Allens Arthur Robinson

Archive 2004

Federal Privacy Commissioner publishes case notes 16 - 19, 2004

December 2004

The office of the Privacy Commissioner has recently published a number of interesting new Case Notes, covering:

  • Unnecessary collection of personal information when exchanging a 'cash' cheque
  • Payment default listed on consumer credit information file when the individual had not applied for credit
  • Unauthorised payment default listed on consumer credit information file and credit reporting offences
  • Use of personal information for the purpose of direct marketing

For more, see our summaries or full case notes published on the Commissioner's website.

Medicare and PBS Privacy Guidelines to be reviewed

17 November 2004

The Privacy Guidelines (Guidelines), which apply to the handling of information by Government agencies connected to the Medicare and Pharmaceutical Benefits Programs, are to be reviewed. The Federal Privacy Commissioner, Karen Curtis, is asking all interested parties to make submissions in relation to the Guidelines which are set out in s135AA of the National Health Act 1953 (Cth).

Currently, the Guidelines apply to the Department of Health and Ageing and the Health Insurance Commission, and are designed to ensure that the Medicare and Pharmaceutical Benefits claims databases are kept functionally separate.

Principally, the Guidelines:

  • limit how long the Health Insurance Commission may retain identifying information about individuals;
  • restrict the circumstances in which the Department of Health and Ageing can receive identifying information from the Health Insurance Commission; and
  • limit the extent to which the two databases can be linked.

An Issues Paper has been released to help interested parties make a submission to the review. There will also be open forums held around Australia in November and December. A copy of the Issues Paper and details of the open forums may be found at www.privacy.gov.au/consultation/index_print.html.

The final date for submissions is 4 February 2005.

Commissioner seeks views about the private sector provisions of the Privacy Act

11 November 2004

Individuals and organisations are being encouraged by the Federal Privacy Commissioner Karen Curtis to give their views about the operation of the private sector provisions of the Privacy Act, which came into effect on 21 December 2001. This follows a request by the Attorney General, the Hon Philip Ruddock MP, that the Commissioner conduct a review of the provisions and consider whether they have met their objectives.

The Commissioner late last month released an Issues Paper to assist parties in commenting on the provisions. The Paper provides a framework through which people can more easily assess the provisions and their effect.

Submissions may be made in writing to the Office, or verbally at stakeholder forums to be held around the country during November and December. The closing date for submissions is 22 December 2004.

The Issues Paper, along with general submission information, can be viewed at: http://www.privacy.gov.au/act/review/index.html.

New privacy law introduced into Tasmanian Parliament

25 October 2004

The Personal Information Protection Bill 2004 has been put to the Tasmanian House of Assembly and received its first reading speech on 21 September 2004. The purpose of the Bill is to 'regulate the collection, maintenance, use and disclosure of personal information relating to individuals'.

The proposed regime would apply to 'personal information custodians' including state government agencies, statutory boards and government business enterprises, the University of Tasmania, as well as local councils and any other organisation or person who has entered into a 'personal information contract'; courts and tribunals are exempt. However, a personal information custodian may seek exemption from the proposed privacy obligations. The Minister for Justice and Industrial Relations would be responsible for determining (and revoking) any such exemptions.

The 'personal information protection principles' set out in Schedule 1 of the Bill are based upon the NPPs contained in the Commonwealth legislation, although aspects of the Victorian Information Privacy Act 2000 and the New South Wales Information Privacy Protection Act 1998 have also been taken into account. While the regime is similar in prescribing exemptions for public information and law enforcement information, the obligations in relation to 'employee information' are somewhat different, allowing both job applicants and employees to benefit from the privacy obligations to be imposed on employers.

Focus: Privacy

22 October 2004

Recent overseas court decisions point to the emergence of a new common law right to privacy. Articled Clerk Maree Norton, Special Counsel Karin Clark and Partner Katherine Sainty report on the potential implications for Australian organisations, particularly media organisations.

FPC releases more details of the consultation process for review of Privacy Act

27 August 2004

The Federal Privacy Commissioner Karen Curtis has released details of the consultation process for the review of the private sector provisions of the Privacy Act. The consultation process will involve the release of an issues paper and a two month period of consultation including the opportunity for people to make submissions before the report is finalised by the end of March next year.

