Main recommendations
Having listened carefully to the views, concerns and feedback expressed during the extensive community consultation exercise, and conducted its own research and deliberations, the ALRC has developed and presents in For Your Information: Australian Privacy Law and Practice (ALRC 108) a large set of policy recommendations for improving privacy protection in Australia. The Report contains 295 recommendations for reform. Some of the key recommendations are outlined below.
- Simplification and streamlining: the Privacy Act and related laws and regulations are highly detailed and complex, making it difficult for businesses to understand their obligations and for individuals to know their rights. A basic restructuring of the Act is required, focused on high-level principles of general application, to be supplemented by dedicated regulations governing specific fields, such as health privacy and credit reporting.
- Uniform privacy principles and national consistency: the Act should prescribe a single set of Privacy Principles—developed and spelled out by the ALRC in this report—to apply to all federal government agencies and the private sector. It is recommended that these principles also be applied to state and territory government agencies through an intergovernmental cooperative scheme—so that the same principles and protections apply across Australia no matter what kind of agency or organisation is handling the information.
- Regulating cross-border data flows: the basic principle should be that an agency or organisation that transfers personal information outside the country remains accountable for it, except in certain specified circumstances.
- Rationalisation of exemptions and exceptions: the Privacy Act should be amended to rationalise the complex web of exemptions and exceptions. Exemptions should be permitted only where there is a compelling reason—and the ALRC recommends removal of the current exemptions for political parties, employee records and small businesses.
- Improved complaint handling and stronger penalties: the Privacy Commissioner’s complaint handling procedures should be streamlined and strengthened, and the federal courts should be empowered to impose significant civil penalties for serious or repeated breaches of the Privacy Act.
- More comprehensive credit reporting: in addition to the limited types of ‘negative’ information currently permitted, it is recommended that there should be some expansion of the categories of information held by credit reporting agencies (‘more comprehensive credit reporting’), to include: the type of each current credit account opened; the date on which each current credit account was opened; the credit limit of each current account; and the date on which each credit account was closed. The ALRC also recommends that the Australian Government only amend the Privacy Act to allow credit reporting to include information about an individual’s repayment history after it is satisfied that there is an adequate framework imposing responsible lending obligations in Commonwealth, state and territory legislation.
- Health privacy: apart from the general approach to simplification and harmonisation of privacy laws, the ALRC recommends the drafting of new Privacy (Health Information) Regulations to regulate this important area. Recommendations also are made to deal with electronic health records, and the greater facilitation of health and medical research.
- Children and young people: consultations with children and young people indicated that they wish to retain control over the personal information that they post on social networking websites, but were unaware of the extent to which such information remains available even after it has been ‘deleted’. The ALRC recommends that regulators and industry associations intensify efforts to educate young people about these issues.
- Data breach notification: government agencies and business organisations should be required to notify individuals—and the Privacy Commissioner—where there is a real risk of serious harm occurring as a result of a data breach.
- Cause of action for a serious invasion of privacy: federal law should provide for a private cause of action where an individual has suffered a serious invasion of privacy, in circumstances in which the person had a reasonable expectation of privacy. Courts should be empowered to tailor appropriate remedies, such as an order for damages, an injunction or an apology. The ALRC’s recommended formulation sets a high bar for plaintiffs, having due regard to the importance of freedom of expression and other rights and interests.