A report on Australian privacy law led to major changes to the privacy legislation, which commenced in 2014. Thirteen legally binding Australian Privacy Principles apply to personal information held by Australian government agencies and most Australian companies. Separate provisions apply to credit providers and credit reporting bodies. Most small businesses are exempt, as are journalistic and political activities, among others. Breaches can attract heavy penalties. Privacy codes can be approved and registered.
Major changes to the Privacy Act 1988 (Cth) (“PA 1988”) commenced on 12 March 2014. These changes, introduced by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), gave effect to more than half of the recommendations of the Australian Law Reform Commission’s report on Australia’s privacy law (ALRC Report 108/2008 – For Your Information – Australian Privacy Law and Practice).
Two key features of the PA 1988 are:
•The 13 Australian Privacy Principles (APPs).
These are legally binding principles that apply to the handling of personal information by the Australian government (generally only federal agencies) and most Australian companies (although an exception applies to small business).
•Obligations on credit providers and credit reporting bodies.
Credit providers and credit reporting bodies (as defined in the PA 1988) must comply with the credit reporting provisions in Part IIIA of the PA 1988 and with the legally binding Privacy (Credit Reporting) Code 2014 (Version 1.2) registered under the PA 1988 by the Australian Information Commissioner.
Both the APPs and the obligations on credit providers and credit reporting bodies are products of the March 2014 changes. The APPs replaced the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) that existed previously. Previous obligations on credit providers and credit reporting bodies were replaced with a new credit reporting regime.
The Australian Information Commissioner has issued advisory guidelines that outline the requirements of the APPs and provide the Commissioner’s views on how best to comply with them. These guidelines are available on the OAIC website at www.oaic.gov.au.
Entities to which the Privacy Act applies
The PA 1988 applies to federal government agencies as well as to some private sector organisations, including:
•individuals who collect, use or disclose personal information in the course of running a business;
•bodies corporate; and
•partnerships, unincorporated associations and trusts.
Some of the APPs apply differently to Australian government agencies and private sector organisations. The term “APP entity” is used where the APPs apply to both private sector organisations and government agencies.
The APPs replace the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs), which prior to 12 March 2014, provided separate obligations for government and private-sector organisations. The APPs broadly cover the same areas as the IPPs and NPPs, although the standards required by the APPs are higher in some respects.
Individuals acting in a non-business capacity and personal information collected for personal and household affairs
The PA 1988 does not apply to personal information that individuals collect, hold, use or disclose for the purposes of their personal, family or household affairs. In other words, the PA 1988 does not apply to an individual’s handling of personal information unless it is done in the course of running a business.
Most small business operators are exempt from complying with the PA 1988 (subject to the exceptions listed below). A small business is an organisation with an annual turnover of $3 million or less.
Some small businesses are not exempt from the PA 1988, including those that:
•provide a health service and hold any health information;
•trade in personal information, either:
– disclosing personal information for a benefit, service or advantage; or
– providing a benefit, service or advantage to collect an individual’s personal information from anyone else (unless the individual consents, or the disclosure or collection is required or authorised by law);
•are contracted service providers for a Commonwealth contract; or
•are a “reporting entity” under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), for activities conducted to comply with that Act.
Acts and practices of a private sector organisation (the exemption does not extend to government agencies) that are directly related to:
•a current or former employment relationship; and
•an employee record,
are exempt from the PA 1988. “Employee record” refers to a record of personal information relating to the employment of a person, such as information about the employee’s:
•engagement, training, disciplining or resignation;
•terms and conditions of employment;
•personal and emergency contact details;
•performance or conduct;
•taxation, banking or superannuation affairs.
Note that the exemption does not extend to applicants for employment.
The journalistic activities and practices of media organisations are exempt from the PA 1988. A “media organisation” is an organisation whose activities consist of the collection, preparation and dissemination of news, current affairs, information or documentaries. The media organisation must be publicly committed to observing published industry standards that deal with privacy in the context of the activities of media organisations. Examples of such published industry standards include industry codes regulated by the Australian Communications and Media Authority and the Australian Press Council.
