Scrutinising Privacy - ALRC Discussion Paper
Justice Berna Collier, Part-time Commissisoner, Australian Law Reform Commission, QLS Government Lawyers Conference, Brisbane, Thursday 17 April 2008.
On 30 January 2006 the then federal Attorney-General, Philip Ruddock, referred a review of the Privacy Act 1988 (Cth) to the Australian Law Reform Commission for inquiry and report. The task of the ALRC was to consider the extent to which the Privacy Act and related laws continued to provide an effective framework for the protection of privacy in Australia, having regard to:
- the rapid advances in information, communication, storage, surveillance and other relevant technologies;
- possible changing community perceptions of privacy and the extent to which it should be protected by legislation;
- the expansion of State and Territory legislative activity in relevant areas; and
- emerging areas that may require privacy protection.
The Commission was asked to provide a final report in the inquiry to the Attorney-General by 31 March 2008. The Commission initially published two issues papers: Review of Privacy (Information Paper 31) and Review of Privacy - Credit Reporting Provisions (Information Paper 32), and subsequently a concise overview of issues raised in those issue papers, namely Reviewing Australia’s Privacy Law - is Privacy Passé?
In September 2007 the ALRC circulated a three volume discussion paper “Review of Australian Privacy Law” inviting submissions or comments. However earlier this year the ALRC formally requested that the Terms of Reference be amended to extend the reporting date by two months, because of the size and complexity of the inquiry, and the difficulty stakeholders had experienced in providing submissions to the ALRC in a timely fashion (in relation to submissions of public sector agencies - caused partly by the 7 December 2008 federal election). On 11 February 2a008 the federal Attorney-General, Robert McClelland, agreed to extend the reporting date for the inquiry to 30 May 2008.
Today I have been asked to provide a short presentation on the topic “scrutinising privacy” in relation to the ALRC Discussion Paper. Giving a short presentation on this topic is a challenge in itself - as the Commission points out in the Discussion Paper, the inquiry is one of the largest projects ever undertaken by the Commission, and in the three volumes of the Discussion Paper approximately 300 proposals for reform are advanced for consideration. The size and complexity of the Discussion Paper means that, in the time available, it will only be possible to skim the surface of the Discussion Paper. In doing so I will draw heavily on the contents of the Discussion Paper, with a view to emphasising issues which the ALRC considers to be of particular importance, and keeping in mind the likely interests of the audience of government lawyers here today and the background to the review itself. I emphasise in giving this paper that it is only a snapshot of some of the contents of the Discussion Paper - reference should be made to the Discussion Paper for more detailed explanation and analysis of the background to the inquiry, the submissions to the Commission and its proposals.
It is well known that, traditionally, the common law did not inherently protect the right to privacy. In Australia, this was reflected in the High Court decision in Victoria Park Racing Grounds v Taylor (1937) 58 CLR 479. In ABC v Lenah Game Meats Pty Ltd (2001) 208 CLR 199 however the High Court specifically did not rule out the development of a cause of action for invasion of privacy. Subsequently there have been two Australian cases in which courts have awarded damages against a defendant for breach of privacy, which I discuss later in this paper.
In 1988 the Commonwealth Government enacted the Privacy Act 1988, designed to protect individual Australians (who are not deceased) against the misuse of their personal information. In addition to the Privacy Act, legislation relevant to the regulation of personal information in Australia includes the Commonwealth Freedom of Information Act 1982 (Cth) and Part 13 Telecommunications Act 1997 (Cth); State and Territory freedom of information legislation; and specific legislation in New South Wales, Victoria and the ACT regulating the handling of personal health information in the private sector.
In Queensland the Invasion of Privacy Act 1971 (Qld) regulates use of listening devices to overhear, record, monitor or listen to private conversations, and creates offences for improper use of such devices (section 43(1)) and, interestingly, unlawful entry into dwelling houses (section 48A).
Statutory approach in the Privacy Act
The regulatory approach adopted in the Privacy Act to protect personal information is principles-based rather than in the form of prescriptive legislation. This approach derives originally from proposals of the OECD in 1980 in eight Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Under the Privacy Act there are currently two sets of privacy principles.
