Organisation of this Report

1.94 This Report is divided into 11 parts and 74 chapters. The size of the Report reflects the breadth and complexity of this area of law. The structure adopted in this Report is designed to enable those with an interest in a particular area to refer directly to the part of the Report that deals with that area. Through reference to the Contents, part headings, chapter titles and index, relevant information can be found quickly.

1.95 The key findings and recommendations in this Report are summarised in the preceding Executive Summary. For ease of reference, a brief description of the material covered in each part follows below.

Part A–Introduction

1.96 Part A deals with introductory matters, the definition of the word ‘privacy’, an overview of privacy regulation in Australia and of the Privacy Act. Models for achieving national consistency, the regulatory model underpinning the recommendations in this Report, privacy beyond the individual—in particular Indigenous groups—and privacy of deceased individuals, are also discussed.

Part B–Developing Technology

1.97 Part B considers the impact on privacy of rapid advances in information, communication, storage, surveillance and other relevant technologies, and considers how best to accommodate developing technology in a regulatory framework. The impact of the internet, including how the internet has changed the nature of a ‘public’ space, and the prevalence of identity theft in an electronic environment, are also considered.

Part C–Interaction, Inconsistency and Fragmentation

1.98 Part C considers how the Privacy Act interacts with other federal, state and territory laws, and identifies areas of fragmentation and inconsistency in the regulation of personal information.

Part D–The Privacy Principles

1.99 Part D outlines the recommended reform of the privacy principles in the Privacy Act. Chapter 18 discusses the operation of the existing IPPs and NPPs, and focuses on how the structure of the privacy principles should be reformed. Chapter 19 considers the issue of consent as it applies to the privacy principles. Thereafter, the chapters are arranged thematically according to the 11 model Unified Privacy Principles (UPPs). In each chapter, there is a brief explanation of how the IPPs and NPPs currently apply, followed by recommendations for reform of the specific principle. A draft of the model UPPs, which is intended to illustrate for the statutory drafters the ALRC’s approach to reform of the principles, is set out at the beginning of this Report.

Part E–Exemptions

1.100 In Part E, exemptions and partial exemptions to the Privacy Act are discussed.[101] Of particular note are the ALRC’s recommendations to remove the exemptions for small business, employee records, political parties and political acts and practices.

Part F–Office of the Privacy Commissioner

1.101 Part F provides an overview of the Privacy Commissioner’s powers and examines the accountability mechanisms to which the Commissioner is subject under the Privacy Act. The Privacy Commissioner’s functions of overseeing and monitoring compliance with the Privacy Act are considered; and the Commissioner’s powers to issue Public Interest Determinations are discussed. Part F also includes recommendations for streamlining and increasing the effectiveness of complaint handling under the Privacy Act, and for the introduction of data breach notification provisions.

Part G–Credit Reporting Provisions

1.102 Part G examines the credit reporting provisions contained in Part IIIA of the Privacy Act. The legislative history of these provisions is outlined, followed by a discussion of the ALRC’s recommendations for a system of more comprehensive credit reporting. This part also addresses specific aspects of the credit reporting system, such as collection, use and disclosure of credit reporting information, data quality and security, and rights of access, complaint handling and penalties.

Part H–Health Services and Research

1.103 Part H considers health information and research, including the need for greater national consistency in health privacy regulation as well as nationwide developments in relation to electronic health information systems. Relevant definitions—such as the definitions of ‘health information’ and ‘health service’—and the additions and exceptions in the privacy principles that relate specifically to health information, are considered. The use of health information in the health services context, including the provision of health care and the management, funding and monitoring of health services, is also discussed. The special arrangements in place under the Privacy Act to allow for the use of personal information in health and medical research are examined, and a recommendation is made to extend these arrangements to include the use of personal information in areas of human research more generally.

Part I–Children, Young People and Adults Requiring Assistance

1.104 Part I focuses on children, young people and adults requiring assistance. The attitudes to privacy of children and young people are considered, and major challenges, such as online privacy and the taking and uploading of photographs, are discussed. The issue of decision making by individuals under the age of 18 is explored, and recommendations are made concerning the age of presumed capacity, consent, and handling of personal information of persons under the age of 18. A recommendation to introduce into the Privacy Act the concept of ‘nominee’ is made, and other issues concerning third party assistance with decision making are discussed.

Part J–Telecommunications

1.105 The focus of Part J is on telecommunications, and in particular the interaction between Part 13 of the Telecommunications Act 1997 (Cth) and the Privacy Act. Whether telecommunications-specific privacy legislation is required, and whether Part 13 provides adequate protection of personal information, is explored. The role of the OPC and the Australian Communications and Media Authority under the Telecommunications Act also is considered. The interaction between the Telecommunications Act and other legislation—in particular the Spam Act 2003 (Cth), Do Not Call Register Act 2006 (Cth) and the Telecommunications (Interception and Access) Act 1979 (Cth)—is discussed.

Part K–Protection of a Right to Personal Privacy

1.106 Part K addresses the protection of a right to personal privacy. This part includes a discussion of developments towards recognising a right to personal privacy in Australia, and the ALRC’s recommendation for a statutory cause of action for a serious invasion of privacy.

[101] An exemption applies where a specified entity or a class of entity is not required to comply with any requirements in the Privacy Act. A partial exemption applies where a specified entity or a class of entity is required to comply with either: some, but not all, of the provisions of the Privacy Act; or some or all of the provisions of the Privacy Act, but only in relation to certain of its activities.