Australian Privacy Law & Practice – Key Recommendations for Health Information Privacy Reform

Speech by Professor Rosalind Croucher* at the Managing Patient Confidentiality & Information Governance Forum, 22 August 2011, Melbourne.

1 Introduction

To help focus my presentation today I thought it would be useful to reflect on an ‘information timeline’ to provide a backdrop for a consideration of the Australian Law Reform Commission’s work on privacy.

Information timeline

1982    Freedom of Information Act (Cth)

1983    Archives Act

1983    ALRC’s report, Privacy (ALRC 22)

1988    Privacy Act (Cth)—

  • Information Privacy Principles—based on OECD guidelines—providing safeguards for personal information handled by Cth and ACT government agencies
  • Privacy Commissioner established

2000    Privacy Amendment (Private Sector) Act (Cth)

  • Approved privacy codes
  • National Privacy Principles—based on voluntary guidelines for the private sector

2004    Attorney-General asked the Privacy Commissioner to review the operation of the private sector provisions of the Privacy Act—a trigger for the ALRC comprehensive review

2005    Senate Legal and Constitutional Affairs Committee inquiry into the Privacy Act—a further trigger for the ALRC review

2006    Amendments to the Privacy Act regarding ‘health information’ and ‘sensitive information’ expressly to include genetic information, to ensure that the collection, use and disclosure of genetic information would be given the additional protections of the Privacy Act. Further amendments provided for better information exchange between federal agencies, state and territory authorities, private sector organisations, non-government organisations and others in an emergency or disaster situation.

2006    January, referral to ALRC (due date March 2008, extended to May)

2006    COAG agrees to a national approach

2008    For Your Information (ALRC 108)—295 recommendations for reform

2009    October, the Government provided a first stage response, including commitment to:

  • harmonise Privacy Principles—untangle red tape, introduce the first step to national consistency
  • improve health sector information flows and give individuals new rights to control their health records (contributing to better health service delivery)
  • strengthen the Privacy Commissioner’s powers

2009    December, COAG signed national partnership agreement for e-health

2010    1 November, the Office of the Privacy Commissioner (OPC) was integrated into the Office of the Australian Information Commissioner (OAIC).

2010–11 Department of Prime Minister and Cabinet conducted further consultations.

The ALRC Privacy Report

The report, For Your Information: Australian Privacy Law and Practice (ALRC Report 108, 2008) was the result of a 28-month inquiry into the effectiveness of the Privacy Act 1988 (Cth) and related laws. It was a mammoth undertaking, resulting in the three-volume Report, containing 74 chapters and 295 recommendations for reform.

The Terms of Reference asked the ALRC to review the effectiveness of privacy laws in Australia given:

  • rapid advances in information, communication, storage, surveillance and other technology
  • possible changing community perceptions around privacy
  • expansion of state and territory activity in this area

And to have regard to:

  • the need of individuals for privacy protection in an evolving technological environment
  • the desirability of minimising the regulatory burden on business in this area

Competing tensions

The Terms of Reference, against the backdrop of the information timeline, reveal competing tensions: between the idea, and role, of autonomy—the personal space—and the idea of public interests. The public interests include advancing public health outcomes and a fair distribution of Australia’s health budget. Although privacy is a recognised human right under international conventions—including the International Covenant on Civil and Political Rights (ICCPR)[1]—there is general community appreciation for the need to strike a common sense balance between privacy interests and practical concerns in a range of areas. For example, while personal health information is regarded as ‘sensitive’ and deserving of the highest level of protections, individuals understand that a premium may be placed on prompt access to, and disclosure of, such information in the case of a medical emergency.

Key messages heard during the inquiry were that the Privacy Act has worked well but needs to be brought up to date, and that there were strong concerns about the complexity of the law and confusion about overlapping privacy laws at the federal, state and territory levels.

Personal information spectrum

Privacy, moreover, does not sit as an isolated concern, but is juxtaposed with a range of other information management issues. The management of information can be conceived overall as a spectrum, with openness of information and protection of information as opposite ends of that spectrum. Personal information has prompted specific responses, at times overlaid with secrecy obligations of those who handle the information. But personal information also requires responses that cover matters such as access, transfer and use of information. Personal information is protected, and regulated, across this spectrum.

Personal health information was traditionally protected by the ethical and legal duties of confidentiality. Such duties are owed by health service providers—such as doctors, dentists, nurses, physiotherapists and pharmacists. The duties prevent the use of personal health information for a purpose that is inconsistent with the purpose for which the information was provided.

On the privacy end of the information spectrum there are specific statutory obligations under the federal Privacy Act 1988 and the Privacy Amendment (Private Sector) Act 2000 (Cth). Other federal legislation also regulates the handling of personal information. For example, the Freedom of Information Act 1982 (Cth) (FOI Act) both gives access to documents and also protects documents, including those that contain personal information.[2]

2 The federal interest in privacy

The Constitution

Any discussion about privacy law and practice in Australia has to begin with a consideration of how privacy is—or is not—a federal issue. The Australian Constitution establishes a federal system of government in which powers are distributed between the Commonwealth and the six states. The list of subjects about which the Australian Parliament may make laws makes no express mention of privacy, but this does not mean that the Australian Parliament has no power in relation to privacy. There are two principal federal laws concerning privacy: the Privacy Act 1988 and the Privacy Amendment (Private Sector) Act 2000. Further amendments in 2000 established the Office of the Privacy Commissioner as a statutory authority independent of HREOC (now the AHRC).

The Privacy Act was enacted on the basis of the Australian Parliament’s express power to make laws with respect to ‘external affairs’.[3] The external affairs power enables the Australian Parliament to make laws with respect to matters physically external to Australia;[4] and matters relating to Australia’s obligations under bona fide international treaties or agreements, or customary international law.[5] The external affairs power is not confined to meeting international obligations, but also extends to ‘matters of international concern’.[6]

The Preamble to the Privacy Act makes clear that the legislation was intended to implement, at least in part, Australia’s obligations relating to privacy under the ICCPR[7] and the Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines).[8] The Second Reading Speech to the Privacy Bill also referred to the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, though this instrument does not, of course, bind Australia.[9] Section 3 of the Privacy Amendment (Private Sector) Act makes clear that the private sector amendments were also intended to meet Australia’s international obligations relating to privacy.

In addition to the ‘external affairs’ power, the Commonwealth may rely on other constitutional heads of power as a basis for legislating on privacy, including: s 51(v)—postal, telegraphic, telephonic, and other like services; s 51(i)—trade and commerce with other countries, and among the States; ss 51(xiii) and (xiv)—banking and insurance, but not state banking or state insurance unless it extends beyond the limits of the state; and s 51(xx)—foreign corporations, and trading or financial corporations formed within the limits of the Commonwealth.

And where the Commonwealth can make laws and such laws are inconsistent with state laws, the Commonwealth laws override the state laws, to the extent of any inconsistency.[10] Commonwealth law may directly invalidate state law, where it is impossible to obey both the state law and the federal law,[11] or override it where the Australian Parliament’s legislative intent is to ‘cover the field’ in relation to a particular matter.[12]

Covering the field?

The federal Privacy Act of 1988 made it clear that it was not intended to ‘cover the field’, as is evident from s 3, which states that:

It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction, disclosure or transfer of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act.

In some ways it would have been easier if it had sought to do so. Indeed, it has been observed that inconsistency in the regulation of personal information stems largely from the failure of federal law to ‘cover the field’.[13] But then the second stage of the federal laws, in 2000, sent a different message. Section 3(a) of the Privacy Amendment (Private Sector) Act 2000 (Cth) states that one of the objects of the Act is

to establish a single comprehensive national scheme providing, through codes adopted by private sector organisations and National Privacy Principles, for the appropriate collection, holding, use, correction, disclosure and transfer of personal information by those organisations.

It is not surprising to find, therefore, that, in reviewing the private sector provisions of the Privacy Act (OPC Review), the Office of the Privacy Commissioner recommended that the Australian Government should consider amending s 3 of the Privacy Act to remove any ambiguity as to the regulatory intent of the private sector provisions.[14]

Coverage

As amended, the Privacy Act regulates the handling of personal information by the Australian Government, the ACT Government and the private sector. The Act contains a set of 11 Information Privacy Principles (IPPs) that apply to Australian Government and ACT Government agencies, and 10 National Privacy Principles (NPPs), introduced in the 2000 Act, that apply to the private sector. The IPPs apply to agencies; the NPPs to organisations.

State laws

Each Australian state and territory regulates the management of personal information. In some states and territories, personal information is regulated by legislative schemes, in others by administrative regimes. In addition to the federal laws relating to privacy, a number of the states and territories have enacted privacy legislation regulating the handling of personal information in the state and territory public sectors. These regimes are sometimes inconsistent with the Privacy Act and with each other. Further, New South Wales, Victoria and the ACT all have legislation that regulates the handling of personal health information in the public and private sectors. This means that health service providers and others in the private sector in those jurisdictions are required to comply with both federal and state or territory legislation.[15]

Although the Information Privacy Principles (IPPs), the National Privacy Principles (NPPs) and privacy principles under state and territory privacy legislation are similar, they are not identical. The privacy regimes in some jurisdictions include privacy principles that are similar to the IPPs, while other jurisdictions have modelled their principles on the NPPs.[16]

New South Wales (NSW), Victoria and the ACT all have legislation that regulates the handling of personal health information in the private sector. This means that health service providers and others in the private sector in those jurisdictions are required to comply with both federal and state or territory legislation in relation to personal health information.[17]

The ALRC’s recommendations

The ALRC’s recommendations included the following:

  • re-draft the Privacy Act and privacy principles to achieve greater consistency, clarity and simplicity
  • unify privacy principles for public and private sector into one set of principles
  • structure privacy regulation to follow a three-tiered approach:
    • high level principles of general application;
    • regulation and industry codes detailing the handling of personal information in certain specified contexts;
    • guidance by the Privacy Commissioner dealing with operational matters and providing explanations
  • promotion of national consistency in relation to health information
  • a bunch of other stuff, including the recommendation of a statutory cause of action for a serious breach of privacy—recently in the news.

The Government’s first stage response included 197 of the 295 recommendations:

  • accepted 141, in full or in principle
  • accepted 34, with qualification
  • did not accept 20
  • noted two
  • the remaining recommendations are to be considered in a later stage of the response.

3 Privacy and health

Privacy is a fundamental principle underpinning quality health care. Without an assurance that personal health information will remain private, people may not seek the health care they need, which may in turn increase the risks to their own health and the health of others. Indeed, consumers regard health information as different from other types of information and consider it to be deeply personal.[18]

Privacy is a fundamental principle in health care. It is expressed in a range of ways, from duties of confidentiality through to legislative regimes. There are ethical and legal duties of confidentiality owed by health service providers—such as doctors, dentists, nurses, physiotherapists and pharmacists—that prevent the use of personal health information for a purpose that is inconsistent with the purpose for which the information was provided. A legal duty of confidentiality may arise in equity, at common law, or under contract. In addition, health service providers are often subject to confidentiality provisions in professional codes of conduct[19] and, if they are employed in the public sector, may be subject to legislative secrecy provisions that impose penalties—often criminal—if information is disclosed.[20]

Duties of confidentiality recognise the dignity and autonomy of the individual,[21] as well as the public interest in fostering a relationship of trust between health service providers and health consumers to ensure both individual and public health outcomes.[22] Such duties are not absolute and there are circumstances in which the law permits, and sometimes requires, the disclosure of confidential personal health information.[23]

More recently, privacy legislation has been introduced in a number of Australian jurisdictions specifically to regulate the handling of personal health information.[24]

Health information

There is a strong view in the community—reflected in the Privacy Act—that personal health information requires a high level of protection. A very significant concern in this area is the complexity, fragmentation and inconsistency of legislation and regulation relating to health privacy. Complexity is a serious concern across the whole field of privacy protection, but is perhaps most compelling in the regulation of health information.

Chapter 62 of For Your Information examined the definitions in the Privacy Act relating to the handling of health information—the definitions of ‘health information’ and ‘health service’. The ALRC identified the differences in coverage in the IPPs and the NPPs. The IPPs do not distinguish between ‘personal information’, ‘sensitive information’ and ‘health information’; and public sector agencies are required to deal with all personal information, including health information, in the same way. The NPPs, however, provide a separate regime for ‘sensitive information’, including ‘health information’, and make specific provision for the handling of health information in some circumstances. The NPP regime applies to private sector organisations, including all organisations that hold health information and provide a health service that might otherwise be exempt from the provisions of the Privacy Act under the small business exemption.

