Client Update: Australian Government's response to ALRC privacy law report
20 October 2009
In brief: The Australian Government has released the first stage of its response to the ALRC's report on privacy law. Partner Catherine Parr, Special Counsel Karin Clark and Lawyer Jacqueline Goodall report.
On 14 October 2009, the Australian Government released the first stage of its response to the Australian Law Reform Commission's (ALRC) report into privacy law, For Your Information: Australian Privacy Law and Practice (the report). We summarised the recommendations of the ALRC report in a series of Focus articles in 2008: ALRC releases privacy law report; The new Unified Privacy Principles; Credit reporting and credit information; Privacy Commissioner's new guide on notification of data breaches; Reforming privacy and health information.
The first stage of the Government's response addresses 197 of the 295 recommendations in the ALRC's Report. Of these, 141 recommendations have been accepted, either in full or in principle, and a further 34 have been accepted with qualification.
Many of the accepted recommendations will require changes to the Privacy Act 1988 (Cth) and other privacy legislation.
The Government has accepted the ALRC recommendation to enact a single set of Privacy Principles to apply to both the Commonwealth public sector and relevant businesses in the private sector, replacing the National Privacy Principles (which currently apply to the private sector) and the Information Privacy Principles (which currently apply to the Commonwealth public sector). While the Government did not respond specifically to all of the model Unified Privacy Principles drafted by the ALRC, its acceptance of the following ALRC recommendations gives some indication of the changes to the current regime for privacy protection that can be expected in the draft exposure Bill to be released early next year.
Definition of 'personal information' – this should be amended in accordance with the ALRC's recommendation, which the government believes will enable sufficient flexibility for the definition to encompass changes in the way that information that identifies an individual is collected and handled, and will bring the definition into line with international standards.
Sensitive information – the requirement that sensitive information be afforded a higher level of protection should apply to both the public and private sectors. It is also proposed that (even if the individual has not consented) sensitive information may be collected if authorised by law (currently the collection has to be 'required' by law) or where there is a serious threat to the life, health or safety of an individual (currently the threat must be imminent as well as serious, and safety is not a factor).
Unsolicited information – should be destroyed as soon as practicable without using or disclosing it, otherwise the information is to be treated as if the organisation had taken active steps to collect the information, ie the Privacy Principles will apply to that information.
Access and correction – an individual's right to access and correct his or her own personal information, whether held by an agency or a private sector organisation, should be provided, to the extent possible, under a single privacy principle. In addition to an individual's current rights, individuals should be provided with the right to correct information that is misleading or not relevant to the purpose for which the information is held. If an individual asks an organisation to correct information it holds about the individual, the organisation should, in addition to correcting its own records, take reasonable steps to notify other entities to whom the organisation has disclosed the relevant information, if requested to do so by the individual and provided such notification would be practicable in the circumstances.
Cross-border protection – reasonable steps should be taken (when information is collected) to notify individuals if their personal information is likely to be transferred overseas and where it may be transferred to. Organisations and agencies will remain accountable for personal information that is transferred overseas unless:
- the individual consents, after being expressly advised that the consequence of consent is that the agency or organisation will no longer be accountable for the information;
- there is a legal requirement or authorisation for transfer;
- there are strong public interest grounds (such as serious threat to life, health or safety, or to investigate unlawful activity or serious misconduct, or to investigate or punish criminal offences or breaches of prescribed laws); or
- the recipient of the information is subject to a law or binding scheme that upholds protections similar to the Privacy Principles and there are accessible mechanisms for individuals to enforce their privacy protection.
A contract between an Australian organisation or agency and an overseas recipient, binding the overseas recipient to observe the Privacy Principles, will not be sufficient on its own to remove the Australian transferor's accountability for the information. Individuals must have an effective mechanism for enforcing their rights against the overseas recipient before an Australian transferor can be relieved from accountability.
Developing technology – the Act should be technology-neutral and aim to protect personal information, whatever the medium. The Privacy Commissioner will have an enhanced role in conducting research on privacy-enhancing technologies and publishing guidance and educational materials relating to their use and impact on privacy. The Privacy Commissioner will have the power to request development of sector-specific privacy codes and discretion to develop and impose codes where an adequate code is not developed or approved by the relevant sector.
Direct marketing – this should be regulated by a new and separate privacy principle, with no age-based distinctions. The principle should distinguish between direct marketing to individuals who are existing customers and individuals who are not existing customers.
Credit reporting – a number of key changes to the regulation of credit reporting will be made, including the following:
- the introduction of more comprehensive credit reporting, supported by the general protections in the Privacy Principles. The Government accepted the expansion of the categories of personal information that can be included in credit reporting information held by credit reporting agencies to include: the type of each current credit account opened (eg mortgage, credit card, personal loan); the date on which each current credit account was opened; the credit limit of each current account; the date on which each credit account was closed; and certain information in relation to credit repayment history;
- a credit provider may only list information with a credit reporting agency if it is a member of an external dispute resolution scheme approved by the Privacy Commissioner;
- the Government recognises that Part IIIA of the Privacy Act is currently overly complex and prescriptive and should be re-drafted to provide 'more user-friendly' regulation of credit reporting, which will be defined to extend to reporting on credit to purchase or refinance residential investment properties (in line with the regulation of such credit under the National Consumer Credit Protection Bill 2009);
- the Government will prohibit the use of credit reporting information for direct marketing but will conditionally allow its use for 'pre-screening' to remove adverse credit risks from marketing lists; and
- the Government will consider the use of credit reporting information for the identification and verification required under anti-money laundering and counter-terrorism financing laws when it reviews those laws.
Health and research – individuals should have the right to request transfer of their health records (reasonable fees may apply) and be informed about what will happen to their health record if their provider closes down or changes hands. The Government also supported proposals to facilitate research in the public interest (not just health and medical research).
Powers of Privacy Commissioner – the Privacy Commissioner should have additional functions and powers, including the power to direct a federal agency to provide a Privacy Impact Assessment in relation to a new project (if it may have a significant impact on the handling of personal information), to conduct Privacy Performance Assessments of the records of personal information of a private sector organisation, to accept enforceable undertakings and to seek civil penalties for serious or repeated breaches of the Privacy Act.
The aim is for consistent standards across Commonwealth, state and territory privacy laws, which the Government will progress through discussion with state and territory governments.
The Government has indicated that stage two of its response will be released once the first stage has been progressed. The Government proposes to release a draft exposure Bill implementing its first stage response in 2010.
Stage two will consider the remaining 98 recommendations in the ALRC report, including:
- exemptions (such as exemptions for employee records and the small business exemption);
- introduction of a statutory cause of action for a serious invasion of privacy; and
- serious data breach notifications.
The impact of the Government's response cannot be fully assessed until the Government releases its draft exposure Bill and stage two response. However, it is likely that every agency and organisation subject to the Act will need to review its privacy policies and procedures when the proposed reforms take effect.
Over the next few weeks, Allens Arthur Robinson will bring you more detailed analysis of the first stage of the Government's Response to the ALRC's recommendations and the implications for particular industries.