Privacy Commissioner amends Australian Privacy Principle Guidelines

April 2, 2015

The Privacy Commissioner has announced the amendment of the Australian Privacy Principles (the “APPs”) guidelines. The amendments are not wholesale, but some of them are significant. In particular, it is worth noting the tighter wording in Chapter 8 regarding “use” and the revised treatment of reasonable steps in Chapter 11.

The news update provides:

The Office of the Australian Information Commissioner (OAIC) has issued updates to the Australian Privacy Principle (APP) guidelines. The APP guidelines were released in February 2014 ahead of the commencement of privacy law reform, and are the primary guidance for entities in how to interpret and comply with the APPs. These updates have been made following feedback from stakeholders throughout the first year of the new privacy laws.

Changes have been made to four chapters, clarifying some aspects of the guidance and responding to issues such as the introduction of separate privacy legislation in the ACT. Some of the main changes are:

  • Chapter A: to explain that the APP guidelines may provide relevant guidance to Australian Capital Territory public sector agencies covered by the ACT Information Privacy Act 2014
  • Chapter B: to clarify and expand upon guidance about ‘carries on business in Australia’, a component of the test for whether an APP entity has an ‘Australian link’
  • Chapter 8: to clarify guidance about the circumstances where an APP entity may be taken to breach the APPs, when it provides personal information to an overseas contractor as a ‘use’, and the information is mishandled overseas; and to expand guidance about the circumstances in which the ‘international agreement’ exception in APP 8.2(e) applies
  • Chapter 11: to update guidance about ‘reasonable steps’ and examples for consistency with the OAIC’s Guide to securing personal information (2015). 

The changes are:

Inclusion of [A.4] and [A.29] – [A.32]

These changes provide guidance to the ACT public sector organisations.

Amendments to [B.7], [B.13] – [B.21], [B.64], [B.68], [B.104] and [B.139].

The described changes to [B.7] are:

Clarified the circumstances in which small business operators are treated as organisations and therefore APP entities

B.7 now provides:

B.7 A non-APP entity may be treated as an organisation (and therefore as an APP entity) in certain circumstances, for example, a small business operator that is related to an organisation covered by the Privacy Act (s 6D(9)) or an entity that chooses to be treated as an organisation (s 6EA). Also, some small business operators are treated as organisations (and therefore an APP entity) in relation to the following activities they carry out:

  • activities of reporting entities or authorised agents relating to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and its Regulations and Rules (s 6E(1A))
  • certain acts and practices in connection with the operation of a residential tenancy database (s 6E(2)) and regulation 7 of Privacy Regulation 2013
  • activities related to the conduct of a protection action ballot (s 6E(1)(B)).

The described changes to [B.13] – [B.21] are:

Revised and expanded discussion about ‘carries on business in Australia’, a component of the test for whether an APP entity has an ‘Australian link’

B.13 – B.21 now provide, absent footnotes:

B.13 The phrase ‘carries on business in Australia’ in s 5B(3)(c) is not defined in the Privacy Act. However, it arises in other areas of law, including corporations and consumer law. Guidance may be drawn from judicial consideration of the phrase in those contexts.

B.14 The two elements – ‘carries on business’ and ‘in Australia’ – are connected but can be considered separately. Australian courts have held that both are questions of fact.[4] An assessment should be made having regard to all relevant circumstances, particularly the nature of the enterprise conducted by an entity, and the particular Act being applied. In this instance, it is the Privacy Act being applied.

Carry on business

B.15 The general law concept of ‘carrying on business’ has been said to ‘generally involve conducting some form of commercial enterprise, systematically and regularly with a view to profit’; or to embrace ‘activities undertaken as a commercial enterprise in the nature of a going concern, that is, activities engaged in for the purpose of profit on a continuous and repetitive basis’.

