02 July 2010

Privacy reforms: Government releases draft of new Australian Privacy Principles

The Federal Government has taken its first step in implementing its reforms to Australia's privacy laws with the release of the draft legislation for a new set of privacy principles, to be known as the Australian Privacy Principles (APPs).

The APPs will replace the existing National Privacy Principles (NPPs, which apply to the private sector) and the Information Privacy Principles (IPPs, which apply to the Commonwealth public sector).

Key areas affected by the new Australian Privacy Principles

Key areas impacted are:

  • privacy policies and privacy collection statements - additional details will need to be included in privacy policies and privacy collection statements;
  • direct marketing - a new privacy principle will specifically regulate the use and disclosure of personal information for direct marketing;
  • disclosures overseas - entities that disclose personal information to overseas recipients will be accountable for privacy breaches by the overseas recipients (subject to some exceptions); and
  • privacy compliance - entities will be specifically required to take reasonable steps to implement practices, procedures and systems which ensure privacy compliance. This includes a shift to a "privacy by design" approach, meaning that privacy and data protection must be considered in the design of new information systems.

Direct marketing

The new direct marketing principle in the proposed APPs is designed to place extra limitations on private sector organisations that use or disclose personal information for direct marketing.

Under the existing NPPs, privacy protections only apply where the personal information was not collected for the primary purpose of direct marketing. If an organisation collects personal information for the primary purpose of direct marketing (even without the knowledge of the relevant individual), the organisation can use and disclose the personal information for that purpose (although other laws, such as the laws concerning spam and the Do Not Call Register, may also apply). The direct marketing principle in the APPs, however, will apply regardless of the primary purpose for which the information was collected.

Under the proposed new direct marketing principle, use or disclosure of sensitive information (such as health information or information about a person's membership of a professional or trade association) for direct marketing will be prohibited unless the relevant individual has consented.

In the case of other (non-sensitive) personal information, organisations will be permitted to use the personal information for direct marketing if it was collected directly from the individual and the individual would reasonably expect the organisation to use or disclose the information for direct marketing. Organisations will also be required to provide a simple and effective opt-out.

If the individual would not reasonably expect his or her personal information to be used or disclosed for direct marketing, or the information is collected from a third party (rather than directly from the relevant individual), the individual's consent will be required unless it is impracticable to obtain that consent. Organisations will also need to prominently draw attention to the opt-out in these circumstances.

Individuals will have the ability to opt out of direct marketing and to request details of an organisation's source of their personal information.

The application of the new direct marketing principle will be subject to the laws relating to spam and the Do Not Call Register.

What next?

The draft of the APPs and an accompanying companion guide have been referred to a Senate Committee for review, with a report due on 21 September 2010.

The Government has flagged there will be further privacy reforms in the near future:

  • comprehensive credit reporting and enhanced protections for credit reporting information;
  • further protections for sharing health information and the ability to use personal information to facilitate research in the public interest; and
  • changes to the Privacy Commissioner's powers and functions.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states and territories.