Privacy law and practice

This 28-month inquiry looked at the extent to which the Privacy Act 1988 (Cth) and related laws continue to provide an effective framework for the protection of privacy in Australia. It resulted in the Final Report, For Your Information: Australian Privacy Law and Practice (ALRC Report 108).

During the ALRC’s extensive consultations around the country, the overwhelming message was that Australians do care about privacy, and they want a simple, workable system that provides effective solutions and protections. At the same time, people appreciate that other interests often come into the balance—such as freedom of speech, child protection, law enforcement and national security. Australians also want the considerable benefits of the information age, such as shopping and banking online, and communicating instantaneously with friends and family around the world. And, of course, businesses want to be able to market effectively to current and potential customers, and to process data efficiently—including offshore.

The central theme in For Your Information (ALRC Report 108) is that, as a recognised human right, privacy protection generally should take precedence over a range of other countervailing interests, such as cost and convenience. It is often the case, however, that privacy rights will clash with a range of other individual rights and collective interests, such as freedom of expression and national security. International instruments on human rights, and the growing international and domestic jurisprudence in this field, all recognise that privacy protection is not an absolute. Where circumstances require, the vindication of individual rights must be balanced carefully against other competing rights—the ALRC’s final recommendations in ALRC 108 endeavour to do so.

The ALRC found that the Privacy Act has worked well to date, but that it now needs a number of refinements to bring it up to date with the information age. These days, information privacy touches almost every aspect of people’s lives, including medical records and health status, finances and creditworthiness, the personal details collected and stored on a multiplicity of public and corporate databases, and even the ability to control the display and distribution of our own images.

This Inquiry resulted in a three-volume final report, containing 74 chapters and 295 recommendations for reform.

Key recommendations

  • Simplification and streamlining: the Privacy Act and related laws and regulations are highly detailed and complex, making it difficult for businesses to understand their obligations and for individuals to know their rights. A basic restructuring of the Act is required, focused on high-level principles of general application, to be supplemented by dedicated regulations governing specific fields, such as health privacy and credit reporting. 
  • Uniform privacy principles and national consistency: the Act should prescribe a single set of Privacy Principles—developed and spelled out by the ALRC in this report—to apply to all federal government agencies and the private sector. It is recommended that these principles also be applied to state and territory government agencies through an intergovernmental cooperative scheme—so that the same principles and protections apply across Australia no matter what kind of agency or organisation is handling the information. 
  • Regulating cross-border data flows: the basic principle should be that an agency or organisation that transfers personal information outside the country remains accountable for it, except in certain specified circumstances.
  • Rationalisation of exemptions and exceptions: the Privacy Act should be amended to rationalise the complex web of exemptions and exceptions. Exemptions should be permitted only where there is a compelling reason—and the ALRC recommends removal of the current exemptions for political parties, employee records and small businesses.
  • Improved complaint handling and stronger penalties: the Privacy Commissioner’s complaint handling procedures should be streamlined and strengthened, and the federal courts should be empowered to impose significant civil penalties for serious or repeated breaches of the Privacy Act.
  • More comprehensive credit reporting: in addition to the limited types of ‘negative’ information currently permitted, it is recommended that there should be some expansion of the categories of information held by credit reporting agencies (‘more comprehensive credit reporting’), to include: the type of each current credit account opened; the date on which each current credit account was opened; the credit limit of each current account; and the date on which each credit account was closed. The ALRC also recommends that the Australian Government only amend the Privacy Act to allow credit reporting to include information about an individual’s repayment history after it is satisfied that there is an adequate framework imposing responsible lending obligations in Commonwealth, state and territory legislation.
  • Health privacy: apart from the general approach to simplification and harmonisation of privacy laws, the ALRC recommends the drafting of new Privacy (Health Information) Regulations to regulate this important area. Recommendations also are made to deal with electronic health records, and the greater facilitation of health and medical research. 
  • Children and young people: consultations with children and young people indicated that they wish to retain control over the personal information that they post on social networking websites, but were unaware of the extent to which such information remains available even after it has been ‘deleted’. The ALRC recommends that regulators and industry associations intensify efforts to educate young people about these issues. 
  • Data breach notification: government agencies and business organisations should be required to notify individuals—and the Privacy Commissioner—where there is a real risk of serious harm occurring as a result of a data breach. 
  • Cause of action for a serious invasion of privacy: federal law should provide for a private cause of action where an individual has suffered a serious invasion of privacy, in circumstances in which the person had a reasonable expectation of privacy. Courts should be empowered to tailor appropriate remedies, such as an order for damages, an injunction or an apology. The ALRC’s recommended formulation sets a high bar for plaintiffs, having due regard to the importance of freedom of expression and other rights and interests.