B.16 The focus of those definitions upon conducting or establishing a commercial enterprise for the purpose of profit is important. Nevertheless, a necessary modification of the concept in the context of the Privacy Act is that the Act can apply to a non-profit entity that is an ‘organisation’ as defined in s 6C(1). As to those entities, the more important element may be the repetition of commercial acts on a systematic or continuing basis as part of the activities of the entity.

In Australia

B.17 Whether a business is carried on ‘in Australia’ focusses upon whether activity is undertaken in Australia as part of the entity’s business. There is ‘a need for some physical activity in Australia through human instrumentalities, being activity that itself forms part of the course of conducting business’. However, as noted in another decision, ‘provided that there are acts within Australia which are part of the company’s business, the company will be doing business in Australia although the bulk of its business is conducted elsewhere and it maintains no office in Australia’.

B.18 An important consideration in applying this territorial requirement in the context of the Privacy Act is that the Act, though technologically-neutral, operates in an environment where personal information is regularly collected, held, used and disclosed online by organisations that may simultaneously carry on business through the web in many countries. In addition, an object of the Privacy Act is to ‘promote the protection of the privacy of individuals’ (s 2A(a)), which requires that regard be had to contemporary and practical circumstances.

B.19 In this context, factors that may be considered in assessing if an entity carries on business in Australia include whether:

  • the entity has a place of business in Australia
  • people who undertake business acts for the entity are located in Australia – for example, an entity may carry on business in Australia where an agent acting on its behalf carries on its business from some fixed place in Australia[10]
  • the entity has a website that offers goods or services to countries including Australia
  • Australia is one of the countries on the drop-down menu appearing on the entity’s website
  • web content that forms part of carrying on the business, was uploaded by or on behalf of the entity, in Australia
  • business or purchase orders are assessed or acted upon in Australia
  • the entity is the registered proprietor of trademarks in Australia.

B.20 The presence or absence of one of these factors may not be determinative in assessing whether an entity carries on business in Australia. For example, where an entity does not have a place of business in Australia, this does not necessarily mean that it does not carry on business in Australia.

B.21 An entity will not generally be regarded as carrying on business in Australia solely on the basis that a purchase order can be placed in Australia or that it has a website that can be accessed from Australia.

The described changes to B.64 are:

Small clarifications to the discussion about ‘disclosure’, including the addition of a new footnote reference to an AAT decision

B.64 and B.68 now provide:

B.64 An APP entity discloses personal information when it makes it accessible or visible to others outside the entity and releases the subsequent handling of the personal information from its effective control. This focuses on the act done by the disclosing party, and not on the actions or knowledge of the recipient. Disclosure, in the context of the Privacy Act, can occur even where the personal information is already known to the recipient.

and

B.68 ‘Disclosure’ is a separate concept from:

  • ‘unauthorised access’ which is addressed in APP 11. An APP entity is not taken to have disclosed personal information where a third party intentionally exploits the entity’s security measures and gains unauthorised access to the information. Examples include unauthorised access following a cyber-attack or a theft, including where the third party then makes that personal information available to others outside the entity. However, where a third party gains unauthorised access, the entity may breach APP 11 if it did not take reasonable steps to protect the personal information from unauthorised access (see Chapter 11 (APP 11))
  • ‘use’, which is discussed in paragraphs B.142–B.144 below. The concept of ‘use’ encompasses information handling and management activities occurring within an entity’s effective control, for example, when staff of an entity access, read, exchange or make decisions based on personal information the entity holds.

The described changes to B.104 are:

Minor stylistic change

B.104 now provides:

B.104 The terms ‘reasonable’ and ‘reasonably’ are used in the Privacy Act and APPs to qualify a test or obligation. Examples include that ‘personal information’ is information about an individual who is ‘reasonably’ identifiable (s 6(1)) and an APP entity must not collect personal information unless it is ‘reasonably necessary’ for one or more of the entity’s functions or activities (APP 3).

