The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 has been passed by the House of Representatives.
The reforms represent one of the most significant developments in privacy reform since the Privacy Act was first enacted in 1988. The Government chose to act on over half of the Australian Law Reform Commission’s proposed recommendations in the 2008 ‘For your information’ report. It marks the conclusion of a long process of privacy law reform, in which the OAIC has been actively involved.
That process commenced back in January 2006, when the Australian Law Reform Commission (ALRC) received a reference from the Federal Government to conduct a review of the Privacy Act. The ALRC’s review of privacy from 2006 to 2008 included the release of Issues Papers 31 and 32, Discussion Paper 72, and extensive consultation, culminating in the release of Report 108, titled ‘For Your Information: Australian Privacy Law and Practice’, in August 2008 (ALRC Report 108).
The Bill will now be introduced in the Senate, where it is currently being considered by the Senate Legal and Constitutional Affairs Legislation Committee. The Committee’s report is expected to be released on 20 September 2012.
The Parliamentary Joint Committee on Intelligence and Security is also currently considering ways to further strengthen privacy protections as part of its Inquiry into potential reforms of National Security Legislation.
The Government may implement further amendments in the Senate in response to the Senate Legal and Constitutional Committee’s report.
The legislation amends the Privacy Act 1988 (Cth) to create a single set of unifying Australian Privacy Principles (APPs), which will apply to both Commonwealth agencies and private sector organisations, replacing the Information Privacy Principles (IPPs) for the public sector and the National Privacy Principles (NPPs) for the private sector. Commonwealth agencies and private sector organisations will be known as “APP entities”.
The Bill also introduces more comprehensive credit reporting provisions, accompanied by enhanced privacy protections. New provisions on privacy codes and the Credit Reporting Code will be introduced, in addition to powers for the Commissioner to register codes in the public interest which will be binding on specific agencies and organisations.
The reforms are aimed at making it easier for consumers to access and correct their personal credit information, and altering the type of information that banks and financial institutions will be able to see relating to consumers, enabling them to assess credit risks far more accurately. Credit providers will now be under obligations to assist consumers to correct their credit information and the legislation will make it easier for consumers to make complaints about incorrect credit reporting information. The legislation also prohibits the collection of credit reporting information of individuals under 18.
The Bill will clarify the range of functions and powers vested in the Privacy Commissioner, improving the Commissioner’s ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and generally promote compliance with privacy obligations. The Privacy Commissioner will be able to make determinations to direct an organisation to take steps to cease engaging in certain conduct, or to take reasonable action to redress any loss or damage suffered.
The Commissioner will also be given power to obtain enforceable undertakings from organisations, meaning that a court can then make appropriate orders, including orders for compensation. The Privacy Commissioner will also be able to apply to a court for civil penalty orders against organisations.
The new functions and powers will help to redress serious and systemic interferences with individuals’ privacy, and provide a clear directive to organisations that they must take privacy obligations seriously. Fines of up to $1.1 million could apply for a body corporate for serious or repeated interferences with privacy. ‘Serious’ is not currently defined in the legislation.
The legislation introduces a new privacy principle for direct marketing and more robust protections for consumers when companies disclose personal information overseas. The new direct marketing privacy principle will provide stronger regulation over the use of personal information for direct marketing.
In terms of transborder data flows, privacy policies will now have to include information as to whether a company or agency is likely to disclose information to overseas recipients and, if so, which countries the information is likely to go to.
The Australian Privacy Principles will also afford stronger protection to ‘sensitive information’ which includes, amongst other things, health related information, DNA and biometric data.
The Government will allow government agencies and industry a period of nine months to review and update their privacy policies and practices to prepare for the reforms, and the Bill will therefore not commence operation until nine months after it receives Royal Assent.
The Coalition has supported banks and telecommunications companies in their fight against the proposed reforms which are intended to preclude them from sharing information about their customers with overseas companies.
Government amendments to the Privacy Act would restrain companies from transferring valuable information about customers’ credit-worthiness offshore, except where the recipient of the information is formed in, or controlled from Australia.
Commonwealth agencies using cloud computing have an obligation to comply with privacy laws and regulations when adopting cloud computing solutions.
