An intergovernmental agreement

A cooperative scheme: Discussion Paper proposals

3.92 In DP 72, the ALRC expressed the view that national consistency will be promoted if the federal, state and territory governments enter into an intergovernmental agreement in relation to the handling of personal information. The ALRC proposed that the intergovernmental agreement should establish an intergovernmental cooperative scheme. The scheme would provide that the states and territories should enact legislation that regulates the handling of personal information in the state and territory public sectors.[114]

3.93 The ALRC noted that a number of stakeholders supported the establishment of a cooperative scheme.[115] For example, the OPC submitted that ensuring that privacy protections in state and territory jurisdictions are consistent with, and at least equivalent to, the Privacy Act would help to ensure national consistency. It stated that a cooperative scheme was the best way to introduce uniform privacy principles across federal, state and territory public sectors.[116]

3.94 A major cause of inconsistency in Australian privacy laws is that the Privacy Act and state and territory privacy laws include similar, but not identical, privacy principles. The ALRC expressed the view that the most effective method of dealing with these inconsistencies was the adoption of identical privacy principles at the federal, and state and territory level. Noting the success of complementary applied law schemes in achieving national consistency, the ALRC proposed that state and territory legislation should apply the UPPs and the Privacy (Health Information) Regulations as in force under the Privacy Act from time to time.[117]

3.95 The ALRC also proposed that state and territory privacy legislation should apply other key elements of the Privacy Act. The ALRC proposed that state and territory privacy laws include, at a minimum:

  • relevant definitions used in the Privacy Act (including ‘personal information’, ‘sensitive information’ and ‘health information’);
  • provisions allowing public interest determinations (PIDs) and temporary public interest determinations (temporary PIDs);
  • provisions relating to state and territory incorporated bodies (including statutory corporations);
  • provisions relating to state and territory government contracts; and
  • provisions relating to data breach notification.[118]

3.96 In addition, the ALRC proposed that this legislation should provide for the resolution of complaints by state and territory privacy regulators and agencies with responsibility for privacy regulation in a state or territory’s public sector.[119] This aspect of the proposal is dealt with separately below.

Submissions and consultations

3.97 Many stakeholders were supportive of the ALRC’s proposal for a cooperative scheme.[120] The Australian Taxation Office noted that the proposal would reduce confusion, and increase continuity and confidence for the community.[121] PIAC supported the proposal, in particular the coverage of state-owned corporations and state government contractors, and the retention of state and territory privacy regulators.[122] The School of Public Health at the University of Sydney was particularly supportive of the adoption of relevant definitions used in the Privacy Act.[123]

3.98 Some state bodies with responsibility for the regulation of privacy in state public sectors also supported the proposal. For example, the Health Services Commissioner Victoria supported an ‘applied law’ model for achieving national consistency in the privacy principles.[124] The OVPC noted that the proposal would result in increased powers and jurisdiction for the OVPC, particularly in relation to PIDs and data breach notification.[125]

3.99 The Government of South Australia noted that, in South Australia, information privacy is regulated by an administrative instruction, not legislation. It submitted that some of the benefits of privacy legislation include the establishment of direct penalties; improved consistency between regimes; the establishment of an independent regulator with powers of investigation; improved fairness across sectoral boundaries for the management of complaints and appeals; and widening the scope of application to include local government and universities. It noted that the ALRC has not considered the benefits of an administrative instruction as opposed to a legislated instrument—in particular, the limits on the flexibility of legislation and resourcing for the management of complaints and appeals.[126]

3.100 The OPC supported the ALRC’s proposal, but noted that its preferred model of health privacy law reform is to incorporate a discrete number of specific provisions in the privacy principles themselves, rather than to create a separate regulatory instrument.[127] The OPC also submitted that, while the adoption of the UPPs and the same definitions is fundamental to consistency, the other elements in the proposal, while desirable, are not crucial to consistency. The OPC was concerned that achieving agreement on those elements could hold up agreement on the UPPs and definitions. The OPC also noted that the cooperative scheme procedures may, in practice, introduce complexities that may work against achieving national consistency.[128]

3.101 The NHMRC was concerned that, if the scheme is implemented, it will be difficult to ensure consistent and sustained compliance by all states and territories. The NHMRC also noted that most public health services in Australia are operated by state and territory governments directly, but in Victoria almost all public health services are incorporated state-owned bodies with independent boards of governance. The NHMRC submitted that it will be essential to ensure that state and territory legislation applies uniformly to public health services in all jurisdictions, regardless of their legal structure.