The described changes to B.139 are:

Updated discussion about ‘sensitive information’ to explain that information may be sensitive information where it clearly implies one of the matters listed in the definition of ‘sensitive information’ in s 6(1)

B.139 now provides:

B.139 Information may be sensitive information where it clearly implies one of these matters. For example, many surnames have a particular racial or ethnic origin, but that alone will not constitute sensitive information that clearly indicates the racial or ethnic origin of an individual with that surname.

Amendments to 8.15, 8.47 – 8.51, 8.1 and 8.21.

The described changes to 8.15 are:

Revised discussion of the circumstances where an APP entity may be taken to breach the APPs, when it provides personal information to an overseas contractor as a ‘use’, and the information is mishandled overseas

8.15 now provides:

8.15 Where the provision of personal information to an overseas contractor is a use, an APP entity may breach the APPs if the information is mishandled while in the overseas contractor’s physical possession. This is because the APP entity is considered to still ‘hold’ the information (as it has effective control of the information), and a number of APPs apply to an entity that ‘holds’ personal information (‘holds’ is discussed in Chapter B (Key Concepts)).

The described changes to 8.47 – 8.51 are:

Revised and expanded discussion about the circumstances in which the ‘international agreement’ exception in APP 8.2(e) applies

8.47 – 8.51 now provide:

Disclosing personal information to an overseas recipient as required or authorised under an international agreement relating to information sharing

8.47 An agency may disclose personal information to an overseas recipient without complying with APP 8.1 where the disclosure is ‘required or authorised by or under an international agreement relating to information sharing to which Australia is a party’ (APP 8.2(e)). This exception does not apply to organisations.

8.48 The term ‘international agreement’ is not defined in the Privacy Act. This guideline clarifies that the term includes documents binding at international law (for example, treaties and conventions), as well as other formal written documents not binding at international law (for example, a memorandum of understanding or an official exchange of letters[17]) that provide for information sharing between an agency and an overseas recipient. This exception applies only to such documents where the parties are Australia and one or more foreign states, although the overseas recipient of shared information may be a non-state entity.

8.49 Information sharing may not be the only or the primary subject of the agreement, so long as the agreement makes provision for ‘information sharing’. Additionally, the disclosure of personal information to the overseas recipient must be ‘required or authorised’ by or under the agreement.

8.50 To meet those requirements, the agreement should make specific arrangements for disclosure of information to an overseas recipient, including identifying the agency and the overseas recipient, the categories of personal information that may be disclosed to the recipient under the agreement and the circumstances in which or the purposes for which the information will be disclosed. This exception is unlikely to apply to an agreement that contains only a general commitment by the parties to facilitate, or remove obstacles to, the disclosure or exchange of information (the terms ‘required’ and ‘authorised’ are discussed in more detail in Chapter B (Key concepts)).

8.51 The agreement could also include provisions dealing with the responsibility of the parties to ensure adequate protection of the personal information that is disclosed according to standards comparable to those in the APPs, and the procedure to be followed to ensure that obligations or undertakings imposed by the agreement are met. The discussion of contractual measures in paragraphs 8.16–8.18 above lists other matters that could be considered for inclusion in the agreement.

The described changes to 8.1 and 8.21 are:

Minor amendments to footnotes to correct website references

The changes are now:

8.1 APP 8 and s 16C create a framework for the cross-border disclosure of personal information. The framework generally requires an APP entity to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs, and makes the APP entity accountable if the overseas recipient mishandles the information.[1] This reflects a central object of the Privacy Act, of facilitating the free flow of information across national borders while ensuring that the privacy of individuals is respected (s 2A(f)).

[1] An accountability approach was adopted in the Asia-Pacific Economic Cooperation (APEC) Privacy Framework in 2004, Information Privacy Principle IX (Accountability), see APEC website <publications.apec.org>. The accountability concept in the APEC Privacy Framework was in turn derived from the accountability principle from the Organisation for Economic Cooperation and Development (OECD) Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data of 1980, see OECD website <www.oecd.org.au>.