When entering into contracts with cloud service providers Commonwealth agencies are under an obligation to comply with the Privacy Act 1988 (Cth) and the eleven Information Privacy Principles (IPPs) set out in s14 of the Act which regulate how Commonwealth agencies collect, use and disclose the personal information of individuals.
s95B of the Privacy Act requires agencies to take contractual measures to ensure that contracted service providers do not do anything that would be in breach of the IPPs.
Commonwealth agencies which contract with cloud service providers (and their sub-contractors) have been under an obligation to ensure that any contracts they enter adequately protect personal information, by requiring the cloud service provider to undertake in the contract that it will comply with the former IPPs.
The legal obligations contained in s95B of the Privacy Act apply to Commonwealth Agencies and contracted service providers, irrespective of whether the contractor is in Australia or offshore. When contracting offshore, agencies must make sure they are still able to enforce the provisions of any contract they enter into.
Whenever a Commonwealth agency collects information from an individual, IPP2 obliges the agency to advise the individual whether the information is likely to be disclosed to any other entity.
IPP11 regulates the disclosure of personal information, setting out the circumstances under which an agency can disclose personal information.
Whenever an agency shares personal information with a cloud service provider, this might be characterised as either a ‘use’ or a ‘disclosure’ of information. Whether or not it is deemed as a use or a disclosure depends upon the degree of control the agency retains over the information collected.
A Commonwealth agency which cedes control over personal information to the outsourced provider will be treated as having disclosed the information, whereas an agency that maintains control over that information will be treated as having used the information.
This raises the question of the degree of control required to characterise the personal information shared with the contracted service provider as a use as opposed to a disclosure.
Indications that the agency has maintained control over the information it has shared with a contracted service provider include where the agency has given the information to the provider for the limited purpose which assists the agency. In the context of giving information to a cloud service provider the use would typically be for the purpose of providing relevant services to the agency.
Any contract entered into by the services provider and the agency will bind not only the service provider but also any sub-contractors of the service provider not to use or disclose the information other than for the limited purposes for which it was entrusted.
Additionally the contract would grant to the agency the right to retrieve, access and modify the information.
Therefore it is important that, when a Commonwealth agency engages a cloud computing service that stores or processes personal information offshore, it does so in a manner that retains sufficient control over the information for the arrangement to qualify as a use, even where the information is hosted offshore. This would be achieved by contractual measures which ensure that the agency has the practical and legal right to access and recover the information at all times.
The privacy reforms would affect companies that outsource information to international call centres, data-processing centres and data stored by way of cloud computing.
The adoption and transitioning to cloud services may offer various business benefits to Australian small and medium businesses, but there are also inherent risks, the level of which will be contingent upon the cloud model adopted, risk assessments conducted and contractual and other measures taken to address issues such as data sovereignty, data spillage, loss or unauthorised use.
Many businesses have adopted or are considering a cloud based solution, but need to be aware of the key risks which are inherent in any cloud environment, in particular privacy and data security obligations which arise when transferring personal and sensitive information into the cloud.
There are significant risks and issues associated with cloud computing. Guiding principles are necessary to ensure that businesses consider and address these risks and issues. Businesses must have sound contract arrangements that are effectively managed. Information security, confidentiality, integrity, and availability are key considerations when deciding to adopt cloud technologies. There are significant governance, security, and privacy issues.
Any business engaging the services of a cloud computing provider should conduct a thorough risk assessment to determine the viability of using cloud computing services and to ensure that the business can meet its business goals whilst also maintaining an acceptable level of risk. Part of the risk assessment should include identifying potential risks and taking steps to manage those risks, by negotiating agreements with the cloud computing service.
The specific risks and issues which arise in a cloud computing environment will be addressed more comprehensively in the next article, including some recommendations as how to navigate those risks.
Under the proposed privacy reforms, even organisations that have taken reasonable steps to secure information transferred offshore will, subject to limited exceptions, remain liable for breaches of the APPs even where overseas access to that information was unauthorised, such as by hackers. This concern was raised in the context of cloud computing arrangements. Objection was taken to an accountability model which renders an entity liable for any acts done, or practices engaged in, by an overseas recipient in relation to that information.
The Government is yet to respond to all of the ALRC’s recommendations, which include a proposed statutory cause of action for serious invasions of privacy, the removal of certain exemptions such as the employee records exemption and the small business exemption from the Privacy Act, and the implementation of compulsory notification of serious data breaches.
However the Government’s first stage response represents a significant step towards the national harmonisation of privacy laws, including their simplification and strengthening.