Key Changes In Privacy Act 1988 And Their Impact On National And Overseas Organizations

National and Overseas Effects of the New Privacy Act

Discuss about the Key Changes in Privacy Act 1988 and how these Changes affect the National and Overseas Organization.

The privacy Act 1988 (Privacy Act) provide protection to the personal information. Personal information is considered as information which can identify the person, such as name, address, Phone number, date of birth, records related to medical, bank account details, and opinions related to the person.

There are number of amendments related to the Privacy Act and these amendments are introduced on 12^th March 2014. It states the new set of Australian Privacy Principles (APPs), and these principles define the procedure through which information is handled by private sector organizations and Australian Government agencies. It also includes the changes related to the collection and use of credit information, and imposed various new powers in the Office of the Australian Information Commissioner (OAIC) for the purpose of resolving privacy complaints and investigations.

This paper contains the discussion on National and overseas effects of the new privacy Act. In this, a provision related to privacy Act of other countries is also discussed. Lastly, paper is concluded with brief conclusion.

Key changes:

Amendments made by government in the Privacy Act include various new provisions and obligations in terms of corresponding compliance. Two parts of the Act are completely changed by these new amendments. Provisions of Privacy Act in relation to credit reporting are completely replaced by new credit provisions. Numbers of important changes are introduced in the current framework such as policy related to the credit information, collection and recording of information related to credit, and disclosure of such information to overseas entities. It is necessary for those retail businesses that issue credit cards, banks, business organizations which substantially involve the provision related to the credit, those suppliers which supplies goods and services on credit payment/terms, equipment lessors, and credit providers to follow this new framework. This framework was amended on the basis of revised Credit Reporting Privacy Code developed by Australian Retail Credit Association, and it was registered by the Australian Privacy Commissioner (Commissioner) (Goblin, 2014).

It must be noted that credit reporting provisions under the privacy Act states various types of credit providers which includes banks and retailers. However, maximum organization can be considered as:

• Agent of credit provider which helps the credit provider in processing the application for credit.
• Organization is considered as credit provider if it allows the client to defer the repayment of the cost in relation of goods purchased by client or services provided to the client for the period of seven days.

It is very important for organizations to ensure that their privacy policy, credit reporting policy, and collection statements provide details of the actual management of the personal information in context of that organization. Documentation related to privacy compliance must be reflective in nature for the purpose of collection, uses, storage, disclosures, access and correction of the personal information.

Key Changes

However, the main legal risk related to an organization is occurred because of the statements included by organization in the privacy compliance document, and these risks arise because there is misalignment of privacy policy with the actual practices of the organization. Therefore, it is clear that noncompliance and liability on organization arise because organization fails to fulfill its promises (Delaney & Davis, 2014).

It must be noted that these key changes are mainly reflected by the APP1 and APP5 that is privacy policy and notification obligations respectively. These standards impose higher burden on business organizations to institute practices, procedures and policies which ensure privacy protection. It also includes procedures related to inquiries and complaints in regards of organization compliance with the APPs. It must be noted that privacy policy must be transparent, accessible to the public, and must be available for free of charge. Following are some details stated below which must be included in the privacy policy of the organization:

• Particular type of personal information which is collected and holds by the organization, and method for the purpose of collection and holding such information.
• Policy must state the primary and secondary purpose for which such information is collected, hold, and disclosed by the organization.
• Method through which individual access his personal information and how changes can be made by the individual in such information.
• Procedure related to the complaint in case of breach of the APPs or an applicable registered APP code; and how organization deals with complaint made by individual.

Other changes:

Some other changes are also stated below which affect the working and obligations of organizations at both national and overseas:

APP2- this standard provides that when there is no obligation on individual to disclose their identity then such individual can use a pseudonym. Previously individuals only have option of anonymity.

APP4- this standard provides that in case organization receives any information through unsolicited means and it is not possible for organization to receive that information through solicited means then it is the obligation of organization to destroy that information.

APP7- this standard increases the requirements for consent of informed user in relation to direct marketing. Organizations must ensure simple ways through which individual can place request for not receiving direct marketing and also for making request that personal information of the individual is not given to any third party for the similar purpose (OAIC, 2014).  

Section 16C and APP8 that is disclosure to overseas entities are considered as the most controversial and least understood change. It must be noted that above stated changes mainly impact the organizations working at national level, but this change impacts the organization working at overseas.

APP8 set out the new principal of accountability and states that if any organization works in Australia wants to disclose personal information to an overseas entity then it is the duty of Australian organization to take such steps which ensures that overseas entity to which such information is disclosed must compiled with the APP standards. Personal information disclosures also include provision related to electronic viewing access, and it is not necessary that there must be physical transfer of data. In case overseas organization fails to comply with the APP standards in respect of personal information, then Australian organization is accountable and liable under section 16C in such manner as Australian organization failed to compile with the Privacy Act.

