Privacy Commissioner speech on amendments to the Privacy Act

May 10, 2013

The Privacy Commissioner has published the speech he gave last week. It can be found here.

Below is a slightly edited transcript.  It relevantly provides:

Privacy law reform—Get in on the Act


Privacy law reform

It should be no surprise that privacy law reform is a priority for business. It is fair to say that the Privacy Amendment (Enhancing Privacy Protection) Act 2012 will bring about the most significant changes in privacy regulation and compliance for over two decades.  

In the time I have with you today, I will set out some of the key changes to the Privacy Act. In particular, I will talk about the new Australian Privacy Principles (or APPs) and the enhanced powers that will be available to me to resolve investigations. I also want to let you know how we will assist you to prepare for the changes.

The APPs

Thirteen new APPs will apply to both Commonwealth agencies and private sector organisations, or ‘APP entities’ as both will be referred to in the amended Act. These principles will replace the existing Information Privacy Principles (or IPPs) and National Privacy Principles (or NPPs) that apply to government agencies and businesses respectively.

The APPs are structured to more closely reflect the information lifecycle — from ensuring transparency in information collection, through to use and disclosure, quality and security, access and correction.

To make the most of our time today, I am going to focus on the APPs that have some key changes and will be most relevant in your role as privacy professionals.

APP 1—Open and transparent management of personal information

APP 1 seeks to ensure that agencies manage personal information in an open and transparent way and take a proactive approach to informing individuals about how their personal information will be handled.

To that end APP 1 requires organisations to have a clearly expressed and up-to-date privacy policy outlining the way they handle personal information.

Of course, the requirement to have a privacy policy is not new. However, APP 1 expands on the existing requirements in NPP 5 by identifying the minimum information that must be contained in an APP privacy policy.

While these changes will require you to review your privacy policy, there is no denying that greater openness and transparency can only improve customer service and build trust with your customers.

Evidence continues to suggest that few people read privacy policies. And here lies our shared challenge. We need to develop privacy policies that not only create greater transparency, but that also engage, and I commend organisations that are starting to meet this challenge (McAfee’s Privacy Ninja).

Under APP 1 organisations must also take such steps as are reasonable to implement practices, procedures and systems to ensure compliance with the APPs or a registered APP code that binds the entity. Those practices, procedures and systems must also enable entities to deal with inquiries or complaints from individuals.

What is considered ‘reasonable in the circumstances’ will always depend on the specific circumstances. However, some things your organisation could do to fulfil your obligations under APP 1 include:

  • training staff about the organisation’s policies and practices
  • establishing procedures to receive and respond to privacy complaints and inquiries, and to identify and manage privacy risks and compliance issues.

APP 1 is a bedrock principle for all APP entities — by complying with this APP you will be establishing a culture and set of processes for your workplace that will assist you in complying with all the other APPs, right from the start.

Aside from this being a legal requirement, it should not be difficult to build a business case for this principle. The adage that prevention is better than the cure rings true, and is more compelling than the case for data breach insurance in my mind.

APP 7—Direct marketing

The use and disclosure of personal information for direct marketing is now addressed in a privacy principle (rather than as an exception in NPP 2). This principle has created some concern and will be one we will spend some time consulting on and addressing in our detailed APP guidelines.

Generally, organisations may only use or disclose personal information for direct marketing purposes where the individual has either consented to their personal information being used for direct marketing, or has a reasonable expectation that their personal information will be used for this purpose, and conditions relating to opt-out mechanisms are met.

A welcome reform is the clarification that APP 7 will be displaced where another Act specifically provides for a particular type of direct marketing, such as the Spam Act. But, APP 7 will still apply to organisations involved in direct marketing relating to electronic messages and other activities not covered by such instruments.

We have heard the concerns about this APP. However, it is important to understand that direct marketing continues to be an area of increasing community concern, particularly in the online environment.

In privacy research conducted by the University of Queensland last year, 56 per cent of respondents disapproved of having advertising targeted to them based on their personal information.

There is also evidence that with the growing prevalence of tracking and aggregation, consumers are choosing not to use services due to privacy concerns.

Compliance with APP 7, including the requirement to provide a ‘simple means’ by which the individual can request not to receive any marketing, not only allows individuals to exercise choice, it potentially prevents loss of business. Customers care that you care about how you handle their personal information. They also care that you listen to how they want you to use their personal information.

APP 8—Cross-border disclosure of personal information

APP 8 is an important new principle on the cross-border disclosure of personal information to an overseas recipient, replacing NPP 9. APP 8 requires an entity to take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information, subject to limited exceptions.  

APP 8 and the related s 16C create a framework under which a disclosing entity remains accountable for the subsequent handling of that personal information by the overseas recipient. In some circumstances, the disclosing entity will be liable for an act or practice of the overseas recipient that would breach the APPs.

