Arguments for removing the exemption

39.37 The main arguments for removing the exemption include that:

  • 39.38there are no appropriate criteria that could exempt only those small businesses that pose a low risk to privacy, because any definition of ‘small business’ would be arbitrary;

  • 39.39removing the exemption would reduce inconsistency and fragmentation in privacy regulation;

  • 39.40removing the exemption would facilitate trade with the EU; and

  • 39.41some small businesses, especially those in high-risk sectors, handle large amounts of personal information and carry out some of the most privacy-intrusive activities.

The ‘small business’ criterion

39.42 A large number of stakeholders supported the ALRC’s proposal to remove the small business exemption.[55] Some expressed concern at the high percentage of businesses exempted from protecting individuals’ personal information.[56] The fact that a substantial number of all complaints against organisations closed by the OPC were closed because they fell within the small business exemption was also a cause of concern.[57] The Office of the Victorian Privacy Commissioner (OVPC) stated that:

About 30% of enquiries to my office result in referrals to the federal Office of the Privacy Commissioner, and the majority of these relate to small businesses which are likely to currently be exempt under the federal Act.[58]

39.43 Some stakeholders submitted that protection of privacy rights should not depend on the size of the business.[59] It was argued that the ability of a business to misuse personal information is not related to its size,[60] and that the consequences of misuse by small businesses could be just as severe as misuse by larger businesses.[61]

39.44 Other stakeholders questioned whether the assumptions that small businesses are unlikely to hold significant amounts of personal information, and that they are unlikely to deal with it inappropriately, were valid.[62] Some small businesses—such as internet businesses—do in fact hold large amounts of personal information.[63] The Australian Communications and Media Authority (ACMA) submitted that:

The increasing use of technology by small businesses, who may not be experienced in dealing with privacy matters places increasing pressure on the relevance of the small business exemption currently in the Privacy Act.[64]

39.45 There was concern among stakeholders that consumers may not be able to determine with any certainty whether the small business exemption applies to the business they are dealing with,[65] since annual turnover figures are rarely disclosed publicly.[66] National Legal Aid noted that removing the small business exemption

would resolve uncertainties which currently prevent members of the public from exercising their privacy rights or identifying the obligations of organisations [with which] they deal.[67]

39.46 Further, it was submitted that businesses themselves also may be uncertain about whether they are covered by the small business exemption—a problem that may be complicated further by the conditions that qualify the application of the exemption.[68] For example, the Legal Aid Commission of New South Wales noted that the Law Council of Australia was unable to provide clear guidance about whether law firms are covered by the exemption.[69]

39.47 Some stakeholders were concerned that the small business exemption, together with the exemption applying to related bodies corporate, may be used by large organisations to evade their responsibilities under the Privacy Act by transferring data-collection activities to a smaller entity within their corporate structure.[70] Another stakeholder submitted that the small business exemption was a barrier to efforts by particular industries to promote public confidence in the handling of personal information by small businesses.[71]

Regulatory inconsistency and fragmentation

39.48 Some stakeholders noted that the small business exemption contributes to the complexity of the privacy regime.[72] The Queensland Government expressed particular concern about the complexity of the exemptions regime in the education sector:

Non-State schools may or may not be required to comply based on a number of tests, for example annual turnover and the collection of ‘health information’. Exempt non-state schools may also choose to ‘opt in’ to the regime. The three tiered approach that currently operates—determined by the size of the school and the collection of one type of information—can create inconsistencies in the management of personal information in educational contexts.[73]

39.49 National Legal Aid noted that the application of the privacy regime to the provision of legal services was complicated, because some non-government organisations provide government-funded public services and therefore may not qualify for the small business exemption. It suggested that coverage of such non-government organisations would avoid this complication.[74]

39.50 Some stakeholders suggested that the small business exemption adversely affects the consistency of privacy regulation across Australia.[75] For example, one individual submitted that the coverage of small businesses by some state privacy legislation, but not the federal Privacy Act, caused confusion.

