The Attorney-General this week released a report by the privacy commissioner into the operation of the private sector provisions of the Privacy Act (Act) entitled Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988. While the privacy commissioner, Karen Curtis, believes that 'there is no fundamental flaw with the private sector provisions in the Privacy Act', she has made 85 recommendations to improve the operation of the private sector provisions.
Key recommendations of the report include providing for a more nationally consistent privacy scheme, particularly in the areas of health and telecommunications. Other recommendations include considering amending the Act to:
apply to all residential tenancy databases
achieve EU 'adequacy' status
provide for short form privacy notices, to clarify the obligations on organisations to provide notice, and to clarify the links between National Privacy Principle (NPP) 1.3 and 5.1
provide that consumers have a general right to opt-out of direct marketing approaches at any time
provide that when an individual’s personal information is corrected in response to a request from the individual, the organisation should be obliged to notify third parties, where practicable, that they have received inaccurate information
give complainants and respondents a right to have the merits of complaints decisions made by the privacy commissioner reviewed
require organisations under NPP 1.3 to tell individuals where they acquired their personal information
require organisations under NPP 1.3 to tell individuals how they can complain to the organisation; and that, if the complaint is not resolved, they can also complain to the privacy commissioner or (where relevant) the code adjudicator
expand the remedies available following a determination under section 52 to include giving the privacy commissioner power to require a respondent to take steps to prevent future harm arising from systematic issues
modify the small business exemption so that the definition of small business is expressed in terms of the ABS definition, currently 20 employees or fewer, rather than annual turnover
apply to small businesses in the telecommunications sector, including internet service providers and public number directory producers
impose under NPP 4 an obligation on an organisation to ensure personal information it discloses to a contractor is protected
take into account the practice of due diligence
make clear that an organisation collecting personal information from an individual must take reasonable steps under NPP 1.3 to notify them of likely disclosures generally, including to public sector agencies of the Australian Government, state or local governments, other bodies and private individuals.
In addition to the recommendations to amend the Act, a number of recommendations were made for further guidance to be issued in relation to topics including:
transborder data flows
the relationship between the Act and Part 13 of the Telecommunications Act
the relationship between the Act and the Spam Act
The Attorney-General will now consider the recommendations made in the report.