3.102 The NHMRC also noted that the issuing of PIDs and temporary PIDs by individual jurisdictions may result in different compliance obligations which may, over time, impact on the consistency of the regulatory regime nationally. The NHMRC strongly prefers a regulatory regime which provides for the uniform adoption in all jurisdictions of PIDs and temporary PIDs that impact on the health care and health and medical research sectors, following an appropriate process of inter-jurisdictional consultation.[129]

3.103 Other stakeholders did not agree with the ALRC’s proposals for a cooperative scheme. The Australian Direct Marketing Association submitted that the best way to establish national consistency would be the development of harmonised legislation through the Council of Australian Governments (COAG) and the Standing Committee of Attorneys-General (SCAG) processes, or the use of the Commonwealth’s constitutional head of power to extend the Privacy Act to ‘cover the field’.[130]

ALRC’s view

3.104 National consistency will be promoted if the federal, state and territory governments enter into an intergovernmental agreement in relation to the handling of personal information. The intergovernmental agreement should establish an intergovernmental cooperative scheme that provides that the states and territories should enact legislation that regulates the handling of personal information in the state and territory public sectors.

3.105 The most effective method of dealing with inconsistencies between privacy principles at the federal, state and territory level is to apply key elements of the Privacy Act across the jurisdictions. These elements are:

  • the model UPPs and any regulations that modify the application of the UPPs (for example, the Privacy (Health Information) Regulations) as in force under the Privacy Act; and
  • relevant definitions used in the Privacy Act (including ‘personal information’, ‘sensitive information’ and ‘health information’).

3.106 It is important to note that not all the UPPs should be applied in state and territory legislation regulating the handling of personal information in state and territory public sectors. Some of the UPPs will not be relevant to state and territory public sectors, for example UPPs—such as UPP 6 (the ‘Direct Marketing’ principle)—that only apply to organisations. Further, rules relating to access and correction of personal information will need to interact with state and territory freedom of information and archives legislation. Other principles will require minor modifications to make them relevant in the context of state and territory public sectors.

3.107 The various problems caused by the use of inconsistent terms and definitions across federal information laws are outlined in Chapter 17. As noted in Chapter 17, definitions of key terms used in state and territory privacy laws generally conform to those used under the Privacy Act. There are however some differences. Relevant definitions of key terms used in the Privacy Act (including ‘personal information’, ‘sensitive information’ and ‘health information’) should be applied in state and territory laws that regulate the handling of personal information in the public sector.[131]

3.108 To promote and maintain uniformity, the ALRC recommends that the Standing Committee of Attorneys-General should adopt an intergovernmental agreement which provides that any proposed changes to key elements must be approved by an intergovernmental ministerial council.[132]

3.109 State and territory privacy laws should also include, at a minimum, a number of other important elements of the Privacy Act. While these provisions should be as consistent as possible to promote national consistency, absolute uniformity is not essential. The provisions are those:

  • allowing PIDs and temporary PIDs;
  • regulating state and territory incorporated bodies (including statutory corporations);
  • regulating state and territory government contracts;
  • regulating data breach notification; and
  • regulating decision making by individuals under the age of 18.

3.110 To promote consistency, the ALRC has suggested below that the intergovernmental agreement could provide for a procedure that requires the states and territories to consult before amending these provisions in their own privacy legislation.

3.111 Each of these provisions is the subject of recommendations in another chapter of this Report. For example, Chapter 14 examines how inconsistency in federal, state and territory privacy law acts as an impediment to appropriate information sharing across state borders. Rather than preventing appropriate information sharing, privacy laws and regulators should encourage public sector agencies and private sector organisations to design information sharing schemes that comply with privacy laws. An effective way to facilitate information sharing between Australian Government agencies, state and territory agencies and the private sector is the adoption of the Privacy Act provisions that allow PIDs and temporary PIDs in state and territory laws regulating the public sectors.

