September 2014

Privacy Act changes in effect

by Krystal Belcher, KT Journalism

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 has made many significant changes to the Privacy Act 1988.

The changes began on March 12. Perth, WA, barrister Jason Raftos spoke to Resolve about the amendments’ impact on the insurance industry.

The amendments “significantly affect how private and public sector entities collect and handle personal information”, he said.

The most significant changes were the Office of the Australian Information Commissioner’s (OAIC) ability to fine businesses up to $1.7 million; a new credit reporting regime; obligations when sending information across borders; and the quantum of civil penalties for private companies responsible for “significant breaches”.

Mr Raftos said there was “a lot of hype” about the amendments, but the industry was prepared and given plenty of information on how best to handle them. There was lots of consultation among industry stakeholders before the changes were enacted.

In June 2010, the Federal Government released exposure drafts of the amendment legislation in response to an Australian Law Reform Commission (ALRC) report. The exposure draft included draft Australian Privacy Principles (APPs) and credit reporting provisions. On June 24, 2010, the Senate referred the draft legislation to the Senate Finance and Public Administration Committee for an inquiry and report.

On September 23, 2011, the Federal Government released an issues paper on the right to sue for serious invasions of personal privacy, titled A Commonwealth statutory cause of action for serious invasion of privacy.

The paper invited comments to inform the government’s response to the ALRC report, which recommended introducing a statutory cause of action for serious invasions of privacy.

In November 2011, OAIC made a submission on the issues paper and on May 23, 2012, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 was introduced into federal parliament. It reflected elements of the government’s first stage response to the ALRC report.

It was referred to the House Standing Committee on Social Policy and Legal Affairs and the Senate Legal and Constitutional Affairs Legislation Committee.

The bill passed through parliament with amendments on November 29, 2012, and received royal assent on December 12.

The new privacy regime now includes a set of 13 harmonised privacy principles that regulate handling of personal information by Australian and Norfolk Island Government agencies and most private sector organisations.

The APPs replace Information Privacy Principles that applied to Australian Government agencies and National Privacy Principles that applied to private sector organisations.

Several APPs are significantly different from the previous principles, including APP 7 on the use and disclosure of personal information for direct marketing, and APP 8 on cross-border disclosure of personal information.

“Dealing with the amendments is about having the right processes implemented and keeping up to date with record-keeping and audits,” Mr Raftos said.

“It is also important to review contracts for services provided and ensure due diligence, particularly [for] cross-border disclosures.”

OAIC has released APP guidelines outlining the APPs’ mandatory requirements, how OAIC interprets them, and matters OAIC may take into account when exercising its functions and powers.

The information commissioner has greater powers than did the former privacy commissioner, including the ability to accept enforceable undertakings; seek civil penalties for serious or repeated privacy breaches; and conduct assessments of privacy performance.

“OAIC went out of its way to help people with practical guidance,” Mr Raftos said.

Civil penalties for significant breaches are up to $1.7 million for businesses and $340,000 for individuals. Mr Raftos said the penalties were “rather large”.

The new credit reporting regime means credit reporting bodies can now collect ‘positive’ data about individuals, including repayment history information. It also provides significant new protections for individuals’ credit information, including a strengthened complaint process.

But Mr Raftos said the new legislation was lacking in some areas. “There were some issues that were not looked at but perhaps should have been.”

Elements that were not amended included principles for employee records exemptions, related bodies corporate exemptions and related federal laws.

Mr Raftos said some organisations fell outside the APPs’ application; for example, there were some exceptions for small businesses with annual turnovers of less than $3 million.

“I can see both positives and negatives to the changes. On one hand, it could be a concern for businesses because it’s another compliance requirement. But, on the other hand, the changes are important because information is much more valuable now than it was before,” Mr Raftos said.

In a Privacy Amendment Act report card, Gold Seal Practice Management managing director Sheila Baker said some businesses were still sorting through the requirements.

“Many larger companies in Australia had people working for months to ensure they were ready for the new Act. In contrast, it appears most intermediaries are in catch-up mode after looking at this shortly before March 12 and suddenly realising how much work complying entailed.”

She said compliance was an ongoing process and every time businesses changed their websites, insurers or software or took on new clients, they needed to consider whether a privacy policy update was required.

Ms Baker advised senior management to conduct regular reviews. “Even with the best procedures there is a likelihood a privacy breach could occur at some stage, so it is sound risk management to develop a plan for how to deal with a breach.”