The 11 Information Privacy Principles (IPPs), included in the original version of the Act. IPPs restrict the handling and collection of personal information by the Commonwealth public sector (generally referred to as “agencies” for the purposes of the Privacy Act - section 6(1)). The IPPs also apply to ACT agencies since the introduction of the Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (Cth). The IPPs require, among other things, that:
- in particular cases, Government agencies have a lawful purpose, related to the functions or activities of the agencies, for collecting personal information
- individuals are generally aware of that purpose
- agencies ensure that information is relevant, up-to-date, and complete (including correcting information where necessary)
- the information is stored securely, and
- agencies seek an individual’s permission to use or disclose information for a purpose that is not directly related to the purpose for which it was collected.
- The 10 National Privacy Principles (NPPs) introduced to the Act in 2000. The NPPs extended the application of the Act to health service providers and the private sector (generally referred to as “organisations” for the purposes of the Privacy Act - section 6C), and require that organisations collect personal information by lawful and fair means and not in an unreasonably intrusive manner.
The Act also established the Office of the Privacy Commissioner to oversee the implementation of the Privacy Act and, among other things, monitor the storage, collection and use of personal tax file numbers, audit the handling of personal information by agencies and investigate acts or practices that may breach the IPPs and the NPPs.
Key proposals for reform
Three hundred proposals for reform have been put forward for discussion in the Paper. In the interests of time today I will focus on only nine major proposals, namely:
- redefining the Privacy Act.
- redefining the privacy principles.
- ensuring national consistency in privacy laws.
- updating key definitions.
- reducing the number of exemptions in the Act.
- restructuring the Office of the Privacy Commissioner.
- data breach notifications.
- reform of the health information provisions of the Act.
- introduction of a statutory cause of action for invasion of privacy.
Other significant proposals include reform of the credit reporting provisions in Part IIIA of the Act, streamlining complaint handling procedures, presumption of capacity, and reform of part 13 Telecommunications Act 1997 (Cth). In light of the composition of the audience here today I do not intend to discuss these proposals in any detail, but refer for further detail to the Discussion Paper.
1. Redefining the Privacy Act
ALRC proposals in relation to this issue include the following:
1. Name and structure: in relation to the name of the Act, the ALRC has proposed that either the Act retain its current name Privacy Act, or in the event that a statutory cause of action for invasion of privacy is not introduced, the Act be renamed the Privacy and Personal Information Act (the rationale for this proposal being that the current focus of the Act is on the protection of personal information rather than, for example, protection of personal or family privacy). Further, because the Act has been substantially amended on a number of occasions, the numbering and structuring of the Act has become confusing and difficult to navigate, and the Act should be simplified.
2. Objects clause: the Act should contain an objects clause, to assist the courts and others in interpreting the Act. The Commission noted that this is of particular importance in principles-based legislation (paragraph 3.86). The objects clause should include, among other things, that the objects of the Act include implementing Australia’s obligations at international law in relation to privacy, and promoting the protection of individual privacy.
3. Deceased persons: the Act does not protect the personal information of deceased individuals other than in relation to declared disasters and emergencies under Part VIA. (The aim of Part VIA is to enhance information exchange between Australian Government agencies, State and Territory authorities, organisations, non-government organisations, and others in emergencies and disasters). In the Discussion Paper the ALRC noted that, while there was significant support among stakeholders for extending the Act to cover the personal information of deceased individuals, submissions and consultations did not indicate that there were widespread problems caused by the current lack of coverage. The ALRC considers that it is not appropriate to simply extend the definition of “personal information” in the Act to include the personal information of deceased individuals. Instead, the Commission considers that the Act should be amended to include a new Part setting out provisions dealing specifically with handling personal information of deceased individuals. The Commission considers that the new Part should apply ONLY to organisations, and to individuals who have been deceased for 30 years or less. In relation to agencies, access to personal information of deceased individuals should continue to be regulated by the FOI Act and the Archives Act 1983 (Cth). In relation to organisations, the ALRC proposes that organisations should be required to consider whether a proposed use or disclosure of the personal information or a deceased individual would involve an unreasonable use or disclosure of personal information about any person, including the deceased person (paragraph 3.225).