3.112 Inconsistencies between the Privacy Act and state and territory privacy laws have resulted in regulatory gaps in relation to state and territory incorporated bodies (including statutory corporations) in some jurisdictions.[133] It is essential to ensure that state and territory legislation applies uniformly to public health services in all jurisdictions, regardless of their legal structure. State and territory laws that regulate the handling of personal information in the state and territory public sectors should, therefore, include provisions relating to state and territory incorporated bodies (including statutory corporations).

3.113 In Chapter 14, the ALRC notes that some state and territory privacy regimes require organisations that provide contracted services to a state or territory government agency to be bound by the relevant state or territory privacy principles for the purposes of the contract. Other state regimes provide that compliance with the state privacy regime is subject to any outsourcing arrangements, or are silent on this issue. A number of concerns were raised by stakeholders that organisations that contracted with state governments, in particular, small businesses, remain unregulated by privacy legislation. The ALRC therefore recommends that state and territory legislation regulating the handling of personal information in a state or territory’s public sector should include provisions relating to state and territory government contracts.

3.114 In Chapter 51, the ALRC recommends the adoption of a data breach notification requirement. An agency (including a state or territory agency) should be required to notify the relevant regulator and any affected individual when a data breach poses a real risk of serious harm to any affected individual.[134] The ALRC notes the various benefits of this requirement, and the problems caused by an inconsistent approach to this requirement in the United States.[135] In the ALRC’s view, a data breach notification requirement, based on the requirement under the Privacy Act, should be included in all state and territory legislation that regulates the handling of personal information.

3.115 In Chapter 68, the ALRC recommends that the Privacy Act be amended to make provision for determining who can make a decision on behalf of an individual under the age of 18.[136] The recommendation requires an assessment of capacity to be made, and where it is not practicable to make an assessment, apply a presumption that an individual aged 15 or over has capacity. Where an individual under the age of 18 is assessed or presumed as having capacity, he or she may make decisions under the Privacy Act.

3.116 The determination of capacity differs across jurisdictions and between legislative schemes. Provisions relating to determining decision-making capacity in relation to decisions regarding personal information should be the same when an individual is dealing with an organisation, or a federal, state or territory agency. State and territory privacy laws should include provisions regulating decision making by individuals under the age of 18, based on the recommended provisions in the Privacy Act.[137]

3.117 There are advantages in having a number of agencies and bodies with responsibility for information privacy. In Chapter 17, the ALRC recommends that state and territory privacy legislation should provide for the resolution of complaints by state and territory privacy regulators and agencies with responsibility for privacy regulation in a state or territory’s public sector.

3.118 The ALRC has recommended in Chapter 17 that the OPC and state and territory privacy regulators and agencies with responsibility for privacy regulation should develop and publish memoranda of understanding.[138] The issuing of PIDs and temporary PIDs by individual jurisdictions may impact on the national consistency of the regulatory regime. These memoranda of understanding should set out a process for consultation between the relevant privacy regulators and agencies when issuing PIDs and temporary PIDs, and in other circumstances such as when issuing codes and when developing and publishing joint guidance.

Recommendation 3-4 The Australian Government and state and territory governments, should develop and adopt an intergovernmental agreement in relation to the handling of personal information. This agreement should establish an intergovernmental cooperative scheme that provides that the states and territories should enact legislation regulating the handling of personal information in the state and territory public sectors that:

(a) applies the model Unified Privacy Principles (UPPs), any relevant regulations that modify the application of the UPPs and relevant definitions used in the Privacy Act as in force from time to time; and

(b) contains provisions that are consistent with the Privacy Act, including at a minimum provisions:

(i) allowing Public Interest Determinations and Temporary Public Interest Determinations;

(ii) regulating state and territory incorporated bodies (including statutory corporations);

(iii) regulating state and territory government contracts;

(iv) regulating data breach notification; and

(v) regulating decision making by individuals under the age of 18.

A ministerial council

3.119 The OPC Review suggested that, if national consistency is to be achieved, there needs to be greater cooperation between the Australian and state and territory governments in developing legislation that has privacy implications.[139]

3.120 One option for consideration is the establishment of a permanent standing body to ensure national consistency in the regulation of personal information. Such a proposal raises a number of issues including: the membership of such a body, its functions and powers, reporting requirements, ministerial responsibility, and resourcing.

