Who will this affect?
- All businesses – including small businesses
- Health service providers
- All organisations which handle personal information
- Small business exemption removed – Privacy Act will apply to all businesses regardless of size or turnover
- New statutory cause of action for an "invasion of privacy"
- Increased powers for Privacy Commissioner
On 11 August 2008, the Australian Law Reform Commission ("ALRC") released its final report on privacy, entitled "For Your Information: Australian Privacy Law and Practice".
The report is the outcome of a wide-ranging review by the ALRC into the effectiveness of Australia's privacy regime. It contains 295 recommendations intended to promote the protection of individual privacy and the responsible handling of personal information.
Small businesses should be aware of the proposed changes, in particular, as one of the key recommendations is to remove the small business exemption from the operation of the Privacy Act 1988 (Cth). If this proposal is implemented, the Privacy Act would apply to all businesses regardless of size or turnover.
Many people will also welcome the creation of a statutory claim arising from an invasion of privacy.
The key recommendations include:
Unified Privacy Principles
At present, the Privacy Act provides for two sets of privacy principles, being the National Privacy Principles (NPPs) and the Information Privacy Principles (IPPs). The NPPs apply to certain private sector organisations and health service providers and the IPPs primarily apply to federal public sector agencies.
The ALRC has recommended that the NPPs and IPPs be streamlined into one set of principles which would apply to both public and private sector organisations – the "Unified Privacy Principles" (UPPs). The UPPs would be supplemented by regulations, industry-specific codes and guidance materials issued by the Privacy Commissioner.
Removal of small business exemption
Arguably the most significant recommendation is the ALRC's proposal to expand the application of the Privacy Act to all businesses regardless of size or turnover. At present, the Privacy Act applies to most private sector organisations which have a turnover of greater than $3 million and certain other organisations (including those which opt-in to the privacy legislation).
Removal of employee records exemption
The ALRC has also recommended the removal of the current exemption which applies to employee records held by an employer which is a private organisation. There are several exceptions which would apply, such as where disclosing the records would breach the confidence of a third party who supplied the material.
Statutory cause of action – "invasion of privacy"
In addition to the changes to privacy legislation, the ALRC has recommended the introduction of a statutory right to sue for an "invasion of privacy". Under the ALRC proposal, the action could be brought where there has been interference with home or family life, unauthorised surveillance, or sensitive facts relating to a person's private life have been disclosed. The affected person would be required prove that they had a reasonable expectation of privacy and that the breach was serious.
Increasing the powers of the Privacy Commissioner
At present, the Privacy Commissioner has limited powers to enforce compliance with Australia's privacy regime. In a bid to strengthen the Office of the Privacy Commissioner, the ALRC has recommended that the Commissioner be empowered:
- to commence court proceedings and to seek civil penalties where there has been a serious or repeated interference with the privacy of an individual;
- to order an organisation to conduct a "privacy impact assessment" in relation to new projects which may significantly impact on the handling of personal information; and
- to conduct an audit of an organisation's records to ensure compliance (a "Privacy Performance Assessment").
There are several other significant recommendations. These include:
- a new privacy principle dealing specifically with direct marketing;
- where there has been a breach of data security, a requirement to notify the Privacy Commissioner and the affected individual in certain circumstances;
- allowing a person to appoint a "nominee" to deal with matters relating to their personal information; and
- increasing the accountability of organisations which transfer personal information outside Australia.
The ALRC has also recommended a consistent national approach to privacy. This is a sensible move which is designed to overcome confusion about different obligations under state and federal legislation.
The Federal Government has indicated that they will introduce new privacy legislation in two stages, with the first round of changes due in the next 12 to 18 months. It is not known at present how many of the ALRC's 295 recommendations will be incorporated in this first stage.
We will be running detailed seminars on the proposed changes in October-November this year.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.