2. Redefining privacy principles
While the ALRC supports the current principles-based regulatory approach, the ALRC also considers that, in some areas, more prescriptive rules should be used, for example in the form of subordinate legislation or legislative instruments.
Further, the ALRC proposes that the distinction between IPPs and NPPs be dispensed with, and that Unified Privacy Principles (UPPs) be substituted, with exemptions clarified and grouped together in a separate part of the Act. Under the current regime, there are circumstances where an organisation or agency is subject to both the IPPs and the NPPs (one example was in respect of Australia Post, a business enterprise which is both an agency in respect of its non-commercial activities and an organisation in respect of its commercial activities). The ALRC considers that, at a minimum, the UPPs should cover the same aspects of privacy as currently covered by the IPPs and the NPPs, and more particularly that the drafting and structural model for the UPPs should be the NPPs (rather than the IPPs).
A potentially more prescriptive approach in some respects could be reflected in the UPPs, some of which could be fairly detailed (for example, in relation to use of personal information) while others could be more high-level.
3. Ensuring national consistency in privacy laws
It is clear that there is substantial multi-layering and fragmentation in relation to Australian privacy laws. Indeed section 3 of the Privacy Act specifically states that it is not the intention of Parliament that the Act affect the operation of a law of a State or Territory that makes provision with respect to personal information and is capable of operating concurrently with the Act. Accordingly a number of States and Territories have enacted privacy regimes, however there is some inconsistency between these statutes inter se as well as inconsistency with the Privacy Act itself (eg in comparison with the privacy principles found under the State Acts).
The ALRC considers that national consistency is important and should be one of the goals of privacy regulation. Inconsistency and fragmentation in privacy regulation cause a number of problems including unjustified compliance burden and cost, and confusion about who to approach to make a privacy complaint. Further, the ALRC considers that a nationally consistent privacy regime would ensure that personal information will receive similar protection irrespective of who is handling it, or how it is recorded.
The Discussion Paper analyses possible constitutional heads of power for the Federal Government, and considers an alternative to national privacy legislation being a Commonwealth-State co-operative scheme. On balance, in the Discussion Paper the ALRC expressed the view that the most appropriate approach was:
- In relation to the handling of personal information generally: the enactment of federal legislation to the exclusion of State and Territory privacy laws.
However in relation to the handling of personal information in a State or Territory’s public sector the ALRC considers that national consistency will be promoted if the Commonwealth, State and Territory governments enter into an intergovernmental agreement which provides that the States and territories enact legislation regulating the handling of personal information in that State or Territory’s public sector. So, for example:
- identical privacy principles should be adopted at Commonwealth, State and Territory levels, specifically the proposed UPPs and the proposed Privacy (Health Information) Regulations as in force under the Privacy Act from time to time
- the definitions used in the Privacy Act should be used in the State and Territory legislation
- the State and Territory legislation should provide for public interest determinations
- the State and Territory legislation should include provisions relating to State and Territory incorporated bodies, including statutory corporations.
The ALRC also proposes that the Standing Committee of Attorneys-General (SCAG) constitute a permanent standing body to ensure national consistency in the regulation of personal information, in particular the approval of any changes to the UPPs or the Privacy (Health Information) Regulations, and that SCAG be assisted by an expert advisory committee.
However the ALRC does not propose that the Privacy Commissioner regulates State and Territory public sectors. This has been opposed by a number of stakeholders for reasons including impact on enforcement, and minimising the ability to conduct audits into privacy sensitive acts and practices. In the Discussion Paper the ALRC states that there are advantages to having a number of agencies and bodies with responsibility for information privacy, including the pooling of resources, peer review, and the ability of individuals to approach a local regulator for advice and to make a complaint. The Commission has, however, proposed that the Privacy Commissioner be given power to delegate all or any of the powers in relation to complaint handling conferred by the Privacy Act on to the State or Territory authorities, and memoranda of understanding between the Privacy Commissioner and each of the bodies charged with responsibility for information privacy in Australia.
4. Updating key definitions
In the Discussion Paper the ALRC proposed updating the following key definitions:
“personal information” - This is a key definition because the privacy principles apply only to personal information. The current definition in section 6(1) is:
“information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from information or opinion.”