3.121 In DP 72, the ALRC considered a number of options for reform, including broadening the membership and functions of the Privacy Advisory Committee established under the Privacy Act.[140] The ALRC also considered a ministerial council to perform such a function. A ministerial council is generally made up of relevant ministers from the Australian Government and the states and territories who meet to discuss matters of mutual interest.

3.122 COAG is the peak intergovernmental forum in Australia. COAG comprises the Prime Minister, state premiers, territory chief ministers and the President of the Australian Local Government Association (ALGA). The COAG Secretariat is located within the Department of the Prime Minister and Cabinet. The role of COAG is to initiate, develop and monitor the implementation of policy reforms that are of national significance and which require cooperative action by Australian governments.

3.123 SCAG is a national ministerial council. Its members are the Australian Attorney-General and Minister for Justice and Customs, the state and territory attorneys-general and the New Zealand Attorney-General. Norfolk Island has observer status at SCAG meetings. SCAG seeks to achieve uniform or harmonised action within the portfolio responsibilities of its members. The types of issues that SCAG considers can be quite varied. An item is likely to be appropriate for SCAG if it:

  • requires joint action from the Australian, state and territory governments;
  • involves the development of model or uniform model legislation; or
  • is of relevance to attorneys-general.[141]

3.124 SCAG has considered privacy issues related to residential tenancy databases,[142] and is currently working on workplace privacy.[143] SCAG also has oversight of a cooperative scheme—the National Classification Scheme for film and video and for printed material. The Intergovernmental Agreement on Censorship requires that certain changes to the National Classification Scheme must be considered and agreed to by all SCAG ministers.

3.125 Another example of a ministerial council model is the Gene Technology Ministerial Council (GTMC). The GTMC oversees the implementation of the Gene Technology Act 2000 (Cth) and the operation of the Gene Technology Regulator. The GTMC was established by an intergovernmental agreement between the Australian Government and all state and territory governments. The intergovernmental agreement also commits state and territory governments to enact corresponding state and territory legislation.[144]

3.126 The functions conferred upon the GTMC by the intergovernmental agreement include: issuing policy principles, policy guidelines and codes of practice to govern the activities of the Regulator and the operation of the scheme; approving the appointment (and, if necessary, the dismissal) of the Regulator; and considering and, if thought appropriate, agreeing on proposed changes to the scheme.[145] The GTMC is supported by the Gene Technology Standing Committee comprised of senior Australian Government and state and territory department officials, and the Regulator is supported by the Office of the Gene Technology Regulator.

3.127 In DP 72, the ALRC proposed that, to promote and maintain uniformity, SCAG should adopt an intergovernmental agreement which provides that any proposed changes to the:

  • UPPs must be approved by SCAG; and
  • Privacy (Health Information) Regulations must be approved by SCAG, in consultation with the Australian Health Ministers’ Advisory Council (AHMAC).

3.128 The agreement should provide for a procedure whereby the party proposing a change requiring approval must give notice in writing to the other parties to the agreement, and the proposed amendment must be considered and approved by SCAG before being implemented.[146]

Submissions

3.129 Many stakeholders supported the ALRC’s proposal that SCAG have the role of overseeing national consistency in the regulation of personal information.[147] Some stakeholders submitted, however, that COAG would be the most appropriate body following the new Australian Government administrative arrangements.[148] It was also noted that COAG would be an appropriate forum, given the involvement of the significant privacy stakeholder group, the ALGA.[149]

3.130 The OPC suggested that any proposed changes to the Privacy (Health Information) Regulations be approved by SCAG in consultation with the Australian Health Ministers’ Conference, comprising the health ministers of all Australian jurisdictions, rather than AHMAC, as proposed by the ALRC. The OPC also suggested that the agreement could establish a consultative process when states and territories propose to amend their own privacy regulation.[150]

3.131 Other stakeholders did not support the proposal.[151] For example, the Queensland Government preferred a national standing committee of privacy representatives selected by constituent governments to assess and endorse proposals for future reform and amendment of the privacy principles.[152] The OVPC submitted that there is some merit in the creation of a permanent standing body comprising all jurisdictions’ privacy commissioners to consider and promote national consistency, information sharing between regulators, cooperative arrangements for enforcement, and enhanced legislative scrutiny of bills that may impact adversely on privacy.[153]

