CHARTERED SECRETARIES AUSTRALIA New Privacy Laws 6 June 2013


CHARTERED SECRETARIES AUSTRALIA

New Privacy Laws

6 June 2013


• Introduction

• The changes

• Future reform


Malte Spitz

“The fall of the Berlin Wall would never have happened if the Stasi had known what the mobile companies know now.”


• Introduction

• The changes

• Future reform


What are the changes?

• Privacy Amendment (Enhancing Privacy Protection) Act 2012

• New Australian Privacy Principles (APPs)

• Powers of the Commissioner


APP 1 – Open and transparent management of personal information

• Organisations must have a privacy policy that is clear and current

• Organisations must take reasonable steps to comply with the APPs


APP 2 – Anonymity and pseudonymity

• Individuals may interact with organisations anonymously or using a pseudonym

• There are exceptions


APP 3 – Collection of personal and sensitive information

• Collection of personal information must be reasonably necessary for the organisation’s functions or activities

• Collection of sensitive information must be reasonably necessary for the organisation’s functions or activities and the individual must consent to the collection of the information


APP 4 – Dealing with unsolicited personal information

• Was the organisation entitled to collect the information under APP 3?

• If not, the information must be destroyed or de-identified


APP 5 – Notification of collection

• Organisations must tell individuals certain things when personal information is collected, including:

  • Who the organisation is and how to contact it

  • The purpose(s) of the collection

  • Consequences of non-collection

  • Complaint handling process

  • Potential overseas disclosure


APP 6 – Use or disclosure

• Outlines the circumstances in which an organisation may use or disclose the personal information that it holds about an individual.

• Limited exceptions to permit use or disclosure for some secondary purposes.


APP 7 – Direct marketing

• Personal information must not be used for direct marketing except in the specified circumstances

• Does not limit other laws about direct marketing


APP 8 – Cross border disclosure

• Organisations must take reasonable steps to ensure overseas recipients do not breach the APPs

• Subject to some exceptions, organisations can be liable for breaches by overseas recipients


APP 9 – Adoption, use or disclosure of government related identifiers

• Subject to some exceptions, organisations must not adopt or use government related identifiers


APP 10 – Quality

• Organisations must take reasonable steps to ensure personal information they collect, use or disclose is accurate, up-to-date and complete

• Organisations must also ensure that personal information that is used or disclosed is relevant to the purpose of the use or disclosure


APP 11 – Security

• Organisations must take reasonable steps to protect personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure

• Subject to some exceptions, personal information that is no longer needed must be destroyed or de-identified


APP 12 – Access

• Organisations must meet certain standards when asked for access to personal information

  • Within a reasonable timeframe

  • In the requested manner

  • If refused, reasons to be provided

  • Complaint mechanism

  • Charges must not be excessive


APP 13 – Correction

• Organisations must take reasonable steps to correct personal information to ensure it is accurate, up-to-date, relevant and not misleading

• Statement required if organisation refuses to correct information and the individual requests it


• Introduction

• The changes

• Future reform


Future reform

• A statutory cause of action for breach of privacy?


• Single parent’s pension

• Rent subsidy

• Subsidised school fees

• Subsidised child care fees

• $55,000 judgment for fraud