Privacy Amendment (Enhancing Privacy Protection) Amendment Act 2012 (Cth)

On 29 November 2012, the Privacy Amendment (Enhancing Privacy Protection) Amendment Act 2012 (Cth) was enacted. The Act amended the Privacy Act 1988 to implement the major legislative elements of the Government’s first stage response (PDF) (Word) to For Your Information. The reforms commence 15 months after royal assent.

The Privacy Act was amended to:

  • replace the current privacy principles for the public and private sectors with a single set of privacy principles (the Australian Privacy Principles (APPs));
  • implement a comprehensive credit reporting system which includes five kinds of personal information;
  • provide for codes of practice under the APPs and a credit reporting code, including powers for the Privacy Commissioner to develop and register codes that are binding on specified agencies and organisations; and
  • clarify the functions and powers of the Information Commissioner and increase the commissioner’s ability to resolve complaints, recognise and encourage the use of external dispute resolutions services, conduct investigations and promote compliance with privacy obligations.

The APPs set out standards, rights and obligations in relation to the handling and maintenance of personal information by APP entities, including dealing with privacy policies and the collection, storage, use, disclosure, quality and security of personal information, and access and correction rights of individuals in relation to their personal information.

As recommended by the ALRC, the APPs and credit reporting provisions are structured to more accurately reflect the ‘life cycle’ of personal information. The amending legislation also introduced a number of additional safeguards for the protection of privacy, including enhanced notification, quality, correction, and dispute resolution mechanisms for individuals.

In addition, the Privacy Amendment (Privacy Alerts) Bill 2013 (Cth), introduced into Parliament in May 2013, would implement ALRC recommendations concerning data breach notification. The Bill would amend the Privacy Act to establish a framework for the mandatory notification by regulated entities of serious data breaches to the Australian Information Commissioner and to affected individuals.

Healthcare Identifiers Act 2010 (Cth)

The Healthcare Identifiers Act 2010 received assent on 28 June 2010, and commenced on 29 June 2010. The Act provides that:

  • Medicare Australia will be responsible for establishing and operating the health identifier system;
  • collection, use and disclosure of an individual health identifier will be subject to the privacy and other laws applicable to that information; and
  • unauthorised disclosure of an individual health identifier may be pursued as a breach of privacy under the Privacy Act and subject to criminal penalties set out in the Bill.

The privacy safeguards provided in the Act are generally consistent with the ALRC’s recommendation in relation to electronic health information systems in Chapter 61 of For Your Information (Recommendation 61–1).

Combating the Financing of People Smuggling and Other Measures Act 2011 (Cth)

The Combating the Financing of People Smuggling and Other Measures Act 2011 received assent on 28 June 2011. The verification of identity measures within this Act implement Recommendation 57–4 of For Your Information.

The Act also amends the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)  and the Privacy Act 1988 (Cth) to enable reporting entities to use credit reporting data to verify the identity of their customers. It introduces a number of privacy protections to ensure that information is used only for the purpose of verifying identity. It also establishes the offences of unauthorised access to verification information, obtaining access to verification information by false pretences and unauthorised use or disclosure of verification information.