[current] NPP 4 in relation to the protection of the personal information that an organisation holds. However, APP 11.1 now also requires organisations to protect personal information from interference.
APP 11.2 introduces new exceptions to the requirement that an organisation take reasonable steps to destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed in accordance with the APPs:
- if it is not contained in a Commonwealth record (APP 11.2(c)), and
- if the organisation is not required by or under an Australian law, or a court/tribunal order, to retain the information (APP 11.2(d)).
Summary of [current] NPP 10
An organisation must not collect an individual’s sensitive information unless a listed exception applies (NPP 10.1). Sensitive information is defined in s 6.
NPP 10.2 and 10.3 set out specific exceptions regarding the collection of health information.
APP 3 – collection of solicited personal information
APP 3 clarifies that an organisation must only collect sensitive information about an individual if the individual consents to the collection and the information is reasonably necessary for the organisation’s functions or activities, or an exception applies (APP 3.3).
The definition of sensitive information in s 6 has been extended to include:
- biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or
- biometric templates.
Sensitive information may also be collected about an individual:
- if required or authorised by or under an Australian law or a court/tribunal order (APP 3.4(a)), or
- when a permitted general situation or permitted health situation applies (APP 3.4(b)-(c), s 16A).
Permitted general situations include the collection of sensitive information where:
- the entity reasonably believes that the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety, and it is unreasonable or impracticable to obtain the individual’s consent to the collection (APP 3.4(b), permitted general situation 1 (s 16A item 1)).
This exception reflects the wording of NPP 10.1(c), but removes the requirement that the threat must be imminent. This exception also replaces the specific circumstances set out in NPP 10.1(c) in which an individual may be unable to consent, with the more general ‘unreasonable or impracticable’.
- the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in, and the entity reasonably believes that the collection is necessary for the entity to take appropriate action in relation to the matter (APP 3.4(b), permitted general situation 2 (s 16A item 2)).
This is a new exception in relation to the collection of sensitive information.
- the entity reasonably believes that the collection is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing (APP 3.4(b), permitted general situation 3 (s 16A item 3)).
This is a new provision in relation to the collection of sensitive information.
The permitted health situations replicate the wording of NPP 10.2 and NPP 10.3, in relation to the collection of health information for the provision of a health service and for research.
APP 3.4(e) relates to non-profit organisations and replaces NPP 10.1(d). APP 3.4(e) permits the collection of an individual’s sensitive information by non-profit organisations where the information:
- relates to the activities of the organisation, and
- relates solely to the members of the organisation, or to individuals who have regular contact with the organisation in connection with its activities.
The definition of ‘non-profit organisation’ is now included in s 6. It states that a ‘non-profit organisation’ means an organisation that is a non-profit organisation, and engages in activities for cultural, recreational, political, religious, philosophical, professional, trade or trade union purposes. This definition replaces the terms ‘racial’ and ‘ethnic’ in the NPP 10.5 definition with the term ‘cultural’. It also adds organisations with a ‘recreational’ purpose to the definition.
Identity theft and credit file protection
The proposed new Credit Reporting Code of Conduct, currently in draft stage, contains some significant new protections for victims of fraud.
The draft code gives individuals who believe they are likely to be, or have been, a victim of fraud the opportunity to request that a ban be placed on the use or disclosure of their credit reporting information without their consent. This is intended to combat identity theft in which an offender impersonates the victim and takes out credit in the victim’s name.
Where a Credit Reporting Bureau (CRB) receives a request from a Credit Provider (CP) for credit reporting information about an individual for whom a ban period is in effect, the CRB must inform the CP of the ban period and its effect.
The Code is also intended to give a CRB the power, in these cases, to seek information relevant to the individual’s fraud allegations from a CP who may also have been affected by the alleged fraud, both to determine whether the individual has been a victim of fraud and to decide the length of the ban period.
Enhanced powers for the Privacy Commissioner
Although Australia does not yet have mandatory data breach notification laws, which would require an entity holding an individual’s information to notify them of a data breach (currently notification is only encouraged), there are some areas where the Privacy Commissioner’s powers will be strengthened.
The Privacy Commissioner will have enhanced powers, in the areas of:
• Ability to accept enforceable undertakings
• Ability to seek civil penalties in the case of serious or repeated breaches of privacy
• Ability to conduct assessments of privacy performance for both Australian government agencies and businesses.
On 28 December 2012, section 4AA of the Crimes Act 1914 was amended to increase the amount of a penalty unit from $110 to $170.
This means that, under the reforms to the Privacy Act due to commence on 12 March 2014, the maximum penalty amount for a serious or repeated interference with the privacy of an individual will be $340,000 for individuals and $1.7 million for entities.
Identity theft test
As part of Privacy Awareness Week, you can take an online identity theft test via the OAIC website to see how vulnerable you may be to identity theft. It examines 11 ways you could become a victim of identity theft and offers advice on ways to reduce your risk.