Transcript Privacy law reform for APP entities (organisations)

Privacy law reform for
APP entities (organisations)
Protecting information rights – advancing information policy
Privacy Awareness Week
www.oaic.gov.au
Asia Pacific Privacy Authorities
What does the Privacy Act cover?
Privacy Act 1988 provides for the protection of an
individual’s personal information
Privacy Act contains provisions that deal with:
–
–
–
–
‘personal information’
‘sensitive information’ (such as health information)
tax file numbers
credit information
Privacy law reform — outline
• Privacy Amendment (Enhancing Privacy Protection)
Act 2012
• New Australian Privacy Principles (or APPs)
• Enhanced powers of the Commissioner
• How to prepare for the changes
Australian Privacy Principles
• 13 new APPs to replace IPPs and NPPs
– Single set of principles which apply to both
public and private sectors
– Government agencies and organisations are
referred to as ‘APP entities’
– Structured to reflect the information life
cycle — collection, use and disclosure, quality
and security, access and correction
– Permitted general situation
APP 1 — Open and transparent
management of personal information
• Organisations must have a clearly expressed
and up to date privacy policy
• Organisations must take reasonable steps to
implement processes that will ensure that the
organisation complies with the APPs
APP 2 — Anonymity and
pseudonymity
• Allows individuals to interact with organisations by
not identifying themselves
• Permits the individual to use a pseudonym
• Exceptions apply, such as where it is impracticable
for the organisation to deal with an unidentified
individual
APP 3 – Collection of personal and
sensitive information
• Outlines obligations relating to the collection of
personal and sensitive information
• Collection must be ‘reasonably necessary’ for one or
more of an organisation’s functions or activities
• Higher standards for collection of sensitive
information. Some exceptions apply
APP 4 — Dealing with unsolicited
personal information
• New principle for handling unsolicited personal
information
• Establish if the information could have been
collected under APP 3
• Destroy or de-identify the information if it could not
have been collected under APP 3
APP 5 — Notification of collection
• Outlines the matters an organisation is required to
inform an individual of when the organisation
collects their personal information. These matters
include:
–
–
–
–
–
–
Who the organisation is and how to contact it
The purpose(s) of the collection
Any collections from third parties
Consequences of non-collection
Complaint handling process
Potential overseas disclosure
APP 6 — Use or disclosure
• Deals with use and disclosure of personal
information
• New additional limited exceptions, to permit use or
disclosure for secondary purpose:
– Locate missing person
– Establish, exercise or defend a legal equitable claim
– Confidential alternative dispute resolution
APP 7 – Direct marketing
• New principle dedicated to direct marketing
• Prohibits the use or disclosure of personal
information for direct marketing purposes, except in
specified circumstances
• Subject to the operation of other direct marketing
legislation, eg the Spam Act 2003
APP 8 – Cross border disclosure
• Introduces an accountability approach for crossborder disclosure
• Organisations must take reasonable steps to ensure
overseas recipients do not breach APPs
• Organisations may be accountable for a breach of
APPs by overseas recipients
• Exceptions apply
APP 9 — Adoption, use or disclosure
of government related identifiers
• ‘Identifiers’ and ‘government related identifier’
defined under s 6 of the Privacy Act
• Prohibits an organisation from adopting, or using a
government related identifier, unless an exception
applies
• Generally replicates the exceptions under National
Privacy Principle 7, with some additions
APP 10 — Quality
• Requires an organisation to take reasonable steps
to ensure personal information it collects, uses or
discloses is:
– Accurate
– Up-to-date
– Complete
• An organisation should ensure that personal
information that it uses or discloses is also
relevant for the purpose of the use or disclosure
APP 11 — Security
• Similar to NPP 4
• Inclusion of ‘interference’
– an organisation must take reasonable steps to protect
personal information it holds from misuse, interference
and loss, and from unauthorised access, modification or
disclosure
• New exceptions to the requirement to destroy or deidentify personal information that is no longer
needed
APP 12 — Access
• Organisations are required to respond to requests for
access of personal information within a reasonable
timeframe
• Access should be provided in the requested manner
(where reasonable and practicable)
• Written reasons for the refusal and complaint
mechanism
• Any charges for access to personal information must
not be excessive, and must not apply to the making
of the request
APP 13 — Correction
• Organisations required to take ‘reasonable steps’ to
correct personal information to ensure that it is
accurate, up-to-date, complete, relevant and not
misleading, if either:
– organisation satisfied it needs to be corrected, or
– individual requests correction
• Statement required if organisation refuses to correct
and individual requests statement
• Organisation must respond within reasonable period
• Written reasons for refusal and complaint mechanism
Commissioner’s new powers
• Performance assessments
• Code making powers
• Ability to make a determination to
resolve OMIs
• Enforceable undertakings
• Civil penalty orders
• Ability to direct Privacy Impact
Assessment to be conducted
OAIC guidance and resources
Stay in touch
• Privacy Connections
– Join: [email protected]
• Privacy law reform breaking news available
– Web & RSS: oaic.gov.au
• Follow us on social media
– Twitter: twitter.com/OAICgov and during PAW #2013PAW
– Facebook: facebook.com/OAICgov
– YouTube: youtube.com/user/OAICgov