People could find themselves referred back and forth between the Commonwealth and NSW Privacy Offices if there is any doubt as to the annual turnover of the allegedly offending company.[76]

39.51 The OVPC stated that privacy protection should be consistent and universal across Australia, and that there was no policy justification for completely exempting small businesses from the operation of the Privacy Act. The OVPC stated that every organisation should be required to protect the privacy of personal information it has collected, especially where the information is sensitive.[77] National Legal Aid submitted that:

Uniform coverage means that organisations and individuals can rely on clearly stated privacy obligations when dealing with small businesses and non government organisations, and on forms of alternative dispute resolution under the Privacy Act as a realistic alternative to legal action. Uniform coverage should ease the task of the Privacy Commissioner when providing education and advice.[78]

39.52 The Queensland Government noted that the removal of the small business exemption, together with the proposed removal of the employee records exemption, would fill a gap in coverage and ensure national consistency in the regulation of the private sector. It stated that the two proposals were ‘in line with the current examination by [the Standing Committee of Attorneys-General] of workplace privacy, and would answer a number of the issues identified during that process’.[79]

39.53 The Government of South Australia submitted that ‘business efficacy is not likely to be enhanced by misuse or careless management of personal information’.[80] It stated that the benefits of removing the exemption would include:

  • 39.54clarifying consumers’ confusion and closing off loopholes under the exemption, thus promoting public confidence in the effectiveness of the privacy regime;

  • 39.55creating a level playing field for all small businesses, as currently some small businesses are not exempt and others choose to opt in;

  • 39.56promoting good business management practice and helping to build business reputation; and

  • 39.57further harmonising the trans-Tasman privacy protection regime.[81]

39.58 Some stakeholders identified other ways to modify the impact of the Privacy Act on small businesses. It was suggested, for example, that the removal of the small business exemption could be qualified by the requirement that small businesses need only take reasonable steps to comply with the privacy principles. This would allow the Privacy Commissioner to issue guidance on what steps (if any) a small business should take to be deemed to have made a reasonable effort to comply.[82]

39.59 Other stakeholders suggested that the impact of the Privacy Act on small businesses could be reduced by:

  • 39.60a privacy code for small businesses, which would relax or remove bureaucratic aspects of the Privacy Act while ensuring that personal information is handled appropriately;[83]

  • 39.61public interest determinations issued by the Privacy Commissioner;[84] or

  • 39.62specific exceptions to the privacy principles in relation to small businesses.[85]

EU adequacy

39.63 The small business exemption is one of the major obstacles to Australia’s privacy laws being recognised as ‘adequate’ by the EU. This arguably impedes trade with the EU.[86]

39.64 Several stakeholders argued that removing the small business exemption would help to ensure that Australia’s privacy laws were recognised as adequate by the EU.[87] Some stakeholders submitted that Australian privacy laws should be consistent with international standards.[88] For example, the Public Interest Advocacy Centre (PIAC) submitted that removal of the exemption would bring Australia in line with other comparable jurisdictions, including the United Kingdom, Canada and New Zealand.[89]

39.65 Professor Graham Greenleaf, Nigel Waters and Associate Professor Lee Bygrave submitted that a European company would not be able to ascertain readily whether a business is an exempt small business for the purposes of the Privacy Act. They stated that:

If personal data are transferred from Europe to some proper recipient in Australia, there is nothing in the Privacy Act except the normal rules governing secondary purposes to prevent the data from being disclosed to an exempt small business operator.[90]

39.66 The Australian Bankers’ Association (ABA) noted that the lack of EU adequacy has significant disadvantages for Australian companies that operate in a European environment. This is because an Australian company would have to comply with the EU Directive by fulfilling certain conditions on a case-by-case basis when transferring data from an EU country to Australia. The ABA submitted that removing the small business exemption would eliminate a significant impediment to a finding of EU adequacy.[91]

39.67 The National Australia Bank and MLC Ltd submitted that, as Australia’s privacy laws are not recognised as adequate by the EU, Australian businesses that wish to trade with organisations in the EU have to bear the costs of additional contractual arrangements;[92] including the costs of periodic audits of compliance with these arrangements.[93]

39.68 In contrast, Australian Business Industrial stated that it was not aware of any instances where the small business exemption has had an adverse impact on those conducting business with EU organisations.[94] The Real Estate Institute of Australia (REIA) argued that Australia should not pursue a declaration of adequacy under the EU Directive if this comes at the cost of removing the small business exemption.[95]