Implementation

On 11 August 2008, Senator John Faulkner, the then Special Minister for State and Cabinet Secretary, announced that the Australian Government would respond to For Your Information: Australian Privacy Law and Practice (ALRC 108) in two stages.

The Australian Government issued the first stage of its response to For Your Information on 14 October 2009. The first stage of the response addresses 197 of the 295 recommendations in the ALRC report. These recommendations relate to:

  • the name, structure, objects, definitions and scope of the Privacy Act 1988 (Cth);
  • developing technology;
  • interaction, inconsistency and fragmentation in the regulation of personal information in Australia;
  • the privacy principles;
  • the powers and functions of the Office of the Privacy Commissioner;
  • credit reporting; and
  • health services.

Exposure drafts of Australian privacy amendment legislation

On 24 June 2010 the Senate referred an exposure draft of new Australian Privacy Principles (‘APPs’) to the Senate Finance and Public Administration Legislation Committee for inquiry and report. In January 2011, this was followed by exposure draft credit reporting provisions.

The Committee reported on the exposure draft APPs in June 2011.

These exposure drafts are the first in a series of exposure draft amendments to privacy legislation, anticipated to be referred to the Senate committee for consideration and public consultation. The legislation will then be consolidated in a revised Privacy Act.

The Government intends that the next exposure drafts released for public consultation will cover:

  • provisions relating to the protection of health information, in particular improving health sector information flows, and giving individuals new rights to have their health record transferred between providers, and to be told what will happen to their health record if their provider sells the business or retires; and
  • provisions strengthening the Privacy Commissioner’s powers to conduct investigations, resolve complaints and promote compliance with the Privacy Act.

The Government has stated that once the first stage reforms have been finalised, Stage Two of the response will consider the remaining 98 recommendations in the ALRC report that the Government has not yet accepted or rejected. This stage will deal with a number of significant and contentious issues, including:

  • clarification or removal of exemptions (including the current employee records exemption);
  • a scheme for compulsory data breach notification;
  • a statutory cause of action for serious invasions of privacy;
  • privacy and decision making issues for children and authorised representatives; and
  • handling of personal information under the Telecommunications Act 1997 (Cth).

Healthcare Identifiers Act 2010 (Cth)

The Healthcare Identifiers Act 2010 received assent on 28 June 2010, and commenced on 29 June 2010. The Act provides that:

  • Medicare Australia will be responsible for establishing and operating the health identifier system;
  • collection, use and disclosure of an individual health identifier will be subject to the privacy and other laws applicable to that information; and
  • unauthorised disclosure of an individual health identifier may be pursued as a breach of privacy under the Privacy Act and subject to criminal penalties set out in the Bill.

The privacy safeguards provided in the Act are generally consistent with the ALRC’s recommendation in relation to electronic health information systems in Chapter 61 of ALRC Report 108 (Recommendation 61–1).

Combating the Financing of People Smuggling and Other Measures Act 2011 (Cth)

The Combating the Financing of People Smuggling and Other Measures Act 2011 received assent on 28 June 2011. The verification of identity measures within this Act implement Recommendation 57–4 of For Your Information.

The Act also amends the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and the Privacy Act 1988 (Cth) to enable reporting entities to use credit reporting data to verify the identity of their customers. It introduces a number of privacy protections to ensure that information is used only for the purpose of verifying identity. It also establishes the offences of unauthorised access to verification information, obtaining access to verification information by false pretences, and unauthorised use or disclosure of verification information.