Privacy & Data Protection 27 August 2008

Update - Privacy



Privacy law reform – what does it mean for your business?

What is the report about?

On 11 August 2008 the Special Minister of State, Senator John Faulkner, released the Australian Law Reform Commission (ALRC) Report “For Your Information: Australian Privacy Law and Practice”. This Report into Australian privacy law contains 295 recommendations and is over 2,700 pages in length. The Report considers overhauling the 20-year-old Federal Privacy Act, and also considers the way the Privacy Act interacts with other legislation and how regulation could be streamlined. The Report also recognises the major technology changes that have occurred since the introduction of the Privacy Act in 1988 and the implications those changes have had for business.

The Government has confirmed it will consider the Report in two stages. The first stage will focus on the revised Unified Privacy Principles (UPPs), health information, credit reporting regulations and educating people about the impact on privacy of new technology. The second stage will consider the removal of the current exemptions, data breach notifications and the recognition of an individual right to privacy.

One of the Government’s key issues is to increase education about privacy. The natural consequence of this will be that as individuals become more aware of their rights, they will seek to enforce them. Although the right to an action for serious breach of privacy is only being considered in the second stage, it is something businesses need to prepare for as consumers become more vigilant about use of their personal information.

What are the key recommendations?

Businesses need to review their operations in light of the key recommendations:

  • implementation of the UPPs;
  • introduction of laws to create national consistency;
  • rationalisation of exemptions including removal of the small business exemption, the employee records exemption, the political parties exemption and the journalism exemption;
  • review and restructure of the Office of the Privacy Commissioner to give the office further powers to enforce the Act;
  • mandatory data breach notification requirement where the privacy of an individual’s personal information has been breached;
  • more comprehensive credit reporting;
  • review of health information regulation; and
  • a statutory cause of action for serious invasion of privacy.

 

Will the changes apply to my business?

Many businesses would consider that the Privacy Act does not apply to them as they do not collect personal information. The Report proposes a slight change to the definition of the term “personal information”. It also notes that while an email address or an IP address is not of itself personal information, where an organisation collects information around that initial email address, at some point the organisation may hold personal information about an individual and be bound by the Privacy Act. Organisations may not realise that they hold personal information which is regulated. Given the increasing complexity of client relationship databases, it is likely that organisations will hold much more regulated personal information than they would first think.

The proposed UPPs are likely to be legislated within the next 12 to 18 months and to the extent they contain provisions not in the existing National Privacy Principles (NPPs), businesses should prepare to comply with them. While the UPPs generally mirror the existing NPPs, UPP6 on direct marketing deals far more closely with the use of information for direct marketing purposes. A business can now only use information for direct marketing if:

  • the individual would reasonably expect the organisation to use or disclose the information for the purpose of direct marketing; and
  • the organisation provides a simple and functional means by which the individual can opt out of receiving further direct marketing communications.

The proposed direct marketing UPP will have an impact on the way businesses use their customer databases and the care which they need to take to ensure functional unsubscribe provisions.

The other issue which will be significant for many businesses is the UPP on cross-border data flows. Given the trend towards outsourcing, this will affect organisations that outsource functions processing personal information. They will only be entitled to do this if they reasonably believe that the recipient of the information is subject to a law that effectively upholds privacy protections similar to the UPPs, if the individual consents to the transfer after being expressly advised of the consequence of providing consent, or if the organisation is required by law to transfer the information. This may cause organisations to review their existing outsourcing arrangements.

While the issue of consent is not addressed specifically in the UPPs, it is addressed in the Report, and it is suggested that the Office of the Privacy Commissioner will provide organisations with guidance on appropriate consent and on the circumstances in which bundled consent is appropriate. If consent is not properly obtained then the organisation will not have the benefit of the right to use and disclose the information in accordance with UPP5.

We will be providing seminars in relation to the more detailed operation of the proposals in the coming months.