Home | Databases | WorldLII | Search | Feedback Australian Law Reform Commission - Reform Journal

Editors --- "Reference update: for Your Information: Australian Privacy Law and Practice" [2009] ALRCRefJl 20; (2009) 93 Australian Law Reform Commission Reform Journal 62

For Your Information: Australian Privacy Law and Practice

By Professor Les McCrimmon*

The ALRC’s final report in its Privacy Inquiry own motion investigation, where the Privacy Commissioner determines that the agency or organisation has engaged in conduct constituting an interference with the privacy of an individual; and commence proceedings in the was sent to the Attorney-General of Australia, the Hon Robert McClelland MP, on Thursday 29 May 2008. The report, entitled For Your Information: Australian Privacy Law and Practice (ALRC 108), consists of 11 parts, 74 chapters and 295 recommendations for reform. The three volume, 2,694 page report is the largest ever produced by the ALRC. It also is the product of the largest consultation program ever undertaken by the ALRC.

During the course of the 28-month Inquiry, the ALRC held approximately 250 meetings with individuals, public sector agencies, privacy commissioners in Australia and overseas, private organisations, privacy and consumer groups and peak industry associations. The ALRC also undertook six youth workshops, three public meetings (in Melbourne, Sydney and Coffs Harbour), a two day ‘Privacy Phone-in’ and numerous roundtables with key stakeholders. Finally, the ALRC received 585 submissions during the course of the Inquiry.

The following outlines some of the key recommendations contained in the Report:

• Eleven Privacy Principles should replace the existing Information Privacy Principles and the National Privacy Principles. The new principles, referred to in the Report as the Unified Privacy Principles (UPPs), will apply to the Commonwealth public sector and the private sector. Existing state and territory laws currently applying to private sector organisations will be excluded by the operation of the Privacy Act 1988 (Cth).
• There should be greater harmonisation of Australian privacy law, through the adoption of the UPPs by state and territory privacy laws applying to the state and territory public sector. Such laws also should replicate key provisions in the federal Privacy Act—for example, in relation to health privacy regulations and key definitions.
• The number of exemptions in the Privacy Act should be reduced. In particular, the small business, employee records, registered political parties and political acts and practices exemptions should be removed.
• To foster compliance with the provisions of the Privacy Act, the enforcement powers of the Privacy Commissioner should be increased, for example, to allow the Commissioner to:
o require a Privacy Impact Assessment to be carried out if a new Australian Government initiative has a significant impact on the handling of personal information;
o decline to investigate a complaint if the Privacy Commissioner deems the complaint to be frivolous, or the complaint is being handled by an approved External Dispute Resolution scheme;
o audit organisations for compliance with the privacy principles and other provisions of the Privacy Act;
o issue a notice to comply to an agency or organisation following an own motion investigation, where the Privacy Commissioner determines that the agency or organisation has engaged in conduct constituting an interference with the privacy of an individual; and
o commence proceedings in the Federal Court or the Federal Magistrates Court for an order to enforce the notice to comply.
• The Privacy Act should be amended to include a new Part on data breach notification. If an agency or organisation becomes aware that specified personal information has been acquired by an unauthorised person and the agency, organisation or the Privacy Commissioner believes that such acquisition may give rise to a real risk of serious harm to an individual, the agency or organisation should be required to notify the affected individual of the unauthorised acquisition.
• The credit reporting provisions in the Privacy Act should permit the inclusion of the following items of personal information, in addition to those currently allowed to be held in credit information files:
o the type of credit account opened (for example, mortgage, personal loan, credit card);
o the date on which each credit account was opened;
o the current limit of each open credit account;
o the date on which each credit account was closed; and
o after the Australian Government is satisfied that there is an adequate framework imposing responsible lending obligations in Commonwealth, state and territory legislation, an individual’s repayment performance history.
• A statutory cause of action for a serious invasion of privacy should be provided for in federal legislation. To establish liability under such a cause of action, the claimant must show that, in the circumstances, he or she had a reasonable expectation of privacy and the act or conduct complained of is highly offensive. In determining whether an individual’s privacy has been invaded, the court also would have to take into account whether the public interest in maintaining the claimant’s privacy outweighs other matters of public interest—including the interest of the public to be informed about matters of public concern and the public interest in allowing freedom of expression.

For Your Information was tabled in the Australian Parliament on 11 August 2008. On the same day it was launched publically at the ALRC offices by the Hon Senator John Faulkner, Special Minister for State and Cabinet Secretary, and by the Attorney-General of Australia. The launch, which was well attended by media representatives, Privacy Advisory Committee members and others who had been involved in the Inquiry, received widespread television, radio and print media coverage.

When launching the report, Senator Faulkner indicated that the Australian Government would consider the ALRC’s recommendations in two stages:

• Stage 1 – legislation within 12 to 18 months (from 11 August 2008) addressing:
o one set of privacy principles;
o credit reporting and health regulations; and
o new technology.
• Stage 2:
o removal of exemptions;
o statutory cause of action for a serious invasion of privacy; and
o mandatory data breach notification.
• Concurrent:
o harmonisation of Commonwealth, state and territory privacy laws;
o recommendations relating to the Office of the Privacy Commissioner; and
o public education concerning the implications on privacy of developing technology.

The Privacy Inquiry was a mammoth undertaking. Through the dedication and hard work of the ALRC Commissioners and staff, and the Privacy Inquiry team in particular, the Australian Government and other interested stakeholders have a blueprint for the reform of privacy law. For Your Information is a report of global significance, and addresses in detail the challenging privacy issues facing Australians.

* Professor Les McCrimmon is a full-time Commissioner at the Australian Law Reform Commission and was Commissioner-in-charge of the Privacy Inquiry