The NPPs require ‘sensitive information’ to be given a higher level of protection than other personal information. For example, sensitive information must be collected with consent, except in a range of specified circumstances. It may be used or disclosed only for the purpose for which it was collected or a directly related secondary purpose—and only so long as the individual would reasonably expect the information to be used in this way. There is also special provision for the disclosure of health information in particular circumstances.[25]

The ALRC proposed that the definition of ‘health information’ in the Privacy Act be amended to make express reference to information or opinion about the physical, mental or psychological health or disability of an individual.[26] This was strongly supported by stakeholders. The ALRC was concerned that the term ‘health’ is sometimes interpreted to mean ‘physical health’. Including the terms ‘physical, mental or psychological’ will not narrow the definition of health information, but make it clear that ‘health information’ is not intended to be restricted to personal information about an individual’s physical health. Further, although there is overlap between the terms ‘mental’ and ‘psychological’ health, there are also distinctions drawn between them.

The ALRC also suggested that the definition of ‘health service’ should be amended to overcome differences of definition and establish clear limits. It is important to ensure that the definition is appropriately limited to the provision of services intended, for example, to assess or improve the individual’s health, and does not extend to activities such as providing health insurance. The ALRC recommended that ‘recording’ an individual’s health should be removed from the definition as it could lead to undesirable outcomes, such as in the health insurance context.

Government response

The recommendation to amend the definition of ‘health information’ in the Privacy Act was accepted by the Government. The Government also agreed that the definition of ‘health service’ should be amended, along the lines suggested by the ALRC.

The definition of ‘health service’ should also expressly exclude activities performed for reasons other than care or treatment, such as life, health or other forms of insurance.

The Privacy Act should also be amended to provide that the Governor-General may make regulations consistent with the Act, to exclude, whether specifically or by class, organisations or agencies from the definition of providing a ‘health service’, where it is not appropriate for those entities to be included in the definition.

These amendments will give further effect to the policy intent of the ‘health service’ definition proposed by the ALRC.[27]

Complexity and confusion

Businesses—not surprisingly—were concerned mainly with the overly complex and confusing web of privacy laws in Australia, citing the overlapping federal, state and territory laws; the separate privacy principles for government agencies (the Information Privacy Principles (IPPs)) and private sector organisations (the National Privacy Principles (NPPs)), and other relevant laws, including those covering the privacy of health information. This makes it very difficult—and expensive—for even the best-intentioned business to comply.

There are a number of significant exemptions from the Privacy Act that mean that some agencies and organisations holding health information may not be subject to the Act in relation to that information.[28] Perhaps the most significant is the exemption for small business operators. Section 6D of the Privacy Act defines a small business as one that has an annual turnover of $3 million or less in the previous financial year. Some small businesses are caught by the NPPs if, among other things, they:

  • provide a health service and hold health information, except where the information is held in an employee record;
  • disclose personal information for a benefit, service or advantage; or
  • provide a benefit, service or advantage to collect personal information.[PA s 6D(4)]

These concerns were expressed consistently and strongly in submissions and consultations throughout the Inquiry—making it clear to the ALRC that simplification and harmonisation of the law had to be one of the principal aims and outcomes of this Inquiry.

The ALRC recommended the removal of the small business exemption.[29] This is to be covered in the second tranche of the Government responses. The focus of the first stage response is ‘to establish the foundations for an enhanced privacy framework’. Some of this concerns health services and research.

National consistency problems

Both the federal Privacy Act and state or territory legislation regulate the handling of health information in the private sector in a number of jurisdictions. For example, the NSW Health Records and Information Privacy Act and the Victorian Health Records Act contain a set of Health Privacy Principles (HPPs). Private sector health service providers in these jurisdictions are therefore required to comply with two sets of principles: the NPPs in the Privacy Act and the relevant set of HPPs. There are also differences between them, so that information passing from one jurisdiction to the other may become subject to a different set of rules. This causes particular difficulty for health service providers and researchers operating across jurisdictional borders or nationally.

The review of private sector provisions of the Privacy Act conducted by the OPC concluded that the co-existence of provisions caused:

  • increased compliance costs
  • confusion about which regime regulates particular businesses
  • forum shopping
  • uncertainty.[30]

The ALRC concluded that national consistency should be one of the goals of privacy regulation in Australia and that personal information should attract similar protection, whether that personal information is being handled by an Australian Government agency, a state or territory government agency or a private sector organisation.

4 Achieving national consistency

National legislation

The problems associated with overlapping and inconsistent federal, state and territory laws that regulate the handling of personal information are documented throughout the Report. These problems include unjustified compliance burden and cost, impediments to information sharing and national initiatives and confusion about who to approach to make a privacy complaint.

The ALRC considered that the most appropriate way to respond to these problems is through:

  • the enactment of federal legislation to regulate the handling of personal information, to the exclusion of state and territory privacy laws operating in the private sector; and
  • an intergovernmental agreement that establishes an intergovernmental cooperative scheme. The scheme would provide that the states and territories should enact legislation to regulate the handling of personal information in the state and territory public sectors, applying key uniform elements such as a set of uniform privacy principles, any relevant regulations that modify the application of the principles, and relevant definitions.

Although there are a number of advantages to having a single, national privacy law administered by a single regulator, the ALRC considered that there was merit in the arguments put forward by state governments and others that the states and territories should be left to regulate the handling of personal information in their public sectors. In particular, the ALRC notes concerns relating to the need for state and territory privacy legislation to respond to local conditions, and to interact with existing state and territory information laws such as freedom of information and public records legislation. Further, the ALRC acknowledges the advantages of having state and territory privacy regulators deal with complaints, provide advice, and perform educational functions.[31]

While a single national privacy law could accommodate many of these concerns, the ALRC’s view is that, for the time being, the Australian Parliament should exercise its legislative power only in relation to the handling of personal information by the private sector and the Australian Government public sector. The ALRC also recommended an intergovernmental cooperative scheme in relation to state and territory public sectors.

Many stakeholders focused on inconsistency in the regulation of personal information in the private sector. In particular, it was suggested in submissions that various problems arise because the handling of health information in the private sector is regulated by the Privacy Act and state and territory legislation in NSW, Victoria and the ACT.

These issues would be dealt with effectively if organisations were required to comply with a single set of principles, and any relevant regulations that modify the application of those principles, in relation to the handling of health information. This view is consistent with the Report, Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC 96), where the ALRC and the Australian Health Ethics Committee recommended that:

As a matter of high priority, the Commonwealth, States and Territories should pursue the harmonisation of information and health privacy legislation as it relates to human genetic information. This would be achieved most effectively by developing nationally consistent rules for handling all health information.[32]

The ALRC recommended that the Privacy Act should be amended to provide that the Act is intended to apply to the exclusion of state and territory laws dealing specifically with the handling of personal information by the private sector. In particular, the following laws of a state or territory would be excluded to the extent that they apply to organisations: Health Records and Information Privacy Act 2002 (NSW); Health Records Act 2001 (Vic); and the Health Records (Privacy and Access) Act 1997 (ACT).[33]

While some stakeholders argued that state and territory laws—that apply key elements of the Privacy Act—should continue to regulate the handling of health information in the private sector, many private sector organisations that handle personal information and health information operate across more than one jurisdiction. These organisations should be subject to a single set of privacy principles. Greater national consistency will be achieved if the Privacy Act alone regulates the handling of health information in the private sector.

Other state and territory laws may be introduced that seek to regulate the handling of personal information in the private sector.[34] The Privacy Act should operate to exclude the operation of such laws. The ALRC therefore recommended that regulations made under the Privacy Act should operate to exclude future state and territory laws that purport to regulate the handling of personal information by organisations.[35] The ALRC also recommended that states and territories with information privacy legislation that purports to apply to organisations should amend that legislation so that it no longer applies to organisations.[36]

Government response

Both recommendations were accepted in principle. With respect to the amendment of the Privacy Act to operate to the exclusion of the states and territories, the Government recognised that there are clear benefits of nationally consistent privacy regulation in the private sector, including the health sector. The Government committed to work with state and territory counterparts to progress this matter through further discussions in appropriate forums. With respect to the amendment of state and territory laws, the Government said that this was a matter for state and territory governments, but that it would be the subject of further discussions with those governments at the appropriate time.

Australian Privacy Principles

The ALRC recommended that the Privacy Act be redrafted and restructured to achieve significantly greater consistency, clarity and simplicity.[37] A key element of this reform would be a rationalisation of the privacy principles, which address the handling of personal information by agencies and organisations covered by the Privacy Act. The ALRC recommended ‘Uniform Privacy Principles’ (UPPs).

Government response

The Government agreed that the Privacy Act should be redrafted to achieve greater logical consistency, simplicity and clarity and proposed the Australian Privacy Principles (rather than ‘UPPs’).

In June 2010 the Government released an exposure draft of the new Australian Privacy Principles which will be a key part of amendments to the Privacy Act. It has also published a companion guide. The Exposure Draft is one of four parts of the first stage response to the ALRC’s report. The new principles were referred to the Senate Finance and Public Administration Committee for consultation. The reporting date was 21 September 2010. The ALRC made a submission.

The new set of principles will replace the two existing sets of principles (one for government agencies and one for private sector organisations) governing dealings with personal information.

Health-specific reforms to the Privacy Principles

Apart from the general recommendations made to promote national consistency, the ALRC recommended that the UPPs should be supplemented by a power to make regulations imposing different or more specific requirements on agencies and organisations—such as in the area of health information. In Recommendation 5–1, the ALRC recommended that new Privacy (Health Information) Regulations be drafted, containing only those requirements that are different from, or more specific than, those provided for in the model UPPs. Further, an intergovernmental agreement should be developed to ensure that the privacy regulation of health information (including relevant definitions) is harmonised across all Australian jurisdictions.[38]

The ALRC recommended that those elements of the privacy principles that deal specifically with the handling of health information should be set out in new health-specific privacy regulations. This was rejected in the Government response. However, the Government supported in principle the need for greater clarity and consistency across the field. So while not accepting the recommendation for the regulations, the ideas were accepted in the main, to be included in the primary legislation ‘to ensure that Parliament has an express role in determining whether changes are made to fundamental privacy protections’. It was thought that this approach ‘would reduce any complexity and confusion that could result from having multi-layered regulation of privacy’—as the ALRC recommendation might entail.

The Government response with respect to Recommendation 5–1 had a consequential impact on Recommendation 60–1, concerning health privacy. The ALRC recommended that there should be Privacy (Health Information) Regulations, supplementing an amended Privacy Act. The proposal was that these regulations should be drafted to contain only those requirements that are different from, or more specific than, those provided for in the model UPPs.

Given the Government’s response to Recommendation 5–1, the Government did not accept this recommendation, although the overall idea was accepted:

Where an ALRC recommendation refers to the Privacy (Health Information) Regulations and the Government accepts the recommendation’s intent, the Government will implement that recommendation in the primary legislation (the Privacy Act) unless otherwise stated.

The Government did accept in principle that the Office of the Privacy Commissioner should have a key role in developing and publishing guidelines on the handling of health information, in consultation with relevant stakeholders.[39]

The Government encourages the development and publication of appropriate guidance by the Office of the Privacy Commissioner, noting that the decision to provide guidance is a matter for the Privacy Commissioner. …[S]uch guidance would be on the application of the Privacy Act and Privacy Principles to health information, rather than on the health privacy regulations (as proposed by the ALRC).[40]

Chapter 63 included detailed consideration of the various matters to be covered, and these are picked up in principle through the agreement to amend the principles in the Privacy Act. In particular, amendments are considered in relation to the ‘Collection’ principle, the ‘Use and Disclosure’ principle and the ‘Access and Correction’ principle.

Collection

NPP 10.1 provides that an organisation must not collect sensitive information without consent. In October 2002 the Privacy Commissioner made two public interest determinations (PIDs) in relation to health service providers. These covered, among other things, when health service providers could collect information about third parties without their consent. In addition, National Health Privacy Principle 1 (NHPP 1) of the draft National Health Privacy Code covers similar territory in relation to the collection of a family medical history.