Removing the exemption for high-risk sectors

39.69 There are significant concerns that certain small businesses pose a particularly high risk to privacy.[96] Examples of such businesses included those in the telecommunications industry (such as ISPs); debt collectors; and small businesses that are handling personal information by reason of the application of the Northern Territory Emergency Response Act and related legislation.[97]

Telecommunications industry

39.70 The OPC Review recommended that the Attorney-General consider regulations to ensure that the Privacy Act applies to all small businesses in the telecommunications sector.[98] In response, the Australian Government stated that the Attorney-General’s Department would, in conjunction with the relevant government agencies, consider making regulations to ensure that the Privacy Act applies to such businesses.[99]

39.71 The Senate Committee privacy inquiry expressed concern that regulating small businesses in some areas—such as residential tenancy databases and telecommunications—but not others would add to the complexity of the legislation.[100]

39.72 In submissions to this Inquiry, the Department of Broadband, Communications and the Digital Economy (DBCDE), ACMA and other stakeholders expressed particular concern that small business operators in the telecommunications industry are exempt from the operation of the Privacy Act.[101]

39.73 The DBCDE submitted that, from a policy perspective, all businesses in the telecommunications industry should be subject to privacy regulation, regardless of size. It noted that a high proportion of providers in the telecommunications industry are small business operators—and therefore exempt from the operation of the Privacy Act. The DBCDE noted that the Telecommunications Act 1997 (Cth) regulates the use and disclosure of information, but not other aspects of information handling. In addition, some small businesses operating in association with the telecommunications industry may not be subject to Part 13 of the Telecommunications Act, the Privacy Act or any relevant industry code. Consequently, the DBCDE expressed support for the ALRC’s proposal to remove the small business exemption.[102]

39.74 Other stakeholders supported the removal of the small business exemption as a way to address privacy concerns raised in relation to ISPs.[103] For example, ACMA noted that more than a quarter of ISPs are small business operators. It questioned the relevance of this exemption in the increasingly convergent telecommunications environment.

Most consumers have little or no knowledge of the exemptions to the Privacy Act. As a consequence, many consumers transact with businesses assuming that their personal information is protected by the Privacy Act, when this may not be the case. If the small business exemption is to continue, it may be beneficial to publicise the exemption. This activity may result in voluntary compliance becoming a key market differentiator.[104]

39.75 The Communications Alliance conceded that there were operators in the telecommunications sector that fell within the small business exemption and were not subject to privacy regulation. It submitted, however, that the problem should be resolved by raising awareness about privacy issues and providing education and incentives to the industry for voluntary adoption of the NPPs, rather than additional privacy regulation that increases the regulatory burden on small operators.[105]

Debt collectors

39.76 The Privacy Act generally does not apply to debt collectors that have an annual turnover of $3 million or less. A debt collection organisation that has purchased debts from a credit provider, however, may be subject to the credit reporting provisions of the Act. In addition, debt collection organisations are regulated by the consumer protection provisions of the Trade Practices Act 1974 (Cth), the Australian Securities and Investments Commission Act 2001 (Cth) and other relevant state legislation.[106]

39.77 The Consumer Credit Legal Centre (NSW) (CCLC) submitted that a small business exemption should not apply in relation to debt collection, because when a bank sells the debt to a debt collector who is covered by the small business exemption, ‘the strict confidentiality the consumer expected when entering into the loan has now been eroded often without their knowledge’. The CCLC contended that ‘a consumer should be able to expect that the privacy rights that consumer had upon entering the loan are preserved for the life of the debt’.[107]

39.78 On the other hand, Abacus-Australian Mutuals (Abacus)—while acknowledging that debt collection activity may fall under the small business exemption even though the debtor borrowed from a larger financial institution—suggested that:

The 2005 renewal of the ASIC/ACCC Debt Collection Guidelines does, in [our]view, provide some confidence that creditors will ensure any debt recovery action is undertaken in accord with privacy measures.[108]

