CHAPTER 1


CHAPTER 1

Introduction

Background and purpose of the Bill

1.1        On 23 May 2012, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Bill) was introduced into the House of Representatives by the Attorney‑General, the Hon. Nicola Roxon MP.[1] On 19 June 2012, the Senate referred the Bill to the Legal and Constitutional Affairs Legislation Committee (committee) for inquiry and report by 14 August 2012.[2] The reporting date was subsequently extended to 25 September 2012.[3] The House of Representatives passed the Bill on 17 September 2012,[4] and the Bill was introduced into the Senate on 18 September 2012.[5]

1.2        The Bill amends the Privacy Act 1988 (Privacy Act) to implement the Australian Government's first stage response to the 2008 Australian Law Reform Commission's (ALRC) report, For Your Information: Australian Privacy Law and Practice.[6] According to the Explanatory Memorandum (EM), the Bill:

  • creates the Australian Privacy Principles, a single set of privacy principles applying to both Commonwealth agencies and private sector organisations;
  • introduces more comprehensive credit reporting with improved privacy protections, and revises provisions relating to credit reporting;
  • introduces new provisions on privacy codes and the credit reporting code; and
  • clarifies and improves the functions and powers of the Australian Information Commissioner.[7]

1.3        The introduction of the Bill follows a number of reviews into Australia's privacy legislation. In addition to the ALRC, reviews have, for example, been conducted by the Office of the Privacy Commissioner (now the Office of the Australian Information Commissioner)[8] and the Senate Legal and Constitutional Affairs References Committee.[9] In 2010-2011, the Senate Finance and Public Administration Legislation Committee examined Exposure Drafts of the current Bill.[10]

1.4        In her second reading speech, the Attorney-General stated that the Bill is one of the most significant developments in privacy law reform and will bring Australia's privacy protection framework into the modern era.[11]

Overview of the Bill

1.5        The Bill contains six schedules, each of which proposes amendments relating to a particular subject and associated matters (such as definitions):

  • Schedule 1 – Australian Privacy Principles;
  • Schedule 2 – Credit reporting;
  • Schedule 3 – Privacy codes;
  • Schedule 4 – Other amendments to the Privacy Act, including the functions and powers of the Australian Information Commissioner;
  • Schedule 5 – Consequential amendments to other Commonwealth Acts; and
  • Schedule 6 – Application, transitional and savings provisions.

1.6        Schedules 1 to 4 of the Bill amend the Privacy Act; Schedule 5 of the Bill amends 55 other Commonwealth Acts; and Schedule 6 of the Bill sets out provisions relating to both the Privacy Act and the 55 other Commonwealth Acts.

Australian Privacy Principles

1.7        Schedule 1 of the Bill abolishes the Information Privacy Principles, which apply to the public sector, and the National Privacy Principles, which apply to the private sector.[12] It replaces them with the Australian Privacy Principles (APPs), which are reproduced in Appendix 1 to this report.[13] The APPs will be a single set of thirteen privacy principles in relation to which Commonwealth agencies and certain private sector organisations (APP entities) must comply as relevant.[14]

1.8        The APPs will be inserted into the Privacy Act in a new Schedule 1[15] and will be grouped in five Parts. Each part deals with a particular set of principles:

  • Part 1 – principles that require APP entities to consider the privacy of personal information, including ensuring that personal information is managed in an open and transparent way (APP 1, APP 2);
  • Part 2 – principles that deal with the collection of personal information, including dealing with unsolicited personal information (APP 3, APP 4, APP 5);
  • Part 3 – principles about how APP entities deal with personal information and government-related identifiers, including the use and disclosure of personal information and identifiers, and direct marketing (APP 6, APP 7, APP 8, APP 9);
  • Part 4 – principles about the integrity of personal information (quality and security) (APP 10, APP 11); and
  • Part 5 – principles that deal with access to, and the correction of, personal information (APP 12, APP 13).[16]

1.9        The EM contains a detailed explanation of each APP;[17] however, individual APPs will be described and discussed in later chapters of the committee's report only where relevant to the examination of particular issues and concerns raised in the inquiry.

1.10      Schedule 1 of the Bill also sets out a range of provisions relating to the APPs (such as new definitions). Several key terms or concepts will be amended, including: the term 'personal information'; the meaning of 'reasonably necessary'; the term 'sensitive information'; the issue of consent; and the requirement to 'take reasonable steps'.[18]

Credit reporting

1.11      Schedule 2 of the Bill amends provisions throughout the Privacy Act which deal with credit reporting.[19] The credit reporting provisions (currently set out in Part IIIA of the Privacy Act) regulate the handling and maintenance of certain kinds of personal information regarding consumer credit that is intended to be used wholly or primarily for domestic, family or household purposes.[20]

1.12      Item 72 of Schedule 2 of the Bill completely revises the credit reporting provisions, with the repeal of current Part IIIA of the Privacy Act and the creation of new Part IIIA of the Privacy Act. Proposed new Part IIIA will deal with the privacy of credit reporting related information in six substantive Divisions:

  • Divisions 2 and 3 contain rules that apply to 'credit reporting bodies' and 'credit providers' pertinent to their handling of information related to credit reporting;
  • Division 4 contains rules that apply to 'affected information recipients' in relation to their handling of 'regulated information';
  • Division 5 deals with complaints to 'credit reporting bodies' and 'credit providers' about acts or practices that might breach certain provisions of new Part IIIA of the Privacy Act or the registered credit reporting code;
  • Division 6 deals with entities that obtain 'credit reporting information' or 'credit eligibility information' by false pretence, or when they are not authorised to do so under new Part IIIA of the Privacy Act; and
  • Division 7 provides for compensation orders and other orders to be made by the Federal Court of Australia or the Federal Magistrates Court.[21]

1.13      By way of summary, the EM states that the main credit reporting reforms are:

  • introduction of more comprehensive credit reporting to provide additional information about an individual's ongoing credit arrangements;
  • changes to the obligations relating to the retention of different categories of personal information;
  • introduction of specific rules to deal with pre-screening of credit offers and the freezing of access to an individual's personal information in cases of suspected identity theft or fraud;
  • provision of additional consumer protections by enhancing obligations and processes dealing with notification, data quality, access and correction, and complaints; and
  • changes to the regulation of credit reporting to more accurately reflect the information flows within the system and the general obligations set out in the APPs.[22]

1.14      Other amendments in Schedule 2 relate to matters of interpretation, including general definitions in subsection 6(1) of the Privacy Act[23] and key definitions relating to credit reporting.[24]

1.15      In her second reading speech, the Attorney-General stated that the Bill is the first major reform to credit reporting since its introduction in 1990 and identified the ways in which banks, financial institutions, the finance and credit industry, businesses and individuals will benefit from the reforms:

Banks and financial institutions will be able to see more accurate and positive information...[meaning] more families can access credit. And it will mean the banks can assess credit risks more accurately...

These reforms will give the Australian finance and credit industry more information—with the appropriate privacy protections—so that they can make more accurate risk assessments. More information—which will need to be more up to date and accurate under this bill—will assist both consumers and the credit reporting industry. It is expected that these reforms will lead to decreased levels of over-indebtedness and then lower credit default rates.

For Australian businesses and the credit industry more comprehensive credit reporting will enable better management of capital and growth targets, improve credit decisions and enhance the effectiveness of how credit reporting agencies collect data.

It is also expected to lead to more competition and efficiency in the credit market, which may in turn lead to more affordable credit and mortgage insurance for families and first home buyers.[25]

Privacy codes

1.16      Schedule 3 of the Bill repeals current Part IIIAA of the Privacy Act,[26] which sets out provisions relating to privacy codes, and inserts a new Part IIIB.[27]  Proposed new Part IIIB of the Privacy Act will provide for information privacy codes of practice (APP code)[28] and credit reporting codes of practice (CR code).[29]

1.17      An APP code may be developed by an 'APP code developer' or, in certain circumstances, by the Australian Information Commissioner (Commissioner).[30] An APP code: must set out how one or more of the APPs are to be applied or complied with; may impose requirements in addition to those imposed by the APPs; and may deal with other specified matters.[31] Once an APP code has been developed, an 'APP code developer' may apply to the Commissioner for registration of the code.[32] The Commissioner may register an APP code developed by an 'APP code developer' or by the Commissioner.[33]

1.18      The process for the development of a CR code is similar to the development of an APP code. A CR code may be developed by a 'CR code developer' on request from the Commissioner or, in certain circumstances, by the Commissioner.[34] A CR code:

  • must set out how one or more of the credit reporting provisions are to be applied or complied with;
  • must deal with matters required or permitted by the credit reporting provisions to be provided for by the 'registered CR code';
  • must bind all 'credit reporting bodies'; and
  • may deal with other specified matters.[35]

1.19      Once a CR code has been developed, the 'CR code developer' may apply to the Commissioner for registration of the code.[36] The Commissioner may register a CR code developed by a 'CR code developer' or by the Commissioner.[37]

1.20      Registered APP codes and registered CR codes will be disallowable legislative instruments[38] and, if bound by one of these codes, APP entities and credit reporting entities will be prohibited from doing an act, or engaging in a practice, which breaches that code.[39] A breach of a registered code will constitute an interference with the privacy of an individual,[40] which will be subject to investigation by the Commissioner under Part 5 of the Privacy Act (Investigations).