The ALRC proposed amendments to give effect to such principles on the basis that the collection of health information about family members and others is routine practice and essential to provide appropriate health care to individuals.

The Government agreed that amendment was needed so that the Privacy Commissioner did not need to continue to make PIDs. ‘Given the likelihood that there will remain a strong public interest in such collections being permitted, it is appropriate that a permanent authority be established for this practice’. What the ALRC had proposed for the regulations will be picked up in the Act, namely that:

A health service may collect health information from an individual, or a person responsible for the individual, about third parties, when:

(a)  the collection of the third party’s information is necessary to enable the health service provider to provide a health service directly to the individual; and

(b)  the third party’s information is relevant to the family, social or medical history of that individual.[41]

A further recommendation was accepted, that an agency or organisation that is a health service provider may collect health information about an individual if the information is necessary to provide a health service to the individual and the individual would reasonably expect the agency or organisation to collect the information for that purpose.[42]

The kinds of situations in mind were where the sharing of information among a team of health service providers treating the individual is done on the basis of express or implied consent. The recommended provision was not unlimited, as it is restricted to the collection of health information in the health services context and is linked to the reasonable expectations of the individual. As explained in the report, the provision ‘is intended to ensure that health service providers are confident to collect information where necessary to provide a health service to the individual, in circumstances in which the individual would expect them to do so’.[43]

Use and disclosure principle

The problem at the moment is uncertainty about the extent of obligations under the Privacy Act. IPPs 10 and 11 and NPP 2 regulate the use and disclosure of personal information. IPP 10 applies to health information and provides that information may be used for the purpose for which it was collected or a directly related purpose. Beyond such purposes, consent is required. NPP 2 allows use or disclosure for the primary purpose of collection, or for a secondary purpose which is directly related to the primary purpose and which the individual would reasonably expect the organisation to use or disclose the information for. There are exceptions including, for example, where the organisation reasonably believes that use or disclosure is necessary to lessen or prevent a serious or imminent threat to an individual’s life, health or safety, or a serious threat to public health or public safety.

Access and correction principle

Health consumers do not have a right under general law principles to have access to their medical records.[44] Hence health consumers must rely on legislation, including IPP 6 of the Privacy Act, to give them a right of access to the health information held in medical records. Other rights of access and correction, together with grounds on which access may be refused, are contained in the Freedom of Information Act 1982 (Cth). In the course of the OPC review, it was noted that access issues can cause a breakdown in the therapeutic relationship.[45]

In this Inquiry, the ALRC wanted to know whether the refusal of access provision was appropriate. Potential damage to the therapeutic relationship was not considered a solid basis on which to refuse access. The recommended approach was based on responding within a reasonable time and providing access to the information unless:

  • in the case of an agency, the agency is required or authorised to refuse by law (eg under the FOI Act)
  • in the case of an organisation, providing access would be reasonably likely to pose a serious threat to the life or health of any individual.[46]

The ALRC also considered the matter of refusal of access and who should adjudicate disputes. Complaints to the Privacy Commissioner are provided for in s 36. The FOI Act includes a procedure for refusing a request for information and for providing health information instead to a nominee who receives it on the applicant’s behalf. The ALRC proposed that the ‘Access and Correction’ principle should provide stronger provisions on the use of intermediaries than the existing NPP 6.3.

The Government agreed with the gist of this recommendation, and that it be included in the Privacy Act. The nominated health service provider should be ‘suitably qualified and appropriate’. This was intended to avoid conflicts of interest where an intermediary is qualified, but not appropriate. The Government noted that the ALRC’s recommendations used the different terminology of the Privacy Act and FOI Act and indicated that ‘where practicable and appropriate the Government will emphasise ongoing consistency of phrasing’ in the two Acts.

Data security principle

The ALRC considered the complications with respect to data security when a health service is sold, transferred or closed. The ALRC proposed that in such circumstances a number of steps should follow, including making individual users of the health service aware and informing them about proposed arrangements for the transfer or storage of their information. The ALRC made a recommendation based on existing precedents using a ‘reasonable steps’ test.[47]

The ALRC also considered what happens when a health consumer changes health service provider, noting the difficulties that can arise in relation to the transfer of health information from one provider to another. The ALRC considered that health consumers should have the right to have their health information transferred in these circumstances in a manner that ensures continuity of care.[48] Consequently, the ALRC recommended that an agency or organisation must respond within a reasonable time to a request to transfer the information.

The Government considers that these obligations should also apply to health services where a partnership dissolves, or a practice otherwise de-merges or disaggregates, and that this recommendation would be implemented in the Privacy Act.[49] With respect to the moving of a health consumer, the Government accepted the recommendation.

5      Electronic health information systems

The Inquiry coincided with a number of major initiatives to develop electronic record-keeping schemes for doctors and hospitals, aimed at providing better quality and safer health care—including the creation of a national shared electronic health information system, in which a summary of personal information is stored on a central database that can be accessed by a range of health service providers. For example, under this scheme, where an individual normally resident in Victoria falls seriously ill or is involved in an accident in New South Wales and is unable to communicate, local health authorities would be able to determine quickly whether the person suffered from any chronic medical conditions or allergies, and what medicines he or she had been prescribed.

Although there was widespread recognition of the obvious benefits of such a scheme, concerns were expressed about the architecture, security and privacy safeguards built into the system. In Chapter 61 of For Your Information, the ALRC made a number of recommendations about the structure of any prospective unique health identifier scheme (‘UHI scheme’). The chief ALRC recommendation was that any UHI scheme be established under specific enabling legislation, for the sake of clarity and appropriate public scrutiny. Recommendation 61–1 further advised that such enabling legislation should address, among other things:

(a)    the nomination of an agency or organisation with clear responsibility for managing the respective systems, including the personal information contained in the systems;

(b)   the eligibility criteria, rights and obligations for participation in the scheme by health consumers and health service providers, including consent requirements;

(c)    permitted and prohibited uses and linkages of personal information held in the systems;

(d)   permitted and prohibited uses of UHIs and sanctions for misuse; and

(e)    safeguards in relation to the use of UHIs, including the provision that a UHI is not necessary in order to access healthcare.

Government response

The Government accepted Rec 61–1 in principle. The Australian Health Ministers agreed in March 2009 that all Australian residents would be allocated an Individual Healthcare Identifier (IHI). A key commitment of the ministers is ‘to continuing consultations on privacy protections that will be necessary to underpin this important health initiative’.

The Government agrees with the necessity of privacy protections for any national Unique Healthcare Identifiers (UHIs) or national Shared Electronic Health Records (SEHR) scheme. The substance of these protections and details of matters to be addressed in legislation, such as those matters outlined by the ALRC … should be subject to specific future consultation as any UHI or SEHR scheme goes forward.[50]

The UHI scheme

The Government introduced the Healthcare Identifiers Act 2010 (Cth), the express purpose of which, as set out in s 3, is ‘to provide a way of ensuring that an entity that provides, or an individual who receives, healthcare is correctly matched to health information that is created when healthcare is provided’, to be achieved ‘by assigning a unique identifying number to each healthcare provider and healthcare recipient’. The Act commenced on 29 June 2010.

How does the Act follow ALRC recommendations?

The Act nominates the Chief Executive Officer of Medicare Australia as the ‘service operator’ of the scheme: s 5 (definition of ‘service operator’). Under s 9(2), ‘national registration authorities’ are empowered to issue UHIs to healthcare providers. Regulation 4 of the Healthcare Identifiers Regulations 2010 prescribes as national registration authorities the National Health Practitioner Boards and the Australian Health Practitioner Regulation Agency, which are established under the ‘Health Practitioner Regulation National Law’, annexed as a schedule to the Health Practitioner Regulation National Law Act 2009 (Qld) and adopted as law by the states and territories.

The eligibility of healthcare recipients to be issued a UHI is self-explanatory: s 5 (definition of ‘healthcare recipient’) of the Act. Sections 9 and 9A outline the eligibility of individual healthcare providers and healthcare organisations to be issued a UHI. Sections 7 and 9B and reg 5 set out what information must be given before a UHI is issued by the service operator.

Importantly, s 9(4) expressly states that consent of the healthcare recipient is not required for a UHI to be assigned.

Use and linkages of personal information held under the scheme

Part 3 Div 1 of the Act states the permitted and prohibited uses and linkages of personal information (styled ‘identifying information’) held under the UHI scheme:

  • healthcare providers are allowed to disclose identifying information to the service operator for the purpose of issuing a UHI;
  • Medicare and the Defence and Veterans departments are allowed to disclose identifying information to the service operator for the purpose of issuing a UHI;
  • national registration authorities are allowed to disclose UHIs and related information to the service operator for the purpose of maintaining the service operator’s record, as mandated by s 10 of the Act.

Section 15 provides for sanctions for breaches of this aspect of the Act.

Uses and linkages of UHIs and sanctions for misuse

Disclosure of UHIs by the service operator is provided for in Part 3 Div 2(B). The service operator may disclose a UHI to:

  • a participating healthcare provider (and its authorised employees and contractors) for ‘the purpose of communicating or managing health information, as part of the provision of healthcare to a healthcare recipient … or for certain other purposes’: s 17;
  • a healthcare recipient or person responsible for them—the service operator is obliged to provide the UHI and any related information and information held on the operator’s record on the request of the healthcare recipient: s 18;
  • a registration authority—the service operator may disclose a healthcare provider’s UHI to a registration authority for the purpose of registering that provider: s 19;
  • an ‘entity’, defined in s 5 as including a person, partnership, unincorporated association or body, trust or part of another entity. The service operator may disclose a healthcare provider’s UHI to the entity in order to authenticate the provider’s identity in electronic transmissions: s 20.

Disclosure of UHIs by healthcare providers is provided for in Part 3 Div 3. A healthcare provider may disclose a UHI to:

  • the relevant healthcare recipient or the person responsible for them: s 23;
  • an entity (see above). The healthcare provider may disclose a UHI to an entity for the purpose of communicating or managing health information as part of the provision of healthcare to the recipient; the management, funding, monitoring or evaluation of healthcare; the provision of indemnity cover for a provider; or the conduct of approved research: s 24(1)(a); or where the provider reasonably believes the disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health or safety or a serious threat to public health or public safety: s 24(1)(b).

Sanctions for misuse

If a person uses or discloses a UHI otherwise than in accordance with the Act, an offence is committed. The maximum penalty is 2 years imprisonment or 120 penalty units, or both (600 penalty units for bodies corporate): s 26—which is on a par with the general approach to secrecy offences.

Safeguards

Although the information provided by Medicare to the public on its website indicates that a UHI is not required to access medical services, there is no provision in the Act to this effect.

Section 27 obliges ‘entities’ to take reasonable steps to protect UHIs in their possession from misuse, loss, unauthorised access, modification or disclosure. The Regulations also provide rules and machinery provisions for the various allowable disclosures, and sanctions for breach of these provisions.

6     Greater facilitation of research

Chapter 65 focused on research. The Privacy Act allows researchers to obtain and use personal information for health or medical research, without the consent of the individuals concerned, where approved by a Human Research Ethics Committee.

The ALRC heard many concerns, however, from researchers in the health and medical field—as well as social scientists, criminologists and others—that an overly cautious approach to the application of the Privacy Act was inhibiting the conduct of research, even where the threat to individual privacy was limited or non-existent and the potential value of the research was very high. For example, epidemiological research can play a very valuable role in planning and promoting public health campaigns and in allocating scarce resources. In such cases, researchers are not concerned with the identity or information of individuals within the sample, but rather are seeking to identify broad trends and patterns in the population.

The ALRC also recognised that there are other forms of research that provide benefits to the community that require access to personal information in situations where it is difficult to obtain consent—such as research on child protection or factors associated with criminal behaviour.

The ALRC recommended that the research exception to the ‘Collection’ and ‘Use and Disclosure’ principles in the model UPPs allow information to be collected, used and disclosed for research purposes—including in areas other than health and medical research—where a number of conditions are met, including approval by a Human Research Ethics Committee.[51]

Government response

The Government agreed that one set of research rules should be issued by the NHMRC in conjunction with other appropriate bodies, such as the ARC and Universities Australia, rather than by the Privacy Commissioner. The Government also agreed that the Privacy Act should permit the collection, use and disclosure of personal information without consent for the purpose of important human research in certain circumstances.