The political activities of registered political parties, members of parliament and local government councillors are exempt from the PA 1988. For the purposes of the exemption, the political activities must have some connection with an election under electoral law, a referendum or some other aspect of the political process. The political activities of contractors and volunteers of registered political parties for these purposes are also exempt.
Where an entity breaches an APP, this is “an interference with the privacy of an individual” under section 13(1) of the PA 1988. Part V of the PA 1988 gives the Australian Information Commissioner powers to investigate possible interferences with privacy, on the Commissioner’s own initiative or in response to a complaint. The Commissioner can seek certain remedies for breaches of the APPs, including enforceable undertakings, injunctions and civil penalty orders.
If an entity engages in serious or repeated breaches of the APPs or a registered privacy code, the Commissioner may apply to the Federal Court or the Federal Circuit Court for an order that the entity pay a civil penalty of up to $1.7 million for corporations or up to $340,000 for individuals.
The Australian Information Commissioner has the power to approve and register enforceable codes to cover certain entities – for example, entities in a particular industry. The Commissioner has issued guidelines for developing privacy codes. The Privacy (Credit Reporting) Code 2014 (Version 1.2) was registered by OAIC on 22 January 2014 (and subsequently varied on 24 April 2014) (see “Credit reporting”); however, no APP Codes had been registered at the time of publication (July 2014).
APP 1 requires that APP entities take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs. APP 1 also requires that APP entities have a clear policy about the entity’s management of personal information that addresses a list of prescribed matters. The policy must be made available free of charge and in an appropriate form (e.g. by publishing on a website). The list of prescribed matters includes:
•the kinds of personal information that the entity collects and holds;
•how the entity collects and holds personal information;
•the purposes for which the information is collected, held, used and disclosed;
•how an individual may access and, if necessary, correct the information;
•how an individual can complain about a breach of the APPs, and how the entity will deal with such a complaint; and
•whether the entity is likely to disclose the information to overseas recipients, and if so, the countries in which such recipients are likely to be located (if it is practicable to specify those countries in the policy).
APP 2 states that individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter. The requirement does not apply, however, where it is impracticable for the APP entity to deal with individuals who have not identified themselves, or where the APP entity is required or authorised by law (or by a court or tribunal order) to deal with individuals who have identified themselves.
APPs 3, 4 and 5 cover the collection of personal information.
APP 3 provides that an APP entity must collect personal information only by lawful and fair means, and must (where reasonable and practicable) collect personal information about an individual directly from that individual.
Further, an APP entity must not collect personal information unless the information is reasonably necessary for one or more of the APP entity’s functions or activities (in the case of a government agency, collection is also permitted where the information is directly related to one of those functions or activities). The entity collecting the information must be able to demonstrate that a reasonable person who is properly informed would agree that the collection is necessary.
The APP guidelines refer to previous decisions where, in the circumstances, an entity’s collection of information was held not to be reasonably necessary (e.g. it was not reasonably necessary for a bank to collect information about a person’s marital status to open a bank account, or for a medical practitioner to photograph a patient for their medical file when this was not necessary to provide a health service).
In addition, “sensitive information” may generally only be collected if the individual to whom the information relates has consented to the collection. “Sensitive information” means information about an individual’s racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual orientation or practices; or criminal record. It also includes health information about an individual; genetic information; biometric information (such as fingerprints) that is to be used for the purpose of automated biometric verification or identification; and biometric templates.
There are some limited exceptions where consent is not required to collect sensitive information, including where the collection of the information is required by law, or is required to prevent a serious threat to health or safety. There is also an exception permitting non-profit organisations, including charities, to collect sensitive information if it relates solely to the members of the organisation, or to people who have regular contact with it for the purpose of its activities. Also, private sector organisations can collect health information from an individual in certain circumstances in connection with providing a health service.
APP 4 states that if an APP entity receives personal information about an individual that it has not solicited, it must first determine whether or not it could have collected the information under APP 3 if it had solicited the information. If not, it must destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so.