1.21      Schedule 3 of the Bill also amends provisions relating to interpretation (including the insertion of new definitions);[41] and sets out provisions relating to a  register of codes which have been registered by the Commissioner in accordance with new Part IIIB of the Privacy Act, guidelines relating to codes and the review of the operation of registered codes.[42]

Other amendments to the Privacy Act

1.22      Schedule 4 of the Bill makes several amendments to the Privacy Act, including: insertion of an objects clause;[43] reform of the functions and powers of the Commissioner; and related matters (for example, provisions about interferences with privacy).[44]

1.23      In particular, current Division 2 of Part IV of the Privacy Act – which sets out the functions of the Commissioner – will be repealed[45] and will be replaced by new provisions relating to general, guidance-related, monitoring-related and advice-related functions of the Commissioner.[46]

1.24      According to the Attorney-General, the Commissioner's powers have been substantially amended to provide individuals with enforceable remedies for breaches of privacy.[47]

1.25      Schedule 4 of the Bill will insert several new provisions into the Privacy Act, allowing the Commissioner to:

  • conduct an assessment relating to an APP entity or credit reporting entity's maintenance and handling of personal information, and direct an agency to provide a 'privacy impact assessment' about a proposed activity or function involving the handling of personal information;[48]
  • accept a written undertaking given by an entity to take, or refrain from taking, specified actions to ensure compliance with the Privacy Act, and apply to the Federal Court of Australia or the Federal Magistrates Court for enforcement of the undertaking (including orders for compensation);[49]
  • recognise an external dispute resolution scheme;[50]
  • investigate, on the Commissioner's own initiative, acts or practices which might be an interference with the privacy of an individual or which might breach an APP;[51]
  • conciliate complaints;[52]
  • make inquiries of persons other than the respondent to a complaint;[53] and
  • include in a determination any order that is considered necessary or appropriate.[54]

1.26      Schedule 4 of the Bill also extends the extra-territorial operation of the Privacy Act, together with registered APP codes and registered CR codes, to organisations and small business operators with an 'Australian link'.[55]

1.27      Schedule 4 of the Bill inserts a new Part VIB into the Privacy Act.[56] The new Part VIB, which deals with civil penalty orders, will prohibit entities from contravening a 'civil penalty provision'.[57] The Commissioner may apply to the Federal Court of Australia or the Federal Magistrates Court for an order that an entity, which is alleged to have contravened a 'civil penalty provision', pay the Commonwealth a pecuniary penalty.[58] Proposed new section 13G of the Privacy Act makes special provision for serious and repeated interferences with the privacy of an individual.[59]

1.28      The Attorney-General noted:

Penalties range from 200 penalty units—$22,000 for an individual and $110,000 for a company—to 2,000 penalty units, which is $220,000 for an individual and $1.1 million for a company. For serious and repeated breaches of privacy, the penalty will be 2,000 penalty units. This is another remedy for consumers and will encourage compliance with the Privacy Act.[60]

1.29      The interaction between civil and criminal proceedings is addressed in proposed Division 3 of new Part VIB of the Privacy Act.[61]

Amendment of other Commonwealth Acts

1.30      Schedule 5 of the Bill contains consequential amendments to Commonwealth Acts, other than the Privacy Act. The EM states that these amendments primarily replace references to the Information Privacy Principles or National Privacy Principles with the APPs, and insert new definitions, including certain credit reporting terms, into Commonwealth Acts which interact with the Privacy Act.[62]

Application, transitional and savings provisions

1.31      Schedule 6 of the Bill addresses transitional issues relating to the commencement of the Bill's substantive provisions.[63] In her second reading speech, the Attorney‑General noted that there will be a nine-month transition period in which industry and government agencies are to review and update their privacy policies and practices.[64]

Financial and Regulation Impact Statements

1.32      The EM states that the Bill will have no significant impact on Commonwealth expenditure or revenue. However, a Regulation Impact Statement is required for the credit reporting measures contained in the Bill.[65]

Conduct of the inquiry

1.33      Details of the inquiry, the Bill and associated documents were placed on the committee's website at https://www.aph.gov.au/senate_legalcon. The committee also wrote to 117 organisations and individuals, inviting submissions by 9 July 2012. Submissions continued to be accepted after that date.

1.34      The committee received 59 submissions, which are listed at Appendix 2. Public submissions are available on the committee's website.

1.35      The committee held public hearings at Parliament House in Canberra on 10 and 21 August 2012. A list of the witnesses who appeared at the hearings is at Appendix 3, and the Hansard transcripts are available through the committee's website.

Acknowledgement

1.36      The committee thanks those organisations and individuals who made submissions and gave evidence at the public hearing.

Scope of this report

1.37      The committee's report is structured in the following way: chapter 2 examines some of the key issues raised during the committee's inquiry in relation to the APPs; chapters 3 and 4 discuss some of the proposed credit reporting definitions and proposed provisions for the regulation of credit reporting; chapter 5 examines issues raised with respect to the powers and functions of the Commissioner, as well as the proposed civil penalty regime; and chapter 6 contains the committee's views and recommendations.

Notes on references

1.38      References to the committee Hansard are to the proof Hansard. Page numbers may vary between the proof and the official Hansard transcript.

Navigation: Previous Page | Contents | Next Page