The Government’s response supports two central proposals to facilitate research in the public interest, simplify regulation and protect community expectations of privacy:

  • a harmonised set of rules for Government and private sector researchers will replace the two sets of binding guidelines on non-consensual handling of personal information; and
  • the research provisions will be expanded to allow such handling for any research in the public interest, not just for health and medical research.

Two important parameters of the current regime will also be maintained:

  • the public interest in research must ‘substantially outweigh’ the protection of privacy—requiring a clear choice in favour of the research; and
  • the National Health & Medical Research Council and the Privacy Commissioner will retain primary responsibility for issuing and approving the research rules.[52]

7      What next

The government indicated that it would respond in two tranches.[53] The first stage response addressed 197 of the recommendations. Most of these (141) were accepted in full or in principle; 34 were accepted ‘with qualification’. Many of these will require amendments to the Privacy Act. The focus of the first stage response is ‘to establish the foundations for an enhanced privacy framework’. Some of this concerns health services and research, as discussed in this paper.

The new set of privacy principles will replace the two existing sets of principles (one for government and for private organisations) governing dealings with personal information. Further reforms to the Privacy Act will be released for public consultation in stages, including provisions relating to:

  • more comprehensive credit reporting to improve individual credit assessments, alongside privacy protections and responsible lending practices;
  • the protection of health information, in particular improving health sector information flows; and
  • strengthening the Privacy Commissioner powers to conduct investigations, resolve complaints and promote compliance with the Privacy Act and integrating the Privacy Commissioner into the newly-created Office of the Australian Information Commissioner.

The ALRC will contribute to discussions on these developments as they arise.


*          President, Australian Law Reform Commission; Professor of Law, Macquarie University (on leave for the duration of the appointment at the ALRC). This paper is drawn from the ALRC’s report, For Your Information—Australian Privacy Law and Practice (ALRC 108, 2008). Professor Les McCrimmon was the Commissioner in charge of the inquiry.

[1]           International Covenant on Civil and Political Rights, 16 December 1966, [1980] ATS 23 (entered into force on 23 March 1976), art 17. See discussion in Ch 3.

[2]           Following amendments made in 2010, the personal privacy exemption provides that a document is ‘conditionally exempt’ if its disclosure would involve the unreasonable disclosure of personal information about any person: Freedom of Information Act 1982 (Cth) s 47F. A person may gain access to his or her own personal information provided ‘by a qualified person acting in his or her capacity as a qualified person’—which includes a medical practitioner, psychiatrist, psychologist, counsellor and a social worker—unless the disclosure ‘might be detrimental to the applicant’s physical or mental health, or well-being’. In the latter case, the document may be given to another qualified person. The Archives Act 1983 (Cth) provides a similar exemption.

[3]           Australian Constitution s 51(xxix). See Privacy Act 1988 (Cth) Preamble.

[4]           Horta v Commonwealth (1994) 181 CLR 183.

[5]           Commonwealth v Tasmania (1983) 158 CLR 1; Polyukhovich v Commonwealth (1991) 172 CLR 501; Horta v Commonwealth (1994) 181 CLR 183.

[6]           Koowarta v Bjelke-Petersen (1982) 153 CLR 168.

[7]           International Covenant on Civil and Political Rights, 16 December 1966, [1980] ATS 23 (entered into force on 23 March 1976), art 17. See discussion in Ch 3.

[8]           Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). The OECD Guidelines are discussed further in Part D. Section 3 of the Privacy Amendment (Private Sector) Act 2000 (Cth) makes clear that the private sector amendments were also intended to meet Australia’s international obligations, as well as international concerns, relating to privacy.

[9]        Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, 28 January 1981, Council of Europe, CETS No 108 (entered into force on 1 October 1985).

[10]         Australian Constitution s 109.

[11]         Australian Boot Trade Employees Federation v Whybrow & Co (1910) 10 CLR 266; R v Licensing Court of Brisbane; Ex parte Daniell (1920) 28 CLR 23.

[12]         Clyde Engineering Co Ltd v Cowburn (1926) 37 CLR 466. See the discussion in Ch 3 of the Report.

[13]         See, eg, Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [4.21].

[14]         Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 2.

[15]         For further discussion of national consistency in the regulation of health information, see Part H of the Report.

[16]         See discussion in Chs 2, 17 of the Report.

[17]         See Ch 2.

[18]         Australian Government Department of Health and Ageing, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, December 2004.

[19]         See, eg, Australian Medical Association, Code of Ethics (2004), s 1.1(l). Confidentiality is also discussed in Chs 8, 15 and 16 of the Report.

[20]         See, eg, National Health Act 1953 (Cth) s 135A; Health Insurance Act 1973 (Cth) s 130; Health Administration Act 1982 (NSW) s 22; Health Services Act 1988 (Vic) s 141.

[21]         M McMahon, ‘Re-thinking Confidentiality’ in I Freckelton and K Petersen (eds), Disputes & Dilemmas in Health Law (2006) 563, 579.

[22]         P Finn, ‘Confidentiality and the “Public Interest”’ (1984) 58 Australian Law Journal 497, 502.

[23]         See, eg, Public Health Act 1991 (NSW) s 14; Health Act 1958 (Vic) s 138 in relation to notifiable diseases. See also the discussion of professional confidential relationship privilege in Australian Law Reform Commission, New South Wales Law Reform Commission and Victorian Law Reform Commission, Uniform Evidence Law, ALRC 102 (2005), [15.3]–[15.14], [15.31]–[15.44].

[24]         Privacy Act 1988 (Cth); Health Records and Information Privacy Act 2002 (NSW); Health Records Act 2001 (Vic); Personal Information Protection Act 2004 (Tas); Health Records (Privacy and Access) Act 1997 (ACT); Information Act 2002 (NT).

[25]         For Your Information—Australian Privacy Law and Practice (ALRC 108, 2008), 2058.

[26]         Proposal 57–1.

[27]         Response, p 132.

[28]         Exemptions from the Privacy Act are considered in Part E of the Report.

[29]         Rec 39–1.

[30]         Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 66–68. The costs of legislative inconsistency and regulatory fragmentation are considered in detail in Ch 14.

[31]         See Ch 14 of the Report.

[32]         Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), Rec 7–1.

[33]         Rec 3–1.

[34]         For example, the Information Privacy Bill 2007 (WA) proposes to regulate the handling of health information by the private sector in Western Australia. Further, the Information Privacy Act 2000 (Vic) could potentially regulate the handling of personal information by private sector organisations that are declared to be ‘organisations’ for the purposes of the Act: Information Privacy Act 2000 (Vic) s 9.

[35]         Rec 3–1.

[36]         Rec 3–2.

[37]         Rec 5–2.

[38]         See Ch 3.

[39]         Rec 60–3.

[40]         Response 129–130.

[41]         Rec 63–1. Response, 133.

[42]         Rec 63–2.

[43]         For Your Information—Australian Privacy Law and Practice (ALRC 108, 2008), [63.60].

[44]         Breen v Williams (1996) 186 CLR 71.

[45]         [63.113].

[46]         Recs 29–2, 29–3.

[47]         Rec 63–7.

[48]         [63.170].

[49]         Response, 136.

[50]         Response, 131.

[51]         See Chs 65, 66.

[52]         Response, 13.

[53]         Add reference.

The Australian Law Reform Commission has welcomed today’s announcement by the federal Government that it will implement a large portion of the recommendations of the ALRC’s review of Australian privacy laws. The first stage of the Australian Government’s formal response to For Your Information: Australian Privacy Law and Practice (ALRC 108) considers 197 of the 295 recommendations made by the ALRC—and accepts about 90 percent of them.

ALRC President, Emeritus Professor David Weisbrot AM, said 141 of the 197 recommendations have been accepted in full or in principle, with another 34 recommendations accepted with qualification and two further recommendations noted (but not requiring action).

The ALRC report—released in August last year—was the product of two years of extensive research and international benchmarking, and included the largest community consultation exercise in ALRC history.

Releasing the Government’s response, Cabinet Secretary and Special Minister of State, Senator Joe Ludwig, said the implementation of the ALRC’s recommendations would be the most significant reform of privacy laws since the inception of the Commonwealth Privacy Act more than 20 years ago.

Senator Ludwig said the first stage response focuses on the foundations: a clear and simple framework for privacy rights and obligations, including a harmonised set of Privacy Principles; a redrafting of the Privacy Act to make it more accessible; a new comprehensive credit reporting framework; improvements in health sector information flows; and enhanced powers for the Privacy Commissioner.

As recommended by the ALRC, these reforms will be technology neutral—but technologically aware—providing protection for personal information held in any medium.

Professor Weisbrot said the Privacy Act was introduced “before the advent of supercomputers, the Internet, mobile phones, digital cameras, e-commerce, sophisticated surveillance devices and social networking websites—all of which challenge our capacity to safeguard our sensitive personal information”.

“These days, information privacy touches almost every aspect of our daily lives, including our medical records and health status, our finances and creditworthiness, the personal details collected and stored on a multiplicity of public and corporate databases, and even the ability to control the display and distribution of our own images.”

Commissioner in charge of the Privacy Inquiry, Professor Les McCrimmon, said that the ALRC’s reforms were carefully crafted to streamline complex and costly privacy laws and practice, and to make the law much easier to understand and to comply with. In particular, the move to a unified set of Privacy Principles, covering both the public and private sectors, will make an important contribution in this area.

“The overwhelming message from our report was that Australians do care about privacy, and they want a simple, workable system that provides effective solutions and protections. We’re confident our recommendations will achieve this, and so we are delighted with the Government’s very positive response.”

An exposure draft of the new legislation is expected in early 2010. The remaining 98 recommendations made by the ALRC— which consider such important matters as the removal of exemptions, a scheme for compulsory data breach notification, and the creation of a cause of action for serious invasions of personal privacy—will be considered in Stage 2 of the Australian Government response.

11 August 2008, Privacy Inquiry

A consolidated set of privacy principles

The Privacy Act provides different sets of Privacy Principles for the handling of personal information by government agencies and by private sector organisations. Contractors to the Australian Government, government business enterprises, and those involved in public-private partnerships may be bound to comply with both sets of principles.

ALRC President, Professor David Weisbrot, said “Individuals, businesses and government are concerned about the complexity, confusion and increased compliance costs resulting from the two sets of similar but inconsistent sets of privacy principles in the Privacy Act.

“There was overwhelming support for streamlining the principles. We recommend a consolidation of those principles to apply to both the public and private sectors, namely the principles covering: Anonymity and Pseudonymity, Collection, Notification, Openness, Use and Disclosure, Data Quality, Data Security, Access and Correction, and Cross-Border Data Flows. Some principles—such as those relating to direct marketing and identifiers—should remain only applicable to the private sector.

“Having a single set of principles will greatly ease the compliance burden, make it simpler for people to understand their rights, and foster needed national and international consistency in privacy regulation. In fact, this is probably the most important contribution we can make to the reform of Australian privacy laws.”

Commissioner in charge of the Privacy Inquiry, Professor Les McCrimmon, said that the ALRC adopted a pragmatic approach to privacy regulation. “We have drawn on the existing system of principles-based legislation, recognising that principles can be flexible, high-level and allow for a greater degree of ‘future-proofing’. In order to meet the exigencies of particularly important or challenging areas of privacy protection, however, we have recommended a rules-based approach in the form of regulations and industry codes in specified contexts, such as health privacy and credit reporting.”

Towards national consistency

The complexity of privacy regulation is compounded by the fact that each state and territory also has laws or administrative guidelines governing the handling of personal information. This creates confusion for individual consumers, who cannot always be expected to know whether an agency is a federal, state or territory body, or where to go for guidance on which privacy laws apply, or where to take concerns and complaints. It also creates increased compliance costs and confusion for organisations and agencies endeavouring to fulfil their obligations under the law.

Professor Weisbrot said “The current system leads to ludicrous outcomes. The same piece of personal information may be subject to two or more conflicting or different privacy laws at the same time. For example, the ALRC was told that some businesses have to comply with two sets of federal privacy principles as well as multiple sets of state privacy principles.

