Part A—Introduction

3. Achieving National Consistency

Recommendation 3–1 The Privacy Act should be amended to provide that the Act is intended to apply to the exclusion of state and territory laws dealing specifically with the handling of personal information by organisations. In particular, the following laws of a state or territory would be excluded to the extent that they apply to organisations:

(a) Health Records and Information Privacy Act 2002 (NSW);

(b) Health Records Act 2001 (Vic);

(c) Health Records (Privacy and Access) Act 1997 (ACT); and

(d) any other laws prescribed in the regulations.

Recommendation 3–2 States and territories with information privacy legislation that purports to apply to organisations should amend that legislation so that it no longer applies to organisations.

Recommendation 3–3 The Privacy Act should not apply to the exclusion of a law of a state or territory so far as the law deals with any ‘preserved matters’ set out in the Act. The Australian Government, in consultation with state and territory governments, should develop a list of ‘preserved matters’. The list should only include matters that are not covered adequately by an exception to the model Unified Privacy Principles or an exemption under the Privacy Act.

Recommendation 3–4 The Australian Government and state and territory governments should develop and adopt an intergovernmental agreement in relation to the handling of personal information. This agreement should establish an intergovernmental cooperative scheme that provides that the states and territories should enact legislation regulating the handling of personal information in the state and territory public sectors that:

(a) applies the model Unified Privacy Principles (UPPs), any relevant regulations that modify the application of the UPPs and relevant definitions used in the Privacy Act as in force from time to time; and

(b) contains provisions that are consistent with the Privacy Act, including at a minimum provisions:

(i) allowing Public Interest Determinations and Temporary Public Interest Determinations;

(ii) regulating state and territory incorporated bodies (including statutory corporations);

(iii) regulating state and territory government contracts;

(iv) regulating data breach notification; and

(v) regulating decision making by individuals under the age of 18.

Recommendation 3–5 To promote and maintain uniformity, the Standing Committee of Attorneys-General (SCAG) should adopt an intergovernmental agreement which provides that any proposed changes to the:

(a) model Unified Privacy Principles and relevant definitions used in the Privacy Act must be approved by SCAG; and

(b) new Privacy (Health Information) Regulations and relevant definitions must be approved by SCAG, in consultation with the Australian Health Ministers’ Conference.

The agreement should provide for a procedure whereby the party proposing a change requiring approval must give notice in writing to the other parties to the agreement, and the proposed amendment must be considered and approved by SCAG before being implemented.

Recommendation 3–6 The Australian Government should initiate a review in five years from the commencement of the amended Privacy Act to consider whether the recommended intergovernmental cooperative scheme has been effective in achieving national consistency. This review should consider whether it would be more effective for the Australian Parliament to exercise its legislative power in relation to information privacy to cover the field, including in the state and territory public sectors.

5. The Privacy Act: Name, Structure and Objects

Recommendation 5–1 The regulation-making power in the Privacy Act should be amended to provide that the Governor-General may make regulations, consistent with the Act, modifying the operation of the model Unified Privacy Principles (UPPs) to impose different or more specific requirements, including imposing more or less stringent requirements, on agencies and organisations than are provided for in the UPPs.

Recommendation 5–2 The Privacy Act should be redrafted to achieve greater logical consistency, simplicity and clarity.

Recommendation 5–3 The Privacy Act should be renamed the Privacy and Personal Information Act. If the Privacy Act is amended to incorporate a cause of action for invasion of privacy, however, the name of the Act should remain the same.

Recommendation 5–4 The Privacy Act should be amended to include an objects clause. The objects of the Act should be specified to:

(a) implement, in part, Australia’s obligations at international law in relation to privacy;

(b) recognise that individuals have a right to privacy and to promote the protection of that right;

(c) recognise that the right to privacy is not absolute and to provide a framework within which to balance that right with other human rights and to balance the public interest in protecting the privacy of individuals with other public interests;

(d) provide the basis for nationally consistent regulation of privacy and the handling of personal information;

(e) promote the responsible and transparent handling of personal information by agencies and organisations;

(f) facilitate the growth and development of electronic transactions, nationally and internationally, while ensuring respect for the right to privacy;

(g) establish the Australian Privacy Commission and the position of the Privacy Commissioner; and

(h) provide an avenue for individuals to seek redress when there has been an alleged interference with their privacy.

