Privacy Act Review Report: Chapter 5, Flexibility of the APPs. Analysis and comment

April 19, 2023

Chapter 5 of the Report is devoted to amending the powers in the Privacy Act relating to developing APP Codes and Emergency Declarations. The focus is quite narrow and technical. The amendments should not be controversial given that the changes build on what is already in the Privacy Act. There are relatively few APP Codes and the Emergency Declarations thankfully do not commonly arise.

The Act sets out a process for making APP codes in which the Commissioner identifies code developers and registers codes developed by them. An ‘APP code developer’ is any of an APP entity, a group of APP entities, or an association or body representing one or more APP entities. Currently the Commissioner is only permitted to make an APP code if a code developer has been requested to make a code by the Commissioner and has not complied with the request, or the Commissioner does not register a proposed code.

The Report proposes to give the Commissioner more power and flexibility in developing Codes. To that end the Report recommends that the Commissioner be given additional power to make an APP code on the direction or approval of the Attorney-General:

  • where it is in the public interest for a code to be developed, and
  • where there is unlikely to be an appropriate industry representative to develop the code.

An APP code could be made in the absence of a suitable industry code developer.

The process would not be unfettered. A code developed by the Commissioner would be a disallowable instrument. This is to allay concerns about the Commissioner having excessive power to initiate and develop regulations. The concerns are not well founded given a Code cannot go beyond the powers in the Act. There is scant evidence that the Commissioner would seek to over-regulate certain industries. The Commissioner has been a restrained, if not timid, regulator. While a Code is a disallowable instrument, thereby permitting Parliament to disallow it, the reality is that Parliament does not in practice do that in this complex area of law. Given the Attorney-General must either direct or approve the Code, it is difficult to see how the Government of the day would do anything but support that direction or approval.

The second process that will be incorporated is a mandatory consultation period of at least 40 days regarding -developed codes and powers to consult.  That is longer than the current requirement. 

The Proposal is:

5.1 Amend the Act to give power to the Information Commissioner to make an APP code where the Attorney-General has directed or approved that a code should be made:

  • where it is in the public interest for a code to be developed, and
  • where there is unlikely to be an appropriate industry representative to develop the code.

In developing an APP code, the Information Commissioner would:

  • be required to make the APP Code available for public consultation for at least 40 days,
  • be able to consult any person he or she considers appropriate and to consider the matters specified in any relevant guidelines at any stage of the code development process.

The Report also proposes that the Commissioner should have power to develop a temporary urgent code to enable an APP code to be made more quickly to respond to an urgent situation such as during a pandemic. The code would be time limited, for a period no longer than 12 months, which would be consistent with a Temporary Public Interest Determination.  The Commissioner would need to publish a temporary code and ensure that those affected by the code are aware of it.  The Code would not be a disallowable instrument.

The proposal is:

5.2 Amend the Act to enable the Information Commissioner to issue a temporary APP code for a maximum 12-month period on the direction or approval of the Attorney-General if it is urgently required and where it is in the public interest to do so.

The Report also proposes to amend the Emergency Declarations Part of the Privacy Act. Currently, the Prime Minister or Attorney-General may make an Emergency Declaration (ED) which allows for wide sharing of personal information provided it relates to the declared emergency or disaster. It enables an entity to share personal information about an individual if the entity believes the individual may be involved in the relevant emergency or disaster, the handling of personal information is for a permitted purpose and the disclosure is to a specified type of entity. An entity which handles personal information in accordance with the ED provisions will not be in breach of the APPs or most secrecy provisions in other legislation.

The proposal is to amend the legislation to enhance the capacity for EDs to assist in disaster and emergency situations by allowing them to be targeted by entity, by personal information type or by specified acts and practices. The rationale is that it would allow for a narrower scope of information sharing under EDs where appropriate, enabling agencies and organisations to strike a better balance between sharing personal information in order to respond to an emergency, and protecting individuals’ privacy. The security and destruction obligations under the Act would continue to apply to entities in relation to information received under an ED.

The proposal is:

5.3 Amend the Act to enable Emergency Declarations to be more targeted by prescribing their application in relation to:

  • entities, or classes of entity
  • classes of personal information, and
  • acts and practices, or types of acts and practices.

The Report proposes ensuring the ED framework is available in the circumstance of an ongoing emergency, such as declared pandemics.

The Proposal is:

5.4 Ensure the Emergency Declarations are able to be made in relation to ongoing emergencies.

Finally, the Report proposes that the Act be amended to permit organisations to disclose personal information to state and territory authorities when an ED is in force. The provisions would only permit organisations to disclose information to authorities in states or territories with comparable privacy laws to the Commonwealth. An individual would be able to make a complaint to the relevant state or territory privacy commissioner in respect of privacy breaches under the relevant state or territory privacy law. The state or territory authority receiving personal information under an ED would be bound by its obligations under state and territory privacy laws, and the information received under an ED should not be used for any purpose other than a permitted purpose under the Act.

The Proposal is:

5.5 Amend the Act to permit organisations to disclose personal information to state and territory authorities under an Emergency Declaration, provided the state or territory has enacted comparable privacy laws to the Commonwealth.