Law or binding scheme

8.21 An overseas recipient may be subject to a law or binding scheme, where, for example, it is:

  • bound by a privacy or data protection law that applies in the jurisdiction of the recipient
  • required to comply with another law that imposes obligations in relation to the handling of personal information, for example some taxation law includes provisions that expressly authorise and prohibit specified uses and disclosures, permit the retention of some data, require destruction after a certain period of time and under particular circumstances, and include a right of access to an individual’s personal information
  • subject to an industry scheme or privacy code that is enforceable once entered into, irrespective of whether the recipient was obliged or volunteered to participate or subscribe to the scheme or code
  • subject to Binding Corporate Rules (BCRs). BCRs allow multinational corporations, international organisations and groups of companies to make intra-organisational transfers of personal information across borders in compliance with EU Data Protection law.[13] BCRs typically form a stringent, intra-corporate global privacy policy that satisfies EU standards. The Article 29 Working Party issued several guidance documents on BCR content, acceptance criteria and submission process.[14]

[13] European Commission website <ec.europa.eu/justice/data-protection/index_en.htm>.

[14] Available at European Commission website <ec.europa.eu/justice/data-protection/index_en.htm>. See in particular documents WP 133 (2007), WP 153 (2008), WP 154 (2008), WP 155 (2008).

Amendments to 11.10, 11.34, 11.7 – 11.10, 11.11, 11.42, 11.15 – 11.21, 11.37.

The amendments to 11.10 and 11.34 are described as:

New reference to the OAIC Guide to securing personal information (2015)

The amendments now provide:

11.10 For further discussion of personal information security and the information lifecycle and examples of steps that may be reasonable for an APP entity to take under APP 11.1, see the OAIC’s Guide to securing personal information.

and

11.38 Where it is not possible for an organisation to irretrievably destroy personal information held in electronic format, reasonable steps to destroy it would include putting the personal information ‘beyond use’. However, an organisation could instead consider whether de-identifying the data would be appropriate (see paragraphs 11.41–11.45 below) and if so, take reasonable steps to de-identify the personal information.

The amendments to 11.7 – 11.10 are described as:

Consolidation and amendment of discussion, about relevant considerations in taking ‘reasonable steps’, for consistency with OAIC Guide to securing personal information (2015)

The amendments now provide:

Taking reasonable steps

11.7 The ‘reasonable steps’ that an APP entity should take to ensure the security of personal information will depend upon circumstances that include:

  • the nature of the APP entity. Relevant considerations include an APP entity’s size, resources, the complexity of its operations and its business model. For example, the reasonable steps expected of an entity that operates through franchises or dealerships, or that outsources its personal information handling to a third party may be different to those it would take if it did not operate in this manner.
  • the amount and sensitivity of the personal information held. Generally, as the amount and/or sensitivity of personal information that is held increases, so too will the steps that it is reasonable to take to protect it. ‘Sensitive information’ (defined in s 6(1)) is discussed in more detail in Chapter B (Key concepts)
  • the possible adverse consequences for an individual in the case of a breach. More rigorous steps may be required as the risk of adversity increases
  • the practical implications of implementing the security measure, including time and cost involved. However, an entity is not excused from taking particular steps to protect information by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take particular steps will depend on whether the burden is excessive in all the circumstances
  • whether a security measure is in itself privacy invasive. For example, while an APP entity should ensure that an individual is authorised to access information, it should not require an individual to supply more information than is necessary to identify themselves when dealing with the entity (see also Chapter 12 (APP 12)).

11.8 Reasonable steps should include, where relevant, taking steps and implementing strategies in relation to the following:

  • governance, culture and training
  • internal practices, procedures and systems
  • ICT security
  • access security
  • third party providers (including cloud computing)
  • data breaches
  • physical security
  • destruction and de-identification
  • standards.