It is debatable whether the definition needs to deal with new technologies and methods of collecting information. There was some support for keeping the definition technologically neutral. It is also questionable whether the definition should include information that allows an individual to be contacted.
With respect to the definition, the ALRC considers that:
- The reference in the definition to information or an opinion, whether true or not, and whether recorded or not, should remain unchanged.
- Reference to the information being “about” an individual should remain unchanged.
- The reference to the information “including information or an opinion forming part of a database” is unnecessary and should be deleted, because this is no longer an issue of uncertainty.
- The words “an individual whose identity is apparent, or can reasonably be ascertained” should be amended and personal information should be defined as information about “an identified or reasonably identifiable individual.” These words are consistent with those used in the international arena (e.g. the OECD Guidelines and the EU Directive). The ALRC considers that an element of reasonableness is necessary. So, for example, a person is not “reasonably identifiable” if practically it is not possible for an agency to identify an individual from information it holds, because for logistical or legislative reasons, it cannot link its information with that held by another agency.
- Information which simply allows an individual to be contacted, for example a phone number, street address or email address is not “personal information” within the proposed definition. The Commission observes in the paper that the Act is not intended to implement an unqualified “right to be let alone.” (paragraph 3.139).
- The legislation should, overall, remain technologically neutral.
“sensitive information” - This is a type of personal information and given a higher level of protection under the NPPs than under the IPPs (for example, it may only be collected with consent except in specified circumstances [NPP 2.1(a)], it cannot be used for direct marketing [NPP 2.1(c)], and it cannot be shared by related bodies corporate (section 13B of the Act). It is defined as meaning information or an opinion about an individual’s:
- racial or ethnic origin;
- political opinions;
- membership of a political association;
- religious beliefs or affiliations;
- philosophical beliefs;
- membership of a professional or trade association;
- membership of a trade union;
- sexual preferences or practices;
- criminal record;
- genetic information,
The ALRC notes that personal information can become more or less sensitive because of its context (for example, the names and addresses of subscribers to a news magazine would not generally be considered sensitive information, but the names and addresses of subscribers to some special interest magazines might be considered sensitive) however on balance the ALRC considers that the definition of “sensitive information” should not be amended to include information made sensitive by context.
Financial information should not be included in the definition of sensitive information - in the Commission’s view, although it is sensitive in some respects and requires appropriate handling, it does not relate to the physical attributes or personal beliefs of the individual in the same way as other information currently defined as sensitive. Further, a third party may legitimately have an interest in an individual’s financial information, for example in relation to providing credit.
However the ALRC does consider that certain biometric information should be included in the definition of sensitive information. Biometric technology involves the storage and use of unique personal information to verify an individual’s identity - for example fingerprints, DNA, and iris. The ALRC proposes that sensitive information only include biometric information collected for use in automated biometric authentication and identification systems and biometric template information.
The ALRC also proposes that the UPPs dealing with sensitive information apply to both agencies and organisations, although the Commission also proposes to broaden the circumstances where sensitive information could be collected without consent to include collection “required or specifically authorised by or under law” to meet the concerns of agencies.
“record” - This is an important definition because the privacy legislation only applies to personal information that is held, or collected for inclusion, in a “record”. Section 6(1) Privacy Act defines “record” as:
- a document; or
- a database (however kept); or
a photograph or other pictorial representation of a person;
But does not include:
- a generally available publication; or
- anything kept in a library, art gallery or museum for the purposes of reference, study or exhibition; or
- Commonwealth records as defined by subsection 3(1) of the Archives Act 1983 that are in the open access period for the purposes of that Act; or records (as defined in the Archives Act) in the custody of the Archives (as defined in that Act) in relation to which the Archives has entered into arrangements with a person other than a Commonwealth institution (as defined in that Act) providing for the extent to which the Archives or other persons are to have access to the records; or
- documents placed by or on behalf of a person (other than an agency) in the memorial collection within the meaning of the Australian War Memorial Act 1980; or
- letters or other articles in the course of transmission by post.
The Commission notes in the Discussion Paper that there appeared little concern about the exemptions to the definition. The Commission proposed however that the definition be amended to include a document or information stored in electronic or other forms.
