The proposed amendments to the Privacy Act 1988 currently before the Australian Parliament will, when enacted, end complexity and confusion in the application of privacy laws by creating a single set of Australian Privacy Principles ("APP") that will apply to both Commonwealth agencies and private sector organisations.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 seeks to implement the Government's first stage response to the recommendations made by the Australian Law Reform Commission following its inquiry into Australian privacy laws by, amongst other things, amending the Privacy Act to consolidate the current Information Privacy Principles ("IPPs") and National Privacy Principles ("NPPs") into the APPs. The consolidation of the privacy principles, the cornerstone of the privacy protection framework of the Privacy Act 1988, will foster national and international consistency in privacy regulation and simplify the application of privacy laws.
As with the IPPs and NPPs, when enacted, the APPs will regulate the collection, holding, use and disclosure of personal information that is included in records. The APPs will apply to government agencies to which the IPPs currently apply and to private sector organisations to which the NPPs currently apply (collectively referred to as APP entities in the Bill).
Most of the APPs are based to some extent on the existing IPPs and NPPs. However, the APPs also include some significant changes from the IPPs and NPPs in order to keep pace with changing technology, emerging privacy issues and developments in privacy law in Australia and internationally.
We look at the first half in this edition, with the rest to be considered in the next edition of Insights.
APP 1 – Open and transparent management of personal information
APP 1 requires APP entities to manage personal information in an open and transparent way. This includes APP entities being required:
to take reasonable steps to implement practices, procedures and systems relating to the entity's functions or activities that will ensure that it will comply with the APPs; and
APP 1 is based on NPP 5. There is no current equivalent of APP 1 in the IPPs.
APP 2 – Anonymity and pseudonymity
Under APP 2, individuals must have the option of dealing with an APP entity anonymously or through the use of a pseudonym in relation to a particular matter unless:
the APP entity is required or authorised by or under an Australian law or a court/tribunal order to deal with individuals who have identified themselves; or
it is impracticable for the APP entity to deal with individuals who have not identified themselves.
APP 2 is based on NPP 8. Again, there is no current equivalent of APP 2 in the IPPs.
APP 3 – Collection of solicited personal information
APP 3 applies to personal information solicited by an APP entity. Under it:
if an APP entity is an agency, it must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity's functions or activities;
if an APP entity is an organisation, it must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the entity's functions or activities.
In relation to sensitive information (currently defined at section 6 of the Privacy Act and which includes information relating to racial or ethnic origin, political opinions, religious beliefs, sexual preferences and health information), an APP entity must not collect sensitive information about an individual unless:
An APP entity can solicit sensitive information in some cases without complying with APP 3.3, including where the collection is required or authorised by or under an Australian law or a court/tribunal order.
APP 3 is based on IPP 2 and NPP 1.
APP 4 – Dealing with unsolicited information
Where an APP entity receives personal information that it did not solicit, the entity must, within a reasonable period of time, determine whether or not it could have collected the information under APP 3 if the information had been solicited by the entity (APP 4.1).
Where the APP entity determines that it could not have collected the personal information and the information is not contained in a Commonwealth record, it must, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or de-identify it (APP 4.3).
If APP 4.3 does not apply to the personal information, then APPs 5-13 apply to the information as if it had been collected under APP 3.
There is no current IPP or NPP equivalent of APP 4.
APP 5 – Notification of collection of personal information
An APP entity collecting personal information must notify the individuals from whom it is collecting information of, or otherwise make them aware of, a number of matters set out at APP 5.2, at or before the time of collection. If that is not practicable, it must do so as soon as practicable after the collection. APP 5 is based on IPP 2 and NPP 1. The matters set out at APP 5.2 are generally matters currently listed in IPP 2 and NPP 1.
APP 6 – Use and disclosure of personal information
If an APP entity holds personal information about an individual that was collected for a particular purpose, the entity must not use or disclose it for another purpose unless:
APP 6 is based on IPP 10 and 11 and NPP 2. The exceptions at APP 6.2 and 6.3 are very similar to the exceptions set out at IPP 10 and 11 and NPP 2.
Next edition we'll look at the remaining APPs and, in particular, their effect on direct marketing.