Australia: Proposed changes to the Privacy Act, and the Privacy Act in action: the Privacy Commissioner’s decisions in 2009

Privacy: Who cares?
Last Updated: 15 March 2010
Article by Lisa Vanderwal

1. Introduction

The Australian Government has said that it will provide an update to the Privacy Act 1998 ("Act") in early 2010. As we are well into "early 2010", I recommend that all those holding their breath for the draft legislation release it.

At a very high level, the government intends to amend the Act in two stages. The first stage is a fairly standard (though long awaited) review of the Act. The really interesting issues will be addressed in stage 2. These issues include the removal of the small business exception, the removal of the employee records exemption, the introduction of a legal remedy for a serious invasion of privacy, handling of personal information under the Telecommunications Act 1997, and resolving national inconsistencies of privacy regulation. Unsurprisingly, there has not been any date set for stage 2, and whether there will in fact be any stage 2 may depend on which government is in at the time.

2. Changes

So, what are the proposed amendments in stage one? I'm glad you asked. Here are some of the highlights.

The National Privacy Principles (NPPs) and the Information Privacy Principles (IPPs) will be replaced by a single set of Uniform Privacy Principles ("UPPs"), which will apply to private organisations and Commonwealth agencies (generally referred to as "organisations" in this article).

Certain acts or practices are authorised "by or under law". The ambit of "law" has been a matter of some discussion. The Privacy Commissioner has taken a fairly broad view (see one of the Privacy Commissioner's decisions, below) and this broad view will now be included in the legislation. Law will include (so it won't be an exhaustive list) Commonwealth, State and Territory Acts and delegated legislation, common law or equitable duties, an order of a court or tribunal, or documents given the force of law by an Act, such as industrial awards. To avoid parties contracting out of their obligations under the Act, contracts will be specifically excluded from the definition of "law".

The receipt of unsolicited personal information has challenged some organisations in the past (see one of the Privacy Commissioner's decisions, below). Accordingly, upon receipt of unsolicited personal information, an organisation must decide, as soon as practicable, whether or not it will keep it. If not, the organisation must promptly destroy the unsolicited information. If the organisation decides to keep it, it must comply with all the UPPs, including notifying the relevant individuals that their personal information has been collected.

There is a general exemption that personal information can be disclosed if an individual's life or health is in imminent danger. The government proposes to remove the "imminent" requirement, which it now sees as too restrictive.

Many of us in the past have received unsolicited phone calls or correspondence, and wanted to know how they got our details. One of the proposed amendments to the Act will allow us to find out. If an organisation engages in direct marketing with an individual who is not an existing customer, the organisation must advise the individual where it got their personal information if the individual asks.

If an organisation has disclosed personal information to someone else (where entitled to), and the individual subsequently updates or corrects it, the organisation that made the original disclosure will have to pass the updated information on to everyone it disclosed the information to. I for one will be very interested to see how this is actually going to work.

Organisations will remain accountable for personal information transferred outside Australia (including to a related body corporate) other than in restricted circumstances (required by law, consent, subject to equivalent laws). The previous exception, where the overseas party is subject to a binding contract to protect the personal information, will be removed. The government's reasoning is that the individual can't take action in relation to a breach of such a contract. I know from personal experience that this is a very useful and much-used exception; again, I suspect that this may create problems in practice, particularly where an organisation needs to transfer personal information to areas that do not have particularly strong privacy protections, such as Asia, the US or South America.

Credit reporting is a major area of contention - see several of the Privacy Commissioner's decisions, below. The changes to the Act will mean that organisations will also be prevented from disclosing credit reporting information to foreign credit providers, and will not be obliged to maintain information about foreign credit. In addition, to allow credit providers an independent and easily attainable source of information about an individual's willingness (or ability) to repay, the information that can be included in credit reference records will be expanded to include the type of credit account (eg. mortgage, personal loan, credit card etc), the date on which a credit account was opened and closed, the limit of the credit account and the person's repayment performance history over the immediately preceding two year period including the number of repayment cycles that the individual was in arrears.

3. Examples

However, enough of this legal background. How about where organisations have got it wrong in the past? How did they get it wrong, and what happened? Here is a summary of some of the cases that the Privacy Commissioner investigated last year.

  1. Some of these cases highlight that a breach of the Act can have an important impact on the individual, particularly where the personal information was not checked.

    A Commonwealth agency investigated the conduct of an employee, including preparing a report of that individual's work attendance. The employee claimed the attendance record was incorrect, and that no reasonable effort had been made to ensure it was correct. The Commissioner compared the attendance report with the individual's time sheet and building access records, and looked at how the agency checked the attendance information before finalising the report. The Commissioner found the attendance report contained inaccurate personal information which the agency could have avoided if it had re-checked the dates. It was a particularly severe breach of the Act because the attendance report was used in making a decision about the employee's conduct. A conciliation took place, followed by a payment to the individual.

    A Commonwealth agency sent a letter confirming details of an individual's new name (changed by deed poll to escape domestic violence) and address to the individual's previous address (where they suffered the domestic violence). The individual incurred medical and removal costs because of the disclosure, and while the agency admitted the mistake, it refused to pay for the individual's costs. The Privacy Commissioner conciliated the matter, the individual provided more evidence of costs incurred, and the agency paid an amount in compensation.

