On 12 March 2014, amendments to the Privacy Act 1988 (the Act) described by the Privacy Commissioner as “the most significant… in over 25 years…” took effect. But after over 12 months of frenzied re-drafting of privacy policies and privacy audits, has anything really changed?
The key aspects of the new regime are the introduction of the Australian Privacy Principles (APPs) and the expanded categories of entity required to comply with them. Historically, the Act applied only to government organisations. Then, in 2000, amendments were made to include a limited number of private sector organisations.
Another of the striking features of the new regime was the threat of substantial civil penalties for breach of the APPs. A 2,000 penalty unit maximum civil penalty applies for some breaches. At time of writing, a penalty unit is $170.00; so that’s a potential penalty of $340,000.00. The penalty for a corporate entity could be up to five times that figure.
Many thought the threat of these penalties might lead to a change in behaviour from all entities – natural and corporate – who deal with personal information.
So are we seeing the changes we expected?
In short: no. Not yet at least. The Privacy Commissioner’s most recent determination concerns a complaint made in August 2013, before the new regime took effect. Onlookers continue to wait for a determination made under the new regime.
Some recent determinations are discussed below. However, these only serve to illuminate how the old regime operated. Clarity eludes us.
‘EQ’ v Great Barrier Reef Marine Park Authority (2015) AICmr 11 (2 February 2015)
This determination considered a complaint by an employee of the Great Barrier Reef Marine Park Authority (GBRMPA), an authority established by the Great Barrier Reef Marine Park Act 1975 (Cth).
In March 2013, the GBRMPA employee used a GBRMPA vessel to fish in a marine park ‘green zone’. Fishing in a green zone is an offence. The employee was caught in the act by a fellow GBRMPA employee and photographed. In April 2013, GBRMPA disclosed to a NewsCorp journalist the name of the employee and the nature of the offence.
The Commissioner found that GBRMPA had interfered with the employee’s privacy by making an unauthorised disclosure of personal information. GBRMPA was required to:
1. apologise in writing;
2. improve its privacy training for employees;
3. advise the Commissioner of the results of the improved training; and
4. pay $5,000.00 to the employee.
‘EZ’ v ‘EY’ (2015) AICmr 23 (27 March 2015)
Mr Z was a patient of Dr Y. In 2006, Police contacted Dr Y and asked whether Mr Z was psychotic. Dr Y advised “it was possible…”
As a result of a freedom of information request made some years later, in or around 2013 Mr Z became aware of the 2006 exchange between Dr Y and the Police.
The Commissioner found that Dr Y had interfered with Mr Z’s privacy. Dr Y was required to:
1. apologise in writing; and
2. pay $6,500.00 to Mr Z.
Ben Grubb and Telstra Corporation Limited (2015) AICmr 35 (1 May 2015)
Mr Grubb entered into a mobile telephone contract with Telstra.
On 15 June 2013, Mr Grubb sought metadata stored by Telstra about him. Telstra provided some metadata and advised that Mr Grubb would need a subpoena for the balance of the information he had requested.
In a rigorous 172 paragraph determination, the Commissioner found Telstra had breached its privacy obligations to Mr Grubb. Telstra was required to provide Mr Grubb with the requested metadata within 30 days of the determination, and do so free of charge.
The Commissioner noted that, since Mr Grubb’s complaint, Telstra has improved its disclosure practices.
Implications of Recent Decisions
As we wait for a decision on a post-12 March 2014 complaint, we are left to wonder whether the penalties imposed under the old regime will be increased or whether the status quo will be maintained.
The Office of the Australian Information Commissioner (OAIC), an independent statutory agency established in 2010 with the power to exercise both privacy and freedom of information functions, has published its Guide to privacy regulatory action. Chapter 4 provides useful commentary, but no certainty, about how the APPs will be interpreted.
However, frustratingly, without any determinations to guide us, the future of Australia’s privacy regime remains unclear.
Associate | Makinson d’Apice Lawyers
Connect with James d’Apice on LinkedIn