The issues paper should be released in early October and will provide a framework for all interested to submit their views on how the private sector provisions of the Privacy Act are working. The closing date for submissions will be the end of November.

The Federal Privacy Commissioner's Office has also announced that it will conduct a number of meetings with key stakeholders including consumer and privacy advocacy groups, business representatives and members of the private health sector. It has also convened a steering committee whose members are:

  • Charles Britton, Senior Policy Officer, Information Technology and Communications, Australian Consumers' Association;
  • Peter Coroneos, Chief Executive Officer, Internet Industry Association;
  • Ian Gilbert, Director of Retail Regulatory Policy, Australian Bankers' Association;
  • Graeme Innes, Deputy Discrimination Commissioner, Human Rights and Equal Opportunity Commission;
  • John O'Brien, Senior Lecturer in Industrial Relations and Organisational Behaviour, University of New South Wales; and
  • Joan Sheedy, Assistant Secretary, Information Law Branch, Attorney General's Department.

The FPC announcement can be found at: http://www.privacy.gov.au/news/media/04_13.html

Review of Privacy Act announced

17 August 2004

A review of the operation of the private sector provisions of the Privacy Act 1988, which was foreshadowed when the provisions were enacted, has been announced.

Federal Privacy Commissioner Karen Curtis has been asked by Attorney-General Philip Ruddock to review the provisions, which have now been in place for almost 3 years.

The Commissioner has been asked to report by 31 March 2005.

The review will consider if the legislation has achieved its goal of creating a comprehensive national scheme for the private sector that regulates how organisations collect, use, store, disclose and transfer individuals' personal information. It will also assess whether the provisions achieve this goal in a way that recognises individuals' interests in protecting their privacy and meets Australia's international obligations relating to privacy, while allowing a balance to be struck with other human rights and social interests, including the general desirability of a free flow of information and the right of business to achieve its objectives efficiently.

The Attorney's announcement also requested that, as certain aspects of the private sector provisions are, or have been, the subject of separate review, the Privacy Commissioner exclude review of:

  • genetic information;
  • employee records;
  • children's privacy; and
  • electoral roll information, and the related exemption for political acts and practices.

The Privacy Commissioner has stated that her Office will be consulting widely and has strongly encouraged participation by all stakeholders. Details and process for the review will be announced shortly.

New privacy website initiatives launched

4 August 2004

Two new initiatives recently launched on the Office of the Federal Privacy Commissioner's website will 'help people to better know their privacy rights', according to the Federal Privacy Commissioner Karen Curtis. The privacy website now includes multilingual web pages and a new online interactive site called ComplaintChecker.

The multilingual pages are available in 11 languages including Arabic, Chinese, Greek, Italian, Korean, Russian, Serbian, Spanish, Thai, Turkish and Vietnamese, and allow non-English speakers to email the office to organise to speak by phone with a representative and an interpreter.

The pages can be accessed at: http://www.privacy.gov.au/privacy_rights/languages.

The ComplaintChecker will assist people in understanding how to make a complaint by asking the complainant step-by-step questions and then indicating whether the Office would be likely to investigate the matter based on the answers given to those questions. The ComplaintChecker is designed to help the public better understand the scope of the Privacy Act quickly, and without the need to read detailed information about it.

This interactive site can be viewed at http://www.privacy.gov.au/privacy_rights/ComplaintChecker/index.html.

New Privacy Commissioner to adopt softer approach to Privacy compliance

4 August 2004

In a statement which will be welcomed by Australian business, Australia's new Privacy Commissioner Karen Curtis has been reported in The Australian as announcing her intention to adopt a more educative approach to Privacy regulation, rather than threatening businesses with penalties for non-compliance.

This softer approach would represent a move away from that of her predecessor Malcolm Crompton, who emphasised the possibility of prosecution for businesses which are apathetic about their privacy obligations.

It is reported that Ms Curtis is convinced that businesses have "adopted a culture of compliance, especially in big business" and that "there's been an attitude change."

According to the article, Ms Curtis pointed out that Privacy Act regulations impact disproportionately on small business, and said that "for small businesses covered by the legislation, it is harder to comply because of the call on their resources."

"We need education and awareness programs so that they know their obligations, and to help them meet their compliance requirements. It's important to have dialogue with them and work with them wherever possible," Ms Curtis is quoted as saying.

