This article covers the Australian Privacy Amendment Act, New Australian Privacy Principles, and Commissioner's powers. It explains the 13 principles organizations must adhere to for managing personal information.
CHARTERED SECRETARIES AUSTRALIA New Privacy Laws 6 June 2013
Introduction • The changes • Future reform
Malte Spitz “The fall of the Berlin Wall would never have happened if the Stasi had known what the mobile companies know now.”
What are the changes? • Privacy Amendment (Enhancing Privacy Protection) Act 2012 • New Australian Privacy Principles (APPs) • Powers of the Commissioner
APP 1 – Open and transparent management of personal information • Organisations must have a privacy policy that is clear and current • Organisations must take reasonable steps to comply with the APPs
APP 2 – Anonymity and pseudonymity • Individuals may interact with organisations anonymously or using a pseudonym • There are exceptions
APP 3 – Collection of personal and sensitive information • Collection of personal information must be reasonably necessary for the organisation’s functions or activities • Collection of sensitive information must be reasonably necessary for the organisation’s functions or activities and the individual must consent to the collection of the information
APP 4 – Dealing with unsolicited personal information • Would the organisation have been entitled to collect the information under APP 3? • If not, the information must be destroyed or de-identified
APP 5 – Notification of collection • Organisations must tell individuals certain things when personal information is collected, including: • Who the organisation is and how to contact it • The purpose(s) of the collection • Consequences of non-collection • Complaint handling process • Potential overseas disclosure
APP 6 – Use or disclosure • Outlines the circumstances in which an organisation may use or disclose the personal information that it holds about an individual. • Limited exceptions to permit use or disclosure for some secondary purposes.
APP 7 – Direct marketing • Personal information must not be used for direct marketing except in the specified circumstances • Does not limit other laws about direct marketing
APP 8 – Cross border disclosure • Organisations must take reasonable steps to ensure overseas recipients do not breach the APPs • Subject to some exceptions, organisations can be liable for breaches by overseas recipients
APP 9 – Adoption, use or disclosure of government related identifiers • Subject to some exceptions, organisations must not adopt, use or disclose government related identifiers
APP 10 – Quality • Organisations must take reasonable steps to ensure the personal information they collect, use or disclose is accurate, up-to-date and complete • Organisations must also ensure that personal information that is used or disclosed is relevant to the purpose of the use or disclosure
APP 11 – Security • Organisations must take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure • Subject to some exceptions, personal information that is no longer needed must be destroyed or de-identified
APP 12 – Access • Organisations must meet certain standards when asked for access to personal information • Within a reasonable timeframe • In the requested manner • If refused, reasons to be provided • Complaint mechanism • Charges must not be excessive
APP 13 – Correction • Organisations must take reasonable steps to correct personal information to ensure it is accurate, up-to-date, relevant and not misleading • Statement required if organisation refuses to correct information and the individual requests it
Future reform • A statutory cause of action for breach of privacy?
Single parent’s pension • Rent subsidy • Subsidised school fees • Subsidised child care fees • $55,000 judgment for fraud