CHAPTER 1
Introduction
Background and purpose of the Bill
1.1
On 23 May 2012, the Privacy Amendment (Enhancing Privacy Protection)
Bill 2012 (Bill) was introduced into the House of Representatives by the
Attorney‑General, the Hon. Nicola Roxon MP.[1]
On 19 June 2012, the Senate referred the Bill to the Legal and Constitutional
Affairs Legislation Committee (committee) for inquiry and report by 14 August
2012.[2]
The reporting date was subsequently extended to 25 September 2012.[3]
The House of Representatives passed the Bill on 17 September 2012,[4]
and the Bill was introduced into the Senate on 18 September 2012.[5]
1.2
The Bill amends the Privacy Act 1988 (Privacy Act) to implement
the Australian Government's first stage response to the 2008 Australian Law
Reform Commission's (ALRC) report, For Your Information: Australian Privacy
Law and Practice.[6]
According to the Explanatory Memorandum (EM), the Bill:
- creates the Australian Privacy Principles, a single set of
privacy principles applying to both Commonwealth agencies and private sector
organisations;
- introduces more comprehensive credit reporting with improved
privacy protections, and revises provisions relating to credit reporting;
- introduces new provisions on privacy codes and the credit
reporting code; and
- clarifies and improves the functions and powers of the Australian
Information Commissioner.[7]
1.3
The introduction of the Bill follows a number of reviews into
Australia's privacy legislation. In addition to the ALRC, reviews have, for
example, been conducted by the Office of the Privacy Commissioner (now the
Office of the Australian Information Commissioner)[8]
and the Senate Legal and Constitutional Affairs References Committee.[9]
In 2010-2011, the Senate Finance and Public Administration Legislation Committee
examined Exposure Drafts of the current Bill.[10]
1.4
In her second reading speech, the Attorney-General stated that the Bill
is one of the most significant developments in privacy law reform and will
bring Australia's privacy protection framework into the modern era.[11]
Overview of the Bill
1.5
The Bill contains six schedules, each of which proposes amendments
relating to a particular subject and associated matters (such as definitions):
- Schedule 1 – Australian Privacy Principles;
- Schedule 2 – Credit reporting;
- Schedule 3 – Privacy codes;
- Schedule 4 – Other amendments to the Privacy Act, including the
functions and powers of the Australian Information Commissioner;
- Schedule 5 – Consequential amendments to other Commonwealth Acts;
and
- Schedule 6 – Application, transitional and savings provisions.
1.6
Schedules 1 to 4 of the Bill amend the Privacy Act; Schedule 5 of the
Bill amends 55 other Commonwealth Acts; and Schedule 6 of the Bill sets out
provisions relating to both the Privacy Act and the 55 other Commonwealth Acts.
Australian Privacy Principles
1.7
Schedule 1 of the Bill abolishes the Information Privacy Principles,
which apply to the public sector, and the National Privacy Principles, which
apply to the private sector.[12]
It replaces them with the Australian Privacy Principles (APPs), which are
reproduced in Appendix 1 to this report.[13]
The APPs will be a single set of thirteen privacy principles with which
Commonwealth agencies and certain private sector organisations (APP
entities) must comply as relevant.[14]
1.8
The APPs will be inserted into the Privacy Act in a new Schedule 1[15]
and will be grouped in five Parts. Each part deals with a particular set of
principles:
- Part 1 – principles that require APP entities to consider the
privacy of personal information, including ensuring that personal information is
managed in an open and transparent way (APP 1, APP 2);
- Part 2 – principles that deal with the collection of personal
information, including dealing with unsolicited personal information (APP 3,
APP 4, APP 5);
- Part 3 – principles about how APP entities deal with personal
information and government-related identifiers, including the use and
disclosure of personal information and identifiers, and direct marketing (APP
6, APP 7, APP 8, APP 9);
- Part 4 – principles about the integrity of personal information (quality
and security) (APP 10, APP 11); and
- Part 5 – principles that deal with access to, and the correction
of, personal information (APP 12, APP 13).[16]
1.9
The EM contains a detailed explanation of each APP;[17]
however, individual APPs will be described and discussed in later chapters of
the committee's report only where relevant to the examination of particular
issues and concerns raised in the inquiry.
