Monday’s Australian Law Reform Commission (ALRC) report, ‘For Your Information: Australian Privacy Law and Practice’ (report), is the product of the most comprehensive review of Australian privacy law ever conducted. The report is 2,700 pages long and includes 295 recommendations for reform over 74 chapters, covering 10 different broad topic areas, including:

  • national harmonisation of privacy law
  • the limits of exemption from regulation
  • the effect of emerging information technology
  • credit reporting
  • privacy and health services
  • telecommunications, and
  • youth.

The report also recommends the introduction of a wholly new right of action for invasion of privacy, and a requirement that serious privacy breaches be notified.

Background

The Federal Attorney General instructed the ALRC in January 2006 to inquire and report on the extent to which the Privacy Act 1988 (Cth) (Privacy Act) and related laws provide an effective framework for the protection of privacy in Australia. The ALRC’s 28-month review involved a wide-ranging discussion of privacy issues identified in two issues papers, with more than 300 individual submissions and 170 meetings and public consultations with stakeholders throughout Australia. A comprehensive three-volume discussion paper1 was then published in September 2007 which attracted a further 585 submissions from the public. The final report was delivered to the Federal Attorney General on 31 May 2008 and published on 11 August 2008.

Key recommendations

Creating consistency in regulation

The ALRC recommends that the Privacy Act should be amended to specifically apply to the federal public sector and the private sector to the exclusion of state and territory laws. The Commonwealth, state and territory governments should also establish an intergovernmental harmonisation scheme under which all Australian governments would agree to consistently adopt the key elements of the amended Privacy Act, including the new recommended Unified Privacy Principles2 (UPPs) and definitions. This agreement would also create a mechanism by which future amendments to the harmonised regime would be suggested and effected. Further summary information on this aspect is available in ALRC Briefing Note 1: Simplifying and harmonising privacy law and practice.3

Enhanced credit reporting

The ALRC’s suggested credit reporting reforms include the introduction of a form of ‘positive credit reporting’ permitting the collection and disclosure of the dates and types of credit accounts opened and closed and their limits and, subject to appropriate additional regulation, an individual’s repayment history. Strict limits would apply to the use and disclosure of this information, including a prohibition on using this information for marketing purposes. For more information see ALRC Briefing Note 7: Reform of the credit reporting system.4

Clarifying health services privacy

The ALRC recommends that the privacy of health information be regulated under the general provisions of the Privacy Act. Privacy (Health Information) Regulations should be drafted to contain only those requirements that are different or more specific than provided for in the model UPPs.

Unique healthcare identifiers or a national Shared Electronic Health Records scheme should be established under specific enabling legislation if the scheme goes forward. For more information see ALRC Briefing Note 8: Protecting Health Information in the Digital Age.5

Emerging technologies

Education and guidance should be developed by the Privacy Commission (commission) and others about the effect of emerging technologies (such as RFID tags and social networking sites) on individuals’ privacy. For more information see ALRC Briefing Note 2: Technology-neutral privacy principles should govern rapidly developing ICT.6

New privacy right

A wholly new privacy right should be introduced by statute that allows individuals to obtain remedies where their privacy is invaded in a highly offensive way. The right would require both a real expectation of privacy and a highly offensive interference with that expectation. Where the public interest in maintaining the right to privacy was outweighed by other public interests (such as freedom of expression, or the interest in informing the public about matters of public concern) no remedy would be available. For further details see ALRC Briefing Note 10: A statutory cause of action for serious invasions of privacy: getting the balance right.7

Notifying data breaches

The ALRC recommends that organisations and agencies should be obliged to notify affected individuals and the Privacy Commissioner if they believe that an unauthorised acquisition of information held by them will result in a real risk of serious harm to any individual. For further details see ALRC Briefing Note 6: Introducing a mandatory data breach notification scheme.8

