Chapter 2


Chapter 2

Background

2.1        This chapter provides an overview of the Privacy Act 1988 (the Privacy Act), the inquiry undertaken by the Senate Legal and Constitutional Affairs References Committee into the Privacy Act and the reviews conducted by the Office of the Privacy Commissioner (OPC) and Australian Law Reform Commission (ALRC).[1]

Privacy Act 1988

2.2        The Privacy Act 1988 was enacted to give effect to Australia's agreement to implement the Organisation for Economic Cooperation and Development (OECD) Guidelines for the Protection of Privacy and Transborder Flows of Personal Information, as well as to its obligations under Article 17 of the International Covenant on Civil and Political Rights.

2.3        The Privacy Act initially regulated the collection, handling and use of information about individuals by Commonwealth Government departments and agencies. The Privacy Act also established the Privacy Commissioner to oversee privacy matters and to handle complaints. In addition, the Privacy Act provided guidelines for the collection, storage, use and security of tax file number information.[2] Eleven Information Privacy Principles (IPPs), based on the OECD guidelines, set out the safeguards for personal information that is handled by the Commonwealth Government and Australian Capital Territory Government agencies.[3]

2.4        Amendments were made to the Privacy Act in 2000 to strengthen privacy protection in the private sector by establishing national standards for the handling of personal information by the private sector. The aim was to give consumers confidence in Australian business practices; to take advantage of the opportunities presented by electronic commerce and the information economy; and allay concerns about the security of personal information when conducting business online. The Privacy Amendment (Private Sector) Act 2000 provided for approved privacy codes and introduced National Privacy Principles (NPPs). The NPPs were based on voluntary guidelines for the private sector, the National Principles for the Fair Handling of Personal Information, which had been developed by the Privacy Commissioner. The amendments also introduced exemptions for small business and employee records.[4]

2.5        Other amendments to the Privacy Act since 1988 provided the Privacy Commissioner with additional functions in relation to:

  • spent convictions;
  • regulation of credit reporting and information held by credit reporting agencies and credit providers (1990);
  • data matching (1990);
  • guidelines to safeguard personal information provided for the purposes of the Pharmaceutical and Medical Benefits Schemes (1991); and
  • records made by telecommunications carriers, carriage service providers and others of their disclosures of customer information (1997).

2.6        Further amendments in 2006 were made to the definitions of 'health information' and 'sensitive information' to expressly include genetic information to ensure that the collection, use and disclosure of genetic information would be given the additional protections of the Privacy Act. In addition, new provisions were inserted into the Act to enhance information exchange between Commonwealth Government agencies, State and Territory authorities, private sector organisations, non-government organisations and others, in an emergency or disaster situation.

2.7        On 1 November 2010, the Office of the Privacy Commissioner (OPC) was integrated into the Office of the Australian Information Commissioner (OAIC).

Reviews of the Privacy Act

Senate Legal and Constitutional Affairs References Committee

2.8        In June 2005, the Senate Legal and Constitutional Affairs References Committee tabled its report, The real Big Brother: Inquiry into the Privacy Act 1988.[5] The committee's inquiry reviewed the overall effectiveness and appropriateness of the Privacy Act as a means of protecting the privacy of Australians with particular reference to international comparisons and emerging technologies. The committee also reviewed the effectiveness of the extension of the privacy scheme to the private sector and the resourcing of the OPC.

2.9        The committee made 19 recommendations including that the Commonwealth Government undertake a comprehensive review of privacy regulation, including a review of the Privacy Act in its entirety with the objective of establishing a nationally consistent privacy protection regime to effectively protect the privacy of Australians. In addition, the Committee recommended that the review be undertaken by the ALRC and that the report be presented to the Government and to the Parliament.

Office of the Privacy Commissioner

2.10      On 13 August 2004, the Attorney-General asked the Privacy Commissioner to review the operation of the private sector provisions of the Privacy Act. In March 2005, the OPC reported on its review.[6] The OPC recommended that the Government consider undertaking a wider review of privacy laws in Australia to ensure that in the 21st century the legislation best serves the needs of Australia.

Australian Law Reform Commission

2.11      On 30 January 2006, the then Attorney-General, the Hon Philip Ruddock, MP, announced that the Australian Law Reform Commission (ALRC) would undertake a comprehensive review of the Privacy Act. The Attorney-General stated the review was being undertaken in response to the recommendations of the Senate Legal and Constitutional Affairs References Committee and the OPC recommendations and commented:

It is timely to respond to these recommendations and review the overall effectiveness of the Privacy Act to see where improvements can be made...

The Review will examine existing Commonwealth, State and Territory laws and practices and will consider the needs of individuals for privacy protection in light of evolving technology...

The ALRC will also examine current and emerging international law in the privacy area and consider community perceptions of privacy and the extent to which it should be protected by legislation.[7]

2.12      In undertaking the review, the ALRC was to identify and consult with relevant stakeholders, State and Territory Governments, the business community and the public, and report by 31 March 2008. The ALRC was subsequently granted an extension of the reporting date to 30 May 2008.

2.13      The ALRC's report, For Your Information: Australian Privacy Law and Practice was the culmination of a 28 month inquiry which included face-to-face meetings with individuals, organisations and agencies; public forums; workshops; and a phone-in.[8] The ALRC also produced two issues papers: Review of Privacy (IP 31) and Review of Privacy: Credit Reporting Provisions (IP 32); as well as a three-volume Discussion Paper, Review of Australian Privacy Law (DP 72).