The Australian also reported that the Australian Privacy Foundation has expressed concern at Ms Curtis' 'soft-touch' approach and would prefer to see that she take a more rigid stance, with an example being made of offenders.

A formal review of the Privacy Act is planned for this year, with lobby groups from both sides arguing their cases.

New Federal Privacy Commissioner appointed

15 June 2004

Ms Karen Curtis has been appointed as the new Federal Privacy Commissioner and will take up her appointment on 12 July 2004.

Ms Curtis was recently the Director of Industry Policy for the Australian Chamber of Commerce and Industry (ACCI).

In the six years that Ms Curtis was with the ACCI, she had responsibility for a range of industry policy issues affecting the competitiveness of Australian business including innovation, electronic commerce, telecommunications, regulatory reform, food policy, government purchasing, energy policy, and privacy. She also had responsibility for ACCI's Environment agenda, where key issues were climate change, packaging, eco-efficiency and cleaner production.

In September 2002, Ms Curtis was appointed to the Privacy Advisory Committee, which advises the Federal Privacy Commissioner on privacy issues and provides strategic input to key projects undertaken by the Federal Privacy Commissioner.

The Privacy Act: no more a 'toothless tiger'?

2 June 2004

In a first for Australia, the Federal Court has granted an injunction to stop a breach of privacy law. The decision has implications for all businesses bound by the National Privacy Principles (NPPs), particularly call centres, telemarketers and businesses with large customer databases.

The case arose when a union retained a call centre to contact the employees of Seven Network (Operations) Limited (Seven) (using an internal Seven directory of employees obtained without a licence from Seven) to ask those employees about their reactions to a proposed enterprise agreement. Seven applied to the Court for an injunction against the union and the call centre. The injunction was sought on several grounds and Seven was successful in relation to its claims of breach of copyright in the internal directory and breach of the Privacy Act.

The case makes it clear that if an organisation breaches, or is about to breach, an NPP, a complainant can go directly to the Federal Court or the Federal Magistrates Court to stop or prevent the breach.

Even more significantly, it is not just the individuals concerned, or the Privacy Commissioner, who can ask for an injunction under the Privacy Act. Any other party with sufficient standing (such as Seven in this case) can apply for such an injunction. Thus, for example, if a business obtains the customer list of a competitor, the competitor might be able to apply to the Court to prevent the use of the list in breach of the Privacy Act.

This case is therefore a timely reminder that privacy law compliance needs to be taken as seriously as any other legal compliance, and that a breach of privacy laws can be very costly for a business.

New Complaint Determination: when can an individual reasonably expect their information to be disclosed?

13 May 2004

In this case, a public servant from the ACT Department of Justice and Community Safety complained to the ACT Ombudsman about some of the Department's actions. In response to the Ombudsman's inquiries about the complaint, an officer of the Department identified the complainant and revealed that this was not the first time the public servant had made that complaint. The officer also made a number of statements about the complainant to the Ombudsman, including details about the complainant's problems at work and the fact that the complainant was a bookie at racetracks.

The complainant claimed that the Department's disclosure to the Ombudsman interfered with their privacy.

The public sector provisions of the Privacy Act provide that a record-keeper must not disclose an individual's personal information, except in certain circumstances. In this determination, the Commissioner had a closer look at two of these circumstances.

Disclosure of personal information is allowed if the individual would reasonably expect that information to be passed on to the relevant body. It was determined that the employer, the Department, was entitled to tell the Ombudsman about the identity of the public servant, as this would be reasonably expected, but was not allowed to reveal other personal information.

Disclosure of personal information is also allowed where the disclosure is 'required or authorised by law', but again, the exception is limited to disclosure of information which is relevant in the circumstances.

The Commissioner found that the Department interfered with the Complainant's privacy.

This Determination provides useful guidance about the scope of the exceptions to the general rules against disclosing personal information, both in the private and public sectors.

The Determination can be found at: http://www.privacy.gov.au/act/casenotes/comdeter0405.doc.

Naomi Campbell wins privacy appeal in the House of Lords

13 May 2004

Celebrity model Naomi Campbell has won her appeal to the House of Lords in her long running breach of confidence case against the British tabloid, the Daily Mirror.

