Big changes are coming for Australian privacy rights and laws governing the use of personal information. The Australian Government has announced it will make the first set of changes to the Privacy Act 1988 in the Winter sitting of Parliament. The announcement came yesterday from Attorney-General Nicola Roxon, who intentionally announced the changes to coincide with Australia’s Privacy Awareness Week.
By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.
The Attorney-General said in her statement that Australia’s privacy laws will be reformed to better protect people’s personal information, simplify credit reporting arrangements and give new enforcement powers to the Privacy Commissioner.
The Attorney explained that key changes to benefit consumers are:
• clearer and tighter regulation of the use of personal information for direct marketing
• extending privacy protections to unsolicited information
• making it easier for consumers to access and correct information held about them
• tightening the rules on sending personal information outside Australia
• enhancing the powers of the Privacy Commissioner to improve the Commissioner’s ability to resolve complaints, conduct investigations and promote privacy compliance
These changes are part of a long consultation process coming out of recommendations made within the Australian Law Reform Commission’s report For your information: Australian Privacy Law and Practice.
The changes will include new powers for the Privacy Commissioner to enforce privacy laws. Commissioner Timothy Pilgrim said in a statement to the media that these changes were a significant step forward and would allow him to resolve privacy investigations more effectively.
“The strengthening of these powers also sends a strong message to government agencies and businesses covered by the Act that there can be significant consequences when personal information is not given an appropriate level of protection.”
“These changes give me more options when undertaking an investigation on my initiative. At the moment I can only make a determination when I am investigating a complaint made by an individual,” Mr Pilgrim said.
The powers of the Privacy Commissioner to investigate privacy complaints have previously come under criticism, particularly following the well-publicised global Sony Data Breach in April 2011, which seemed to showcase the gaping hole in Australian Privacy Law at the time. The data breach left the personal information of approximately 77 million Sony customers worldwide exposed to hackers and threatened the victims with possible identity theft and credit file misuse.
Criticism was sparked by the Commissioner’s lack of powers to make determinations following any investigation, and also by Australia’s absence of mandatory data breach notification law. It was well publicised that Sony took over a week to notify its customers of the data breach, in the process potentially exposing customers to identity theft and credit file fraud.
A recent survey conducted by the University of Canberra and eBay Australia found that Australian internet users were highly concerned about identity theft and wanted government to order businesses to notify users of online data breaches.
The survey, reported in the CIO Magazine story “Call for mandatory data breach notification grows: Survey”, found that 85 per cent of 700 Australian participants want data breach notifications to become mandatory. Here is an excerpt from that story:
In addition, 86 per cent of respondents cited identity theft as their greatest privacy concern, while 83 per cent mentioned financial data loss as their biggest concern.
The survey also found that the financial sector was the most trusted when it came to privacy (42 per cent).
Social media was the least trusted industry on privacy with only 1 per cent of respondents saying they trusted websites such as Facebook. Sixty-one per cent of Australians surveyed nominated the social media industry as having the worst privacy practices.
Privacy Commissioner, Timothy Pilgrim, said that the high level of support for mandatory data breach notifications is not surprising given significant data breaches over the past year such as the Sony PlayStation Network compromise.
“Incidents are on the rise as weaknesses become apparent in business systems at the same time as hackers become more sophisticated,” he said in a statement.
“I encourage businesses to look at our guide which not only outlines how to respond to a breach, but also how to avoid a breach in the first place by focusing on the security of their systems,” Pilgrim said.
Other privacy law reform changes will include the introduction of a set of Australian Privacy Principles, and importantly, changes to credit reporting law.
Some changes Attorney-General Nicola Roxon chose to highlight in her statement yesterday include:
• making a clear obligation on organisations to substantiate, or show their evidence to justify, disputed credit listings
• making it easier for individuals to access and correct their credit reporting information
• prohibiting the collection of credit reporting information about children
• simplifying the complaints process by removing the requirement to complain to the organisation first (complaints can be made directly to the Privacy Commissioner), and by introducing alternative dispute resolution to more efficiently deal with complaints.
We will be watching with intense interest to see how the whole barrage of changes around credit reporting could possibly impact consumers and their credit files. The above four recommendations would be a great improvement, as currently consumers can experience difficulty when disputing entries on their credit reports.