2.14      The extensive public engagement provided the ALRC with a range of views on privacy issues. For example, there was a general feeling that technological advances had steadily and irreparably eroded personal privacy and that much greater effort should be made to resist this. At the same time, the benefits of information and communication technologies were acknowledged.

2.15      The ALRC also found that there was a high degree of willingness to trade-off privacy interests to meet concerns about law and order at a local level or about national security more generally. In addition, while privacy was frequently seen as a 'right', a need to strike a commonsense balance between privacy interests and practical concerns in a range of areas was acknowledged, one example being the access to sensitive personal health information in the case of a medical emergency.[9]

2.16      Children and young people were consulted during the review and provided an insight into views on privacy in relation to new mediums such as websites like Facebook. The ALRC noted that some young people were very savvy about how to control access to, and distribution of, personal information on social networking sites. Unfortunately, many young people were unaware of how to protect their privacy and the implications of widely distributing, downloading or archiving personal information. The ALRC found that 'there was little appetite for more law or formal regulation in this area'. Rather, the need for more education was emphasised.[10]

2.17      Other issues highlighted in the consultations were the complexity of privacy laws in Australia particularly the overlapping of Commonwealth, State and Territory laws and the separate privacy principles for the public and private sectors; the lack of adequate enforcement mechanisms in privacy legislation; and, the use of 'because of the Privacy Act' as an excuse for inaction or non-cooperation.[11]

2.18      The ALRC made 295 recommendations to improve privacy protection in Australia in the following key areas:

  • redrafting and reconstructing the Privacy Act and privacy principles to achieve significantly greater consistency, clarity and simplicity;
  • unification of the privacy principles for the public and the private sector into one single set of principles;
  • structuring privacy regulation to follow a three-tiered approach: high level principles of general application; regulation and industry codes detailing the handling of personal information in certain specified contexts; and, guidance provided by the Privacy Commissioner dealing with operational matters and providing explanations;
  • adoption of a common approach to privacy in all jurisdictions in order to overcome confusion and uncertainty, including the establishment of an intergovernmental cooperative scheme;
  • updating of key definitions, including the definitions of 'personal information', 'sensitive information' and 'record';
  • improvements to complaint handling;
  • rationalisation and clarification of exemptions from, and exceptions to, the requirements of the Privacy Act;
  • restructuring of the Office of the Privacy Commissioner and strengthening of the role of the Privacy Commissioner;
  • implementation of a data breach notification process;
  • clarification of the legal position to facilitate authorised persons to assist a person, temporarily or permanently incapacitated, to deal with agencies or organisations;
  • more comprehensive credit reporting requirements;
  • promotion of national consistency in relation to health information;
  • greater facilitation of research through an exception to the 'Collection' and 'Use and Disclosure' principles in the model Unified Privacy Principles;
  • provision of a 'Cross-Border Data Flows' principle to ensure accountability for personal information transferred offshore; and
  • provision in federal legislation for a statutory cause of action for a serious breach of privacy.

2.19      The ALRC also recommended that the Commonwealth Government initiate a review of the amended Privacy Act and credit reporting information regulations five years after the date of commencement.

2.20      In addition to the recommendations, the ALRC also provided eleven Unified Privacy Principles (UPPs). The ALRC noted that:

These model UPPs are merely indicative of how the privacy principles in the Act may appear if the ALRC's relevant recommendations were to be implemented. The ALRC anticipates that, if its recommendations are accepted, the Australian Government will instruct the Office of Parliamentary Counsel to draft the new privacy principles using the ALRC's recommendations as a template, rather than simply adopting the ALRC's model UPPs in their current form.[12]

Government response to the ALRC review

2.21      In October 2009, the Government provided its first stage response to the ALRC's report. In providing the response, the Cabinet Secretary and Special Minister of State, Senator the Hon Joe Ludwig stated:

The Government will outline a clear and simple framework for privacy rights and obligations and build on its commitment to trust and integrity in Government. The Government will:

  • create a harmonised set of Privacy Principles which will replace the separate sets of public and private sector principles at the federal level, untangling red tape and marking a significant step on the road to national consistency;
  • redraft and update the Privacy Act to make the law clearer and easier to comply with;
  • create a comprehensive credit reporting framework which will improve individual credit assessments, complimenting the Government's reforms to responsible lending practices;
  • improve health sector information flows, and give individuals new rights to control their health records, contributing to better health service delivery;
  • require the public and private sector to ensure the right to privacy will continue to be protected if personal information is sent overseas; and
  • strengthen the Privacy Commissioner's powers to conduct investigations, resolve complaints and promote compliance, contributing to more effective and stronger protection of the right to privacy.

These reforms will be technology neutral, providing protection for personal information held in any medium. The Privacy Commissioner will also have an enhanced role in researching, guiding and educating on technologies that enhance or impact on privacy.[13]

2.22      In formulating the response, the Department of the Prime Minister and Cabinet (the department) conducted further consultations with stakeholders, agencies, industry and consumer representatives, academics and privacy experts. The first stage response addressed 197 of the ALRC's 295 recommendations. The department stated that of those 197 recommendations, the Government:

  • accepted 141 recommendations, either in full or in principle;
  • accepted 34 recommendations with qualification;
  • did not accept 20 recommendations; and
  • noted two recommendations.[14]

2.23      The Cabinet Secretary indicated that once the first stage reforms had progressed, the remaining recommendations would be considered. It was also noted that the remaining recommendations 'include sensitive and complex questions around the removal of exceptions and data breach notices'. Extensive consultation and input will be required for these matters.

Navigation: Previous Page | Contents | Next Page