6. The Privacy Act: Some Important Definitions

Recommendation 6–1 The Privacy Act should define ‘personal information’ as ‘information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual’.

Recommendation 6–2 The Office of the Privacy Commissioner should develop and publish guidance on the meaning of ‘identified or reasonably identifiable’.

Recommendation 6–3 The Office of the Privacy Commissioner should develop and publish guidance on the meaning of ‘not reasonably identifiable’.

Recommendation 6–4 The definition of ‘sensitive information’ in the Privacy Act should be amended to include:

(a) biometric information collected for the purpose of automated biometric verification or identification; and

(b) biometric template information.

Recommendation 6–5 The definition of ‘sensitive information’ in the Privacy Act should be amended to refer to ‘sexual orientation and practices’ rather than ‘sexual preferences and practices’.

Recommendation 6–6 The definition of ‘record’ in the Privacy Act should be amended to make clear that a record includes:

(a) a document (as defined in the Acts Interpretation Act 1901 (Cth)); and

(b) information stored in electronic or other format.

Recommendation 6–7 The definition of ‘generally available publication’ in the Privacy Act should be amended to clarify that a publication is ‘generally available’ whether or not a fee is charged for access to the publication.

7. Privacy Beyond the Individual

Recommendation 7–1 The Office of the Privacy Commissioner should encourage and assist agencies and organisations to develop and publish protocols, in consultation with Indigenous groups and representatives, to address the particular privacy needs of Indigenous groups.

Recommendation 7–2 The Australian Government should undertake an inquiry to consider whether legal recognition and protection of Indigenous cultural rights is required and, if so, the form such recognition and protection should take.

8. Privacy of Deceased Individuals

Recommendation 8–1 The Privacy Act should be amended to include provisions dealing with the personal information of individuals who have been dead for 30 years or less where the information is held by an organisation. The Act should provide as follows:

(a) Use and Disclosure

Organisations should be required to comply with the ‘Use and Disclosure’ principle in relation to the personal information of deceased individuals. Where the principle would have required consent, the organisation should be required to consider whether the proposed use or disclosure would involve an unreasonable use or disclosure of personal information about any person, including the deceased person. The organisation must not use or disclose the information if the use or disclosure would involve an unreasonable use or disclosure of personal information about any person, including the deceased person.

(b) Access

Organisations should be required to provide third parties with access to the personal information of deceased individuals in accordance with the access elements of the ‘Access and Correction’ principle, except to the extent that providing access would have an unreasonable impact on the privacy of other individuals, including the deceased individual.

(c) Data Quality

Organisations should be required to comply with the use and disclosure elements of the ‘Data Quality’ principle in relation to the personal information of deceased individuals.

(d) Data Security

Organisations should be required to comply with the ‘Data Security’ principle in relation to the personal information of deceased individuals.

Recommendation 8–2 The Privacy Act should be amended to provide that the content of National Privacy Principle 2.1(ea) on the use and disclosure of genetic information to genetic relatives—to be moved to the new Privacy (Health Information) Regulations in accordance with Recommendation 63–5—should apply to the use and disclosure of genetic information of deceased individuals.

Recommendation 8–3 Breach of the provisions relating to the personal information of a deceased individual should be considered an interference with privacy under the Privacy Act. The following individuals should have standing to lodge a complaint with the Privacy Commissioner:

(a) in relation to an alleged breach of the use and disclosure, access, data quality or data security provisions—the deceased individual’s parent, child or sibling who is aged 18 or over, spouse, de facto partner or legal personal representative; and

(b) in relation to an alleged breach of the access provision—the parties in paragraph (a) and any person who has made a request for access to the personal information of a deceased individual where that request has been denied.