3.132 The Australian Privacy Foundation did not support the establishment of a permanent standing body on privacy. The Foundation submitted that such bodies have ‘delayed or buried privacy issues in the past’.[154]

ALRC’s view

3.133 A permanent standing body would assist in maintaining national consistency in the regulation of personal information. As noted above, national consistency will be promoted if the federal, state and territory governments enter into an intergovernmental agreement to establish a cooperative scheme in relation to the regulation of personal information. The intergovernmental agreement should provide that any proposed changes to the:

  • model UPPs and relevant definitions used in the Privacy Act (for example ‘personal information’ and ‘sensitive information’) must be approved by SCAG; and
  • new Privacy (Health Information) Regulations and relevant definitions (for example, ‘health information’ and ‘health services’) must be approved by SCAG, in consultation with the Australian Health Ministers’ Conference.

3.134 The agreement should provide for a procedure whereby the party proposing a change requiring approval must give notice in writing to the other parties to the agreement, and the proposed amendment must be considered and approved by SCAG before being implemented.

3.135 SCAG is the most appropriate body to ensure national consistency as it is an established body that has experience in considering privacy issues and in promoting consistency through cooperative schemes. The ALRC acknowledges that, while the majority of state and territory ministers with responsibility for the regulation of personal information are attorneys-general, the Australian Government minister and South Australian minister responsible for information privacy are not.[155]

3.136 The ALRC has been informed that, despite changes to the Australian Government administrative arrangements, SCAG will continue to be the body to consider information privacy issues. Under this arrangement, the Cabinet Secretary will brief the Attorney-General of Australia on information privacy issues that need to be considered by SCAG.[156]

3.137 Further, the South Australian minister with responsibility for information privacy is able to attend SCAG meetings. SCAG adopted procedures to accommodate this situation in its oversight of the National Classification Scheme. SCAG procedures provide that where a minister responsible for censorship is not the Attorney-General, that minister attends SCAG meetings for discussion of censorship matters.

3.138 When considering any changes to the Privacy (Health Information) Regulations, SCAG should consult with the Australian Health Ministers’ Conference, comprising the health ministers of all Australian jurisdictions, rather than AHMAC, as proposed by the ALRC in DP 72.

3.139 The ALRC sees merit in the intergovernmental agreement establishing a consultative process where states and territories propose to amend their own privacy regulation. Such a consultative process will promote and maintain national consistency.

3.140 Consultation will not be necessary every time a state or territory amends their own privacy regulation. The recommended intergovernmental agreement, however, should require the states and territories to consult with each other before amending certain elements of their own legislation. These elements include those identified by the ALRC in Recommendation 3–4 that have some impact on national consistency.

Recommendation 3-5 To promote and maintain uniformity, the Standing Committee of Attorneys-General (SCAG) should adopt an intergovernmental agreement which provides that any proposed changes to the:

(a) model Unified Privacy Principles and relevant definitions used in the Privacy Act must be approved by SCAG; and

(b) new Privacy (Health Information) Regulations and relevant definitions must be approved by SCAG, in consultation with the Australian Health Ministers’ Conference.

The agreement should provide for a procedure whereby the party proposing a change requiring approval must give notice in writing to the other parties to the agreement, and the proposed amendment must be considered and approved by SCAG before being implemented.

An expert committee

3.141 In DP 72, the ALRC proposed that SCAG should be assisted by an expert advisory committee to:

  • provide advice in relation to the amendment of the proposed UPPs and Privacy (Health Information) Regulations;

  • address issues related to national consistency such as the scrutiny of federal, state and territory bills that may adversely impact on national consistency in the regulation of personal information; and

  • address issues related to the enforcement of privacy laws, including information sharing between privacy regulators and cooperative arrangements for enforcement.

