The Federal Government has taken its first step in implementing its reforms to Australia's privacy laws with the release of the draft legislation for a new set of privacy principles, to be known as the Australian Privacy Principles (APPs).
The APPs will replace the existing National Privacy Principles (NPPs, which apply to the private sector) and the Information Privacy Principles (IPPs, which apply to the Commonwealth public sector).
Key areas affected by the new Australian Privacy Principles
Key areas affected are:
- privacy policies and privacy collection statements - additional details will need to be included in privacy policies and privacy collection statements;
- direct marketing - a new privacy principle will specifically regulate the use and disclosure of personal information for direct marketing;
- disclosures overseas - entities that disclose personal information to overseas recipients will be accountable for privacy breaches by the overseas recipients (subject to some exceptions); and
- privacy compliance - entities will be specifically required to take reasonable steps to implement practices, procedures and systems which ensure privacy compliance. This includes a shift to a "privacy by design" approach, meaning that privacy and data protection must be considered in the design of new information systems.
The new direct marketing principle in the proposed APPs is designed to place extra limitations on private sector organisations that use or disclose personal information for direct marketing.
Under the existing NPPs, privacy protections only apply where the personal information was not collected for the primary purpose of direct marketing. If an organisation collects personal information for the primary purpose of direct marketing (even without the knowledge of the relevant individual), the organisation can use and disclose the personal information for that purpose (although other laws, such as the laws concerning spam and the Do Not Call Register, may also apply). The direct marketing principle in the APPs however will apply regardless of the primary purpose for which the information was collected.
Under the proposed new direct marketing principle, use or disclosure of sensitive information (such as health information or information about a person's membership of a professional or trade association) for direct marketing will be prohibited unless the relevant individual has consented.
In the case of other (non-sensitive) personal information, organisations will be permitted to use the personal information for direct marketing if it was collected directly from the individual and the individual would reasonably expect the organisation to use or disclose the information for direct marketing. Organisations will also be required to provide a simple and effective opt-out.
If the individual would not reasonably expect his or her personal information to be used or disclosed for direct marketing, or the information is collected from a third party (rather than directly from the relevant individual), the individual's consent will be required unless it is impracticable to obtain that consent. Organisations will also need to prominently draw attention to the opt-out in these circumstances.
Individuals will have the ability to opt out of direct marketing and to request details of an organisation's source of their personal information.
The application of the new direct marketing principle will be subject to the laws relating to spam and the Do Not Call Register.
The draft of the APPs and an accompanying companion guide have been referred to a Senate Committee for review, with a report due on 21 September 2010.
The Government has flagged that there will be further privacy reforms in the near future:
- comprehensive credit reporting and enhanced protections for credit reporting information;
- further protections for sharing health information and the ability to use personal information to facilitate research in the public interest; and
- changes to the Privacy Commissioner's powers and functions.