APP 5 requires that, when an entity collects personal information about an individual, it must take reasonable steps to notify the individual, or otherwise ensure they are aware, of certain matters, including:
•the identity of the organisation and how to contact it;
•the fact that the entity has collected the information;
•any law that requires the information to be collected;
•the purposes for which the information is collected;
•the consequences for the person if the information is not collected;
•organisations to which the information is usually disclosed;
•how the individual can access and, if necessary, correct the information;
•how the individual can complain about a breach of the APPs; and
•whether the entity is likely to disclose the information to overseas recipients, and if practicable, the countries where they are located.
Often, this involves providing a privacy notice at the time of collection, such as on a form used to collect personal information, or in a script read over the telephone.
APP 6 regulates an APP entity’s use and disclosure of personal information. As a general rule, an entity may only use or disclose personal information for the particular purpose for which it was collected (the primary purpose).
An entity can use or disclose personal information about an individual for another purpose if:
•the individual has consented; or
•the individual would reasonably expect the entity to use or disclose the information for the secondary purpose, and the secondary purpose is related to the primary purpose (or directly related in the case of sensitive information).
An entity may also be able to disclose personal information for some secondary purposes related to the public interest, such as law enforcement, public safety, research purposes or emergency situations.
APP 7 concerns the circumstances in which an entity can use or disclose personal information for direct marketing. The term “direct marketing” is not defined in the PA 1988; however, the Explanatory Memorandum to the amending Act provides that it involves “communicating directly with a consumer to promote the sale of goods and services to the consumer”. The APP Guidelines state that direct marketing can be through “a variety of channels, including telephone, SMS, mail, email and online advertising”.
APP 7 prohibits private sector organisations from using personal information for direct marketing except in certain limited circumstances.
If personal information has been collected directly from an individual, direct marketing is only permitted where:
•the individual would reasonably expect the information to be used for the purpose of direct marketing, and
•the entity provides a simple means by which the individual can opt out of the direct marketing communications (and the individual has not made a request to opt out).
A “simple” means to opt out, according to the APP Guidelines, should require minimal time and effort. It should be clear, easily understood, accessible and free (or involve no more than a nominal cost; for example, a standard text message charge). If an individual has opted out of receiving direct marketing from an entity, the entity must not use or disclose the individual’s personal information for the purpose of direct marketing.
Additional restrictions apply if the individual would not have reasonably expected their personal information to be used for direct marketing, or if the personal information was collected from a third party.
APP 7 generally applies only to private sector organisations, however it can apply to certain Australian Government agencies named in the Freedom of Information Act 1982 (Cth) and its regulations. There are also a number of exceptions to the prohibition on direct marketing in APP 7, such as where the direct marketing is necessary for an entity to fulfil its obligations under a government contract.
Where other laws apply that contain specific provisions regarding direct marketing (such as the Spam Act 2003 (Cth)), these provisions displace the more general rules in APP 7.
APP 8 covers the disclosure of personal information outside of Australia. It is particularly relevant in a context where an increasing number of entities use information technology services that disclose or transfer personal information to overseas recipients (such as outsourcing, off-shoring and cloud computing). Subject to certain exceptions, before an APP entity makes personal information available to a third party located outside of Australia, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs. This will usually involve the APP entity entering into an enforceable contractual arrangement with the overseas recipient that requires the recipient to handle the personal information in accordance with the APPs. In some circumstances, the APP entity may be deemed liable for a breach committed by the overseas recipient (even if the organisation has taken reasonable steps to ensure the overseas entity complies with the APPs).
APP 9 limits the use of government-related identifiers (such as passport, Medicare numbers and drivers’ licence numbers) by private sector organisations. Its purpose is to ensure that government-related identifiers do not become universal identifiers, and to prevent government-related identifiers from being used for data-matching. As such, APP 9 generally prohibits an entity from adopting government-related identifiers as its own way to identify an individual. There are exceptions where using the identifier is reasonably necessary for certain purposes.
APP 10 requires that APP entities take reasonable steps to ensure that the information they collect, use and disclose is accurate, up-to-date and complete.