3.142 The ALRC also proposed that appointments to the expert advisory committee should ensure a balanced and broad-based range of expertise, experience and perspectives relevant to the regulation of personal information. The appointments process should involve consultation with state and territory governments, business, privacy and consumer advocates and other stakeholders.[157]

Submissions and consultations

3.143 Many stakeholders supported the ALRC’s proposal for the establishment of an expert advisory committee to assist a Ministerial Council.[158] The Australian Privacy Foundation supported the proposal, subject to its concerns about SCAG.[159]

3.144 It was suggested that the expert advisory committee should include:

  • representatives from federal, state and territory archival organisations, or that the committee should consult with such archival organisations;[160]
  • privacy regulators from throughout Australia;[161]
  • consumer representatives;[162] and
  • possibly some government departments.[163]

3.145 Some stakeholders questioned whether an expert committee was necessary.[164] The OPC, for example, submitted that such a committee may add to bureaucratic complexity. Instead, the Office suggested that existing bodies, such as the administering agencies for Australian, state and territory information privacy laws, would be well placed to provide advice. The OPC also was concerned that the expert committee may be seen as a substitute for consultation by SCAG with relevant stakeholders on information privacy issues.[165]

ALRC’s view

3.146 While the ALRC agrees that the amendment of the UPPs and the Privacy (Health Information) Regulations only should occur after consultation with relevant stakeholders, it is not necessary to establish an expert advisory committee to assist SCAG. Such a committee is unnecessary and may add to bureaucratic complexity.

3.147 The ALRC notes that SCAG is currently advised by the SCAG Officers Committee, and that SCAG committees have previously engaged in broad-based consultation, most recently in relation to workplace privacy. On privacy issues, such a committee usefully could consult with the public and private sectors; federal, state and territory privacy regulators and other bodies with responsibility for information privacy; bodies with responsibility for records management, including archival organisations; and privacy and consumer representatives.

3.148 SCAG might also consult with the Privacy Advisory Committee established under the Privacy Act[166] and the Asia Pacific Privacy Authorities (APPA) forum that meets biannually and includes the federal and state and territory privacy regulators of Australia, New Zealand, Hong Kong and South Korea.

Ensuring uniform interpretation

3.149 As noted above, national consistency will be promoted if the model UPPs and other key elements of the Privacy Act are adopted at the federal, state and territory level. The uniformity of these elements may be reduced over time, however, by differing interpretations of these elements by courts and tribunals.

3.150 Under the ALRC’s recommendations, the Administrative Appeals Tribunal (AAT), the Federal Magistrates Court and the Federal Court of Australia will play a significant role in maintaining uniformity in the development of jurisprudence at the federal level. As noted in Part F, privacy complaints under the Privacy Act should generally be dealt with by the Privacy Commissioner, with a right of appeal to the AAT and the Federal Court. Applications for civil penalties will be dealt with by the Federal Magistrates Court and the Federal Court.[167]

3.151 State and territory courts and tribunals may be required to consider state and territory privacy legislation that applies the UPPs and other key elements of the Privacy Act. National consistency could be undermined if state and territory courts and tribunals adopt different interpretations of the UPPs and other key elements of the Privacy Act applied in state and territory legislation.

3.152 While courts of appeal in each state and territory can work to ensure consistency within their jurisdictions, they cannot contribute directly to national consistency because their decisions are not binding in other jurisdictions. The principle of comity, however, is intended to encourage a degree of uniformity across jurisdictions. As the High Court of Australia stated in the context of the Corporations Law scheme:

uniformity of decision in the interpretation of uniform national legislation … is a sufficiently important consideration to require that an intermediate appellate court—and all the more so a single judge—should not depart from an interpretation placed on such legislation by another Australian intermediate appellate court unless convinced that that interpretation is plainly wrong.[168]

3.153 The principle of comity will ensure a certain level of national consistency in the interpretation of the UPPs and other key elements of the Privacy Act applied in state and territory legislation. The ALRC also notes that the High Court of Australia plays a key role in ensuring uniformity in the development of jurisprudence in Australia.

3.154 In Chapter 17, the ALRC recommends that the OPC should develop memoranda of understanding with each of the bodies with responsibility for information privacy in Australia. The memoranda of understanding should outline processes for developing and publishing joint guidance on the interpretation of the model UPPs and other applied elements of the Privacy Act. This should assist bodies with responsibility for information privacy, including state and territory privacy regulators, to adopt a consistent interpretation of the UPPs and other aspects of privacy regulation.

