Media Briefing – Simplifying and harmonising privacy law and practice

11 August 2008, Privacy Inquiry

A consolidated set of privacy principles

The Privacy Act provides different sets of Privacy Principles for the handling of personal information by government agencies and by private sector organisations. Contractors to the Australian Government, government business enterprises, and those involved in public-private partnerships may be bound to comply with both sets of principles.

ALRC President, Professor David Weisbrot, said “Individuals, businesses and government are concerned about the complexity, confusion and increased compliance costs resulting from the two sets of similar but inconsistent sets of privacy principles in the Privacy Act.

“There was overwhelming support for streamlining the principles. We recommend a consolidation of those principles to apply to both the public and private sectors, namely the principles covering: Anonymity and Pseudonymity, Collection, Notification, Openness, Use and Disclosure, Data Quality, Data Security, Access and Correction, and Cross-Border Data Flows. Some principles—such as those relating to direct marketing and identifiers—should remain only applicable to the private sector.

“Having a single set of principles will greatly ease the compliance burden, make it simpler for people to understand their rights, and foster needed national and international consistency in privacy regulation. In fact, this is probably the most important contribution we can make to the reform of Australian privacy laws.”

Commissioner in charge of the Privacy Inquiry, Professor Les McCrimmon, said that the ALRC adopted a pragmatic approach to privacy regulation. “We have drawn on the existing system of principles-based legislation, recognising that principles can be flexible, high-level and allow for a greater degree of ‘future-proofing’. In order to meet the exigencies of particularly important or challenging areas of privacy protection, however, we have recommended a rules-based approach in the form of regulations and industry codes in specified contexts, such as health privacy and credit reporting.”

Towards national consistency

The complexity of privacy regulation is compounded by the fact that each state and territory also has laws or administrative guidelines governing the handling of personal information. This creates confusion for individual consumers, who cannot always be expected to know whether an agency is a federal, state or territory body, or where to go for guidance on which privacy laws apply, or where to take concerns and complaints. It also creates increased compliance costs and confusion for organisations and agencies endeavouring to fulfil their obligations under the law.

Professor Weisbrot said “The current system leads to ludicrous outcomes. The same piece of personal information may be subject to two or more conflicting or different privacy laws at the same time. For example, the ALRC was told that some businesses have to comply with two sets of federal privacy principles as well as multiple sets of state privacy principles.

“To address these problems, the ALRC recommends that the Privacy Act should apply to the federal public sector and the whole of the private sector—to the exclusion of state and territory privacy laws.”

Professor McCrimmon said “In the interests of promoting national consistency and regulatory simplicity, the ALRC further recommends that states and territories should adopt the federal privacy principles and other key provisions of the Privacy Act, through an intergovernmental cooperative scheme.”

For Your Information: Australian Privacy Law and Practice (ALRC 108, 2008) is available electronically from the ALRC website, www.alrc.gov.au. For more information about the structural reform of the privacy principles and the substance of each of the privacy principles, see Part D of the Report. For more on regulatory models, see Chapter 4; for more on achieving national consistency, see Part C of the Report.