In Brief: Recent changes to the Privacy Act

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 was signed into law on 12 December 2012 – and the changes made by that Act commenced on 12 March 2014. It was the most significant reform of the Privacy Act 1988 since the privacy regime was extended to cover private sector businesses in 2001.

The 10 National Privacy Principles were replaced with 13 Australian Privacy Principles (APPs). In addition, the regulator (the Privacy Commissioner) has published extensive legally binding APP guidelines. With respect to "credit reporting", the provisions in Part IIIA of the Privacy Act which deal with "credit reporting" have been completely replaced with a new Part IIIA that enables a more "comprehensive" credit reporting system and imposes more restrictions and obligations on credit providers (which includes trade credit providers), credit reporting bodies and others who deal with credit related information (such as debt collectors). A new legally binding Credit Reporting Privacy Code (CR code) has also been published.

In addition, the changes introduced a significant new civil penalty regime and the regulator, has been given significant additional powers, including the power to accept and enforce Enforceable Undertakings.

Key changes: the APPs

Privacy by design:

APP 1 introduces a positive obligation for businesses to take reasonable steps in the circumstances to have and implement practices, procedures and systems that will ensure compliance with the APPs and enable them to deal with inquiries or complaints about their compliance. This is often referred to as "privacy by design". Businesses may be able to demonstrate this, for example, by developing and maintaining training programs, staff manuals, standard procedures and other relevant documents that demonstrate awareness of, and compliance with, their obligations. Businesses should also be able to demonstrate that their systems, such as their data management systems, will enable them to comply with their obligations.

This requirement for an internal framework is perhaps the biggest change and the one most often overlooked.

In addition to the internally documented practices, businesses must update (and make publicly available) a clearly expressed external privacy policy about their management of personal information (and it must be kept up-to-date policy).

One way to think of this, is that your external privacy policy explains to the public and your customers what you will do to protect their privacy. On the other hand, your internal framework tells your staff how your privacy compliance program will be implemented, monitored and managed.

New potential liability for overseas disclosures:

There are new restrictions on disclosing personal information to overseas recipients (which includes allowing someone overseas to access personal information that resides on systems located in Australia). Businesses may be deemed to be responsible for (and held liable for) any breaches by overseas recipients.

Increased notification obligations:

When collecting personal information (whether directly from an individual or from a third party), businesses must take reasonable steps in the circumstances (if any) to notify additional matters to individuals – or to otherwise ensure individuals are aware of the additional matters. These include information about the business' access, correction and complaints processes (replicating much of what is contained in their external APP privacy policy), and also the location of any likely overseas recipients of individuals' information.

Direct marketing:

There are additional restrictions and conditions on direct marketing. These include telling the individual, if they request, the source of their information used to direct market (when the information is not collected directly from the individual – for example, when businesses buy marketing lists) and conditions relating to opt-out mechanisms. Corrections: There are new obligations in relation to correcting personal information if either the business is satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading, or the individual requests correction. A business must notify others (that it had previously provided the personal information to) of any correction if the individual asks them to.

Key changes: Part IIIA and the credit reporting system

Personal information in the context of commercial credit:

The new Part IIIA applies to credit providers, including commercial lenders and trade credit providers who provide credit to individuals (sole traders, partners, trustees) or who take guarantees from individuals for credit provided to someone else (for example, a director's guarantee for credit provided to a company).

Access to consumer credit history:

The types of consumer credit related information that can be held by a regulated credit reporting body has been expanded. If a commercial lender or trade credit provider wants to access an individual’s consumer credit history (from a regulated credit reporting body) to assist in their commercial lending decision, the lender or trade credit provider will be subject to all of the restrictions in Part IIIA that include highly prescriptive rules about the collection, use and disclosure of credit related personal information by and to credit providers and credit reporting bodies.

From both a reputational and regulatory risk perspective it is important you understand the privacy management practices of those from whom you obtain credit reports. In particular, you need to understand if any consumer credit history (including information derived from such information such as credit scores) is included in credit reports that you get. If so, certain obligations will apply to your handling of that information.

