There has been a mixed reaction from the ICT industry to amendments to the Privacy Act with some organisations welcoming the changes while others say more work needs to done on privacy issues.
The <i>Privacy Amendment (Enhancing Privacy Protection) Bill 2012</i> legislation was passed in Parliament this week and will give privacy commissioner Timothy Pilgrim more powers, including the right to seek civil penalties in the case of serious breaches of privacy.
The legislation also permits the commissioner to conduct assessments of privacy performance for both Australian government agencies and private companies.
The reforms introduce a single set of privacy principles called the Australian Privacy Principles (APPs) and a number of changes to how personal information is handled, including when it can be used for direct marketing and sent overseas.
Communications Alliance CEO John Stanton praised Attorney General Nicola Roxon and her staff for working with the ICT industry to come up with a successful conclusion to resolving what he called the "Australian Link" issue.
This issue is the introduction of provisions restricting the ability of credit card providers to disclose credit eligibility to entities that do not have a presence in Australia.
“The prohibition on disclosure of any credit-related information to organisations that do not have an Australian link would have major impacts for companies with existing offshore call centres and data processing facilities,” Stanton said in a statement.
The Association for Data-driven Marketing & Advertising (ADMA)'s CEO Jodie Sangster also welcomed the amendments but said she was “disappointed” that the opportunity to create a model privacy framework for the digital era had been missed.
"The government, opposition and parliamentary committees have produced a workable set of APPs including one for marketing, introducing positive credit reporting and updating the powers of the privacy commissioner,” Sangster said in a statement.
However, she added that were still important aspects relating to the use of social media and online channels that needed to be negotiated with privacy commissioner Timothy Pilgrim.
“We hope to develop codes and guidelines for digital and online platforms that will promote and enhance consumer protection and privacy whilst making privacy issues more manageable for business,” Sangster said.
ADMA had lobbied for amendments to the Bill on behalf of the Australian marketing and advertising industry.
- Removing the prohibition on direct marketing
- Reducing the requirement to include opt-out notices on all marketing communications
- Limiting the obligation to allow customers to engage under a pseudonym
- Re-configuring the requirement on transfer of data.
She added that that while this week's developments removed some of the uncertainty around changes to privacy laws, the government's intentions for mandatory data breach notification and a civil right to privacy were “still unknown.”
“Businesses have enough to deal with in ensuring they are complying with the new privacy law in 2013,” Sangster said.
“It would be beneficial to allow businesses to deal with the latest privacy changes before imposing yet more laws.”
Middletons partner Cameron Abbott who specialises in ICT law, advised that organisations that collect or hold information in Australia will need to change their practices to comply with the Privacy Bill before commencement in 15 months’ time.
He also said that the APPs replace the existing National Privacy Principles and Information Privacy Principles governing the collection, use, disclosure and maintenance of personal information by both public and private sector organisations.
For example, there have been changes with APP 1 which covers open and transparent management of personal information.
“APP 1 contains new obligations regarding data transparency, and specifies the information that must be included by organisations in their privacy policies,” he said in a statement.
“Organisations will need to specify how an individual can make a complaint about a breach of their privacy, whether the organisation is likely to disclose information overseas, and, if practicable, the locations in which personal information is likely to be held or disclosed.”
Turning to APP 5, which covers notification of the collection of personal information, he said that existing collection of personal information notification requirements will be expanded.
“Organisations will be required to disclose the circumstances in which they collected the information if not directly from the individual, whether they are likely to disclose the information overseas, and the location of any likely overseas disclosure."
Lastly, Abbott examined APP 8, which covers cross-border disclosure of personal information. Under this principle, organisations must take reasonable steps to ensure that the recipient of the information does not breach the APPs.
“Importantly, although organisations that meet this requirement will be permitted to disclose information lawfully, they may still be held liable for any breach of the APPs by the recipient and be penalised,” he said.
This article and the comments within it should not be construed as legal advice