Other Changes

Therefore, it is necessary for those organizations which provide personal information to overseas organization to consider contractual binding on those overseas entities for the purpose of complying with the new legislation and privacy policy of Australian organization. It also includes implementing the safeguards related to the privacy policy, legal exposure of the Australian organization in case overseas organization breaches the contract and fails to implement those safeguards (OAIC, 2015).

This can be understood through example in relation to Foreign IT suppliers, as per this IT suppliers are also bound by the privacy Act of Australia if they conduct any activity in the Australia. Even activities conducted by the suppliers outside the Australia then also they are covered by this Act if (Corrs, 2017):

• Suppliers carry their business in Australia or
• They collect and hold the personal information in Australia or
• They receive personal information from Australian organization.

For the above stated provisions, those organizations which are not physically present in the Australia but collect information from people through their online presence will be considered as organization which carries business in Australia. In other words, if any organization working at overseas collects any personal information from people in Australia through online source are bound by the Privacy Act of Australia.

From March 2014, new amendments enhanced the power of the commissioner in relation to investigation and enforcement. Various new powers are imposed such as commissioner has right to get injunction from the Court against any person and organization which contravenes the provisions of the Privacy Act, obtain enforcement undertakings by that person which breached the privacy Act. Commissioner can also seek penalty orders from Federal Court of civil if there is any serious breach. Enhanced powers of commissioner impact both national and overseas organizations in following manner:

Seeking permission- at the time of privacy reform process, complete banking sector and especially Australia and New Zealand Banking Group Limited (ANZ) show their concerns in relation to the changes occurred in principal of cross border disclosure and its impact on international operations of the banks. After the introduction of APP8 both ANZ and the Reserve Bank of Australia make application to the commissioner under public interest determinations for the purpose of allowing them and other authorized deposit taking institutions to disclose the personal information related to the beneficiary of an IMT to an overseas financial institution while processing the IMT.

The actual concern in relation to that application was that because of the increased complication in international transfer system and practices conducted by overseas organizations, it is necessary to disclose the personal information beyond the permission granted by APP8. In this situation two determinations are made by Commissioner under public interest, and one determination is specifically relates with the ANZ and second for remaining banking industry. Commissioner stated that while disclosing the personal information of the beneficiary in case of IMT, ADI will not be held responsible for APP breaches on behalf of overseas organizations (Macor, 2014).

Comparison with other country: it must be noted that provisions of privacy law vary country to country. This can be understood through example; it is very simple for US based companies to collect data from users in the EU. In EU strict data privacy laws are applicable if any organization is certified under a program called Safe Harbor. But few years before, safe harbor program was declared invalid by EU. As per Kate Lucente, attorney of US who works with the issues of data privacy “it is necessary for companies to ensure some back up mechanism for the purpose of making data transfer legal”.

It is clear that there is huge difference between the countries privacy law and every country makes their laws as per issues addressed by them in relation to data privacy.

Conclusion:

This paper states the Key changes of privacy Act and how these changes affect the national and overseas organization. various important changes are stated in this paper such as  Provisions of Privacy Act in relation to credit reporting are completely replaced by new credit provisions, enhanced powers of commissioner and how these powers affect the banking industry, information disclose to overseas organization, etc. This new privacy Act ensures protection of personal information of individuals and ensures data safety.

References:

Corrs, (2017). Major Changes To Australia's Privacy Act: Why They Matter For Foreign It Suppliers Doing Business In Australia. Viewed at: https://www.corrs.com.au/thinking/insights/major-changes-to-australias-privacy-act-why-they-matter-for-foreign-it-suppliers-doing-business-in-australia/. Accessed on 25^th August 2017.

Delaney, H. & Davis, M. Privacy Act: Are you compliant. Viewed at: https://www.findlaw.com.au/articles/5617/privacy-act-are-you-compliant.aspx. Accessed on 25^th August 2017.

Macor, N. (2014). The New Privacy Act: Six Months On. Viewed at: https://www.austlii.edu.au/au/journals/CommsLawB/2014/16.pdf. Accessed on 25^th August 2017.

OAIC, (2014). Privacy fact sheet 24: How changes to privacy law affect you. Viewed at: https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-24-how-changes-to-privacy-law-affect-you. Accessed on 25^th August 2017.

OAIC, (2015). Cross-border disclosure of personal information. Viewed at: https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-8-app-8-cross-border-disclosure-of-personal-information. Accessed on 25^th August 2017.

Tobin, G. (2014). Privacy law in Australia: an overview. Viewed at: https://www.lexology.com/library/detail.aspx?g=f508c927-860b-43a4-832a-aabea4169037. Accessed on 25^th August 2017.