Reforms to the Privacy Act 1988
On 17 September 2012 the House of Representatives passed important reforms to the Privacy Act 1988. Key reforms include expanded powers of the Australian Information Commissioner and a new set of 13 Australian Privacy Principles (APPs) to replace the current Information Privacy Principles for the public sector and National Privacy Principles for the private sector.
The APPs are high-level principles that set out standards, rights and obligations in relation to the handling and maintenance of personal information. The APPs broadly follow the form and content of the exposure draft APPs, but contain a number of changes.
Significant changes to the Privacy Act create additional obligations
The significant changes include:
- changes to how personal information may be sent outside of Australia, including a general obligation on organisations, before disclosing personal information to an overseas recipient, to take reasonable steps to ensure the overseas recipient does not breach the APPs (subject to specified exceptions)
- requiring that sensitive information may (subject to certain exceptions) only be collected by an organisation if the individual has consented to the collection and the information is reasonably necessary for one or more of the organisation’s functions or activities
- creating an obligation on organisations, where personal information is corrected, to take reasonable steps to notify any other entity to which it had previously disclosed the information, if that notification is requested by an individual.
While the changes listed above are the most significant affecting the private sector, we encourage you to refer to the Bill for a complete understanding of all of the changes that will be implemented by the APPs.
Increased powers of the Australian Information Commissioner
The reforms will also enhance the powers of the Australian Information Commissioner to improve the Commissioner’s ability to resolve complaints, conduct investigations and promote privacy compliance. A key change will include the ability of the Commissioner to accept written undertakings from organisations that they will take, or refrain from taking, specific action to ensure compliance with the Privacy Act. This will allow organisations to take active responsibility for actions which might otherwise result in a court-based outcome. The Commissioner will also receive new powers to direct an organisation to prepare a privacy impact assessment for particular projects or programs.
What organisations should do now
Should the Bill pass the upper house, which may occur this year, the proposed reforms to the Privacy Act will have a significant impact on the regulatory framework governing how personal information is collected and handled by Australian organisations. The private sector should be aware of the proposed changes and be seeking advice on how the reforms will affect existing privacy policies and procedures and contractual arrangements to ensure compliance. These regulatory changes will likely require changes to an organisation’s policies and, potentially, existing contractual arrangements. Once the Bill passes the upper house, organisations will need to act to ensure compliance when the amendments to the Privacy Act become effective. We will keep you informed of the Bill's progress.