“To address these problems, the ALRC recommends that the Privacy Act should apply to the federal public sector and the whole of the private sector—to the exclusion of state and territory privacy laws.”

Professor McCrimmon said “In the interests of promoting national consistency and regulatory simplicity, the ALRC further recommends that states and territories should adopt the federal privacy principles and other key provisions of the Privacy Act, through an intergovernmental cooperative scheme.”

For Your Information: Australian Privacy Law and Practice (ALRC 108, 2008), is available electronically from the ALRC website, www.alrc.gov.au. For more information about the structural reform of the privacy principles and the substance of each of the privacy principles, see Part D of the Report. For more on regulatory models, see Chapter 4; for more on achieving national consistency, see Part C of the Report.

The Australian Law Reform Commission’s landmark report For Your Information: Australian Privacy Law and Practice (ALRC 108), was launched today in Sydney by the Cabinet Secretary, the Hon Senator John Faulkner, and the Attorney-General, the Hon Robert McClelland MP. The three-volume, 2700 page report is the culmination of a massive research and consultation exercise conducted over two years, and recommends 295 changes to privacy laws and practices.

ALRC President, Professor David Weisbrot, said that “Although the federal Privacy Act is only 20 years old, it was introduced before the advent of supercomputers, the Internet, mobile phones, digital cameras, e-commerce, sophisticated surveillance devices and social networking websites—all of which challenge our capacity to safeguard our sensitive personal information. 

“The Privacy Act has worked pretty well to date, but it now needs a host of refinements to help us navigate the Information Superhighway. These days, information privacy touches almost every aspect of our daily lives, including our medical records and health status, our finances and creditworthiness, the personal details collected and stored on a multiplicity of public and corporate databases, and even the ability to control the display and distribution of our own images.”

Commissioner in charge of the Privacy Inquiry, Professor Les McCrimmon, added that “During our extensive consultations around the country, the overwhelming message we heard was that Australians do care about privacy, and they want a simple, workable system that provides effective solutions and protections.

“At the same time, people appreciate that other interests often come into the balance—such as freedom of speech, child protection, law enforcement and national security. Australians also want the considerable benefits of the Information Age, such as shopping and banking online, and communicating instantaneously with friends and family around the world. And, of course, businesses want to be able to market effectively to current and potential customers, and to process data efficiently—including offshore.”

Professor Weisbrot noted that “the ALRC was given many examples of the Privacy Act being used inappropriately as a reason for failing to provide information or assistance. Privacy regulators refer to this as ‘the BOTPA’ excuse, for ‘Because of the Privacy Act’. This underlines the pressing need for simplification and harmonisation of law and practice, as well as more education about what the law does—and does not—require.

“In For Your Information, the ALRC provides a clear framework for establishing world’s best practice in privacy protection. The massive range of issues has resulted in a huge report—but really this report comprises eight or nine substantial inquiries in one.

“A one-size-fits-all approach could never work, so we have endeavoured to craft sensible solutions to the various particular problems. In many cases, this will involve the Privacy Commissioner providing education and guidance to individuals, businesses and government agencies, but in other circumstances, stronger action and sanctions may be required.” 

The key recommendations in the For Your Information report include:

  • Simplification and streamlining: the Privacy Act and related laws and regulations are highly detailed and complex, making it difficult for businesses to understand their obligations and for individuals to know their rights. A basic restructuring of the Act is required, focused on high-level principles of general application, to be supplemented by dedicated regulations governing specific fields, such as health privacy and credit reporting.  
  • Uniform privacy principles and national consistency: the Act should prescribe a single set of Privacy Principles—developed and spelled out by the ALRC in this report—to apply to all federal government agencies and the private sector. It is recommended that these principles also be applied to state and territory government agencies through an intergovernmental cooperative scheme—so that the same principles and protections apply across Australia no matter what kind of agency or organisation is handling the information. 
  • Regulating cross-border data flows: the basic principle should be that an agency or organisation that transfers personal information outside the country remains accountable for it, except in certain specified circumstances. 
  • Rationalisation of exemptions and exceptions: the Privacy Act should be amended to rationalise the complex web of exemptions and exceptions. Exemptions only should be permitted where there is a compelling reason—and the ALRC recommends removal of the current exemptions for political parties, employee records and small businesses.
  • Improved complaint handling and stronger penalties: the Privacy Commissioner’s complaint handling procedures should be streamlined and strengthened, and the federal courts should be empowered to impose significant civil penalties for serious or repeated breaches of the Privacy Act.
  • More comprehensive credit reporting: in addition to the limited types of ‘negative’ information currently permitted, it is recommended that some additional categories of ‘positive’ information should be allowed to be added to an individual’s credit file, in order to facilitate better risk management practices by credit suppliers and lenders.
  • Health privacy: apart from the general approach to simplification and harmonisation of privacy laws, the ALRC recommends the drafting of new Privacy (Health Information) Regulations to regulate this important field. Recommendations also are made to deal with electronic health records, and the greater facilitation of health and medical research. 
  • Children and young people: consultations with children and young people indicated that they wish to retain control over the personal information that they post on social networking websites, but were unaware of the extent to which such information remains available even after it has been ‘deleted’. The ALRC recommends that regulators and industry associations intensify efforts to educate young people about these issues. 
  • Data breach notification: government agencies and business organisations should be required to notify individuals—and the Privacy Commissioner—where there is a real risk of serious harm occurring as a result of a data breach. 
  • Cause of action for a serious invasion of privacy: federal law should provide for a private cause of action where an individual has suffered a serious invasion of privacy, in circumstances in which the person had a reasonable expectation of privacy. Courts should be empowered to tailor appropriate remedies, such as an order for damages, an injunction or an apology. The ALRC’s recommended formulation sets a high bar for plaintiffs, having due regard to the importance of freedom of expression and other rights and interests.  

The Privacy Final Report and detailed Briefing Notes on 10 key areas—including children, credit reporting, health, data breach notification (fraud and identity theft), emerging technologies and creating an action for serious invasion of privacy—can be found at www.alrc.gov.au.


11 August 2008

Electronic health records

In recent years, there have been increasing pressures, particularly from government, to move from paper to electronic health records. The ALRC’s Privacy Inquiry coincided with a number of major initiatives to develop electronic medical records—including the proposed national Shared Electronic Health Records system, in which a summary of personal information would be stored on a central database. A range of health service providers would be able to access the information on the database, with the consent of the individual health consumer.

The Commissioner in charge of the Privacy Inquiry, Professor Les McCrimmon, said that “Health information is highly sensitive and personal. Although people recognise that new ‘e-health’ systems can provide benefits in terms of better health care—and in coping with emergencies—many are concerned about the security and privacy of electronic health records. We recommend that any such system should be established under its specific legislation, which expressly addresses the key privacy issues and includes appropriate safeguards.”

Access to medical records

Another area of concern, both in relation to electronic health records and traditional paper-based files, is access. “We heard loud and clear that people want access to, and control over, their own health information,” said ALRC President, Professor David Weisbrot. “We heard many stories from patients who had experienced frustration in this regard. For example, we heard about health records being found in rubbish bins, garages or on the footpath after their family doctor had sold the practice, retired or passed away. One of our key recommendations in this area is that patients must be contacted and informed of the arrangements for the transfer or storage of their medical records.

“We also recommend that where a patient shifts from one medical practice to another, the old practice should be required to transfer the patient’s medical records to the new one, upon request.” 

Greater facilitation of research in the public interest

The Privacy Act already recognises that, in some circumstances, researchers may be allowed to use personal information for health or medical research—such as epidemiological research on health trends—without the need to obtain the consent of every individual concerned. This kind of research only may proceed where: (a) it conforms to the Privacy Commissioner’s rules; (b) a Human Research Ethics Committee (HREC) decides that the public interest in the research substantially outweighs the interest in enforcing the privacy principles; and (c) obtaining the consent of every individual would be impractical.

However, Professor Weisbrot said that “Medical research isn’t the only form of research that can provide significant benefits to the community. For example, research on child protection or the causes of crime—which require access to personal information in situations where it is difficult to obtain consent—is also extremely important.

“The ALRC recommends that the research exception in the Privacy Act be extended to these other forms of socially worthwhile research—but under the same strict conditions that apply to medical research. Secondly, it should be sufficient for the HREC to conclude that the public interest in the research simply outweighs the competing privacy interests.”

For more information on health information and electronic health information systems, see Chapters 60–63 of For Your Information: Australian Privacy Law and Practice (ALRC 108, 2008). Research is considered in Chapters 64–66.

11 August 2008

The ALRC’s national consultation exercise clearly indicates that Australians are concerned about their personal information being sent or held overseas without their knowledge and consent. ALRC President, Professor David Weisbrot, said “This unease appears to reflect a general feeling by people that they are losing control over something deeply personal, with little ability to do anything about it, and few remedies if anything goes wrong overseas.”

It is now commonplace for major companies that deal with personal information, such as banks and credit card companies, to conduct their ‘back office’ processing of data overseas. Similarly, individuals increasingly purchase goods and services over the internet on sites based overseas, paying with a credit card.

“A seemingly simple purchase of a book or DVD from a popular website, such as Amazon.com, actually may involve personal information flowing across many jurisdictions, with identity and credit verification, data processing, stock checking and shipping all handled in different countries,” Professor Weisbrot said.

Professor Les McCrimmon, Commissioner in charge of the Privacy Inquiry, said that “While the Privacy Act provides some protection for personal information transferred to another country by businesses, it does not apply to government agencies—and there are general concerns about whether the law currently provides an adequate level of protection.”

For their part, business organisations told the ALRC they want to continue to be able to choose the most effective and efficient means of storing and processing customer data—and suggest this often means doing so overseas. Businesses wish to develop these practices further, without the time, trouble and cost of seeking regular customer consent to what they regard as routine cross-border data flows.

“Businesses and governments promoting the economic benefits of efficient information handling and increasing access to global markets for trade and labour need a framework that can facilitate cross-border data flows, while providing individuals with a level of assurance that this will not compromise the security or privacy of their personal information,” Professor McCrimmon said.

In For Your Information: Australian Privacy Law and Practice the ALRC recommends a new approach to cross-border data flows aimed at creating greater certainty for Australian businesses and individuals, and which balances the need to transfer information with the protection of an individual’s privacy.

The ALRC recommends that privacy laws should provide that an agency or organisation that transfers personal information about an individual outside Australia will remain responsible for the protection of that information. This will ensure that an individual has the ability to approach a local privacy regulator and seek redress from someone in Australia if the overseas recipient breaches the individual’s privacy.

There are three specific circumstances, however, when an agency or organisation should not remain responsible. These are when:

  • the agency or organisation reasonably believes that the recipient of the information is subject to privacy protections that are of a similar standard to Australia’s;
  • the individual consents to the transfer, after being expressly advised that the consequence of providing consent is that the agency or organisation will no longer be responsible; or
  • the agency or organisation is ‘required or authorised by law’ to transfer the personal information.

These qualifications will allow, for example, agencies and organisations to deal with any liability through contracts with the recipient of the personal information. Similarly, agencies and organisations will be allowed to transfer information overseas when they are required to do so by law—for example, during extradition proceedings or public health emergencies.  

For more information about cross-border data flow see Chapter 31 of For Your Information: Australian Privacy Law and Practice (ALRC 108, 2008).

11 August 2008

Do the technologically savvy, confident and optimistic members of Generation Y have radically different attitudes to privacy from their Baby Boomer parents and their grandparents?

ALRC President, Professor David Weisbrot, stated that, “During our Inquiry, we used a number of strategies to obtain the views of children and young people—for example, we conducted a series of dedicated youth workshops, and we designed a special ‘Talking Privacy’ website to provide information and allow kids to give us their views directly.

“Not surprisingly, it was clear from our discussions with kids, and supported by all the research, that young people are more likely than older people to disclose personal information about themselves on the internet. They enter online competitions, fill in registration pages to join websites, and post photographs of themselves on blogs and social networking sites, such as MySpace and Facebook. However, they also have a strong desire to exercise control over the access to some of their personal information. For example, they want the information they disclose to doctors and school counsellors to remain confidential.

“While young people clearly understand the technology, and in particular the internet, it was clear that they did not have a good understanding of what happens to their information once it is posted. For example, many thought that deleting the profile, or even a particular item, meant that the information is removed completely from the on-line environment—which often is not the case at all.”