APP 11 concerns the security of personal information held by an entity. It requires that APP entities take reasonable steps to protect the personal information they hold from misuse, interference and loss and from unauthorised access, modification or disclosure. Further, the entity must take reasonable steps to destroy or de-identify the information if it no longer needs the information for any purpose for which the information may be used or disclosed by the entity under the APPs.
APP 12 requires that as a general rule, an entity must, upon request, give an individual access to any personal information that the entity holds about them.
It must be free for an individual to make an access request. Australian government agencies must also provide access for free. Private sector organisations may charge for providing access, but the charge cannot be excessive. The APP Guidelines suggest that a charge may be considered excessive were it to exceed the actual cost incurred in giving access.
APP 12 sets time periods within which entities must respond to requests for access. Australian government agencies must respond to requests within 30 days of the request. Private sector organisations must deal with requests within a reasonable time period.
An entity must take reasonable steps to give access, which may mean providing access through an agreed intermediary. If the entity refuses access on the basis of an exception (these are described below), the individual is entitled to receive a written notice setting out the reasons for the refusal and the mechanisms by which to complain about the refusal.
There are several exceptions to APP 12 that permit an entity to refuse access. These exceptions differ depending on whether the entity is a private sector organisation or an Australian government agency, because agencies have responsibilities to provide access to information under other Commonwealth legislation such as the FOI Act (see Freedom of information law). The intention of APP 12 is that individuals should rely on the FOI Act as the primary way to seek access to their personal information held by agencies. Therefore, APP 12 lists several grounds upon which an agency can refuse access, which cross-reference the FOI Act and other Commonwealth legislation. However, a decision on a request for access under APP 12 is a decision made under the PA 1988, not the FOI Act, and so the agency is still obliged to provide reasons for the refusal, and an individual is entitled to complain to the Australian Information Commissioner.
Private sector organisations can also refuse access in some circumstances – for example, if:
•it would be unlawful to provide the information;
•it would have an unreasonable impact on the privacy of another individual;
•it would pose a serious and imminent threat to the life or health of any individual;
•the request is frivolous or vexatious; or
•giving access would reveal evaluative information in connection with a commercially sensitive decision (in which case the entity’s reasons for refusal may include an explanation for the commercially sensitive decision).
APP 13 requires an APP entity to take reasonable steps to correct any personal information it holds if it is satisfied that the information is out of date, inaccurate, incomplete, irrelevant or misleading, or if an individual requests the correction of the information. On request from the individual, the entity must also communicate the correction to third parties to whom it has previously disclosed the information.
If an entity refuses to correct information, it must provide a statement explaining the refusal and the mechanisms available for the individual to complain. The entity may also have to inform users of the information that the individual believes it to be incorrect.
For government agencies, APP 13 operates alongside the right to amend or annotate personal information under part V of the FOI Act.
Part IIIA of the PA 1988 regulates the handling of certain types of personal information by credit providers and credit reporting bodies (as defined in PA 1988). The provisions in part IIIA are supplemented by the Privacy (Credit Reporting) Code 2014 (Version 1.2) (“CR Code”), a code of practice relating to credit reporting registered under the PA 1988 (together, “Credit Reporting Regime”).
Depending on the specific context, the Credit Reporting Regime applies to collection, use or disclosure of credit-related information instead of, or in addition to, the APPs as set out in part IIIA of the PA 1988.
The Credit Reporting Regime distinguishes between consumer and commercial credit (as defined in the PA 1988). It focuses on regulation of information that has a bearing on an individual’s credit-worthiness in respect of consumer credit.
By way of example of the functions of the Credit Reporting Regime, credit providers (such as banks, telcos and energy retailers) commonly use information relating to an individual’s consumer creditworthiness when they assess an application for a consumer loan, credit card or supply of goods on deferred payment terms (e.g. an application for a post-paid mobile phone service). In some instances, carrying out a “credit check” before entering into an arrangement to provide credit is mandated by applicable law (including, for example, under the National Credit Code, the Telecommunications Consumer Protection Code or the National Energy Retail Rules).