Northern Territory National Emergency Response

39.79 In August 2007, the Northern Territory National Emergency Response Act and related legislation were passed to address issues of drug abuse and child sexual assault in the Northern Territory. The suite of legislation introduced a number of measures that involve the collection, use and disclosure of personal information by certain agencies and organisations, including exempt small businesses. Privacy and other human rights advocates have identified a number of privacy issues concerning these measures—in particular, measures contained in the Northern Territory National Emergency Response Act andthe Social Security and Other Legislation Amendment (Welfare Payment Reform) Act 2007 (Cth).[109]

39.80 Under s 20(5) of the Northern Territory National Emergency Response Act,licensees and their employees are required to collect certain personal information before selling liquor for consumption away from the licensed premises. The personal information to be collected includes the purchaser’s name and address, and the name and address of the place where the purchaser proposes to consume the alcohol. Section 21 of the Act also requires a licensee to keep records of the personal information collected for at least three years after the records are made, and to produce the records to an inspector upon demand.

39.81 In addition, s 27 of the Actrequires a ‘responsible person’ for a publicly funded computer to ensure that a record is kept of each person who uses the computer, and the time and day of use.[110] A ‘publicly funded computer’ means a computer that is: owned or leased by an individual or body that received funding from a federal, state, territory or local government authority; on loan from a body that receives such funding; or owned or leased by an individual or a body that receives money directly or indirectly from the Australian Government under an arrangement to deliver employment-related services or programs.[111]

39.82 Where the ‘responsible person’ is a small business not acting under a Commonwealth contract it may fall within the small business exemption, for example, small businesses that receive funding from a state, territory or local government authority, and those that borrow a publicly funded computer from a government-funded body.

39.83 The OPC’s submission to the inquiry by the Senate Standing Committee on Legal and Constitutional Affairs into the Northern Territory National Emergency Response Bill 2007 (Cth) and related bills (NT National Emergency Response inquiry)[112] noted that, although it was not clear what proportion of these licensees and responsible persons would be small businesses, it is possible that some of them could come within the definition of ‘small business operator’ and therefore fall outside the coverage of the Privacy Act. The OPC stated that, as a result, ‘it would appear there may be a gap in statutory privacy protections applying to information collected and handled under these provisions’.[113]

39.84 The Social Security and Other Legislation Amendment (Welfare Payment Reform) Act 2007 (Cth) amended social security law to set up an income management regime for recipients of certain welfare payments. Under this regime, whole or parts of certain welfare payments are set aside and directed to meet the priority needs of certain welfare recipients, as well as those of the recipient’s partner, children and other dependants.[114] The legislation provides for certain powers in the collection, use and disclosure of personal information. For example, a person may disclose protected information[115] to another person who is responsible for the operation of a school if the protected information relates to the enrolment of children and their attendance at school.[116] Accordingly, a small business operating a private school may collect personal information about children without being subject to the requirements of the Privacy Act.

39.85 Further, small businesses operating community stores may be required to participate in the income management regime and handle personal information of welfare recipients to ensure that welfare payments are used to meet priority needs. To obtain a community store licence, community stores may be assessed on a number of matters, including their capacity to participate in, and their record of compliance with, the requirements of the income management regime.[117] In addition, they may be subject to licence conditions relating to the regime.[118] Although many community stores may be government-funded and therefore may have to comply with the Privacy Act as government contractors, those that are not government-funded may qualify for the small business exemption.

39.86 In its submission to NT National Emergency Response inquiry, the OPC stated that, where small businesses operating community stores are required to participate in the income management regime:

The Office assumes this may require them to collect and possibly use or disclose personal information that could include financial or sensitive information. It may be that some of these businesses will not be subject to privacy regulation. The Office suggests that appropriate information handling practices based on privacy principles in the Privacy Act could be made part of the renewed licence conditions for these businesses.[119]

39.87 Having considered different aspects of the Northern Territory National Emergency Response Billand related bills, the OPC submitted that:

Given the sensitivities of much of the information that will be collected, used and disclosed under some of the provisions of the Bills the Office believes it is important that consideration be given to ensuring that appropriate privacy safeguards are put in place for those entities not currently covered by statutory privacy regulation.[120]

