Executive Summary

Last month, the Federal Government announced that it will overhaul the privacy laws of Australia and implement a consistent privacy law regime. These changes will represent the most material reforms to Australian privacy law since the Privacy Act 1988 (Cth) was introduced over 20 years ago.

This announcement marks the first step in the move towards nationally consistent privacy laws across all Australian jurisdictions. When implemented, the reforms will:

  • eliminate overlapping standards in dealing with privacy between the public and private sectors at federal and state/territory levels;
  • simplify the privacy regime for Australian Government agencies and private sector organisations;
  • provide greater clarity and cut red tape in dealing with privacy issues;
  • introduce a right to privacy; and
  • bring Australia's privacy laws up to date with the information age.

Timeline

  • 3 December 2007 – Federal Labor Government sworn into office.
  • 11 August 2008 – Australian Law Reform Commission (ALRC) report entitled "For Your Information: Australian Privacy Law & Practice" (ALRC 108) (the ALRC Report) proposes 295 recommendations for improving privacy protection in Australia.
  • 15 October 2009 – The first stage of the Australian Government's formal response to the ALRC Report [1].
  • Early 2010 – Exposure draft of new privacy legislation to be published.

Current Privacy Laws are Outdated

The Privacy Act was implemented before the Internet and before the recent rapid developments in new technologies affecting mobile phones, e-commerce, social networking sites, surveillance devices and digital cameras, among others. Concerns about the complexity of the law, and confusion about how overlapping privacy laws apply at the federal and state/territory levels, have led to the Government's plans to enact a single privacy regime which will apply across the private sector as well as continuing to apply to the Commonwealth public sector.

First Stage

The Australian Government's first stage response to the ALRC Report addresses 197 of the 295 recommendations. Of these, 141 recommendations are accepted fully or in effect.

Briefly, these changes will involve a harmonised set of privacy principles, redrafting of the Privacy Act, a new comprehensive credit reporting framework, improvements in health sector information flows, and enhanced powers for the Privacy Commissioner (including a strengthening of the Privacy Commissioner's powers of investigation, compliance and enforcement).

The proposed changes will fall into the following categories:

  • The Privacy Act: Name, Structure, Objects, Definitions and Scope (Part A):
    • Achieving national consistency, with a new privacy framework and a redrafting of the Privacy Act.
  • Developing Technology (Part B):
    • Due to the challenges posed by new technologies, the impact of digital media and the increasing ability to store and transfer personal information, the role of the Privacy Commissioner will be confirmed to include conducting research to assist Australians in understanding the effect of technologies that impact on privacy.
    • Providing the capability for industry sectors to develop privacy codes, and allowing the Privacy Commissioner to require codes to be developed where appropriate.
    • Biometric information will be included in the definition of 'sensitive information'.
  • Interaction, Inconsistency and Fragmentation (Part C):
    • Consideration will be given by the Government to the impact of other laws on the protection of privacy and these issues will be reflected in the Privacy Act and other related legislation.
    • This will be part of an ongoing review.
  • The Privacy Principles (Part D):
    • A single set of Privacy Principles will be developed to protect personal information whether held by Australian Government agencies or relevant businesses in the private sector.
    • The principles will include:
      • specific requirements for various matters, such as the use and disclosure of personal information for the purposes of direct marketing, handling of government identifiers and use of health and credit reporting information;
      • an obligation to take reasonable steps to implement compliance with the Privacy Principles; and
      • greater accountability for entities that transfer information overseas.
  • Office of the Privacy Commissioner: Powers and Functions (Part F):
    • Additional duties and powers will be conferred on the Privacy Commissioner. These include:
      • a responsibility to investigate and resolve complaints relating to privacy issues;
      • an obligation to promote and enforce compliance with privacy obligations;
      • the power to require agencies to conduct 'privacy impact assessments';
      • the ability to undertake 'privacy performance assessments' of organisations' activities;
      • the responsibility to handle privacy complaints and gather information more effectively;
      • the power to compel appearances or production of documents; and
      • the ability to accept enforceable undertakings and seek civil penalties for serious or repeated breaches of the Privacy Act.
  • Credit Reporting Provisions (Part G):
    • A comprehensive credit reporting framework will be introduced in Australia. Industry will need to develop a mandatory and binding credit reporting code, with detailed standards for consistent compliance.
  • Health Services and Research (Part H):
    • Individuals will have a new right to have their health records transferred between health service providers (reasonable fees to apply), and to be told what will happen to their health records if their provider closes down or changes hands.
    • National consistency will exist in the public and the private health sectors.

Stage 2

The remaining 98 recommendations of the ALRC Report will be considered in Stage 2 of the Government's response to the ALRC Report. This stage, which will be addressed after legislation is passed to address Stage 1, will cover complex and contentious issues such as:

  • A scheme for compulsory data breach notification;
  • The creation of a cause of action for serious invasions of personal privacy; and
  • The removal of exemptions, including the exemption for small business. This will result in privacy obligations extending to all Australian businesses.

Conclusion

Extensive reforms to the privacy laws will be announced in the form of draft legislation in early 2010. It is imperative that businesses carefully consider their practices and systems for dealing with privacy issues and take steps in anticipation of the proposed privacy reforms.

Only time will tell whether the Government's ultimate goal of making the privacy laws simpler and easier to comply with is achieved. Further details of the reforms will be set out in future FocusPapers.

Footnote

1 http://www.pmc.gov.au/privacy/alrc_docs/stage1_aus_govt_response.doc
