Client Update: ALRC releases privacy law report
11 August 2008
In brief: After undertaking the largest community consultation program in its 33-year history, the Australian Law Reform Commission today released its report on privacy law. Partners Peter Jones and Catherine Parr, and Special Counsel Karin Clark report.
The Australian Law Reform Commission (the ALRC) today released a report into privacy law, entitled For Your Information: Australian Privacy Law and Practice (the report). The report contains 295 recommendations for reform, including the following.
- The National Privacy Principles, which currently apply to the private sector, and the Information Privacy Principles, which currently apply to the Commonwealth public sector, will be replaced by a new set of Unified Privacy Principles (UPPs).
- The Privacy Act 1988 (Cth) should apply to all personal information held by the federal public sector and the private sector, to the exclusion of state and territory laws and the Commonwealth. State and territory governments should co-operate so that they enact legislation to regulate the handling of personal information in their public sectors by adopting key elements of the Privacy Act, such as the same set of privacy principles.
- The employee records exemption should be removed. Where it is undesirable for employees to have access to certain information (for example, access by an employee to evaluative material, such as referees' reports), reliance can be placed on the fact that providing access would lead to a breach of confidence.
- The small business exemption under the Privacy Act should be removed, but before it is removed, the Office of the Privacy Commissioner (the Privacy Commissioner) should help small businesses comply with the Privacy Act; for example, by providing education materials and templates for privacy policies.
- The exemption for registered political parties and for political acts and practices should be removed.
- On the credit reporting provisions of the Privacy Act:
  - Part IIIA of the Act should be repealed and credit reporting should be regulated under the general provisions of the Act, including new credit reporting regulations, and the UPPs;
  - there should be some expansion of the categories of personal information that can be included in credit reporting information held by credit reporting agencies to include: the type of each current credit account opened (eg mortgage, credit card, personal loan); the date on which each current credit account was opened; the credit limit of each current account; and the date on which each credit account was closed; and
  - a credit provider may list overdue payment information only where the credit provider is a member of an external dispute resolution scheme approved by the Privacy Commissioner.
- New regulations governing health information should be prepared, containing those requirements that are different or more specific than provided for in the model UPPs. Also, an intergovernmental agreement should be developed to ensure that the privacy regulation of health information is harmonised across Australia.
- Private sector organisations and Commonwealth agencies should be required to notify the Privacy Commissioner and affected individuals when a data breach has occurred that may give rise to serious harm to any affected individual.
- Federal legislation should provide for a statutory cause of action for a serious invasion of privacy, in circumstances including where:
  - there has been an interference with an individual's home or family life;
  - an individual has been subjected to unauthorised surveillance;
  - an individual's correspondence or private communication has been interfered with; or
  - sensitive facts about an individual's private life have been disclosed.

  The cause of action should apply only where:
  - the individual had a reasonable expectation of privacy; and
  - the act or conduct complained of is highly offensive to a reasonable person of ordinary sensibilities,

  and a court would also be required to consider whether the public interest in maintaining the claimant's privacy outweighs other matters of public interest.
- The penalty regime under the Privacy Act should be strengthened by allowing the Privacy Commissioner to seek a civil penalty in the courts, but only when there is a serious or repeated interference with privacy.
- The Privacy Commissioner should have the power to direct a federal agency to provide a Privacy Impact Assessment in relation to a new project (if it may have a significant impact on the handling of personal information) and to conduct Privacy Performance Assessments of the records of personal information of a private sector organisation.
Over the next few weeks, Allens Arthur Robinson will bring you more detailed analysis of the ALRC's recommendations and their implications.