Privacy by design:

Similar to APP 1, Part IIIA introduces a positive obligation for commercial lenders and trade credit providers to take reasonable steps in the circumstances to have and implement practices, procedures and systems that will ensure compliance with Part IIIA, the new Credit Reporting Code of Conduct and the Regulations made under the Privacy Act and enable them to deal with inquiries or complaints about their compliance. In addition to the privacy policy required under APP1, commercial lenders and trade credit providers must have a clearly expressed and up-to-date “credit reporting policy” about their management of credit related personal information (this can be combined with the APP1 privacy policy)

Mandatory EDR scheme membership:

This is a new requirement. From 12 March 2015, a commercial lender or a trade credit provider will need to be a member of a recognised external dispute resolution scheme (EDR scheme) to get consumer credit reports from regulated credit reporting bodies. A temporary exemption from this requirement is currently in place as a result of an exempting Regulation, but will expire on 12 March 2015 unless a further Regulation is made prior to that date that has the effect of making the exemption permanent.

It is not yet clear whether a permanent exemption will be granted, so it may be wise to consider registering your interest to become an EDR scheme member sooner rather than later, as there may be a last minute ‘rush’ of applications if the final decision is that a permanent exemption will not be put in place.

AICM members were recently advised that Raj Venga, CEO and Ombudsman of the Credit Ombudsman Service Limited (COSL), has announced an offer of “Commercial Privacy Act Participant” membership category for AICM members who provide commercial credit, but whose core business is not the provision of financial services. This will apply to businesses that extend “trade credit” terms in connection with their core business of providing goods or services. The offer from COSL will enable those businesses to become members of COSL for a fixed annual cost of $850 (inc GST) in the first year, and $650 (inc GST) annually thereafter. There will be no additional COSL costs for handling complaints made. You can register your interest in this offer at https://www. surveymonkey.com/s/AICMCOSL1

Additional notifications obligations:

In addition to the requirements of the APPs, commercial lenders and trade credit providers must also notify individuals of other matters, or otherwise ensure individuals are aware of those matters, which generally replicate the matters set out in their “credit reporting policy” about their collection and handling of credit related personal information. When a commercial lender or trade credit provider intends to get a consumer credit report,  the individual must be notified of  (or otherwise made aware of) the name and contact details of the relevant credit reporting body.

Access, corrections and complaints:

There are increased obligations (over and above the APP requirements) that apply to access, corrections and complaints with respect to certain credit related personal information. The main feature of the new correction and complaint provisions is the ‘firstcontact” obligation, where the obligation to resolve a correction request or complaint lies with the first credit reporting body or credit provider that the individual contacts.

Audit:

Credit reporting bodies have an obligation to monitor and audit their customers’ compliance with key elements under Part IIIA.

Key changes:  penalties and powers

Civil penalty:

The Federal Court, hearing proceedings brought by the Privacy Commissioner, will have the power to impose civil penalties of up to $1.7 million for a breach by a corporation of specific provisions of Part IIIA or, more generally, for serious or repeated interferences with the privacy of an individual under the APPs.

Compensation:

If a court finds that a business has breached a civil penalty provision, any individual affected by that breach can apply to the court for compensation for any loss or damage suffered (which can include injury to the individual’s feelings or humiliation, in addition to monetary loss).

Assessments:

The Privacy Commissioner can conduct an assessment of whether personal information held by a business is being managed and maintained in according to the APPs and Part IIIA (which includes the Credit Reporting Code of Conduct).

Investigations:

The Privacy Commissioner can initiate and conduct investigations of a business’s compliance with the Privacy Act on its own initiative or as a result of a complaint made by an individual.

At the conclusion of an investigation, the Privacy Commissioner can make determinations that include ordering compensation to individuals and ordering a business to take specific action to prevent further repeats of the acts or practices investigated.

Enforceable Undertakings:

Significantly, the Privacy Commissioner can accept Enforceable Undertakings from businesses that they will take, or refrain from taking, specific action to ensure compliance with the Privacy Act, or to ensure that, in the future, they do not interfere with the privacy of an individual. The undertakings are enforceable by the Privacy Commissioner on application to the Federal Court.

Note:

There is no mandatory obligation to report data breaches to either individuals or to the Privacy Commissioner – yet. A Bill was tabled in tabled in May 2013 to make breach reporting mandatory. The Bill lapsed when the federal election was called. However, there appears to be bi-partisan support for the Bill and it may be re-introduced into parliament and passed in the not too distant future.

This briefing was prepared by Debra Kruse and Michael Hartman, Principal Consultants, Inflexion Point Consulting.
www.inflexionpoint.com.au You can contact Debra at dkruse@ inflexionpoint.com.au, or Michael at mhartman@inflexionpoint.com.au

FOOTNOTE: 1.   Registration of interest does not commit you to membership. Your registration will be followed up in early 2015 if it becomes clear that the temporary exemption will not be extended.

Download full article