11.9 As part of taking reasonable steps to protect personal information (also known as ‘personal information security’) an APP entity should consider how it will protect personal information at all stages of the information lifecycle. This should be considered before an entity collects personal information (including whether it should collect the information at all), as well as when the information is collected and held, and when it is destroyed or de-identified when no longer needed.

11.10 For further discussion of personal information security and the information lifecycle and examples of steps that may be reasonable for an APP entity to take under APP 11.1, see the OAIC’s Guide to securing personal information.[3]

The amendments to 11.11 and 11.42 are described as:

Minor stylistic changes

11.11 and 11.42 now provide:

11.11 APP 11 requires an APP entity to take active measures to ensure the security of personal information it holds, and to actively consider whether it is permitted to retain personal information.

and

11.42 An organisation that intends to comply with APP 11.2 by taking reasonable steps to ensure that personal information is de-identified should consider whether de-identification is appropriate in the circumstances. For more information on when and how to de-identify information, and how to manage and mitigate the risk of re-identification, see Privacy Business Resource 4 — De-identification of Data and Information and Information Policy Agency Resource 1 — De-identification of Data and Information.

The amendments to 11.15 – 11.21 are described as:

Loss

11.15 ‘Loss’ of personal information covers the accidental or inadvertent loss of personal information held by an APP entity. This includes when an APP entity:

  • physically loses personal information (including hard copy documents, computer equipment or portable storage devices containing personal information), for example, by leaving it in a public place, or
  • electronically loses personal information, such as failing to keep adequate backups of personal information in the event of a systems failure.

11.16 Loss may also occur as a result of theft following unauthorised access or modification of personal information or as a result of natural disasters such as floods, fires or power outages.

11.17 However, it does not apply to intentional destruction or de-identification of that personal information that is done in accordance with the APPs.

Unauthorised access

11.18 ‘Unauthorised access’ of personal information occurs when personal information that an APP entity holds is accessed by someone who is not permitted to do so. This includes unauthorised access by an employee of the entity[4] or independent contractor, as well as unauthorised access by an external third party (such as by hacking).

Unauthorised modification

11.19 ‘Unauthorised modification’ of personal information occurs when personal information that an APP entity holds is altered by someone who is not permitted to do so, or is altered in a way that is not permitted under the Privacy Act. For example, unauthorised modification may occur as a result of unauthorised alteration by an employee, or following unauthorised access to databases by an external third party.

Unauthorised disclosure

11.20 ‘Unauthorised disclosure’ occurs when an APP entity:

  • makes personal information accessible or visible to others outside the entity, and
  • releases that information from its effective control in a way that is not permitted by the Privacy Act.[5]

11.21 This includes an unauthorised disclosure by an employee of the APP entity.[6] The term ‘disclosure’ is discussed in more detail in Chapter B (Key concepts).

The amendment to 11.37 is described as:

Minor amendment to footnote to correct reference to Australian Government Information Security Manual and to Australian Signals Directorate website

11.37 now provides:

11.37 For example, for personal information held:

  • in hard copy, disposal through garbage or recycling collection would not ordinarily constitute taking reasonable steps to destroy the personal information, unless the personal information had already been destroyed through a process such as pulping, burning, pulverising, disintegrating or shredding
  • in electronic form, reasonable steps will vary depending on the kind of hardware used to store the personal information. In some cases, it may be possible to ‘sanitise’ the hardware to completely remove stored personal information.[9] For hardware that cannot be sanitised, reasonable steps must be taken to destroy the personal information in another way, such as by irretrievably destroying it. Where it is not possible to irretrievably destroy personal information held in electronic format, an organisation could instead comply with APP 11.2 by taking reasonable steps to de-identify the personal information (see paragraphs 11.41–11.45 below), or should put the information beyond use (see paragraphs 11.38–11.40 below)
  • on a third party’s hardware, such as cloud storage, where the organisation has instructed the third party to irretrievably destroy the personal information, reasonable steps would include taking steps to verify that this has occurred.