Professor Weisbrot stated that “For these reasons, the ALRC recommends that the Privacy Commissioner, industry associations and educational authorities provide children and young people with more information on privacy issues, so that they can better protect their own privacy and respect the privacy of others.”

Decision making by children and young people

The Privacy Act is silent on the age at which children and young people can make decisions about the handling of their personal information. Research suggests that decision-making capacity evolves throughout childhood and adolescence, and is dependent on a number of factors, such as the nature of the decision in question and the context in which it is to be made. As a general matter, therefore, the ALRC recommends that agencies and organisations assess the capacity of children and young people to make decisions under the Privacy Act on a case-by-case basis.

The ALRC recognises, however, that this may not always be possible. The Commissioner in charge of the Privacy Inquiry, Professor Les McCrimmon, notes that, “It is not always possible to make individual enquiries. For example, the business or agency might be transacting with the young person online. When making an assessment of capacity is not possible, a person 15 years of age and over should be presumed to have the capacity to make decisions about their personal information. This is the age at which a person can obtain a Medicare card without parental permission, so it seems sensible to use that age as the default.”

Photographs or other images of children and young people

To date, privacy laws have not addressed the taking of photographs or other images of children and young people without their consent, or the consent of their parent or guardian.

Professor McCrimmon stated that, “The taking of photographs without consent, particularly of children, is a difficult issue. It raises very serious issues of child protection, freedom of expression and need to safeguard the privacy of children. While blanket bans tend not to work, the introduction of a statutory cause of action for a serious invasion of privacy, as recommended by the ALRC, should provide a significant degree of protection. Of course, the proper focus should be on serious invasions of privacy and highly offensive conduct, not on innocent family snaps by the pool”.

For more information about privacy issues related to children and young people, see Chapters 67–70 of For Your Information: Australian Privacy Law and Practice (ALRC 108, 2008).

The impact on privacy of rapidly developing information and communications technology is a central consideration for the Australian Law Reform Commission (ALRC) in its report For Your Information: Australian Privacy Law and Practice, released publicly today. The ALRC addresses privacy concerns by recommending the implementation of technology-neutral privacy principles, which should be supported by a technology-aware regulatory framework.

“Recent advances in information, communication and surveillance technologies have created and intensified a range of privacy issues. The internet, biometrics, digital phones and cameras, powerful computers and radio-frequency identification have all contributed to making it easier, cheaper and faster for government agencies and business organisations to collect, store and aggregate large amounts of personal and sensitive information,” said ALRC President, Professor David Weisbrot.

“Because these and other technologies are developing so rapidly, trying to regulate their use or development through specifically targeted provisions in the Privacy Act would make the Act outdated fairly quickly. We need privacy principles that are flexible enough to be adapted over time as the technology continues to evolve. That’s why we keep saying the system needs to be technology neutral, but technology aware.

“Establishing broad outcomes for the handling of personal information, rather than setting out detailed rules for each particular technology, is also consistent with the ‘light-touch’ approach to privacy regulation that has characterised the Australian system.”

Professor Les McCrimmon, the Commissioner in charge of the Inquiry, said that the Office of the Privacy Commissioner (OPC) has a key role in a technology-aware privacy regulatory framework.

“OPC education and guidance is essential for government agencies and private sector organisations to understand their obligations under the Privacy Act when using emerging technology to collect and handle personal information.

“Another important task for the OPC is to inform individuals how privacy-enhancing technologies can be used to protect their own privacy, and advise agencies and organisations how to design and deploy new and developing technologies in a privacy-enhancing way.”

Other key ALRC recommendations include:

  • federal legislative instruments establishing public registers should set out clearly any restrictions on the electronic publication of personal information;
  • the OPC should provide guidance that sets out the factors that agencies and organisations should consider before publishing personal information on the internet; and
  • the OPC should provide guidance for organisations on the privacy implications of data-matching.

For more information on developing technology and privacy, see Part B (Chapters 9–12) of For Your Information: Australian Privacy Law and Practice (ALRC 108, 2008).

The Privacy Act regulates the system of credit reporting, allowing information about an individual’s credit-worthiness to be collected and disclosed to credit providers, such as banks, finance companies, mortgage companies, and mobile phone service providers. In Australia, this information is collected by a small number of specialist credit reporting companies from credit providers and from publicly available records.

The ALRC recommends that the existing credit reporting provisions of the Privacy Act be repealed. Instead, credit reporting should be regulated under the general provisions of the Act and new credit reporting regulations, incorporating significant recommended changes to the current rules.

More comprehensive credit reporting

The Australian credit reporting regime is currently more restrictive than in most comparable countries in relation to the types of information that may be collected and disclosed.

ALRC President, Professor David Weisbrot said that “At the moment, the Privacy Act generally allows credit files to include only ‘negative’ information, such as previous defaults. Unlike the position almost everywhere else, this makes it difficult for Australians to build up a positive record of responsible borrowing behaviour over time.”

Professor Les McCrimmon, Commissioner in charge of the Inquiry, stated that “The credit industry argued strongly for a wider range of information—such as current credit balances and loan repayment histories—to be collected and disclosed in reports to lenders, on the basis that such information is required for credit providers to make sound decisions about an applicant’s ability to repay.

“The industry supplied the ALRC with the results of studies, surveys, reports and economic modelling suggesting that an increase in information available to lenders would facilitate better risk management practices—which in turn would open up the field to greater competition and drive down the cost of credit, especially for low risk and responsible borrowers.

“On the other hand, consumer groups were not convinced that more information would be used to assist responsible lending—rather than to advance more credit and contribute to higher levels of indebtedness. Privacy and consumer advocates also argued strongly that allowing more personal information on the financial position and credit behaviour of individuals to be collected in private sector databases would pose greater risks to security and privacy.”

The ALRC’s recommended approach

After extensive consultation, research and consideration, the ALRC recommends that there should be some expansion of the categories of personal information that can be included in credit reporting information held by credit reporting agencies. The four additional items should be:

  • the type of each current credit account opened (eg, mortgage, credit card, personal loan);
  • the date on which each current credit account was opened;
  • the credit limit of each current account; and
  • the date on which each credit account was closed.

Professor David Weisbrot stated that “It is hard to justify the present, artificial limitations, which do not accord with standard practice in the rest of the industrial world. The recommended moderate expansion in the types of information that may be recorded on a credit file falls short of the more open US or UK regimes advocated by some credit providers, but that is because the ALRC recognises that there are competing interests at play, and we have sought to place an appropriately high premium on the privacy and security of sensitive personal information.”

The ALRC recognises that there are strong arguments in favour of also including an individual’s repayment history in the categories of personal information that may be held by credit reporting agencies. Questions remain, however, about whether more responsible lending would result from this change, in the absence of new obligations on credit providers.

Professor Weisbrot explained, “That good risk management and responsible lending practices do not inevitably flow out of fully comprehensive credit reporting is borne out by the notorious ‘sub-prime loan crisis’ in the US and the UK.

“In those jurisdictions, lenders who have had access to more comprehensive information about prospective borrowers nevertheless made conspicuously poor decisions for years, based on the pursuit of market share and short-term incentives.

“Consequently, the ALRC recommends that the Australian Government only amend the Privacy Act to allow credit reporting to include information about an individual’s repayment history after it is satisfied that there is an adequate framework imposing responsible lending obligations in Commonwealth, state and territory legislation.”

Dispute resolution

The ALRC also identified a number of improvements that should be made to the credit reporting regime in relation to dispute resolution.

“We recommend a greater role for external dispute resolution, by requiring that any credit provider who lists debt defaults on credit information files be part of an external dispute resolution scheme. This will provide a fast, simple process for consumers who wish to dispute a default listing,” said Professor McCrimmon.

For more information on the ALRC’s recommendations for reform of the credit reporting provisions of the Privacy Act, see Part G (Chapters 52–59) of For Your Information: Australian Privacy Law and Practice (ALRC 108, 2008).

Justice Berna Collier, Part-time Commissioner, Australian Law Reform Commission, QLS Government Lawyers Conference, Brisbane, Thursday 17 April 2008.

On 30 January 2006 the then federal Attorney-General, Philip Ruddock, referred a review of the Privacy Act 1988 (Cth) to the Australian Law Reform Commission for inquiry and report. The task of the ALRC was to consider the extent to which the Privacy Act and related laws continued to provide an effective framework for the protection of privacy in Australia, having regard to:

  • the rapid advances in information, communication, storage, surveillance and other relevant technologies;
  • possible changing community perceptions of privacy and the extent to which it should be protected by legislation;
  • the expansion of State and Territory legislative activity in relevant areas; and
  • emerging areas that may require privacy protection.

The Commission was asked to provide a final report in the inquiry to the Attorney-General by 31 March 2008. The Commission initially published two issues papers: Review of Privacy (Information Paper 31) and Review of Privacy – Credit Reporting Provisions (Information Paper 32), and subsequently a concise overview of issues raised in those issues papers, namely Reviewing Australia’s Privacy Law – is Privacy Passé?

In September 2007 the ALRC circulated a three-volume discussion paper “Review of Australian Privacy Law” inviting submissions or comments. However, earlier this year the ALRC formally requested that the Terms of Reference be amended to extend the reporting date by two months, because of the size and complexity of the inquiry, and the difficulty stakeholders had experienced in providing submissions to the ALRC in a timely fashion (in relation to submissions of public sector agencies – caused partly by the 7 December 2008 federal election). On 11 February 2008 the federal Attorney-General, Robert McClelland, agreed to extend the reporting date for the inquiry to 30 May 2008.

Today I have been asked to provide a short presentation on the topic “scrutinising privacy” in relation to the ALRC Discussion Paper. Giving a short presentation on this topic is a challenge in itself: as the Commission points out in the Discussion Paper, the inquiry is one of the largest projects ever undertaken by the Commission, and in the three volumes of the Discussion Paper approximately 300 proposals for reform are advanced for consideration. The size and complexity of the Discussion Paper means that, in the time available, it will only be possible to skim its surface. In doing so I will draw heavily on the contents of the Discussion Paper, with a view to emphasising issues which the ALRC considers to be of particular importance, and keeping in mind the likely interests of the audience of government lawyers here today and the background to the review itself. I emphasise in giving this paper that it is only a snapshot of some of the contents of the Discussion Paper; reference should be made to the Discussion Paper for more detailed explanation and analysis of the background to the inquiry, the submissions to the Commission and its proposals.

Background

It is well known that, traditionally, the common law did not inherently protect the right to privacy. In Australia, this was reflected in the High Court decision in Victoria Park Racing Grounds v Taylor (1937) 58 CLR 479. In ABC v Lenah Game Meats Pty Ltd (2001) 208 CLR 199, however, the High Court specifically did not rule out the development of a cause of action for invasion of privacy. Subsequently there have been two Australian cases in which courts have awarded damages against a defendant for breach of privacy, which I discuss later in this paper.

In 1988 the Commonwealth Government enacted the Privacy Act 1988, designed to protect individual Australians (who are not deceased) against the misuse of their personal information. In addition to the Privacy Act, legislation relevant to the regulation of personal information in Australia includes the Commonwealth Freedom of Information Act 1982 (Cth) and Part 13 Telecommunications Act 1997 (Cth); State and Territory freedom of information legislation; and specific legislation in New South Wales, Victoria and the ACT regulating the handling of personal health information in the private sector.

In Queensland the Invasion of Privacy Act 1971 (Qld) regulates use of listening devices to overhear, record, monitor or listen to private conversations, and creates offences for improper use of such devices (section 43(1)) and, interestingly, unlawful entry into dwelling houses (section 48A).

Statutory approach in the Privacy Act

The regulatory approach adopted in the Privacy Act to protect personal information is principles-based rather than in the form of prescriptive legislation. This approach derives originally from proposals of the OECD in 1980 in eight Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Under the Privacy Act there are currently two sets of privacy principles.

