Identity theft

Identity theft is an ever-growing threat to Australians, and the commodity which is traded, sought after and misused for criminal or financial gain by fraudsters is your personal information. Amendments to the Privacy Act 1988 (Cth), passed late last year and taking effect in March 2014, bring some improvements in privacy law to do with the requirements on organisations to keep your personal information safe. As identity theft can also go so far as to affect your credit file, there are also improvements proposed in the Draft Credit Reporting Code of Conduct, aimed at protecting you and your credit file against identity theft. We look at these changes and the impact they may have on you.

By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repair and


Personal Information in the Australian Privacy Principles

We look at the differences in what organisations are required to do regarding the collection and security of personal information, as described by the OAIC and set out in the new Australian Privacy Principles, which will replace the current National Privacy Principles.

Security of Personal Information

APP 11 requires an organisation to take reasonable steps to protect the personal information it holds from interference, in addition to misuse and loss, and unauthorised access, modification and disclosure (as required by NPP 4.1).

APP 11.1 imposes the same obligation as [current] NPP 4 in relation to the protection of the personal information that an organisation holds. However, APP 11.1 now also requires organisations to protect personal information from interference.

APP 11.2 introduces new exceptions to the requirement that an organisation take reasonable steps to destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed in accordance with the APPs:

• if it is not contained in a Commonwealth record (APP 11.2(c))[6], and

• if the organisation is not required by or under an Australian law, or a court/tribunal order, to retain the information (APP 11.2(d)).[7]

Sensitive information

Summary of [current] NPP 10

An organisation must not collect an individual’s sensitive information unless a listed exception applies (NPP 10.1). Sensitive information is defined in s 6.

NPP 10.2 and 10.3 set out specific exceptions regarding the collection of health information.

Relevant APPs

APP 3 – collection of solicited personal information

Key differences

APP 3 clarifies that an organisation must only collect sensitive information about an individual if the individual consents to the collection and the information is reasonably necessary for the organisation’s functions or activities, or an exception applies (APP 3.3).

The definition of sensitive information in s 6 has been extended to include:

• biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or biometric templates.[14]

Sensitive information may also be collected about an individual:

• if required or authorised by or under an Australian law or a court/tribunal order (APP 3.4(a))[15]

• when a permitted general situation or permitted health situation applies (APP 3.4(b)-(c), s 16A).

Permitted general situations include the collection of sensitive information where:

• the entity reasonably believes that the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety, and it is unreasonable or impracticable to obtain the individual’s consent to the collection (APP 3.4(b), permitted general situation 1 (s 16A item 1)).

This exception reflects the wording of NPP 10.1(c), but removes the requirement that the threat must be imminent. This exception also replaces the specific circumstances set out in NPP 10.1(c) in which an individual may be unable to consent, with the more general ‘unreasonable or impracticable’.

• the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in, and the entity reasonably believes that the collection is necessary for the entity to take appropriate action in relation to the matter (APP 3.4(b), permitted general situation 2 (s 16A item 2)).

This is a new exception in relation to the collection of sensitive information.

• the entity reasonably believes that the collection is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing (APP 3.4(b), permitted general situation 3 (s 16A item 3)).

This is a new provision in relation to the collection of sensitive information.

The permitted health situations replicate the wording of NPP 10.2 and NPP 10.3, in relation to the collection of health information for the provision of a health service and for research.

APP 3.4(e) relates to non-profit organisations and replaces NPP 10.1(d). APP 3.4(e) permits the collection of an individual’s sensitive information by non-profit organisations where the information:

• relates to the activities of the organisation, and

• relates solely to the members of the organisation, or to individuals who have regular contact with the organisation in connection with its activities.

The definition of ‘non-profit organisation’ is now included in s 6.[16] It states that a ‘non-profit organisation’ means an organisation that is a non-profit organisation, and engages in activities for cultural, recreational, political, religious, philosophical, professional, trade or trade union purposes. This definition replaces the terms ‘racial’ and ‘ethnic’ in the NPP 10.5 definition with the term ‘cultural’. In addition, it also includes in the definition organisations with a ‘recreational’ purpose.

Identity theft and credit file protection

The proposed new Credit Reporting Code of Conduct, currently in draft stage, has some significant new protections for victims of fraud.

The draft code gives individuals who believe they have been, or are likely to be, a victim of fraud the opportunity to request that a ban be placed on the use or disclosure of their credit reporting information without the individual’s consent. This is intended to combat identity theft in which a fraudster impersonates the victim and takes out credit in their name.

Where a Credit Reporting Bureau (CRB) receives a request from a Credit Provider (CP) for credit reporting information about an individual in relation to whose credit reporting information a ban period is in effect, the CRB must inform the CP of the ban period and its effect.

The Code also intends to give a CRB powers in these cases to seek information relevant to the individual’s fraud allegations from a CP who may have also been affected by the alleged fraud in order to both determine whether the individual has been a victim of fraud, and to decide the length of the ban period.

Enhanced powers for the Privacy Commissioner

Whilst we are yet to have mandatory data breach notification laws, which would require individuals to be notified by an entity which holds their information of a data breach (currently it is just encouraged that this occurs), there are some areas where the Privacy Commissioner’s powers will be strengthened.

The Privacy Commissioner will have enhanced powers, in the areas of:

• Ability to accept enforceable undertakings

• Ability to seek civil penalties in the case of serious or repeated breaches of privacy

• Ability to conduct assessments of privacy performance for both Australian government agencies and businesses.

On 28 December 2012, section 4AA of the Crimes Act 1914 was amended to increase the amount of a penalty unit from $110 to $170.

This means that, under the reforms to the Privacy Act due to commence on 12 March 2014, the maximum penalty amount for a serious or repeated interference with the privacy of an individual will be $340,000 for individuals and $1.7 million for entities.

Identity theft test

As part of Privacy Awareness Week, you can take an online identity theft test, via the OAIC website to see how vulnerable you may be to identity theft. It examines 11 ways you could become a victim of identity theft and offers advice on ways to reduce your risk.