Exemptions from regulation

The commission recommends that the existing exemptions in the Privacy Act relating to employee records, political parties and small business be abolished. Exempt journalism should be limited to that relating to news, current affairs and documentaries and commentary or opinion and analysis of this material. Other material in respect of which the public interest in disclosure outweighed the public interest in maintaining privacy protection would also continue to be exempted. For further details see ALRC Briefing Note 4: Rationalisation and clarification of exemptions to the Privacy Act.9

The ‘Australian Privacy Commission’

The Privacy Act should be amended to change the name of the ‘Office of the Privacy Commissioner’ to the ‘Australian Privacy Commission’. The Australian Privacy Commission should be given enhanced powers to direct those in breach to take specified actions, and to commence proceedings to enforce those directions. The Privacy Commissioner should also be permitted to seek civil penalties where serious or repeated breaches occur. For further details see ALRC Briefing Note 5: Improved complaint handling and enforcement.10

Youth

The report provides guidance on the circumstances in which young people may be presumed to be capable of giving consent, making a request or exercising a right of access concerning their personal information. Schools should clarify how information about students will be handled, including when it will be disclosed to, or withheld from parents. For further details see ALRC Briefing Note 9: Children, young people and privacy.11

Telecommunications and privacy

The ALRC recommends that Part 13 of the Telecommunications Act 1997 (Cth) (relating to the privacy of telecommunications information) should be simplified. The regulation of telecommunications interception and access and telecommunications regulation generally should be reviewed to ensure it is effective in light of technological change and public perceptions. The Australian Communications and Media Authority (ACMA) should also provide guidance on the privacy issues raised by new technologies such as location-based services, Voice over Internet Protocol (VoIP) and electronic number mapping.

Cross-border transfer requirements

Privacy laws should provide that organisations and agencies that transfer personal information outside Australia remain responsible for the protection of that information unless:

  • the agency or organisation believes that the recipient is subject to privacy protections that are of a similar standard to Australia’s
  • the individual consents to the transfer, or
  • the agency or organisation is required or authorised by law to transfer the personal information.

For further details see ALRC Briefing Note 3: New cross-border privacy laws-greater certainty for all Australians.12

Government response

On 11 August 2008, Special Minister of State Senator John Faulkner announced that the Federal Government would consider the report in two stages.

In the first stage, for which the government planned to legislate as necessary within 12 to 18 months, the government would consider the recommendations relating to the Unified Privacy Principles, health privacy, credit reporting and education about emerging technologies. To the extent that the commission’s recommendations about harmonisation and reforms to the Office of the Federal Privacy Commissioner related to these areas, they would also be considered in the first stage.

The second stage of the government’s consideration of the report, for which no time frame was given, would involve the consideration of the remaining proposals, including the reform of the exemptions from the Act, and the proposed regime for breach notification.

In the week before the public release of the report, the government had also asked the ALRC to commence a new review into secrecy laws13 in federal legislation. As more than a hundred secrecy and confidentiality obligations are currently found dispersed across a wide array of acts and regulations, it appears likely that—as with privacy—the ALRC will look for a way to harmonise these. For the new review, the ALRC again intends to prepare one or more discussion documents and consult with the community, with a view to providing its final report to the Attorney General by 31 October 2009.

Further information


We will be developing further guidance for clients on various aspects of the report in the near future.

This article was written by Duncan Giles, Special Counsel, Sydney.

Endnotes

1. discussion paper
2. Unified Privacy Principles
3. Simplifying and harmonising privacy law and practice
4. Reform of the credit reporting system
5. Protecting Health Information in the Digital Age
6. Technology-neutral privacy principles should govern rapidly developing ICT
7. A statutory cause of action for serious invasions of privacy: getting the balance right
8. Introducing a mandatory data breach notification scheme
9. Rationalisation and clarification of exemptions to the Privacy Act
10. Improved complaint handling and enforcement
11. Children, young people and privacy
12. New cross-border privacy laws-greater certainty for all Australians
13. review into secrecy laws