  • The 11 Information Privacy Principles (IPPs), included in the original version of the Act. IPPs restrict the handling and collection of personal information by the Commonwealth public sector (generally referred to as “agencies” for the purposes of the Privacy Act – section 6(1)). The IPPs also apply to ACT agencies since the introduction of the Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (Cth). The IPPs require, among other things, that:
    • in particular cases, Government agencies have a lawful purpose, related to the functions or activities of the agencies, for collecting personal information
    • individuals are generally aware of that purpose
    • agencies ensure that information is relevant, up-to-date, and complete (including correcting information where necessary)
    • the information is stored securely, and
    • agencies seek an individual’s permission to use or disclose information for a purpose that is not directly related to the purpose for which it was collected.
  • The 10 National Privacy Principles (NPPs) introduced to the Act in 2000. The NPPs extended the application of the Act to health service providers and the private sector (generally referred to as “organisations” for the purposes of the Privacy Act – section 6C), and require that organisations collect personal information by lawful and fair means and not in an unreasonably intrusive manner.

The Act also established the Office of the Privacy Commissioner to oversee the implementation of the Privacy Act and, among other things, monitor the storage, collection and use of personal tax file numbers, audit the handling of personal information by agencies and investigate acts or practices that may breach the IPPs and the NPPs.

Key proposals for reform

Three hundred proposals for reform have been put forward for discussion in the Discussion Paper. In the interests of time today I will focus on only nine major proposals, namely:

  1. redefining the Privacy Act.
  2. redefining the privacy principles.
  3. ensuring national consistency in privacy laws.
  4. updating key definitions.
  5. reducing the number of exemptions in the Act.
  6. restructuring the Office of the Privacy Commissioner.
  7. data breach notifications.
  8. reform of the health information provisions of the Act.
  9. introduction of a statutory cause of action for invasion of privacy.

Other significant proposals include reform of the credit reporting provisions in Part IIIA of the Act, streamlining complaint handling procedures, a presumption of capacity, and reform of Part 13 of the Telecommunications Act 1997 (Cth). In light of the composition of the audience here today I do not intend to discuss these proposals in any detail, but refer for further detail to the Discussion Paper.

1. Redefining the Privacy Act

ALRC proposals in relation to this issue include the following:

1. Name and structure: in relation to the name of the Act, the ALRC has proposed that either the Act retain its current name, the Privacy Act, or, in the event that a statutory cause of action for invasion of privacy is not introduced, the Act be renamed the Privacy and Personal Information Act (the rationale for this proposal being that the current focus of the Act is on the protection of personal information rather than, for example, protection of personal or family privacy). Further, because the Act has been substantially amended on a number of occasions, the numbering and structuring of the Act has become confusing and difficult to navigate, and the Act should be simplified.

2. Objects clause: the Act should contain an objects clause, to assist the courts and others in interpreting the Act. The Commission noted that this is of particular importance in principles-based legislation (paragraph 3.86). The objects clause should include, among other things, that the objects of the Act include implementing Australia’s obligations at international law in relation to privacy, and promoting the protection of individual privacy.

3. Deceased persons: the Act does not protect the personal information of deceased individuals other than in relation to declared disasters and emergencies under Part VIA. (The aim of Part VIA is to enhance information exchange between Australian Government agencies, State and Territory authorities, organisations, non-government organisations, and others in emergencies and disasters.) In the Discussion Paper the ALRC noted that, while there was significant support among stakeholders for extending the Act to cover the personal information of deceased individuals, submissions and consultations did not indicate that there were widespread problems caused by the current lack of coverage. The ALRC considers that it is not appropriate to simply extend the definition of “personal information” in the Act to include the personal information of deceased individuals. Instead, the Commission considers that the Act should be amended to include a new Part setting out provisions dealing specifically with handling personal information of deceased individuals. The Commission considers that the new Part should apply ONLY to organisations, and to individuals who have been deceased for 30 years or less. In relation to agencies, access to personal information of deceased individuals should continue to be regulated by the FOI Act and the Archives Act 1983 (Cth). In relation to organisations, the ALRC proposes that organisations should be required to consider whether a proposed use or disclosure of the personal information of a deceased individual would involve an unreasonable use or disclosure of personal information about any person, including the deceased person (paragraph 3.225).

2. Redefining privacy principles

While the ALRC supports the current principles-based regulatory approach, the ALRC also considers that, in some areas, more prescriptive rules should be used, for example in the form of subordinate legislation or legislative instruments.

Further, the ALRC proposes that the distinction between IPPs and NPPs be dispensed with, and that Unified Privacy Principles (UPPs) be substituted, with exemptions clarified and grouped together in a separate part of the Act. Under the current regime, there are circumstances where an organisation or agency is subject to both the IPPs and the NPPs (one example was in respect of Australia Post, a business enterprise which is both an agency in respect of its non-commercial activities and an organisation in respect of its commercial activities). The ALRC considers that, at a minimum, the UPPs should cover the same aspects of privacy as currently covered by the IPPs and the NPPs, and more particularly that the drafting and structural model for the UPPs should be the NPPs (rather than the IPPs).

A potentially more prescriptive approach in some respects could be reflected in the UPPs, some of which could be fairly detailed (for example, in relation to use of personal information) while others could be more high-level.

3. Ensuring national consistency in privacy laws

It is clear that there is substantial multi-layering and fragmentation in relation to Australian privacy laws. Indeed, section 3 of the Privacy Act specifically states that it is not the intention of Parliament that the Act affect the operation of a law of a State or Territory that makes provision with respect to personal information and is capable of operating concurrently with the Act. Accordingly, a number of States and Territories have enacted privacy regimes; however, there is some inconsistency between these statutes inter se as well as inconsistency with the Privacy Act itself (e.g. in comparison with the privacy principles found under the State Acts).

The ALRC considers that national consistency is important and should be one of the goals of privacy regulation. Inconsistency and fragmentation in privacy regulation cause a number of problems including unjustified compliance burden and cost, and confusion about who to approach to make a privacy complaint. Further, the ALRC considers that a nationally consistent privacy regime would ensure that personal information will receive similar protection irrespective of who is handling it, or how it is recorded.

The Discussion Paper analyses possible constitutional heads of power for the Federal Government, and considers an alternative to national privacy legislation being a Commonwealth-State co-operative scheme. On balance, in the Discussion Paper the ALRC expressed the view that the most appropriate approach was:

  • In relation to the handling of personal information generally: the enactment of federal legislation to the exclusion of State and Territory privacy laws.
  • However, in relation to the handling of personal information in a State or Territory’s public sector, the ALRC considers that national consistency will be promoted if the Commonwealth, State and Territory governments enter into an intergovernmental agreement which provides that the States and Territories enact legislation regulating the handling of personal information in that State or Territory’s public sector. So, for example:
    • identical privacy principles should be adopted at Commonwealth, State and Territory levels, specifically the proposed UPPs and the proposed Privacy (Health Information) Regulations as in force under the Privacy Act from time to time
    • the definitions used in the Privacy Act should be used in the State and Territory legislation
    • the State and Territory legislation should provide for public interest determinations
    • the State and Territory legislation should include provisions relating to State and Territory incorporated bodies, including statutory corporations.

The ALRC also proposes that the Standing Committee of Attorneys-General (SCAG) constitute a permanent standing body to ensure national consistency in the regulation of personal information, in particular the approval of any changes to the UPPs or the Privacy (Health Information) Regulations, and that SCAG be assisted by an expert advisory committee.

However, the ALRC does not propose that the Privacy Commissioner regulate State and Territory public sectors. This has been opposed by a number of stakeholders for reasons including the impact on enforcement, and minimising the ability to conduct audits into privacy-sensitive acts and practices. In the Discussion Paper the ALRC states that there are advantages to having a number of agencies and bodies with responsibility for information privacy, including the pooling of resources, peer review, and the ability of individuals to approach a local regulator for advice and to make a complaint. The Commission has, however, proposed that the Privacy Commissioner be given power to delegate all or any of the complaint-handling powers conferred by the Privacy Act to State or Territory authorities, and that memoranda of understanding be entered into between the Privacy Commissioner and each of the bodies charged with responsibility for information privacy in Australia.

4. Updating key definitions

In the Discussion Paper the ALRC proposed updating the following key definitions:

“personal information” – This is a key definition because the privacy principles apply only to personal information. The current definition in section 6(1) is:

“information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from information or opinion.”

It is debatable whether the definition needs to deal with new technologies and methods of collecting information. There was some support for keeping the definition technologically neutral. It is also questionable whether the definition should include information that allows an individual to be contacted.

With respect to the definition, the ALRC considers that:

  • The reference in the definition to information or an opinion, whether true or not, and whether recorded or not, should remain unchanged.
  • Reference to the information being “about” an individual should remain unchanged.
  • The reference to the information “including information or an opinion forming part of a database” is unnecessary and should be deleted, because this is no longer an issue of uncertainty.
  • The words “an individual whose identity is apparent, or can reasonably be ascertained” should be amended and personal information should be defined as information about “an identified or reasonably identifiable individual.” These words are consistent with those used in the international arena (e.g. the OECD Guidelines and the EU Directive). The ALRC considers that an element of reasonableness is necessary. So, for example, a person is not “reasonably identifiable” if practically it is not possible for an agency to identify an individual from information it holds, because for logistical or legislative reasons, it cannot link its information with that held by another agency.
  • Information which simply allows an individual to be contacted, for example a phone number, street address or email address is not “personal information” within the proposed definition. The Commission observes in the paper that the Act is not intended to implement an unqualified “right to be let alone.” (paragraph 3.139).
  • The legislation should, overall, remain technologically neutral.

“sensitive information” – This is a type of personal information and is given a higher level of protection under the NPPs than under the IPPs (for example, it may only be collected with consent except in specified circumstances [NPP 2.1(a)], it cannot be used for direct marketing [NPP 2.1(c)], and it cannot be shared by related bodies corporate (section 13B of the Act)). It is defined as meaning information or an opinion about an individual’s:

  • racial or ethnic origin;
  • political opinions;
  • membership of a political association;
  • religious beliefs or affiliations;
  • philosophical beliefs;
  • membership of a professional or trade association;
  • membership of a trade union;
  • sexual preferences or practices;
  • criminal record;
  • health;
  • genetic information.

The ALRC notes that personal information can become more or less sensitive because of its context (for example, the names and addresses of subscribers to a news magazine would not generally be considered sensitive information, but the names and addresses of subscribers to some special interest magazines might be considered sensitive); however, on balance the ALRC considers that the definition of “sensitive information” should not be amended to include information made sensitive by context.

Financial information should not be included in the definition of sensitive information – in the Commission’s view, although it is sensitive in some respects and requires appropriate handling, it does not relate to the physical attributes or personal beliefs of the individual in the same way as other information currently defined as sensitive. Further, a third party may legitimately have an interest in an individual’s financial information, for example in relation to providing credit.

However, the ALRC does consider that certain biometric information should be included in the definition of sensitive information. Biometric technology involves the storage and use of unique personal information to verify an individual’s identity, for example fingerprints, DNA and iris patterns. The ALRC proposes that sensitive information only include biometric information collected for use in automated biometric authentication and identification systems, and biometric template information.

The ALRC also proposes that the UPPs dealing with sensitive information apply to both agencies and organisations, although the Commission also proposes to broaden the circumstances where sensitive information could be collected without consent to include collection “required or specifically authorised by or under law” to meet the concerns of agencies.

“record” – This is an important definition because the privacy legislation only applies to personal information that is held, or collected for inclusion, in a “record”. Section 6(1) of the Privacy Act defines “record” as:

  1. a document; or
  2. a database (however kept); or
  3. a photograph or other pictorial representation of a person;

but does not include:

  4. a generally available publication; or
  5. anything kept in a library, art gallery or museum for the purposes of reference, study or exhibition; or
  6. Commonwealth records as defined by subsection 3(1) of the Archives Act 1983 that are in the open access period for the purposes of that Act; or records (as defined in the Archives Act) in the custody of the Archives (as defined in that Act) in relation to which the Archives has entered into arrangements with a person other than a Commonwealth institution (as defined in that Act) providing for the extent to which the Archives or other persons are to have access to the records; or
  7. documents placed by or on behalf of a person (other than an agency) in the memorial collection within the meaning of the Australian War Memorial Act 1980; or
  8. letters or other articles in the course of transmission by post.

The Commission notes in the Discussion Paper that there appeared to be little concern about the exemptions to the definition. The Commission proposed, however, that the definition be amended to include a document or information stored in electronic or other forms.