5. Reducing the number of exemptions in the Act
The Discussion Paper deals in detail with exemptions from the Act, and observes in paragraph 30.1 that the Act contemplates:
- Exemptions, which apply where a specified entity or a class of entity is not required to comply with the privacy principles that would otherwise be applicable to it (for example small business operators).
- Partial exemptions, where a specified entity or class of entity is required to comply with some of the privacy principles, or alternatively where a specified entity or class of entity is required to comply with some or all of the privacy principles but only in relation to certain activities (for example, the federal courts are only required to comply with the Act in relation to their administrative activities).
- Exceptions, where a requirement in the privacy principles does not apply to any entity in a specified situation or in respect of certain conduct (for example, there is a general prohibition to an organisation using or disclosing personal information for a secondary purpose - an exception to this prohibition is where an individual gives consent).
In the public sector context, agencies including the Australian Crime Commission, royal commissions and the intelligence agencies are completely exempt from compliance with the Act. In the private sector, entities specifically excluded from the definition of “organisation” and therefore exempt from compliance with the NPPs include small business operators, registered political parties, State and Territory authorities and prescribed State and Territory instrumentalities. The Discussion Paper at paragraph 30.43 notes that it has been estimated that approximately 94% of businesses may therefore be exempt from the private sector provisions of the Act.
The analysis of exemptions in the Discussion Paper is too extensive to attempt to summarise in this paper. Key proposals include the following:
- Intelligence agencies: while acknowledging that many of the requirements under the privacy principles would be incompatible with the functions of the intelligence agencies, the ALRC considers that, for example, the privacy rules and guidelines applicable to the intelligence agencies should be updated to include consistent rules and guidelines relating to incidents involving the incorrect use and disclosure of personal information, the accuracy of personal information, and the storage and security of personal information.
- Commonwealth government departments: the ALRC cannot identify policy justifications for the exemption of the parliamentary departments from the Privacy Act, and proposes that the rationale for exempting (or partially exempting) departments be clarified in the Act.
- State and Territory authorities and instrumentalities, and statutory corporations: State and Territory authorities fall outside the definition of an “agency” and are specifically excluded from the definition of “organisation” under the Act (sections 6(1) and 6C). State and Territory statutory corporations are similarly excluded: section 6C(3)(c). State and Territory instrumentalities - including companies, societies or associations under the Corporations Act 2001 (Cth) - fall outside the definition of “agency” but are considered “organisations” and therefore subject to the private sector provisions of the Act. The ALRC notes the inconsistent coverage of State and Territory authorities under State and Territory laws. The Discussion Paper proposes that the States and territories enact legislation applying the proposed UPPs and the proposed Privacy (Health Information) Regulations to the State and Territory public sector agencies. Further the Commission considers that the exemption of State-owned statutory corporations from the Privacy Act is not justified where they are in competition with organisations, and proposes that the Act should be amended to apply to such bodies.
- Small business: the ALRC does not consider that an exemption for small business is necessary or justifiable. Small businesses are defined as those businesses the annual turnover of which in the previous financial year was $3million or less: section 6D. The cost of compliance alone is not a sufficient policy basis to support the exemption; further there is no comparable overseas jurisdiction which has a similar exemption. The Commission notes that the risks to privacy posed by small businesses are determined by the amount and nature of personal information held, rather than by the size of the business (for example, some small businesses such as internet service providers and debt collectors hold large amounts of personal information). The costs of compliance can be reduced if the Act is amended to reduce its current complexity. Accordingly, the ALRC proposes that this exemption be removed.
- Other exemptions: in summary, the ALRC considers that a number of current exemptions, such as those relating to registered political parties and employee records, be removed subject to specific qualifications.
6. Restructuring the Office of the Privacy Commissioner
In summary the ALRC proposes that the Office of the Privacy Commissioner be renamed, restructured, and given increased powers. In particular, the ALRC proposes that the office be renamed “Australian Privacy Commission” and that, for example, the number of statutory appointments to the office be expanded, including through the appointment of one or more Deputy Privacy Commissioners.
Under the Act the powers of the Privacy Commissioner currently include:
- oversight powers with respect to the operation of the Act including advice to Ministers, providing research and monitoring of technological developments, and conducting education.