39.88 In the Social Justice Report 2007, Mr Tom Calma, the Aboriginal and Torres Strait Islander Social Justice Commissioner, expressed concern about the inadequate privacy protection in the Northern Territory National Emergency Response Act and related legislation, including the fact that most small businesses are not regulated under the Privacy Act.[121] The Commissioner recommended that the income management scheme under the Social Security and Other Legislation (Amendment (Welfare Payment Reform) Act should be reviewed and amended to ensure compliance with human rights standards, including privacy protection.[122]

39.89 In its submission to this Inquiry, the Human Rights and Equal Opportunity Commission (HREOC) noted the OPC’s concern that the passing of the Northern Territory Emergency Response Act and associated legislation resulted in a gap in privacy protection. HREOC submitted that Indigenous people may have no legal redress when there is an unauthorised use or disclosure of their personal information collected by a small business operator under the relevant legislation. HREOC submitted that removing the small business exemption would be one way of addressing this gap.[123]

Other industries or services

39.90 Some stakeholders suggested other high-risk sectors to which the small business exemption should not apply.[124] One particular area of concern is small businesses that work with children or young people.[125] The NSW Commission for Children and Young People expressed concern that services such as child care centres, family counselling or dispute resolution services—which often keep records of sensitive personal information of children and young people—may fall within the small business exemption. The Commission submitted that the Privacy Act should be amended to include specifically any business that provides services to children and young people.[126]

39.91 Youthlaw noted that community service organisations that are small business operators are not covered by either federal or state privacy legislation unless they are contracted service providers to a government agency.

As a result young people, children and families may be wary about seeking help and providing information to these agencies if they believe this information is not subject to privacy legislation.[127]

39.92 The OPC suggested that consideration should be given to extending, or clarifying, the application of the Privacy Act to child care centres and family counselling and dispute resolution services.[128]

39.93 Other stakeholders raised concern about the application of the small business exemption to other types of small businesses, including:

  • 39.94real estate agents;[129]

  • 39.95dating agencies;[130]

  • 39.96recruitment agents;[131]

  • 39.97small businesses that provide computer data maintenance services;[132]

  • 39.98small businesses that collect and use biometric information;[133] and

  • 39.99small businesses that have control over large amounts of personal information and access to the credit reporting system,[134] such as financial services providers.[135]

[55] See, eg, Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Government of South Australia, Submission PR 565, 29 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Confidential, Submission PR 535, 21 December 2007; Optus, Submission PR 532, 21 December 2007; National Legal Aid, Submission PR 521, 21 December 2007; Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007; Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007; Association of Market and Social Research Organisations and Australian Market and Social Research Society, Submission PR 502, 20 December 2007; Human Rights and Equal Opportunity Commission, Submission PR 500, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; BUPA Australia Health, Submission PR 455, 7 December 2007; Australian Digital Alliance, Submission PR 422, 7 December 2007 (endorsed by Australian Library and Information Association, Submission PR 446, 10 December 2007); Australasian Compliance Institute, Submission PR 419, 7 December 2007; S Hawkins, Submission PR 382, 6 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[56] Privacy NSW, Submission PR 468, 14 December 2007. See also Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; Insurance Council of Australia, Submission PR 110, 15 January 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[57] Insurance Council of Australia, Submission PR 110, 15 January 2007.

[58] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[59] Ibid; Government of South Australia, Submission PR 187, 12 February 2007; Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[60] ACTU, Submission PR 155, 31 January 2007.

[61] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; ACTU, Submission PR 155, 31 January 2007.

[62] New South Wales Council for Civil Liberties Inc, Submission PR 156, 31 January 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; AAMI, Submission PR 147, 29 January 2007.

[63] Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.

[64] Australian Communications and Media Authority, Submission PR 268, 26 March 2007.

[65] Government of South Australia, Submission PR 565, 29 January 2008;National Legal Aid, Submission PR 521, 21 December 2007; Abacus–Australian Mutuals, Submission PR 174, 6 February 2007; Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007; Legal Aid Commission of New South Wales, Submission PR 107, 15 January 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[66] Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[67] National Legal Aid, Submission PR 521, 21 December 2007.