  2. Some of the cases show that no matter how much privacy training you have, "stuff happens". Computer or human glitch, you sometimes have to watch out for the unexpected.

    A passer-by found a scrapbook in a shopping centre car park with stories, and personal details, of customer incidents put together by staff at a retailer's call centre. The retailer stated it was unaware of the scrapbook, and had privacy protections in place, including induction, on-going staff training and a quality control team that monitored customer calls. To prevent a similar occurrence, the retailer counselled and formally warned all employees involved in the scrap book, implemented additional privacy training and updated its training material to refer specifically to the incident.

    A number of medical documents, including personal and sensitive information, were found scattered in a public park next to a private medical centre. The medical centre, which had already started its own investigation, found that a lock on a medical waste bin, kept at the back of the medical centre, had been broken. Several other facilities at or around the park had also been vandalised. Due to the sensitivity of the information, the Privacy Commissioner and the medical centre discussed a number of steps to keep the personal information secure, including having secure fencing installed around the medical centre, moving the secure bin inside the medical centre, upgrading the lock, and obtaining a shredder so documents could be securely destroyed on-site.

    A credit provider listed a default on an individual's consumer credit information file which was statute barred, and failed to notify the relevant credit reporting agency once it knew that the default was statute-barred. The issue arose because of computer glitches. The credit provider apologised to the individual, removed the debt from the credit file, revised its process for identifying statute-barred debts and trained its staff on managing statute-barred debts.

  3. Other cases highlight that the application of the Act isn't just mechanical compliance, sometimes you have to think about it – like when you get unsolicited information, receive information in confidence, or take on an unauthorised role...

    A party to a joint bank account amended the signature authority on the bank account after a dispute, and advised the bank of the dispute. A relative of the other signatory later contacted the bank and discussed further details of the dispute. Based on this unsolicited information the bank unilaterally modified the signature authority, without attempting to verify the information. The bank argued that it did not collect information from the relative because it did not ask for it - the information was unsolicited. However, the Commissioner took the view that collection can occur from any source and by any means. There was also a collection because the bank had acted on the information. The Commissioner also found that it was reasonable and practicable to collect the personal information from the individual, rather than a third party. This was a particularly serious breach of the Act because it had an effect on the complainant's finances. The bank compensated the individual for its interference with that individual's privacy.

    An individual applied to acquire a car dealership. The individual's referees provided information about the individual on the condition that it be treated confidentially. When the application was unsuccessful, the individual sought access to the referees' information, which the car dealership refused on the basis that doing so would be a breach of its duty of confidence to the referees. The Privacy Commissioner's view is that common law and equitable obligations constitute 'law' for the purposes of the Act. Accordingly the car dealership was not only entitled to refuse access because providing access would be unlawful, but was required or authorised by law to deny such access.

    A health service provider listed an unpaid debt with a credit reporting agency. The individual affected claimed the debt was not related to "credit" as defined by the Act and Determinations. The health service provider argued that according to its research, it was a credit provider. The Privacy Commissioner considered the health service provider didn't have a sufficient credit relationship with the individual, and was not a credit provider in accordance with the Determinations. In addition, given the potentially serious financial consequences of listing the payment default, the Commissioner was of the view that the health service provider should have undertaken additional steps, such as seeking legal advice or contacting the Commissioner's Office. The health service provider removed the payment default, stopped reporting overdue accounts to a credit reporting agency, and paid compensation to the individual.

  4. And in other cases, the action leading to the breach of privacy is just a little bit careless...

    An individual lodged a claim with their insurance company for damage done to their home. Not satisfied with the repairs, the individual wrote to the insurance company to let them know. When the repairer then contacted the individual, angry about the statements made in the letter, the individual claimed the insurance company had inappropriately disclosed a copy of the letter to the repairer. The Privacy Commissioner found that the individual would reasonably expect the insurance company to disclose the substance of the complaints, but would not have expected that a full copy of their letter would be disclosed directly to the repairer. The insurance company apologised and agreed to amend its staff training program in relation to customer complaints.

    An individual, who was under mistaken surveillance (it should have been their relative under surveillance!), requested access to their photos and recordings collected by the organisation that requested the surveillance. The organisation didn't respond, and upon investigation claimed that it had never received any correspondence in relation to the matter. However, the organisation subsequently destroyed all personal information about the individual held by it and its solicitors, and no further action was taken.

    An individual worked for a large cleaning company for several years before resigning. After the resignation, an organisation to which the individual owed money contacted the cleaning company seeking information about the individual. The cleaning company disclosed personal information to the organisation, including the individual's address and financial details. The cleaning company relied upon the employee records exemption as the reason for not complying with the NPPs. However, the Privacy Commissioner found that the disclosure was not related to the individual's employment and was therefore not exempt. The matter was conciliated, the cleaning company apologised to the individual and agreed to develop and implement privacy training for its staff.

So, from the interest in the amendments to the Act, and from the complaints made to the Privacy Commissioner (I have summarised just a few), it seems that the answer to the title of this article, who cares about privacy, is that we do.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.