- power to issue non-binding guidelines to assist agencies and organisations avoid acts or practices that may interfere with the privacy of individuals; and binding guidelines pursuant to section 17 of the Act with respect to tax file number information, and in relation to NHMRC guidelines concerning medical research and genetic information under sections 95, 95A and 95AA of the Act.
- power to investigate an act or practice of an agency or an organisation that may breach an IPP and, where the Commissioner considers it appropriate to do so, to endeavour, by conciliation, to effect a settlement of the matters that gave rise to the investigation.
- audit powers in relation to agencies generally, and in relation to organisations under functions associated with the tax file number and credit reporting provisions.
- investigative powers concerning complaints of a breach of the IPPs and the NPPs.
- enforcement powers including prescription of remedies for non-compliance with the Act.
ALRC proposals in relation to the powers of the Privacy Commissioner include the following:
- The ALRC considers that issuing guidance is an important part of regulating the regime, and proposes that the Act be amended to clarify distinctions between guidance and rules.
- The Commission considers that the Privacy Commissioner should have the power to direct the preparation of a Privacy Impact Assessment by both agencies and organisations in circumstances where the Privacy Commissioner considers that a new project is likely to have a significant impact on the handling of personal information, and that the Privacy Commissioner should produce a Privacy Impact Assessment guide tailored to the needs of organisations.
- In respect of the audit powers of the Privacy Commissioner, the view of the ALRC is that the real value of such powers lies in their proactive nature, and in that they encourage organisations to take compliance with the privacy principles seriously. Accordingly, the ALRC considers that the Privacy Commissioner should have power to spot-audit levels of compliance in organisations more generally, as currently applies in relation to agencies.
- The ALRC has proposed that the Act be amended to allow the Privacy Commissioner to request the development of a code and to develop and impose binding privacy codes in addition to the proposed UPPs where the industry does not develop a code itself (one example given in the Discussion Paper is the residential tenancy database industry, where there has been a high level of complaints). The ALRC considers that an appropriate model for a binding code power is in the Telecommunications Act 1997 (Cth).
- In relation to investigation of complaints, the ALRC does not propose any reform to the requirement that complainants first complain to the relevant respondent. Further, the Discussion Paper proposes that the power of the Privacy Commissioner not to investigate a complaint be clarified to include, for example, stale complaints or where a complaint is being handled by an approved external dispute resolution scheme. In order to facilitate transparency in relation to the complaints procedure, the Discussion Paper proposes that the Privacy Commissioner prepare and publish a document setting out its complaint-handling policies and procedures. Perhaps controversially, the Paper also proposes that section 46(1) of the Act be amended to empower the Privacy Commissioner to compel parties to a complaint, and any other relevant person, to attend a compulsory conference.
- In relation to enforcement, the ALRC proposes that the Privacy Commissioner have power to enforce remedies following an own-motion investigation by the Privacy Commissioner, for example in the form of a notice to comply to an agency or organisation. This power currently does not exist in the absence of a willing complainant or co-operative respondent. Further, the ALRC recommended that the range of remedies available to enforce rights and obligations under the Act be enhanced, in particular by empowering the Courts to impose a civil penalty where there has been serious or repeated interference with the privacy of an individual.
7. Data breach notification
Paragraph 47.1 of the Discussion Paper explains that data breach notification is essentially a legal requirement on agencies and organisations to notify individuals when a breach of security leads to disclosure of personal information. Section 14 Privacy Act requires that agencies and organisations take reasonable steps to maintain the security of the personal information they hold; otherwise there is no requirement in the IPPs or the NPPs to impose an obligation on agencies and organisations to notify individuals whose personal information has been compromised.
The model for legislative provisions requiring notification of individuals in the event of a data breach is California, which was the first US state to require the reporting of data breaches involving personal information. Rationales for requiring legislative intervention include:
- concerns about identity theft;
- the potential cost of notification is a deterrent to voluntary notification of individuals by market operators;
- an increasing number of data breaches;
- requiring notification motivates market operators to take adequate steps in the first place to secure data.