5. Reducing the number of exemptions in the Act

The Discussion Paper deals in detail with exemptions from the Act, and observes in paragraph 30.1 that the Act contemplates:

  • Exemptions, which apply where a specified entity or a class of entity is not required to comply with the privacy principles that would otherwise be applicable to it (for example, small business operators).
  • Partial exemptions, where a specified entity or class of entity is required to comply with some of the privacy principles, or alternatively where a specified entity or class of entity is required to comply with some or all of the privacy principles but only in relation to certain activities (for example, the federal courts are only required to comply with the Act in relation to their administrative activities).
  • Exceptions, where a requirement in the privacy principles does not apply to any entity in a specified situation or in respect of certain conduct (for example, there is a general prohibition on an organisation using or disclosing personal information for a secondary purpose; an exception to this prohibition is where an individual gives consent).

In the public sector context, agencies including the Australian Crime Commission, royal commissions and the intelligence agencies are completely exempt from compliance with the Act. In the private sector, entities specifically excluded from the definition of “organisation” and therefore exempt from compliance with the NPPs include small business operators, registered political parties, State and Territory authorities and prescribed State and Territory instrumentalities. The Discussion Paper at paragraph 30.43 notes that it has been estimated that approximately 94% of businesses may therefore be exempt from the private sector provisions of the Act.

The analysis of exemptions in the Discussion Paper is too extensive to attempt to summarise in this paper. Key proposals include the following:

  • Intelligence agencies: while acknowledging that many of the requirements under the privacy principles would be incompatible with the functions of the intelligence agencies, the ALRC considers that, for example, the privacy rules and guidelines applicable to the intelligence agencies should be updated to include consistent rules and guidelines relating to incidents involving the incorrect use and disclosure of personal information, the accuracy of personal information, and the storage and security of personal information.
  • Commonwealth government departments: the ALRC cannot identify policy justifications for the exemption of the parliamentary departments from the Privacy Act, and proposes that the rationale for exempting (or partially exempting) departments be clarified in the Act.
  • State and Territory authorities and instrumentalities, and statutory corporations: State and Territory authorities fall outside the definition of an “agency” and are specifically excluded from the definition of “organisation” under the Act (sections 6(1) and 6C). State and Territory statutory corporations are similarly excluded: section 6C(3)(c). State and Territory instrumentalities – including companies, societies or associations under the Corporations Act 2001 (Cth) – fall outside the definition of “agency” but are considered “organisations” and therefore subject to the private sector provisions of the Act. The ALRC notes the inconsistent coverage of State and Territory authorities under State and Territory laws. The Discussion Paper proposes that the States and Territories enact legislation applying the proposed UPPs and the proposed Privacy (Health Information) Regulations to the State and Territory public sector agencies. Further, the Commission considers that the exemption of State-owned statutory corporations from the Privacy Act is not justified where they are in competition with organisations, and proposes that the Act should be amended to apply to such bodies.
  • Small business: the ALRC does not consider that an exemption for small business is necessary or justifiable. Small businesses are defined as those businesses the annual turnover of which in the previous financial year was $3 million or less: section 6D. The cost of compliance alone is not a sufficient policy basis to support the exemption; further, there is no comparable overseas jurisdiction which has a similar exemption. The Commission notes that the risks to privacy posed by small businesses are determined by the amount and nature of personal information held, rather than by the size of the business (for example, some small businesses such as internet service providers and debt collectors hold large amounts of personal information). The costs of compliance can be reduced if the Act is amended to reduce its current complexity. Accordingly, the ALRC proposes that this exemption be removed.
  • Other exemptions: in summary, the ALRC considers that a number of current exemptions, such as those relating to registered political parties and employee records, be removed subject to specific qualifications.

6. Restructuring the Office of the Privacy Commissioner

In summary the ALRC proposes that the Office of the Privacy Commissioner be renamed, restructured, and given increased powers. In particular, the ALRC proposes that the office be renamed “Australian Privacy Commission” and that, for example, the number of statutory appointments to the office be expanded, including through the appointment of one or more Deputy Privacy Commissioners.

Under the Act the powers of the Privacy Commissioner currently include:

  • oversight powers with respect to the operation of the Act including advice to Ministers, providing research and monitoring of technological developments, and conducting education.
  • power to issue non-binding guidelines to assist agencies and organisations to avoid acts or practices that may interfere with the privacy of individuals; and binding guidelines pursuant to section 17 of the Act with respect to tax file number information, and in relation to NHMRC guidelines concerning medical research and genetic information under sections 95, 95A and 95AA of the Act.
  • power to investigate an act or practice of an agency or an organisation that may breach an IPP and, where the Commissioner considers it appropriate to do so, to endeavour, by conciliation, to effect a settlement of the matters that gave rise to the investigation.
  • audit powers in relation to agencies generally, and in relation to organisations under functions associated with the tax file number and credit reporting provisions.
  • investigative powers concerning complaints of a breach of the IPPs and the NPPs.
  • enforcement powers including prescription of remedies for non-compliance with the Act.

ALRC proposals in relation to the powers of the Privacy Commissioner include the following:

  • The ALRC considers that issuing guidance is an important part of regulating the regime, and proposes that the Act be amended to clarify distinctions between guidance and rules.
  • The Commission considers that the Privacy Commissioner should have the power to direct the preparation of a Privacy Impact Assessment by both agencies and organisations in circumstances where the Privacy Commissioner considers that a new project is likely to have a significant impact on the handling of personal information, and that the Privacy Commissioner should produce a Privacy Impact Assessment guide tailored to the needs of organisations.
  • In respect of the audit powers of the Privacy Commissioner, the view of the ALRC is that the real value of such powers lies in their proactive nature, and in that they encourage organisations to take compliance with the privacy principles seriously. Accordingly, the ALRC considers that the Privacy Commissioner should have power to spot-audit levels of compliance in organisations more generally, as currently applies in relation to agencies.
  • The ALRC has proposed that the Act be amended to allow the Privacy Commissioner to request the development of a code and to develop and impose binding privacy codes in addition to the proposed UPPs where the industry does not develop a code itself (one example given in the Discussion Paper is the residential tenancy database industry, where there has been a high level of complaints). The ALRC considers that an appropriate model for a binding code power is in the Telecommunications Act 1997 (Cth).
  • In relation to investigation of complaints, the ALRC does not propose any reform to the requirement that complainants first complain to the relevant respondent. Further, the Discussion Paper proposes that the power of the Privacy Commissioner not to investigate a complaint be clarified to include, for example, stale complaints or where a complaint is being handled by an approved external dispute resolution scheme. In order to facilitate transparency in relation to the complaints procedure, the Discussion Paper proposes that the Privacy Commissioner prepare and publish a document setting out its complaint-handling policies and procedures. Perhaps controversially, the Paper also proposes that section 46(1) of the Act be amended to empower the Privacy Commissioner to compel parties to a complaint, and any other relevant person, to attend a compulsory conference.
  • In relation to enforcement, the ALRC proposes that the Privacy Commissioner have power to enforce remedies following an own-motion investigation by the Privacy Commissioner, for example in the form of a notice to comply to an agency or organisation. This power currently does not exist in the absence of a willing complainant or co-operative respondent. Further, the ALRC recommended that the range of remedies available to enforce rights and obligations under the Act be enhanced, in particular by empowering the Courts to impose a civil penalty where there has been serious or repeated interference with the privacy of an individual.

7. Data breach notification

Paragraph 47.1 of the Discussion Paper explains that data breach notification is essentially a legal requirement on agencies and organisations to notify individuals when a breach of security leads to disclosure of personal information. Section 14 of the Privacy Act requires that agencies and organisations take reasonable steps to maintain the security of the personal information they hold; beyond that, neither the IPPs nor the NPPs impose an obligation on agencies and organisations to notify individuals whose personal information has been compromised.

The model for legislative provisions requiring notification of individuals in the event of a data breach is California, which was the first US state to require the reporting of data breaches involving personal information. Rationales for requiring legislative intervention include:

  • concerns about identity theft;
  • the potential cost of notification is a deterrent to voluntary notification of individuals by market operators;
  • an increasing number of data breaches;
  • requiring notification motivates market operators to take adequate steps in the first place to secure data.

The ALRC proposes that the Privacy Act should be amended to include a new Part on data breach notification. This Part would require both agencies and organisations to notify the Privacy Commissioner and affected individuals when:

  1. specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person; and
  2. the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.

The ALRC also proposes that failure to notify the Privacy Commissioner in such circumstances could attract a civil penalty.

8. Reform of the health information provisions of the Act

In relation to health information, a key ALRC proposal is that privacy principles and exceptions dealing specifically with the handling of health information be set out in proposed Privacy (Health Information) Regulations. The rationale for segregation of provisions dealing specifically with health is that, for agencies and organisations that do not handle health information, it is important to keep the UPPs shorter and more accessible (paragraph 57.76). The ALRC proposes that these new regulations include:

  • Existing privacy principles and exceptions dealing with handling of health information.
  • A provision permitting collection of health information about family members and other third parties without consent when the collection of the third party’s information into a health consumer’s social, family or medical history is both relevant, and necessary to enable health service providers to provide a health service directly to the consumer. These principles are currently found in two public interest determinations of the Privacy Commissioner made October 2002 (paragraph 57.79). Genetic samples would not be contemplated by this provision.
  • A provision that, if an organisation denies an individual access to his or her own health information on the ground that providing access would be reasonably likely to pose a serious threat to the life or health of any individual, then inter alia the organisation must provide access to the health information to a registered medical practitioner nominated by the individual.
  • A provision that a health service provider must transfer the individual’s health information to another health service provider if requested by the individual.
  • Express provision for the collection, use and disclosure of health information without consent where necessary for the funding, management, planning, monitoring, improvement or evaluation of a health service in strictly defined circumstances (paragraph 57.227).

9. Statutory cause of action for breach of privacy

Traditionally in Australia there was no such cause of action, although in the Queensland District Court decision Grosse v Purvis (2003) Aust Torts Reports 81-706 and the Victorian County Court decision Doe v ABC [2007] VCC 113 the defendants were both found liable in tort for invasion of privacy. The tort of invasion of privacy was recognised by the New Zealand Court of Appeal in Hosking v Runting [2005] 1 NZLR 1.

The majority of submissions to the ALRC prior to the Discussion Paper supported recognition of a cause of action for breach of privacy, although a significant minority had serious reservations.

The ALRC proposes a statutory cause of action for breach of privacy, including a non-exhaustive list of acts or conduct which would constitute invasion of privacy. Such acts would include an interference with an individual’s home or family life, subjecting an individual to unauthorised surveillance, interference with an individual’s correspondence or private written, oral or electronic communications, or disclosing sensitive facts relating to an individual’s private life.

In the ALRC’s view this would not include, for example, an unlawful attack on a person’s honour and reputation – this falls more appropriately within the scope of defamation law. The ALRC considers that, in determining what is considered “private” for the purpose of establishing liability under a statutory cause of action, there must be both:

  • a reasonable expectation of privacy in all the circumstances; and
  • an act complained of that satisfies an objective test of seriousness. The ALRC notes that an appropriate test of seriousness may be where the act complained of is, in all the circumstances, sufficiently serious to cause substantial offence to a person of ordinary sensibilities (paragraph 5.80).

The Discussion Paper also contemplates, however, that consent to the conduct which allegedly gave rise to a breach of privacy would be an answer to a cause of action. Further, the Discussion Paper proposes that any legislation should provide for defences including, for example, public interest, fair comment, privilege, act or conduct authorised or required by or under law, and act or conduct incidental to the exercise of a lawful right of defence of person or property.

Conclusion

Developing technologies and changing community attitudes are but two factors which impinge on the ability of individuals to maintain privacy in 2008. Privacy is clearly an issue upon which strong views proliferate in the community – the list of submissions in Appendix 1 to the Discussion Paper, reflective of the number of interested stakeholders, runs to almost thirty pages. As I indicated at the beginning of this paper, the points I have raised throughout this paper merely skim the surface of what is a detailed review of a complex issue, and reference should be made to the complete ALRC Discussion Paper for further information.

I also note that any last-minute feedback in relation to the Discussion Paper from those of you who are here today is welcome. It is very much the eleventh hour, but not too late for me to hear and pass on any views to the Commission. I now invite questions and/or comments from the floor.