In 2001 the Daily Mirror published an article, together with photographs, about supermodel Campbell's attendance at Narcotics Anonymous meetings. Campbell received somewhat nominal damages in her successful suit in the High Court, the decision of which was overturned by the Court of Appeal in 2002.

In the House of Lords, all the judges agreed that, in relation to a cause of action for breach of confidence, there is an inherent tension between the right to respect of private life (from Article 8 of the European Convention on Human Rights) and the right to freedom of expression (Article 10) and that there is a need in each case to strike a balance between these competing rights. In this case, the differences of opinion related to the specific facts of the case and whether the Daily Mirror went too far in publishing photos of Ms Campbell, rather than simply reporting that she was a drug user when she had previously asserted that she was not.

Lord Hope (who found in favour of Campbell) said that the underlying question in all cases where there has been an alleged breach of confidence, is "whether the information disclosed is private and not public". His Lordship stated that the test of whether information is private is whether a person of ordinary sensibilities in the individual's position would be substantially offended by the disclosure. Baroness Hale stated that it is a long held principle that information about a person's health and treatment for ill-health is both private and confidential.

This case arguably further develops UK privacy law, which has shifted since the incorporation of the European Convention on Human Rights into UK law by the Human Rights Act 1998. It may also influence the thinking of Australian judges if similar cases come before the Australian courts, when considered together with other decisions such as the recent New Zealand Court of Appeal case (Hosking v Runting) which confirmed that there is a separate cause of action in New Zealand for giving unreasonable publicity to private facts.

New guide for directors about their privacy obligations now available

13 May 2004

The Office of the Federal Privacy Commissioner has released a guide which will help directors better understand privacy law in Australia and how their companies can benefit from complying with it.

The guide, entitled 'Privacy & Boards - What You Don't Know Can Hurt You', outlines the National Privacy Principles under the Privacy Act 1988 (Cth), and gives practical advice for directors which will help them not just to comply with the law, but also to improve their client relations and ultimately the company's bottom line.

The guide sets out examples where a lack of attention to privacy issues has had profound financial consequences for certain companies, including, in some cases, litigation, damage to brand and reputation, and share market price drops. Further, it explains that companies which give priority to protecting clients' information stand to gain on numerous levels. For example, an increasingly privacy-sensitive public is starting to prefer to do business with organisations that show a commitment to privacy and security.

Finally, the guide outlines practical ways in which directors can ensure that their companies both comply with the Privacy Act and benefit financially from higher awareness of privacy issues. These include having privacy expertise on the board and establishing a privacy committee.

An electronic copy of the guide is available from: http://www.privacy.gov.au/publications/privacydirectors.pdf.

Tenancy database operator breaches the Privacy Act

19 April 2004

The Federal Privacy Commissioner has issued four complaint determinations that strengthen the privacy rights of tenants whose tenancy history is held in a retail tenancy database. The Commissioner found that TICA Default Tenancy Control Pty Ltd, which operates one of Australia's largest databases, breached the Privacy Act by:

  • charging an excessive amount for people to access their tenancy record;
  • failing to advise tenants adequately about the collection of their personal information;
  • failing to have appropriate measures in place to check the quality of data; and
  • failing to destroy information when no longer required.

TICA was ordered to cease the offending practices, and it was recommended that it implement a variety of new procedures, including:

  • charging tenants less to access their information;
  • deleting information when it is no longer needed;
  • developing new collection forms clearly indicating information handling practices; and
  • commissioning an independent audit of information held in the database.

The Commissioner also noted that appropriate information handling practices were particularly important when dealing with such a fundamental right as having a home.

The complete determinations are available at privacy.gov.au.

NSW Anti-Cyber Snooping Bill

5 April 2004

New South Wales Attorney-General, Bob Debus, recently announced the Government's plans to become the first Australian state to extend workplace surveillance legislation to regulate employer use of tracking devices, email surveillance and other forms of 'cyber snooping'.

Speaking in Parliament on March 30, Mr Debus recognised that the growth in online communication within workplaces has not been matched by legislation governing employer surveillance of such activity: 'To date the law has not provided any guidance as to when legitimate employer caution crosses the line into unacceptable cyber snooping.'