[68] Legal Aid Commission of New South Wales, Submission PR 107, 15 January 2007.

[69] Ibid.

[70] Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007; New South Wales Council for Civil Liberties Inc, Submission PR 156, 31 January 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[71] Association of Market and Social Research Organisations and Australian Market and Social Research Society, Submission PR 502, 20 December 2007.

[72] Queensland Government, Submission PR 242, 15 March 2007; Abacus–Australian Mutuals, Submission PR 174, 6 February 2007.

[73] Queensland Government, Submission PR 242, 15 March 2007.

[74] National Legal Aid, Submission PR 521, 21 December 2007.

[75] Association of Market and Social Research Organisations and Australian Market and Social Research Society, Submission PR 502, 20 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[76] P Youngman, Submission PR 394, 7 December 2007.

[77] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[78] National Legal Aid, Submission PR 521, 21 December 2007.

[79] Queensland Government, Submission PR 490, 19 December 2007.

[80] Government of South Australia, Submission PR 187, 12 February 2007.

[81] Government of South Australia, Submission PR 565, 29 January 2008.

[82] Privacy NSW, Submission PR 468, 14 December 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[83] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; New South Wales Council for Civil Liberties Inc, Submission PR 156, 31 January 2007.

[84] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.

[85] Legal Aid Commission of New South Wales, Submission PR 107, 15 January 2007.

[86] One of the express objectives of the private sector provisions of the Privacy Act was to facilitate trade with the EU: Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 16.

[87] Government of South Australia, Submission PR 565, 29 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007.

[88] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007.

[89] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[90] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007.

[91] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007.

[92] National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007; AAMI, Submission PR 147, 29 January 2007.

[93] National Australia Bank and MLC Ltd, Submission PR 148, 29 January 2007.

[94] Australian Business Industrial, Submission PR 444, 10 December 2007.

[95] Real Estate Institute of Australia, Submission PR 400, 7 December 2007.

[96] See, eg, Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Communications‚ Information Technology and the Arts, Submission PR 264, 22 March 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007.

[97] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007. See also Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007.

[98] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), recs 9, 15, 52.

[99] Australian Government Attorney-General’s Department, Government Response to the Privacy Commissioner’s Report: Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2006), 3.

[100] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [7.32].

[101] Australian Communications and Media Authority, Submission PR 268, 26 March 2007; Australian Government Department of Communications‚ Information Technology and the Arts, Submission PR 264, 22 March 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[102] Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007. See also Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[103] Australian Digital Alliance, Submission PR 422, 7 December 2007; Australian Communications and Media Authority, Submission PR 268, 26 March 2007.

[104] Australian Communications and Media Authority, Submission PR 268, 26 March 2007.

[105] Communications Alliance Ltd, Submission PR 198, 16 February 2007.

[106] The Australian Competition and Consumer Commission and the Australian Securities and Investments Commission, who are jointly responsible for enforcing consumer protection legislation in relation to the debt collection industry, have issued guidance to assist collectors and creditors in understanding how the legislation applies to them: Australian Competition and Consumer Commission and Australian Securities and Investments Commission, Debt Collection Guideline: For Collectors and Creditors (2005). Issues concerning the application of the credit reporting provisions of the Act to debt collectors are discussed in Ch 57.

[107] Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007.

[108] Abacus–Australian Mutuals, Submission PR 174, 6 February 2007, referring to Australian Competition and Consumer Commission and Australian Securities and Investments Commission, Debt Collection Guideline: For Collectors and Creditors (2005).

[109] Office of the Privacy Commissioner, Submission to the Senate Standing Committee on Legal and Constitutional Affairs, Inquiry into the Northern Territory National Emergency Response Bill 2007 and Related Bills, 1 August 2007; Aboriginal and Torres Strait Islander Social Justice Commissioner, Social Justice Report 2007 (2008), Ch 3. See also Office of the Victorian Privacy Commissioner, Submission to the Senate Standing Committee on Legal and Constitutional Affairs Inquiry into the Northern Territory National Emergency Response Bill 2007 and Related Bills, 10 August 2007.

[110] Northern Territory National Emergency Response Act 2007 (Cth) s 27. A ‘responsible person’ in this context means the individual, or the head of the entity, that has custody and control of the computer: Northern Territory National Emergency Response Act 2007 (Cth) s 3.

