Privacy law reform: what it means for lawyers
The Privacy Commissioner tells us about a significant set of reforms to the Privacy Act that will come into force in December and what it means for lawyers.
By John Edwards
In December of this year a significant set of reforms to the Privacy Act will come into force – the first major reforms since Parliament passed the Act in 1993. These reforms modernise the Act in response to the technological change that has taken place between 1993 and today.
The fundamentals of the Act will largely remain the same. The Act will still be based on information privacy principles that set broad standards around how agencies can collect, use, store and share information. With just a few exceptions, these are the same as they have been since 1993.
But there will be significant changes to the enforcement side of the Privacy Act. In short, the Act will have more ‘teeth’. The Office of the Privacy Commissioner will have more powers to compel agencies to comply with the Act, there will be new criminal offences for not complying with the Act, there will be fines, and some behaviours that are currently optional will become mandatory.
With that in mind, this article works through the main changes that lawyers should know about – and what you and your clients can do now to prepare for these changes.
Our office will have the power to issue compliance notices to any agency not complying with the Act. These notices can compel agencies to do something or stop doing something in order to comply with the Act.
Agencies will be given the opportunity to comment on a compliance notice before it is finalised, and once it is finalised they can appeal it to the Human Rights Review Tribunal. An agency that does not comply with a notice – whether it appealed and lost, or did not appeal at all – can be fined up to $10,000.
The Privacy Act will create four new criminal offences. Agencies that commit these offences can face fines of up to $10,000. This means lawyers and their clients will have more financial risk when dealing with personal information.
The offences are:
To prepare for this, lawyers should educate clients about these offences, and explain how they raise the financial stakes for agencies handling personal information.
The most common type of privacy complaint arises when someone asks to see the information an agency holds about them and the agency refuses to provide it. This is called an access request.
Under the new Act, we will be able to issue access directions requiring agencies to give people their personal information, rather than going through the process of referring these complaints to the Director of Human Rights Proceedings.
This means that some individuals and agencies can expect faster resolution of privacy complaints that involve access to information. This is particularly relevant if you have clients seeking information about themselves in order to support other cases or complaints, because it can make the process faster and more efficient.
Mandatory breach notification creates new obligations for both you and your clients.
Right now, we encourage agencies to report privacy breaches to our office and to the affected individuals, but it is not mandatory. This will change in December, when reporting serious breaches becomes mandatory. Any breach that has caused serious harm to an affected individual, or is likely to do so, must be reported to our office and to the affected individuals. Agencies that fail to notify these privacy breaches can be fined up to $10,000.
To prepare for this, you and your clients should set clear internal criteria for assessing ‘serious harm’, and a process for escalating suspected breaches, so you know which breaches to notify and can do so promptly when the time comes.
To make it as easy as possible, our NotifyUs tool will soon be available on our website. It will guide agencies through the criteria of a breach’s seriousness, and help you determine whether you should report it to our office.
Agencies that send information overseas will only be able to do so if that information is adequately protected. This means it must meet one (or more) of these criteria:
You can send information to overseas agencies that do not meet these requirements by getting them to agree to protect information in a way that is consistent with the Privacy Act. We are in the process of developing model contract clauses that you can use in these situations.
To prepare for this, lawyers and clients should review any personal information currently being sent overseas. Is it going to agencies that meet the above criteria? If not, you will need to either use a different overseas agency or put a suitable contract in place with your existing one.
There is one notable exception to this, and it generally covers cloud-based services. If you are sending information to an agency purely to hold or process on your behalf, and that agency does not use it for its own purposes, then the transfer will not be treated as a disclosure under principle 12 of the new Privacy Act. Your agency remains responsible under the Act for that information while the overseas provider holds it.
With the new Act coming into force on 1 December, the next few months are an opportunity to get up to speed with the changes. Here’s what you can do today:
John Edwards is the Privacy Commissioner