[114]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 4–4(a).

[115] See, eg, Australian Commission on Safety and Quality in Health Care, Submission PR 252, 14 March 2007; Law Council of Australia, Submission PR 177, 8 February 2007; Australian Retailers Association, Submission PR 131, 18 January 2007.

[116] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. See also National Children’s and Youth Law Centre, Submission PR 166, 1 February 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.

[117]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 4–4.

[118]Ibid, Proposal 4–4(b)(i)–(v).

[119]Ibid, Proposal 4–4.

[120] See, eg, Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cancer Council Australia and Clinical Oncological Society of Australia, Submission PR 544, 23 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Confidential, Submission PR 519, 21 December 2007; Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007. The Australian Privacy Foundation stated that it would like to see more detailed options: Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[121]Australian Taxation Office, Submission PR 515, 21 December 2007.

[122]Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[123]School of Public Health—University of Sydney, Submission PR 504, 20 December 2007.

[124]Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007. The Health Services Commissioner Victoria did not, however, support the amendment of the Privacy Act to provide that the Act is intended to apply to the exclusion of state and territory laws dealing specifically with the handling of personal information: see Rec 3–1. See also Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[125]Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[126]Government of South Australia, Submission PR 565, 29 January 2008.

[127]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. See also Government of South Australia, Submission PR 565, 29 January 2008.

[128]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[129]National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[130]Australian Direct Marketing Association, Submission PR 543, 21 December 2007. See also Law Society of New South Wales, Submission PR 443, 10 December 2007.

[131] Definitions of these terms are discussed in Chs 6, 62.

[132] Rec 3–5.

[133] See Ch 17.

[134] Rec 51–1.

[135] See discussion in Ch 51.

[136]Rec 68–1.

[137] Recs 68–1, 68–2, 68–3.

[138] See Rec 17–3.

[139] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 43.

[140] The Privacy Advisory Committee is discussed in Ch 46.

[141] Australian Government Attorney-General’s Department, Standing Committee of Attorneys-General <www.ag.gov.au> at 14 April 2008.

[142] See Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General Residential Tenancy Database Working Party, Report on Residential Tenancy Databases (2005).

[143] SCAG has recently agreed that a SCAG working group should develop a model for nationally consistent workplace privacy regulation: Standing Committee of Attorneys-General, Communiqué, 28 March 2008.

[144] The Intergovernmental Agreement on Gene Technology, cl 9.

[145] Ibid, cl 9.

[146]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 4–6.

[147] See, eg, Government of South Australia, Submission PR 565, 29 January 2008; Cancer Council Australia and Clinical Oncological Society of Australia, Submission PR 544, 23 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[148] The Administrative Arrangements Order of 25 January 2008 established that s 63 of the Privacy Act (Legal Assistance) is to be dealt with by the Attorney-General and administered by the Attorney-General’s Department. Otherwise privacy matters are dealt with by the Special Minister of State, and the Privacy Act is administered by the Department of the Prime Minister and Cabinet: Commonwealth of Australia, Administrative Arrangements Order, 25 January 2008 [as amended 1 May 2008].

[149]Privacy NSW, Submission PR 468, 14 December 2007.

[150]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[151]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[152] Queensland Government, Submission PR 242, 15 March 2007.

[153] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007.

[154] Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[155] The minister responsible for information privacy in South Australia is currently the Minister for Finance.

[156] Australian Government Attorney-General’s Department, Correspondence, 12 February 2008.

[157]Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 4–7.

[158]Cancer Council Australia and Clinical Oncological Society of Australia, Submission PR 544, 23 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007; Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[159]Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[160]National Archives of Australia, Submission PR 414, 7 December 2007.

[161]Privacy NSW, Submission PR 468, 14 December 2007.

[162]Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[163]Australian Government Department of Agriculture‚ Fisheries and Forestry, Submission PR 556, 7 January 2008.

[164]Government of South Australia, Submission PR 565, 29 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[165]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[166] The ALRC recommends that the membership of the Privacy Advisory Committee be expanded: see Ch 46.

[167] See Chs 49 and 50.

[168]Australian Securities Commission v Marlborough Gold Mines Limited (1993) 177 CLR 485, 492.