23 June 2005

Report on Privacy Act released


Article by Angela Quintarelli and Kaman Tsoi

The Attorney-General this week released a report by the privacy commissioner into the operation of the private sector provisions of the Privacy Act (Act) entitled Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988. While the privacy commissioner, Karen Curtis, believes that 'there is no fundamental flaw with the private sector provisions in the Privacy Act', she has made 85 recommendations to improve the operation of the private sector provisions.

Some of the key recommendations of the report aim to provide for a more nationally consistent privacy scheme, particularly in the areas of health and telecommunications. Other recommendations were to consider amending the Act to:

  • apply to all residential tenancy databases
  • achieve EU 'adequacy' status
  • provide for short form privacy notices, to clarify the obligations on organisations to provide notice, and to clarify the links between National Privacy Principle (NPP) 1.3 and 5.1
  • provide that consumers have a general right to opt-out of direct marketing approaches at any time
  • provide that when an individual’s personal information is corrected in response to a request from the individual, the organisation should be obliged to notify third parties, where practicable, that they have received inaccurate information
  • give complainants and respondents a right to have the merits of complaints decisions made by the privacy commissioner reviewed
  • require organisations under NPP 1.3 to tell individuals where they acquired their personal information
  • require organisations under NPP 1.3 to tell individuals how they can complain to the organisation; and that, if the complaint is not resolved, they can also complain to the privacy commissioner or (where relevant) the code adjudicator
  • expand the remedies available following a determination under section 52 to include giving the privacy commissioner power to require a respondent to take steps to prevent future harm arising from systematic issues
  • modify the small business exemption so that the definition of small business is expressed in terms of the ABS definition, currently 20 employees or fewer, rather than annual turnover
  • apply to small businesses in the telecommunications sector, including internet service providers and public number directory producers
  • impose under NPP 4 an obligation on an organisation to ensure personal information it discloses to a contractor is protected
  • take into account the practice of due diligence
  • make clear that an organisation collecting personal information from an individual must take reasonable steps under NPP 1.3 to notify them of likely disclosures generally, including to public sector agencies of the Australian Government, state or local governments, other bodies and private individuals.

In addition to the recommendations to amend the Act, a number of recommendations were made for further guidance to be issued in relation to topics including:

  • transborder data flows
  • bundled consent
  • the relationship between the Act and Part 13 of the Telecommunications Act
  • the relationship between the Act and the Spam Act
  • data quality.

The Attorney-General will now consider the recommendations made in the report.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