Credit reporting bodies are permitted to collect, use and disclose credit-related information about individuals, including for the purpose of providing such information on request to credit providers for the purpose of assessing an application for consumer credit. For example:
•ordinarily, a credit reporting body would record any request by a credit provider for credit-related information for the purposes of assessing an application for consumer credit, which record would become part of the credit-related information held by the credit reporting body; and
•a credit provider may disclose certain details relating to consumer credit it provides to an individual as discussed below.
Key aspects of the Credit Reporting Regime, described in turn below, include the following:
•restrictions on the types of information permitted to be exchanged under the Credit Reporting Regime;
•restrictions on the use and disclosure by credit providers and credit reporting bodies of credit-related information;
•obligations on credit providers and credit reporting bodies to notify individuals about certain matters in relation to their handling of credit-related information; and
•rights for individuals to request access to credit-related information about them, to seek amendments or to submit complaints.
Broadly, the Credit Reporting Regime permits credit providers and credit reporting bodies to collect and disclose certain types of credit-related information, for example information about:
•an individual’s identity;
•details of credit that the individual holds or has previously applied for, including the type and amount of credit, and the dates when the credit account was opened and terminated;
•an individual’s repayment history;
•credit defaults (that is, payments of $150 or more that are at least 60 days overdue);
•certain terms and conditions on which consumer credit is issued, and agreements by an individual to vary those terms; and
•court proceedings or personal insolvency, and information about serious credit infringements.
Repayment history information, and consumer credit liability information, could not be disclosed under the credit reporting regime as it existed prior to 12 March 2014. Credit providers may disclose to credit reporting bodies repayment history information relating to payments an individual has made or missed since 12 December 2012.
Information about an individual’s repayment history can be quite detailed: it can include whether an individual has met monthly payments, including the day on which payment was due and the day on which it was paid. A credit provider is permitted to disclose (and receive from a credit reporting body or another credit provider) repayment history information only if the credit provider holds an Australian Credit Licence under the National Consumer Credit Protection Act 2009 (Cth).
Credit reporting bodies can also use and disclose information that they derive from other credit-related information. For example, a credit reporting body might use other information it collects to give an individual a credit score or risk assessment, and may disclose this to a credit provider who has requested a credit report. A credit provider may in turn use this information (and other information they hold) to derive their own conclusions about credit eligibility.
The Credit Reporting Regime permits credit reporting bodies and credit providers to disclose credit-related information, but only for certain permitted purposes.
For example, a credit reporting body may disclose credit-related information if it is requested by a credit provider for the purpose of assessing an individual’s application for consumer credit, or to collect payments that are overdue in relation to consumer credit. A credit reporting body may also disclose credit-related information to a credit provider for the purpose of assessing an application for commercial credit if the relevant individual has consented to the disclosure for that purpose.
Subject to some limitations, a credit provider can generally disclose to a credit reporting body credit-related information about an individual that the credit provider reasonably believes is over 18 years old, provided that the credit provider is a member of a recognised external dispute resolution scheme. Additional limitations apply to the disclosure of certain types of information, including information about repayments or credit defaults.
A credit provider is permitted to use or disclose credit-related information obtained from a credit reporting body (referred to in the Credit Reporting Regime as “credit eligibility information”) only for purposes permitted under the Credit Reporting Regime.
There is a general prohibition on credit-related information being used or disclosed by a credit reporting body for the purposes of direct marketing. However, a credit reporting body is permitted to use certain types of credit-related information to make a “pre-screening assessment”: an assessment of specified individuals’ eligibility to receive direct marketing from credit providers, made for the purpose of eliminating ineligible individuals from a list provided by a credit provider. The credit provider can then use the pre-screened list to conduct direct marketing. Individuals have a right to request that credit reporting bodies not use information about them to make pre-screening assessments.
A credit reporting body is also prohibited from using or disclosing credit-related information about an individual during a “ban period” (21 days, unless extended) where the individual reasonably believes that they have been a victim of fraud and requests the ban, unless the use or disclosure is required by law or the individual consents. If a credit provider provides consumer credit to the individual during a ban period, the credit provider must not disclose credit information relating to that consumer credit to a credit reporting body unless it has taken reasonable steps to verify the individual’s identity.