The proposed legislation will seek to strike an appropriate balance between employer interests in the protection of intellectual and commercial property and employee privacy rights, and is expected to mirror the model adopted under the Workplace Video Surveillance Act 1998 (NSW).

Under the new law, employers wishing to monitor cyber activity must either:

(a) Provide employees with reasonable notice of such intention (for example, through the appearance of a warning box on computer screens); or

(b) Obtain a court order permitting surveillance. Such orders will only be granted if the employer is able to demonstrate reasonable grounds for suspecting that their employee is engaged in unlawful activity.

Failure to comply with the above requirements will constitute a criminal offence.

The Exposure Bill will be released later this month.

Discussion paper to review the privacy protection of employee records

24 February 2004

A discussion paper on information privacy and employee records, jointly prepared by the federal Attorney-General's department and the Department of Employment and Workplace Relations, has recently been released. The discussion paper forms the basis of a consultation being conducted by officers of both Commonwealth Departments about various options for the additional privacy protection of employee records, which are currently exempt from the National Privacy Principles under the Privacy Act 1988.

The options include modifying the scope of the employee records exemption (for example to exclude sensitive information) or amending the Privacy Act so that the exemption only applied to low risk privacy principles. Another option mentioned is to amend the Workplace Relations Act so that one piece of legislation governs general record-keeping obligations and privacy requirements in relation to employee records. Yet another is to amend the Workplace Relations Act to direct parties to consider, or compulsorily require, privacy provisions in certified agreements or Australian workplace agreements.

The release of the discussion paper was welcomed by the Federal Privacy Commissioner, Malcolm Crompton, who encouraged all persons with an interest in this area to make a submission. Submissions close on 16 April.

Privacy Commissioner warns that Ticketmaster7 privacy errors indicate wider problems

16 February 2004

Federal Privacy Commissioner, Malcolm Crompton, has concluded his investigation into  Ticketmaster7's online inquiry service, finding a breach of the federal Privacy Act.  When people made use of the online enquiry service they were given a unique web site address in order to be able to track the progress of their enquiry.  However, if the enquirer typed in four different numbers at the end of the web address the details of other Ticketmaster7 enquirers came up.

The Commissioner commended Ticketmaster7 on its quick response to the privacy breach and said he was satisfied with the measures that Ticketmaster7 have put in place since the problem was discovered. 

However, he expressed his disappointment that businesses which have been covered by the Privacy Act for several years are still not meeting their obligations under the Act. The Commissioner has urged all organisations to learn from the Ticketmaster7 issues and to ensure that they do not make the same errors, warning that he will be keeping a close eye on online business activities. He said that there is no longer any excuse for not having privacy built into information technology system re-design and/or upgrades.

In a press release, the Commissioner urged people who know of Australian web sites with inadequate security to contact his office.

Client update: Privacy

8 January 2004

The Spam Act 2003 received royal assent on 12 December 2003 and its key operative provisions will come into force on 10 April 2004.

Commencement of Spam Act

The Spam Act 2003 received royal assent on 12 December 2003 and its key operative provisions will come into force on 10 April 2004. The key provisions include prohibitions against sending unsolicited commercial electronic messages and the supply, acquisition or use of electronic address-harvesting software and address lists produced using such software. Other key provisions include an obligation to incorporate certain identifying information and a functional unsubscribe facility in commercial electronic messages.

Some provisions of the Spam Act, however, came into operation on 12 December 2003 and these are set out below.

(a) Part 1 - Introduction

Part 1 of the Spam Act consists of sections 1 to 14, which are predominantly definitional provisions. Part 1 also outlines the commencement and application of the Spam Act.

(b) Section 42

Section 42 establishes additional functions of the Australian Communications Authority (ACA), which include conducting and/or coordinating community education programs, conducting and/or commissioning research and liaising with regulatory and other relevant overseas bodies about:

(i) unsolicited commercial electronic messages; and

(ii) address-harvesting software.

(c) Section 47

This provision allows the Governor-General to make regulations that are required or permitted under the Spam Act or regulations that are necessary or convenient for giving effect to the Spam Act.

(d) Schedule 2

Schedule 2 defines the expression 'consent' for the purposes of the exception to the prohibition on sending unsolicited commercial electronic messages (section 16).

For more information on the key provisions of the Spam Act, see December Focus: Communications, Media & Technology.