Outline of the Report
For Your Information: Australian Privacy Law and Practice (ALRC 108) represents the culmination of a 28 month inquiry into the extent to which the Privacy Act 1988 (Cth) and related laws continue to provide an effective framework for the protection of privacy in Australia. This Inquiry resulted in a three volume Report, containing 74 chapters and 295 recommendations for reform.
During the ALRC’s extensive consultations around the country, the overwhelming message was that Australians do care about privacy, and they want a simple, workable system that provides effective solutions and protections. At the same time, people appreciate that other interests often come into the balance—such as freedom of speech, child protection, law enforcement and national security. Australians also want the considerable benefits of the information age, such as shopping and banking online, and communicating instantaneously with friends and family around the world. And, of course, businesses want to be able to market effectively to current and potential customers, and to process data efficiently—including offshore.
The central theme in For Your Information is that, as a recognised human right, privacy protection generally should take precedence over a range of other countervailing interests, such as cost and convenience. It is often the case, however, that privacy rights will clash with a range of other individual rights and collective interests, such as freedom of expression and national security. International instruments on human rights, and the growing international and domestic jurisprudence in this field, all recognise that privacy protection is not an absolute. Where circumstances require, the vindication of individual rights must be balanced carefully against other competing rights—the ALRC’s final recommendations in ALRC 108 endeavour to do so.
Although the federal Privacy Act is only 20 years old, it was introduced before the advent of supercomputers, the Internet, mobile phones, digital cameras, e-commerce, sophisticated surveillance devices and social networking websites—all of which challenge the capacity to safeguard personal information.
The ALRC found that the Privacy Act has worked well to date, but that it now needs a number of refinements to bring it up to date with the information age. These days, information privacy touches almost every aspect of people’s lives, including medical records and health status, finances and creditworthiness, the personal details collected and stored on a multiplicity of public and corporate databases, and even the ability to control the display and distribution of our own images.
The ALRC was given many examples of the Privacy Act being used inappropriately as a reason for failing to provide information or assistance. Privacy regulators refer to this as the ‘BOTPA’ (‘Because of the Privacy Act’) excuse. This underlines the pressing need for simplification and harmonisation of law and practice, as well as more education about what the law does—and does not—require.
In For Your Information, the ALRC provides a clear framework for establishing world’s best practice in privacy protection. The ALRC concluded that a one-size-fits-all approach could never work and therefore developed solutions to the various problems. These different approaches include the Privacy Commissioner providing education and guidance to individuals, businesses and government agencies, and in other circumstances, stronger action and sanctions.
This Report is divided into 11 parts and 74 chapters. The key findings and recommendations in this Report are summarised in the Executive Summary and at Main Recommendations. A brief description of the material covered in each part follows below.
Part A–Introduction
Part A deals with introductory matters, the definition of the word ‘privacy’, an overview of privacy regulation in Australia and of the Privacy Act. Models for achieving national consistency, the regulatory model underpinning the recommendations in the Report, privacy beyond the individual—in particular Indigenous groups—and privacy of deceased individuals, are also discussed.
Part B–Developing Technology
Part B considers the impact on privacy of rapid advances in information, communication, storage, surveillance and other relevant technologies, and considers how best to accommodate developing technology in a regulatory framework. The impact of the internet, including how the internet has changed the nature of a ‘public’ space, and the prevalence of identity theft in an electronic environment, are also considered.
Part C–Interaction, Inconsistency and Fragmentation
Part C considers how the Privacy Act interacts with other federal, state and territory laws, and identifies areas of fragmentation and inconsistency in the regulation of personal information.
Part D–The Privacy Principles
Part D outlines the recommended reform of the privacy principles in the Privacy Act. Chapter 18 discusses the operation of the existing Information Privacy Principles (IPPs) and National Privacy Principles (NPPs), and focuses on how the structure of the privacy principles should be reformed. Chapter 19 considers the issue of consent as it applies to the privacy principles. Thereafter, the chapters are arranged thematically according to the 11 model Unified Privacy Principles (UPPs). In each chapter, there is a brief explanation of how the IPPs and NPPs currently apply, followed by recommendations for reform of the specific principle. A draft of the model UPPs, which is intended to illustrate for the statutory drafters the ALRC’s approach to reform of the principles, is set out at the beginning of the Report.
Part E–Exemptions
In Part E, exemptions and partial exemptions to the Privacy Act are discussed. An exemption applies where a specified entity or a class of entity is not required to comply with any requirements in the Privacy Act. A partial exemption applies where a specified entity or a class of entity is required to comply with either some, but not all, of the provisions of the Privacy Act; or some or all of the provisions of the Privacy Act, but only in relation to certain of its activities. Of particular note are the ALRC’s recommendations to remove the exemptions for small business, employee records, political parties and political acts and practices.
Part F–Office of the Privacy Commissioner
Part F provides an overview of the Privacy Commissioner’s powers and examines the accountability mechanisms to which the Commissioner is subject under the Privacy Act. The Privacy Commissioner’s functions of overseeing and monitoring compliance with the Privacy Act are considered; and the Commissioner’s powers to issue Public Interest Determinations are discussed. Part F also includes recommendations for streamlining and increasing the effectiveness of complaint handling under the Privacy Act, and for the introduction of data breach notification provisions.
Part G–Credit Reporting Provisions
Part G examines the credit reporting provisions contained in Part IIIA of the Privacy Act. The legislative history of these provisions is outlined, followed by a discussion of the ALRC’s recommendations for a system of more comprehensive credit reporting. This part also addresses specific aspects of the credit reporting system, such as collection, use and disclosure of credit reporting information, data quality and security, and rights of access, complaint handling and penalties.
Part H–Health Services and Research
Part H considers health information and research, including the need for greater national consistency in health privacy regulation as well as nationwide developments in relation to electronic health information systems. Relevant definitions—such as the definitions of ‘health information’ and ‘health service’—and the additions and exceptions in the privacy principles that relate specifically to health information, are considered. The use of health information in the health services context, including the provision of health care and the management, funding and monitoring of health services, are also discussed. The special arrangements in place under the Privacy Act to allow for the use of personal information in health and medical research are examined, and a recommendation is made to extend these arrangements to include the use of personal information in areas of human research more generally.
Part I–Children, Young People and Adults Requiring Assistance
Part I focuses on children, young people and adults requiring assistance. The attitudes to privacy of children and young people are considered, and major challenges, such as online privacy and the taking and uploading of photographs, are discussed. The issue of decision making by individuals under the age of 18 is explored, and recommendations are made concerning age of presumed capacity, consent, and handling of personal information of persons under the age of 18. A recommendation to introduce into the Privacy Act the concept of ‘nominee’ is made, and other issues concerning third party assistance with decision making are discussed.
Part J–Telecommunications
The focus of Part J is on telecommunications, and in particular the interaction between Part 13 of the Telecommunications Act 1997 (Cth) and the Privacy Act. Whether telecommunications-specific privacy legislation is required, and whether Part 13 provides adequate protection of personal information, is explored. The role of the Office of the Privacy Commissioner and the Australian Communications and Media Authority under the Telecommunications Act also is considered. The interaction between the Telecommunications Act and other legislation—in particular the Spam Act 2003 (Cth), Do Not Call Register Act 2006 (Cth) and the Telecommunications (Interception and Access) Act 1979 (Cth)—is discussed.
Part K–Protection of a Right to Personal Privacy
Part K addresses the protection of a right to personal privacy. This part includes a discussion of developments towards recognising a right to personal privacy in Australia, and the ALRC’s recommendation for a statutory cause of action for a serious invasion of privacy.