Obligations to notify individuals about certain matters in relation to handling of credit-related information
The Credit Reporting Regime imposes obligations on credit providers and credit reporting bodies to give individuals notice about certain uses and disclosures of credit-related information.
A credit provider is required to notify an individual of certain matters at or before the time it collects credit-related information about that individual that it is likely to disclose to a credit reporting body. A credit provider is also required to notify the individual of certain additional matters under APP 5 (discussed above) if it collects credit-related information about that individual.
Significantly, a credit provider must give notice if, within 90 days of obtaining a credit report about an individual, the credit provider refuses a consumer credit application. The notice must be provided within 10 business days of the credit provider notifying the individual of the refusal.
A credit provider must also provide notice to an individual before passing on information about their credit defaults to a credit reporting body. The individual must be given a written notice informing them that their payment is overdue by 60 days or more, and requesting that the overdue amount be paid. The credit provider must then give the individual a separate notice of their intention to disclose the information to a credit reporting body, and cannot disclose the information until 14 days have passed since that second notice was given.
Credit providers and credit reporting bodies must also give notices of decisions in respect of requests by individuals to access or correct their credit-related information.
An individual can request to access the credit-related information that a credit provider or credit reporting body holds about them. Credit providers and credit reporting bodies must provide access within a reasonable period (of no longer than 10 days in the case of a credit reporting body, or 30 days for a credit provider unless unusual circumstances apply).
Individuals are entitled to access information held by a credit reporting body at no charge:
•once every 12 months, or
•at any time within 90 days of being refused credit by a credit provider.
Otherwise, a credit reporting body can impose access charges, so long as such charges are not excessive. Credit providers may impose a reasonable charge for providing access to credit information.
Credit providers and credit reporting bodies must present information to individuals in a clear and accessible way, and must provide reasonable explanations and summaries to assist the individual in understanding how the information impacts on their credit worthiness.
Information on how to access information held by a credit reporting body or a credit provider is required to be included in the credit reporting body’s or credit provider’s credit reporting policy, which will generally be available on the credit reporting body’s or credit provider’s website. Contact information for the main Australian credit reporting bodies is provided in “Contacts”.
A credit provider or credit reporting body that refuses an individual’s request to access credit-related information must give the individual a notice setting out their reasons for the refusal and how the individual can make a complaint.
An individual has the right to seek correction of their credit-related information. Credit providers and credit reporting bodies must correct information that is inaccurate, out-of-date, incomplete, irrelevant or misleading, within 30 days of receiving a request from an individual (or a longer period agreed by the individual in writing).
A credit provider or credit reporting body is generally required to deal with a request themselves; that is to say, they cannot simply refer the request to another credit provider or credit reporting body. A credit provider or credit reporting body is required to consult another credit provider or credit reporting body if necessary to determine whether the relevant information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
To meet their obligations to correct information, credit providers and credit reporting bodies must take reasonable steps to ensure that any derived information, such as credit scores or ratings, reflects the corrections.
Individuals have additional rights in respect of information about credit defaults – for example, an individual can request a credit reporting body to destroy any default information where the limitation period for recovery of the debt (generally 6 years) has expired.
Credit providers and credit reporting bodies are obliged to notify an individual of a decision about a correction request, generally within 5 days of the decision, and if a request is refused, must provide the reasons for the refusal.
An individual can make a complaint about how credit providers and credit reporting bodies have handled their information or dealt with their requests.
In the first instance, an individual should generally complain to the relevant credit provider or credit reporting body. If the individual is not satisfied with the outcome, the individual can complain to an external dispute resolution scheme of which the credit provider or the credit reporting body is a member. However, if a complaint is about a decision in relation to access or correction, an individual can complain directly to an external dispute resolution scheme or to the Australian Information Commissioner.
External dispute resolution schemes recognised by the Commissioner include the Financial Ombudsman Service, the Credit and Investments Ombudsman, the Telecommunications Industry Ombudsman Limited and a number of others that correspond to particular industries or sectors.
If an individual is not satisfied with the outcome of external dispute resolution, they may complain to the Australian Information Commissioner, who can then consider whether to investigate the complaint. Contact information for OAIC is provided in “Contacts”.