
Saturday, June 25, 2011

Senate committee sends Australian Privacy Principles back to the drawing board

The Senate Finance and Public Administration Committee Report on the Exposure Draft of the Australian Privacy Principles puts the first phase of privacy reform back in the government's court. The committee's 29 recommendations call for another go at drafting clear, simple principles that are understandable and accessible, not just by legal and privacy practitioners; re-consideration of some principles to ensure that privacy protections are not diminished; relocation of agency specific matters included in the draft to portfolio legislation; and re-examination of and/or elaboration on a range of general (the proposed definition of personal information, the meaning of consent in the context of the legislation) and specific issues arising from the 13 draft principles. More than just some simple drafting, I expect. Exemptions for small business, political parties etc. don't feature and are firmly parked for consideration in phase two, to commence when phase one is complete. My gloomy observations about the pace of reform haven't changed.
The Committee's recommendations are:

Chapter 3 General issues
Recommendation 1
3.30 The committee recommends that the Department of the Prime Minister and Cabinet re-assess the draft Australian Privacy Principles with a view to improving clarity through the use of simpler and more concise terms and to avoid the repetition of requirements that are substantially similar.
Recommendation 2
3.32 The committee recommends that reconsideration be given to the inclusion of agency specific provisions in the Australian Privacy Principles in the light of the Office of the Privacy Commissioner's suggestion that agency specific matters should, in the first instance, be dealt with in portfolio legislation.
Recommendation 3
3.73 The committee recommends that the Office of the Australian Information Commissioner develop guidance on the interpretation of 'personal information' as a matter of priority.
Recommendation 4
3.90 The committee recommends that the Office of the Australian Information Commissioner develop guidance on the meaning of 'consent' in the context of the new Privacy Act as a matter of priority.
Recommendation 5
3.114 The committee recommends that the Government, in consultation with the Office of the Australian Information Commissioner, give consideration to the provision of a transition period for entities to fully comply with the implementation of the new Privacy Act.


Chapter 4 Australian Privacy Principle 1–open and transparent management of personal information
Recommendation 6
4.45 The committee recommends that a note be added at the end of APP 1(5) which indicates that the form of an entity's privacy policy 'as is appropriate' will usually be an online privacy policy.


Chapter 5 Australian Privacy Principle 2–anonymity and pseudonymity
Recommendation 7
5.37 The committee recommends that the wording of APP 2(2)(a) be reconsidered to ensure that the exception to the anonymity and pseudonymity principle cannot be applied inappropriately.


Chapter 6 Australian Privacy Principle 3–collection of solicited personal information
Recommendation 8
6.35 The committee recommends that in relation to the collection of solicited information principle (APP 3), further consideration be given to:
• whether the addition of the word 'reasonably' in the 'necessary' test weakens the principle; and
• excluding organisations from the application of the 'directly related to' test to ensure that privacy protections are not compromised.


Chapter 7 Australian Privacy Principle 4–receiving unsolicited information
Recommendation 9
7.44 The committee recommends that the term 'no longer personal information' contained in APP 4(4)(b) be clarified.


Chapter 10 Australian Privacy Principle 7–direct marketing
Recommendation 10
10.46 The committee recommends that the drafting of APP 7 be reconsidered with the aim of improving structure and clarity to ensure that the intent of the principle is not undermined.
Recommendation 11
10.60 The committee recommends that the note to APP 7(1) be redrafted to better reflect the position outlined in the Government response.
Recommendation 12
10.66 The committee recommends that the Australian Information Commissioner develop guidance in relation to direct marketing to vulnerable people.
Recommendation 13
10.81 The committee recommends that the structure of APP 7(2) and APP 7(3) in relation to APP 7(3)(a)(i) be reconsidered.


Chapter 11 Australian Privacy Principle 8–cross-border disclosure of personal information and sections 19 and 20
Recommendation 14
11.41 The committee recommends that a note be added to the end of APP 8 making reference to section 20 of the new Privacy Act.
Recommendation 15
11.53 The committee recommends that the Department of the Prime Minister and Cabinet develop explanatory material to clarify the application of the term 'disclosure' in Australian Privacy Principle 8.

Recommendation 16
11.64 The committee recommends that the Office of the Australian Information Commissioner develop guidance on the types of contractual arrangements required to comply with APP 8 and that guidance be available concurrently with the new Privacy Act.
Recommendation 17
11.103 The committee recommends that, when the Australian Government enters into an international agreement relating to information sharing which will constitute an exception under APP 8(2)(d), the agency or the relevant minister table in the Parliament, as soon as practicable following the commencement of that agreement, a statement indicating:
• the terms under which personal information will be disclosed pursuant to the agreement; and
• the effect of the agreement on the privacy rights of individuals.
Recommendation 18
11.105 The committee recommends that further consideration be given to the wording of the law enforcement exception in APP 8(2)(g) to ensure that the intention of the provision is clear.
Recommendation 19
11.120 The committee recommends that section 19, relating to the extraterritorial application of the Act, be reconsidered to provide clarity as to the policy intent of the provision.
Recommendation 20
11.133 The committee recommends that the Department of the Prime Minister and Cabinet develop explanatory material in relation to the application of the accountability provisions of section 20.


Chapter 12 Australian Privacy Principle 9–adoption, use or disclosure of government related identifiers
Recommendation 21
12.33 The committee recommends that the term 'reasonably necessary' be replaced with 'necessary' in APP 9(2)(a), (b) and (f).
Recommendation 22
12.38 The committee recommends that the Office of the Australian Information Commissioner undertake a review of agency voluntary data-matching guidelines, including emerging issues with the use of government identifiers, and that the outcome inform further consideration of the extension of APP 9 to agencies.


Chapter 13 Australian Privacy Principle 10–quality of personal information
Recommendation 23
13.35 The committee recommends that proposed APP 10(2), pertaining to the quality of personal information disclosed by an entity, be re-drafted to make clear the intended use of the term 'relevant'.


Chapter 14 Australian Privacy Principle 11–security of personal information
Recommendation 24
14.36 The committee recommends that a definition of the term 'interference' used in proposed APP 11(1)(a), pertaining to the security of personal information, be provided or a note included in the legislation to explain its meaning in this context.
Recommendation 25
14.38 The committee recommends that the Australian Information Commissioner provide guidance on the meaning of 'destruction' in relation to personal information no longer required and the appropriate methods of destruction of that information.


Chapter 15 Australian Privacy Principle 12–access to personal information
Recommendation 26
15.43 The committee recommends that, in relation to the proposed exceptions provided for in APP 12(3):
• the Australian Information Commissioner provide guidance in relation to the application of the 'frivolous and vexatious' exception (APP 12(3)(c));
• clarity be provided as to the stage at which the negotiations exception in APP 12(3)(e) may be invoked; and
• further consideration be given to the exception in APP 12(3)(j) in relation to commercially sensitive decisions to ensure that the rights currently provided for in the Privacy Act 1988 are not diminished.
Recommendation 27
15.46 The committee recommends that a note be added to proposed APP 12(4)(a) to clarify that a reasonable period of time in which an organisation must respond to a request for access would not usually be longer than 30 days.
Recommendation 28
15.47 The committee recommends that APP 12(8) be amended so that it is made clear that access charges imposed by organisations should only be charged at a level reasonably necessary to recoup costs incurred by the entity.


Chapter 16 Australian Privacy Principle 13–correction of personal information
Recommendation 29
16.34 That the decision to omit the term 'misleading' in APP 13, relating to the correction of personal information, be reconsidered.