[111] Northern Territory National Emergency Response Act 2007 (Cth) s 3.

[112] See Parliament of Australia—Senate Standing Committee on Legal and Constitutional Affairs, Social Security and Other Legislation Amendment (Welfare Payment Reform) Bill 2007 and Four Related Bills concerning the Northern Territory National Emergency Response (2007).

[113]Office of the Privacy Commissioner, Submission to the Senate Standing Committee on Legal and Constitutional Affairs, Inquiry into the Northern Territory National Emergency Response Bill 2007 and Related Bills, 1 August 2007.

[114] Social Security (Administration) Act 1999 (Cth) s 123TB; Social Security and Other Legislation Amendment (Welfare Payment Reform) Act 2007 (Cth) sch 1 item 17.

[115] ‘Protected information’ means information: (a) about a person that is or was held in the records of the Department of Families, Housing, Community Services and Indigenous Affairs or of the Commonwealth Services Delivery Agency; (b) about a person obtained by an officer under the family assistance law that is or was held in the records of the Australian Taxation Office (ATO), Medicare Australia or the Health Insurance Commission; or (c) to the effect that there is no information about a person held in the records of the Department of Families, Housing, Community Services and Indigenous Affairs, the Commonwealth Services Delivery Agency, the ATO or Medicare Australia: Social Security Act 1991 (Cth) s 23.

[116] Social Security (Administration) Act 1999 (Cth) s 202(6); Social Security and Other Legislation Amendment (Welfare Payment Reform) Act 2007 (Cth)sch 1 item 21.

[117] Northern Territory National Emergency Response Act 2007 (Cth) s 93.

[118] Ibid s 103(1)(c).

[119]Office of the Privacy Commissioner, Submission to the Senate Standing Committee on Legal and Constitutional Affairs, Inquiry into the Northern Territory National Emergency Response Bill 2007 and Related Bills, 1 August 2007.

[120]Ibid, 1.

[121] Aboriginal and Torres Strait Islander Social Justice Commissioner, Social Justice Report 2007 (2008), 278.

[122] Ibid, rec 11(c), 298.

[123] Human Rights and Equal Opportunity Commission, Submission PR 500, 20 December 2007.

[124] G Poscoliero, Submission PR 575, 3 March 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Youthlaw, Submission PR 390, 6 December 2007; NSW Commission for Children and Young People, Submission PR 120, 15 January 2007; AXA, Submission PR 119, 15 January 2007; Confidential, Submission PR 97, 15 January 2007.

[125] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Youthlaw, Submission PR 390, 6 December 2007; NSW Commission for Children and Young People, Submission PR 120, 15 January 2007.

[126] NSW Commission for Children and Young People, Submission PR 120, 15 January 2007.

[127] Youthlaw, Submission PR 390, 6 December 2007.

[128] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[129] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007. See also Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007.

[130] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007. See also Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007.

[131] Confidential, Submission PR 97, 15 January 2007. Although recruitment organisations trade in personal information, under s 6D(7)(a) of the Privacy Act, a recruitment organisation that has an annual turnover of $3 million or less may still be covered by the small business exemption if it has the consent of the individuals concerned. It also should be noted that the acts and practices of a recruitment organisation do not fall within the employee records exemption, unless they are in relation to the employee records of a current or former employee of that recruitment organisation and are directly related to that current or former employment relationship: see Information Technology Contract & Recruitment Association, Privacy and the Recruitment Industry <www.itcra.com/index.asp?menuid=100.010&artid=119> at 19 May 2008. The employee records exemption is discussed in Ch 40.

[132]G Poscoliero, Submission PR 575, 3 March 2008.

[133] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[134] Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007; AXA, Submission PR 119, 15 January 2007.

[135] AXA, Submission PR 119, 15 January 2007. The ALRC notes that the small business exemption generally does not apply to private investigators, as they trade in personal information without the consent of the individuals concerned: see Privacy Act 1988 (Cth) s 6D(4)(c), (d), (7), (8). Privacy issues relating to private investigators are discussed in detail in Ch 44.