The ALRC's final report on privacy, "For your information: Australian Privacy Law and Practice", was released on 11 August 2008.

Background information

The ALRC 108, consisting of 3 volumes and 2700 pages, is the culmination of a massive research and consultation exercise conducted over 2 years, and recommends 295 changes to privacy laws and practices in Australia. A full copy of the report can be accessed from the ALRC's website at www.alrc.gov.au.

Key recommendations as outlined by ALRC:

Simplification and streamlining: A basic restructuring of the Privacy Act is required, focused on high-level principles of general application, to be supplemented by dedicated regulations governing specific fields, such as health privacy and credit reporting.

Unified privacy principles and national consistency: a single set of Unified Privacy Principles (UPPs) to replace the current public sector Information Privacy Principles and private sector National Privacy Principles. The UPPs will apply to all federal government agencies and the private sector. It is recommended that they also be applied to state and territory government agencies through an intergovernmental cooperative scheme, so that the same principles and protections apply across Australia no matter what kind of agency or organisation is handling the information. A new principle on direct marketing is included in the proposed UPPs.

Regulating cross-border data flows: an agency or organisation that transfers personal information outside the country remains accountable for it, except in certain specified circumstances.

Rationalisation of exemptions and exceptions: the Privacy Act should be amended to rationalise the complex web of exemptions and exceptions. Exemptions should be permitted only where there is a compelling reason, and the ALRC recommends removal of the current exemptions for political parties, employee records and small businesses.

Improved complaint handling and stronger penalties: the Privacy Commissioner's complaint handling procedures should be streamlined and strengthened, and the federal courts should be empowered to impose significant civil penalties for serious or repeated breaches of the Privacy Act.

More comprehensive credit reporting: in addition to the limited types of 'negative' information currently permitted, it is recommended that some additional categories of 'positive' information should be allowed to be added to an individual's credit file, in order to facilitate better risk management practices by credit suppliers and lenders. These categories of information would include: the type of each current credit account opened (e.g. mortgage, credit card, personal loan); the account opening date; the credit limit; and the account closing date. The ALRC also recommends that the Government amend the Privacy Act to allow credit reporting to include information about an individual's repayment history only after it is satisfied that there is an adequate framework imposing responsible lending obligations in Commonwealth, state and territory legislation.

Health privacy: apart from the general approach to simplification and harmonisation of privacy laws, the ALRC recommends the drafting of new Privacy (Health Information) Regulations to regulate this important field. Recommendations are also made to deal with electronic health records, and the greater facilitation of health and medical research.

Children and young people: consultations with children and young people indicated that they wish to retain control over the personal information that they post on social networking websites, but were unaware of the extent to which such information remains available even after it has been 'deleted'. The ALRC recommends that regulators and industry associations intensify efforts to educate young people about these issues.

Data breach notification: government agencies and business organisations should be required to notify individuals and the Privacy Commissioner where there is a real risk of serious harm occurring as a result of a data breach.

Cause of action for a serious invasion of privacy: federal law should provide for a private cause of action where an individual has suffered a serious invasion of privacy, in circumstances in which the person had a reasonable expectation of privacy. Courts should be empowered to tailor appropriate remedies, such as an order for damages, an injunction or an apology. The ALRC's recommended formulation sets a high bar for plaintiffs, having due regard to the importance of freedom of expression and other rights and interests.

Response by Government

In his speech during the launch of the ALRC 108, Senator John Faulkner (Cabinet Secretary and Special Minister of State) said that due to the large number of recommendations, the Government proposes to consider the report in 2 stages, with the possibility of legislating on the first stage of reforms within 12 to 18 months.

The first stage will focus on the recommendations relating to the unified privacy principles (UPPs), health and credit reporting regulations and improving education about the impact of new technologies on privacy. The second stage will consider the recommendations relating to the removal of exemptions, data breach notices and the tort of privacy.

Response by the Privacy Commissioner

In a media release of 11 August 2008, Karen Curtis (Privacy Commissioner) welcomed the release of the report and stated that her office would be advising the Government on its assessment of the report's recommendations.

What does this mean to you?

The proposed changes to the privacy laws and practices will affect your current privacy policy and the way you handle your customers' personal information. It is important that you start reviewing the recommendations and keep up with the proposed legislative changes. We will be able to assist in making future submissions on your behalf.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.