP 2.

APP 8 – Cross-border disclosure of personal information

Before an APP entity discloses personal information about an individual to an overseas recipient, it must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the information (APP 8.1).

There are exceptions, including:

  • where the APP entity reasonably believes that the overseas recipient of the information is subject to a law or binding scheme that has the effect of protecting the information in a way that is substantially similar to the way in which the APPs protect the information, and there are mechanisms that the individual can access to take action to enforce that law or binding scheme;
  • the disclosure is required or authorised by or under an Australian law or a court/tribunal order;
  • the entity is an agency and the disclosure of the information is required or authorised by or under an international agreement relating to information sharing by the APP entity.

APP 8 is based on NPP 9. There is no current IPP equivalent to APP 8.

APP 9 – Adoption, use or disclosure of government related identifiers

APP 9 provides that an organisation must not adopt a government related identifier of an individual as its own identifier of the individual unless this is required or authorised by or under Australian law or a court/tribunal order, or one of the circumstances set out in APP 9.2 applies. These include:

  • where the use or disclosure of the identifier is reasonably necessary for an organisation to verify the identity of an individual for the purposes of its activities or functions; or
  • to fulfil its obligations to an agency or a State or Territory organisation; or
  • the organisation reasonably believes that the use or disclosure of the identifier is reasonably necessary for one or more enforcement-related activities conducted by, or on behalf of, an enforcement body.

APP 9 is based on NPP 7.

APP 10 – Quality of personal information

APP 10 requires APP entities to take reasonable steps to ensure that personal information they collect, use or disclose is accurate, up-to-date, complete and relevant.

APP 10 is based on IPP 8 and NPP 3.

APP 11 – Security of information

APP entities must take reasonable steps to protect personal information that they hold from misuse, interference, loss and unauthorised access, modification or disclosure.

They must also take reasonable steps to destroy or de-identify personal information they hold if it is no longer needed for any purpose for which it may be used or disclosed, it is not contained in a Commonwealth record, and the entity is not required by or under an Australian law or a court or tribunal order to retain it.

APP 11.1 is based on IPP 4. There is no current equivalent of APP 11.2 in the IPPs, although it is generally followed by Commonwealth agencies as part of good record-keeping principles.

APP 12 – Access to personal information

APP entities that hold personal information about an individual must, on request by that individual, give the individual access to the personal information.

If an APP entity is an agency and it can refuse to give access to the requested personal information under the Freedom of Information Act 1982 or any other Commonwealth Act, it doesn't have to give access to the personal information under APP 12 to the same extent (APP 12.2).

APP 12.3 sets out circumstances in which an organisation may refuse to give access to an individual to personal information that is held by it – these generally mirror relevant exemptions in the FOI Act.

Agencies must respond to requests for personal information within 30 days after the request is made. Similarly, organisations are required to respond to requests for personal information within a reasonable period after the request is made (APP 12.4).

Agencies must not charge an individual either for making a request for access to their personal information or for giving access to that information (APP 12.7). By contrast, an organisation may charge for giving access, provided the charge is not excessive, but must not charge for the making of a request (APP 12.8).

APP 12.9 provides that where an individual's request for access to personal information is refused, the individual must be given reasons for the refusal, unless it would be unreasonable to do so, and must also be advised of the mechanisms available to complain about the refusal.

APP 12 is based on IPP 6 and NPP 6.

APP 13 – Correction of personal information

Where the individual to whom personal information relates asks an APP entity to correct it, the entity must take reasonable steps to correct the information so that, having regard to the purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading.

If an individual's amendment request is refused, he or she must be given reasons for the refusal unless it would be unreasonable to do so, and also advised of the mechanisms available to complain about the refusal (APP 13.3).

Agencies must respond to amendment requests within 30 days after the request is made (APP 13.5). Similarly, organisations are required to respond to amendment requests within a reasonable period after the request is made. APP entities must not charge for amendment requests or for correcting personal information.

APP 13 is based on IPP 7 and NPP 6.

Current progress of the Bill

The Bill was referred for consideration to the House Standing Committee on Social Policy and Legal Affairs on 24 May 2012. The Bill is also being currently considered by the Senate Legal and Constitutional Affairs Legislation Committee which is due to report on it on 14 August 2012.


For more information, contact...
Email: Avinesh Chand, Senior Associate
Tel: +61 2 9353 4657
Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.