Privacy Act 1988
On 12 March 2014, the Privacy Act 1988 (Cth) was amended with some significant changes.
Set out below is an overview of some of the key changes to the Act and how they impact on the University and its controlled entities.
The University is not required to comply with the new Australian Privacy Principles (which are further described below) in the Privacy Act 1988 (Cth) as it is not an "organisation" within the meaning of the Act.
The University is, however, a "file number recipient" for the purposes of the Privacy Act because it holds records of employees which contain tax file number information. This means that it must comply with any rules relating to tax file number information, issued under section 17 of the Privacy Act.
A breach of any rules is an interference with privacy under section 13 of the Privacy Act.
A copy of the latest tax file number guidelines currently in force is available at http://www.comlaw.gov.au/Details/F2011L02748. Under transitional arrangements for the amendments made to the Privacy Act on 12 March 2014, the TFN Guidelines continue in operation as if they were rules issued under s 17 of the Privacy Act.
Under the Privacy Act, the Commissioner has a range of powers in relation to file number recipients, which include the power to:
- investigate acts and practices of file number recipients that may breach guidelines;
- conduct audits of records of file number recipients; and
- authorise a person in writing to enter premises to carry out these functions (s 68).
Controlled entities of the University must comply with the following privacy acts:
- Privacy Act 1988 (Cth) (Privacy Act)
- Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA)
- Health Records and Information Privacy Act 2002 (NSW) (HRIPA)
Concurrent compliance with Acts
Section 3 of the Privacy Act contemplates that an entity may have duties under both NSW and Commonwealth privacy acts. However, to the extent that there are inconsistencies between the federal Privacy Act and the NSW privacy acts which apply to a controlled entity, the provisions of the federal Privacy Act will prevail.
New Australian Privacy Principles
The Privacy Act now consolidates the existing Commonwealth National Privacy Principles (NPPs) and Information Privacy Principles (IPPs) into one set of privacy principles which are called the Australian Privacy Principles (APPs).
As noted above, the University is not required to comply with the new APPs as it is not an "organisation" within the meaning of the Privacy Act.
However, the controlled entities of the University must comply with the new APPs from 12 March 2014. A controlled entity is an "organisation" within the meaning of the Privacy Act and an APP entity to whom the APPs apply.
The APPs are set out in Schedule 1 to the Privacy Act 1988 (Cth). A copy of the APPs is also available at the Office of the Australian Information Commissioner's website.
The OAIC has published APP Guidelines which outline the mandatory requirements of the APPs, how the OAIC will interpret them and matters the OAIC may take into account when exercising functions and powers under the Privacy Act.
The new APPs include the following requirements:
- APP 1: An APP entity (which includes a controlled entity) must have a clearly expressed and up-to-date policy about the management of personal information which should be permanently available to the public. The policy must contain certain information including whether or not the entity is likely to disclose personal information to overseas recipients, and where practicable to which countries.
- APP 4: An APP entity which receives unsolicited information should consider whether it would have collected that information itself under the APPs and if not, should have processes in place to destroy or de-identify that information.
- APP 5: An APP entity is required to notify individuals of an expanded list of matters about how their information is collected and used by the APP entity, including whether the entity is likely to disclose the information to overseas recipients and, if so, to which countries.
- APP 7: An APP entity is not permitted to use or disclose personal information for direct marketing unless an exemption applies.
- APP 8: An APP entity must take reasonable steps to ensure that an overseas recipient of personal information does not breach the APPs. Even where an APP entity has taken these reasonable steps, it may still be held liable for a breach of an APP by an overseas entity to whom personal information is disclosed. The information does not need to be transferred to that overseas entity; disclosure is sufficient. There are limited ways in which an entity can avoid APP 8.1, as set out in APP 8.2.
New civil penalty regime
Section 13G is a civil penalty provision relevant to controlled entities. It provides for a civil penalty of 2,000 penalty units ($340,000) where an entity does an act or engages in a practice that is a serious interference with the privacy of an individual, or where the entity repeatedly does an act or engages in a practice that is an interference with the privacy of one or more individuals. An interference with the privacy of an individual includes a breach of an APP.
The Privacy Commissioner has increased powers of investigation and audit, including the power to commence proceedings against a non-compliant entity in the Federal Court or the Federal Magistrates Court and to seek an additional pecuniary penalty of up to $1.7 million from that entity for contravention of a civil penalty provision.
Details of the recent amendments and how they will affect organisations are available on the Office of the Australian Information Commissioner's website: http://www.oaic.gov.au/privacy/privacy-news