1.10
Schedule 1 of the Bill also sets out a range of provisions relating to
the APPs (such as new definitions). Several key terms or concepts will be
amended, including: the term 'personal information'; the meaning of 'reasonably
necessary'; the term 'sensitive information'; the issue of consent; and the
requirement to 'take reasonable steps'.[18]
Credit reporting
1.11
Schedule 2 of the Bill amends provisions throughout the Privacy Act
which deal with credit reporting.[19]
The credit reporting provisions (currently set out in Part IIIA of the
Privacy Act) regulate the handling and maintenance of certain kinds of
personal information regarding consumer credit that is intended to be used
wholly or primarily for domestic, family or household purposes.[20]
1.12
Item 72 of Schedule 2 of the Bill completely revises the credit
reporting provisions, with the repeal of current Part IIIA of the Privacy Act
and the creation of new Part IIIA of the Privacy Act. Proposed new Part
IIIA will deal with the privacy of credit reporting related information in six
substantive Divisions:
- Divisions 2 and 3 contain rules that apply to 'credit reporting
bodies' and 'credit providers' pertinent to their handling of information
related to credit reporting;
- Division 4 contains rules that apply to 'affected information
recipients' in relation to their handling of 'regulated information';
- Division 5 deals with complaints to 'credit reporting bodies' and
'credit providers' about acts or practices that might breach certain provisions
of new Part IIIA of the Privacy Act or the registered credit reporting
code;
- Division 6 deals with entities that obtain 'credit reporting
information' or 'credit eligibility information' by false pretence, or when
they are not authorised to do so under new Part IIIA of the Privacy Act; and
- Division 7 provides for compensation orders and other orders to
be made by the Federal Court of Australia or the Federal Magistrates Court.[21]
1.13
By way of summary, the EM states that the main credit reporting reforms
are:
- introduction of more comprehensive credit reporting to provide
additional information about an individual's ongoing credit arrangements;
- changes to the obligations relating to the retention of different
categories of personal information;
- introduction of specific rules to deal with pre-screening of
credit offers and the freezing of access to an individual's personal
information in cases of suspected identity theft or fraud;
- provision of additional consumer protections by enhancing obligations
and processes dealing with notification, data quality, access and correction,
and complaints; and
- changes to the regulation of credit reporting to more accurately
reflect the information flows within the system and the general obligations set
out in the APPs.[22]
1.14
Other amendments in Schedule 2 relate to matters of interpretation,
including general definitions in subsection 6(1) of the Privacy Act[23]
and key definitions relating to credit reporting.[24]
1.15
In her second reading speech, the Attorney-General stated that the Bill
is the first major reform to credit reporting since its introduction in 1990
and identified the ways in which banks, financial institutions, the finance and
credit industry, businesses and individuals will benefit from the reforms:
Banks and financial institutions will be able to see more accurate
and positive information...[meaning] more families can access credit. And it will
mean the banks can assess credit risks more accurately...
These reforms will give the Australian finance and credit
industry more information—with the appropriate privacy protections—so that they
can make more accurate risk assessments. More information—which will need to be
more up to date and accurate under this bill—will assist both consumers and the
credit reporting industry. It is expected that these reforms will lead to
decreased levels of over-indebtedness and then lower credit default rates.
For Australian businesses and the credit industry more
comprehensive credit reporting will enable better management of capital and
growth targets, improve credit decisions and enhance the effectiveness of how credit
reporting agencies collect data.
It is also expected to lead to more competition and efficiency
in the credit market, which may in turn lead to more affordable credit and
mortgage insurance for families and first home buyers.[25]
Privacy codes
1.16
Schedule 3 of the Bill repeals current Part IIIAA of the Privacy Act,[26]
which sets out provisions relating to privacy codes, and inserts a new Part IIIB.[27]
Proposed new Part IIIB of the Privacy Act will provide for information
privacy codes of practice (APP code)[28]
and credit reporting codes of practice (CR code).[29]
1.17
An APP code may be developed by an 'APP code developer' or, in certain
circumstances, by the Australian Information Commissioner (Commissioner).[30]
An APP code: must set out how one or more of the APPs are to be applied or
complied with; may impose requirements in addition to those imposed by the
APPs; and may deal with other specified matters.[31]
Once an APP code has been developed, an 'APP code developer' may apply to
the Commissioner for registration of the code.[32]
The Commissioner may register an APP code developed by an 'APP code developer'
or by the Commissioner.[33]
1.18
The process for the development of a CR code is similar to the
development of an APP code. A CR code may be developed by a 'CR code developer'
on request from the Commissioner or, in certain circumstances, by the
Commissioner.[34]
A CR code:
- must set out how one or more of the credit reporting provisions
are to be applied or complied with;
- must deal with matters required or permitted by the credit
reporting provisions to be provided for by the 'registered CR code';
- must bind all 'credit reporting bodies'; and
- may deal with other specified matters.[35]
1.19
Once a CR code has been developed, the 'CR code developer' may apply to
the Commissioner for registration of the code.[36]
The Commissioner may register a CR code developed by a 'CR code developer'
or by the Commissioner.[37]
1.20
Registered APP codes and registered CR codes will be disallowable
legislative instruments[38]
and, if bound by one of these codes, APP entities and credit reporting entities
will be prohibited from doing an act, or engaging in a practice, which breaches
that code.[39]
A breach of a registered code will constitute an interference with the privacy of
an individual,[40]
which will be subject to investigation by the Commissioner under Part 5 of
the Privacy Act (Investigations).
