CHARTERED SECRETARIES AUSTRALIA
New Privacy Laws
6 June 2013
• Introduction
• The changes
• Future reform
Malte Spitz
“The fall of the Berlin Wall would never have happened if the Stasi had known what the mobile companies know now.”
What are the changes?
• Privacy Amendment (Enhancing Privacy Protection) Act 2012
• New Australian Privacy Principles (APPs)
• Powers of the Commissioner
APP 1 – Open and transparent management of personal information
• Organisations must have a privacy policy that is clear and current
• Organisations must take reasonable steps to comply with the APPs
APP 2 – Anonymity and pseudonymity
• Individuals may interact with organisations anonymously or using a pseudonym
• There are exceptions
APP 3 – Collection of personal and sensitive information
• Collection of personal information must be reasonably necessary for the organisation’s functions or activities
• Collection of sensitive information must be reasonably necessary for the organisation’s functions or activities and the individual must consent to the collection of the information
APP 4 – Dealing with unsolicited personal information
• Was the organisation entitled to collect the information under APP 3?
• If not, the information must be destroyed or de-identified
APP 5 – Notification of collection
• Organisations must tell individuals certain things when personal information is collected, including:
  – Who the organisation is and how to contact it
  – The purpose(s) of the collection
  – Consequences of non-collection
  – Complaint handling process
  – Potential overseas disclosure
APP 6 – Use or disclosure
• Outlines the circumstances in which an organisation may use or disclose the personal information that it holds about an individual.
• Limited exceptions to permit use or disclosure for some secondary purposes.
APP 7 – Direct marketing
• Personal information must not be used for direct marketing except in the specified circumstances
• Does not limit other laws about direct marketing
APP 8 – Cross border disclosure
• Organisations must take reasonable steps to ensure that overseas recipients do not breach the APPs
• Subject to some exceptions, organisations can be liable for breaches by overseas recipients
APP 9 – Adoption, use or disclosure of government related identifiers
• Subject to some exceptions, organisations must not adopt or use government related identifiers
APP 10 – Quality
• Organisations must take reasonable steps to ensure that the personal information they collect, use or disclose is accurate, up-to-date and complete
• Organisations must also ensure that personal information that is used or disclosed is relevant to the purpose of the use or disclosure
APP 11 – Security
• Organisations must take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure
• Subject to some exceptions, personal information that is no longer needed must be destroyed or de-identified
APP 12 – Access
• Organisations must meet certain standards when asked for access to personal information:
  – Within a reasonable timeframe
  – In the requested manner
  – If refused, reasons to be provided
  – Complaint mechanism
  – Charges must not be excessive
APP 13 – Correction
• Organisations must take reasonable steps to correct personal information to ensure it is accurate, up-to-date, relevant and not misleading
• Statement required if organisation refuses to correct information and the individual requests it
Future reform
• A statutory cause of action for breach of privacy?
• Single parent’s pension
• Rent subsidy
• Subsidised school fees
• Subsidised child care fees
• $55,000 judgment for fraud