The ALRC proposes that the Privacy Act should be amended to include a new Part on data breach notification. This Part would require both agencies and organisations to notify the Privacy Commissioner and affected individuals when:
- specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person, and
- the agency, organisation or Privacy Commissioner believed that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.
The ALRC also proposes that failure to notify the Privacy Commissioner in such circumstances could attract a civil penalty.
8. Reform of the health information provisions of the Act
In relation to health information, a key ALRC proposal is that privacy principles and exceptions dealing specifically with the handling of health information be set out in proposed Privacy (Health Information) Regulations. The rationale for segregation of provisions dealing specifically with health is that, for agencies and organisations that do not handle health information, it is important to keep the UPPs shorter and more accessible (paragraph 57.76). The ALRC proposes that these new regulations include:
- Existing privacy principles and exceptions dealing with handling of health information.
- A provision permitting collection of health information about family members and other third parties without consent when the collection of the third party’s information into a health consumer’s social, family or medical history is both relevant, and necessary to enable health service providers to provide a health service directly to the consumer. These principles are currently found in two public interest determinations of the Privacy Commissioner made October 2002 (paragraph 57.79). Genetic samples would not be contemplated by this provision.
- A provision that, if an organisation denies an individual access to his or her own health information on the ground that providing access would be reasonably likely to pose a serious threat to the life or health of any individual, then inter alia the organisation must provide access to the health information to a registered medical practitioner nominated by the individual.
- A provision that a health service provider must transfer the individual’s health information to another health service provider if requested by the individual.
- Express provision for the collection, use and disclosure of health information without consent where necessary for the funding, management, planning, monitoring, improvement or evaluation of a health service in strictly defined circumstances (paragraph 57.227).
9. Statutory cause of action for breach of privacy
Traditionally in Australia there was no such cause of action, although in the Queensland District Court decision Grosse v Purvis (2003) Aust Torts Reports 81-706 and the Victorian County Court decision Doe v ABC  VCC 113 the defendants were both found liable in tort for invasion of privacy. The tort of invasion of privacy was recognised by the New Zealand Court of Appeal in Hosking v Runting  1 NZLR 1.
The majority of submissions to the ALRC prior to the Discussion Paper supported recognition of a cause of action for breach of privacy, although a significant minority had serious reservations.
The ALRC proposes a statutory cause of action for breach of privacy, including a non-exhaustive list of acts or conduct which would constitute invasion of privacy. Such acts would include an interference with an individual’s home or family life, subjecting an individual to unauthorised surveillance, interference with an individual’s correspondence or private written, oral or electronic communications, or disclosing sensitive facts relating to an individual’s private life.
In the ALRC’s view this would not include, for example, an unlawful attack on a person’s honour and reputation - this falls more appropriately within the scope of defamation law. The ALRC considers that, in determining what is considered “private” for the purpose of establishing liability under a statutory cause of action, there must be both:
- a reasonable expectation of privacy in all the circumstances; and
- The act complained of must satisfy an objective test of seriousness. The ALRC notes that an appropriate test of seriousness may be where the act complained of is, in all the circumstances, sufficiently serious to cause substantial offence to a person of ordinary sensibilities (paragraph 5.80).
The Discussion Paper also contemplates however that consent to conduct, which allegedly gave rise to a breach of privacy, would be an answer to a cause of action. Further, the Discussion Paper proposes that any legislation should provide for defences including, for example, public interest, fair comment, privilege, act or conduct authorised or required by or under law, and act or conduct incidental to the exercise of a lawful right of defence of person or property.
Developing technologies and changing community attitudes are but two factors which impinge on the ability of individuals to maintain privacy in 2008. Privacy is clearly an issue upon which strong views proliferate in the community - the list of submissions in Appendix 1 to the Discussion Paper, reflective of the number of interested stakeholders, runs to almost thirty pages. As I indicated at the beginning of this paper, the points I have raised throughout this paper merely skim the surface of what is a detailed review of a complex issue, and reference should be made to the complete ALRC Discussion Paper for further information.
I also note that any last minute feedback in relation to the Discussion Paper from those of you who are here today is welcome. It is very much the eleventh hour, but not too late for me to hear and pass on any views to the Commission. I now invite questions and/or comments from the floor.