As I mentioned, this is subject to limited exception. One exception is when the organisation expressly informs the individual that if they consent to the disclosure overseas then the organisation will not be required to take reasonable steps to ensure that the overseas recipient does not breach the APPs, and the organisation will not remain accountable for what happens to that information.

Like direct marketing, the disclosure of personal information overseas remains a concern for much of the public and APP 8 reflects this concern.

I understand that being held accountable for the mishandling of personal information by your overseas contractor is a concern. However, I imagine the cost of an overseas data breach (including the costs of remediation, loss of reputation and customer trust and, potentially, customers) is equally concerning. This APP is a compelling business case for you to protect your business when you are planning to send personal information overseas.   

APP 11—Security of personal information

APP 11 relates to an entity’s obligation to protect the personal information it holds. While the obligations largely remain the same as those under IPP 4 and NPP 4 there are some differences to note.

Under APP 11, an entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

The inclusion of ‘interference’ is new and may require additional measures to be taken to protect against computer attacks and other interferences of this nature, but the requirement is conditional on steps being ‘reasonable in the circumstances’.

APP 11 also sets out that an entity has obligations to destroy or de-identify personal information in certain circumstances.

To assist organisations to understand their information security requirements, this week the Federal Attorney-General launched the OAIC’s new Guide to information security at the OAIC’s business breakfast to launch PAW. The Guide clarifies what ‘reasonable steps’ should be taken under the Privacy Act. The guide isn’t binding but does send a clear message about my expectations in this area, so naturally we intend to refer to the guide when assessing compliance with the data security obligations in the Privacy Act.

What I am seeing in the hacking related data breaches, both here and overseas, are cases of organisations that have not taken reasonable steps to protect the personal information they hold. Reasonable steps include regularly updating their security systems.

Compliance with the security requirements under the Privacy Act will not only minimise the risk of the costs of a data breach as I have previously outlined, but potentially the loss of valuable customer information to your competitors.

Commissioner’s new powers

Let’s now look at the Commissioner’s new powers.

From March 2014 I will be able to conduct Performance Assessments of private sector organisations to determine whether they are handling personal information in accordance with the new APPs, the new credit reporting provisions and other rules and codes.

The power will consolidate the existing discretion to conduct audits of Australian Government Agencies, tax file number recipients, credit reporting agencies, credit providers and extend it to include organisations.

These assessments may be conducted at any time, whether the organisation has had a previous Privacy breach or not. So I will be putting businesses on notice that they need to have their systems and processes in place to be ready at all times for a Performance Assessment.

I also have enhanced code making powers that will allow me to approve and register enforceable codes which are developed by entities, on their own initiative or on request from the Commissioner, or by the Commissioner directly.

From the first day of operation, the privacy reforms will provide me with enforcement powers and remedies in regards to own motion investigations – those that commence as a result of my own initiative rather than as a result of a complaint from an individual.

I will be able to make a determination (as I can already with a complaint lodged by an individual), accept written undertakings that will be enforceable through the courts, or apply for civil penalty orders of up to $340,000 for individuals and up to $1.7 million for companies.

I will not be taking a softly softly approach.

Let’s remember that the public sector have been working with the Act for nearly 25 years and the private sector for over 12 years, so these concepts are not new. Fundamentally, most of the principles remain the same.

Most of the requirements are not new requirements and in my view should already be happening so I will not shy away from taking action where it is appropriate to do so.

However, before you get too excited, I would note that since I became Privacy Commissioner in mid-2010, I have been telling business and government that my focus will always be on resolving the majority of complaints via conciliation.

How we will help

I would now like to outline the resources our office is developing for you to use in your work.

Our office has a role to educate all organisations and agencies, as well as the community more generally, about the changes that are coming. We are doing this on a very limited budget, having received no additional funding from Government, so it is encouraging to see that a number of you are already producing and disseminating helpful guidance on these important changes.

There is guidance to assist agencies and businesses already available. To date, we have published:

We will be conducting targeted public consultation processes to assist us in developing this guidance. I would encourage you to contribute to these consultations, so we can arrive at guidance that is practical and meets the needs of business.

To keep across the latest guidance and other materials, if you haven’t already, I encourage you to sign up with the Privacy Connections Network, our network for private sector privacy professionals.


It is an exciting time to be working in the privacy field — the large scale of these reforms presents interesting challenges and opportunities for all of us.

Be assured I will have the concerns of business in mind when administering the reformed Privacy Act. I will, though, always balance these concerns against the rights of individuals to control how their personal information is handled. These individuals value their personal information and they choose where they spend their money.

The business case is simply that good privacy practice is good business practice.