1.21
Schedule 3 of the Bill also amends provisions relating to interpretation
(including the insertion of new definitions);[41]
and sets out provisions relating to a register of codes which have been
registered by the Commissioner in accordance with new Part IIIB of the Privacy
Act, guidelines relating to codes and the review of the operation of registered
codes.[42]
Other amendments to the Privacy Act
1.22
Schedule 4 of the Bill makes several amendments to the Privacy Act,
including: insertion of an objects clause;[43]
reform of the functions and powers of the Commissioner; and related matters
(for example, provisions about interferences with privacy).[44]
1.23
In particular, current Division 2 of Part IV of the Privacy Act – which sets
out the functions of the Commissioner – will be repealed[45]
and will be replaced by new provisions relating to general, guidance-related,
monitoring-related and advice-related functions of the Commissioner.[46]
1.24
According to the Attorney-General, the Commissioner's powers have been
substantially amended to provide individuals with enforceable remedies for
breaches of privacy.[47]
1.25
Schedule 4 of the Bill will insert several new provisions into the
Privacy Act, allowing the Commissioner to:
- conduct an assessment relating to an APP entity or credit
reporting entity's maintenance and handling of personal information, and direct
an agency to provide a 'privacy impact assessment' about a proposed activity or
function involving the handling of personal information;[48]
- accept a written undertaking given by an entity to take, or
refrain from taking, specified actions to ensure compliance with the Privacy Act,
and apply to the Federal Court of Australia or the Federal Magistrates Court
for enforcement of the undertaking (including orders for compensation);[49]
- recognise an external dispute resolution scheme;[50]
- investigate, on the Commissioner's own initiative, acts or
practices which might be an interference with the privacy of an individual or
which might breach an APP;[51]
- conciliate complaints;[52]
- make inquiries of persons other than the respondent to a
complaint;[53]
and
- include in a determination any order that is considered necessary
or appropriate.[54]
1.26
Schedule 4 of the Bill also extends the extra-territorial operation of
the Privacy Act, together with registered APP codes and registered CR codes, to
organisations and small business operators with an 'Australian link'.[55]
1.27
Schedule 4 of the Bill inserts a new Part VIB into the Privacy Act.[56]
The new Part VIB, which deals with civil penalty orders, will prohibit entities
from contravening a 'civil penalty provision'.[57]
The Commissioner may apply to the Federal Court of Australia or the
Federal Magistrates Court for an order that an entity, which is alleged to have
contravened a 'civil penalty provision', pay the Commonwealth a pecuniary
penalty.[58]
Proposed new section 13G of the Privacy Act makes special provision for serious
and repeated interferences with the privacy of an individual.[59]
1.28
The Attorney-General noted:
Penalties range from 200 penalty units—$22,000 for an
individual and $110,000 for a company—to 2,000 penalty units, which is $220,000
for an individual and $1.1 million for a company. For serious and repeated breaches
of privacy, the penalty will be 2,000 penalty units. This is another remedy for
consumers and will encourage compliance with the Privacy Act.[60]
1.29
The interaction between civil and criminal proceedings is addressed in
proposed Division 3 of new Part VIB of the Privacy Act.[61]
Amendment of other Commonwealth Acts
1.30
Schedule 5 of the Bill contains consequential amendments to Commonwealth Acts,
other than the Privacy Act. The EM states that these amendments primarily
replace references to the Information Privacy Principles or National Privacy
Principles with the APPs, and insert new definitions, including certain credit
reporting terms, into Commonwealth Acts which interact with the Privacy Act.[62]
Application, transitional and savings provisions
1.31
Schedule 6 of the Bill addresses transitional issues relating to the
commencement of the Bill's substantive provisions.[63]
In her second reading speech, the Attorney‑General noted that there will
be a nine-month transition period in which industry and government agencies are
to review and update their privacy policies and practices.[64]
Financial and Regulation Impact Statements
1.32
The EM states that the Bill will have no significant impact on
Commonwealth expenditure or revenue. However, a Regulation Impact Statement is
required for the credit reporting measures contained in the Bill.[65]
Conduct of the inquiry
1.33
Details of the inquiry, the Bill and associated documents were placed on
the committee's website at https://www.aph.gov.au/senate_legalcon. The committee
also wrote to 117 organisations and individuals, inviting submissions by 9 July
2012. Submissions continued to be accepted after that date.
1.34
The committee received 59 submissions, which are listed at Appendix 2. Public
submissions are available on the committee's website.
1.35
The committee held public hearings at Parliament House in Canberra on 10 and
21 August 2012. A list of the witnesses who appeared at the hearings is at
Appendix 3, and the Hansard transcripts are available through the
committee's website.
Acknowledgement
1.36
The committee thanks those organisations and individuals who made
submissions and gave evidence at the public hearing.
Scope of this report
1.37
The committee's report is structured in the following way: chapter 2
examines some of the key issues raised during the committee's inquiry in
relation to the APPs; chapters 3 and 4 discuss some of the proposed credit
reporting definitions and proposed provisions for the regulation of credit
reporting; chapter 5 examines issues raised with respect to the powers and
functions of the Commissioner, as well as the proposed civil penalty regime;
and chapter 6 contains the committee's views and recommendations.
Notes on references
1.38
References to the committee Hansard are to the proof Hansard.
Page numbers may vary between the proof and the official Hansard
transcript.