Footnotes
CHAPTER 1 - INTRODUCTION
[1]
House of Representatives, Votes and Proceedings, No. 166 - 29 May
2013, p. 2303.
[2]
Senate, Journals of the Senate, No. 147 - 17 June 2013, pp
4028-4029; Senate, Journals of the Senate, No. 148 - 18 June 2013, pp 4048-4050.
[3]
The Hon. Mark Dreyfus QC MP, Attorney-General, House of
Representatives Hansard, 29 May 2013, p. 11.
[4]
Australian Law Reform Commission, For Your Information: Australian
Privacy Law and Practice (ALRC Report 108), May 2008, Recommendation 51-1,
pp 1696-1697.
[5]
Explanatory Memorandum (EM), p. 1. Also see: subsection 6(1) and section
6C of the Privacy Act 1988 (Cth) (Privacy Act).
[6]
In 2010, the Office of the Australian Information Commissioner was
created and the Australian Information Commissioner (Commissioner) became
responsible for the functions conferred on that office by the Privacy Act. The
Commissioner is supported in this role by the Privacy Commissioner. For this
reason, the Commissioner and the Privacy Commissioner are sometimes referred to
interchangeably in the context of privacy law and privacy reform.
[7]
EM, p. 1.
[8]
The Hon. Mark Dreyfus QC MP, Attorney-General, House of
Representatives Hansard, 29 May 2013, p. 11.
[9]
The terms 'credit reporting body' and 'credit provider' are defined in
the Privacy Act: see subsection 6(1) and section 6G of the Privacy Act
(items 26 and 69 of Schedule 2 of the Privacy Amendment (Enhancing
Privacy Protection) Act 2012 (Cth)).
CHAPTER 2 - KEY ISSUES
[1]
For example: Australian Law Reform Commission, Submission 6, p.
1; Australian Communications Consumer Action Network, Submission 7,
p. 1; Consumer Credit Legal Centre, Submission 8, p. 1; Office of the
Australian Information Commissioner, Submission 12, p. 1.
[2]
Proposed new paragraphs 26X(1)(d) and (2)(d), 26Y(1)(d) and (2)(d),
26Z(1)(d) and (2)(d), and 26ZA(1)(d) of the Privacy Act 1988 (Cth)
(Privacy Act) (item 4 of Schedule 1).
[3]
For example: Fundraising Institute Australia, Submission 1, p. 1;
Communications Alliance, Submission 2, p. 2; Association for Data-driven
Marketing and Advertising, Submission 3, p. 2; Australian Communications
Consumer Action Network, Submission 7, p. 2; Australian Bankers'
Association, Submission 11, p. 2; Office of the Victorian Privacy
Commissioner, Submission 14, p. 5.
[4]
Submission 11, p. 2.
[5]
Submission 11, p. 3. Also see: Association for Data-driven
Marketing and Advertising, Submission 3, p. 4, which argued that the
failure to define key terms will endow the Australian Information Commissioner
(Commissioner) with a free hand to interpret the legislation via regulation.
[6]
Submission 14, p. 6.
[7]
Submission 2, p. 2. In relation to potential over-reporting and
under-reporting, also see: Association for Data-driven Marketing and
Advertising, Submission 3, p. 2; Australian Bankers' Association, Submission 11,
p. 3; Office of the Victorian Privacy Commissioner, Submission 14, p. 5.
[8]
Submission 4, p. 2. The Australian Privacy Foundation suggested
that the Privacy Amendment (Privacy Alerts) Bill 2013 (Bill) should require
either a real risk of harm (without qualifications such as 'serious') or a
significant breach (regardless of whether a real risk of harm has arisen).
[9]
Explanatory Memorandum (EM), p. 40. Also see: the Hon. Mark Dreyfus QC
MP, Attorney-General, 'Privacy Alerts to notify Australians of data breaches',
Media Release, 28 May 2013.
[10]
EM, pp 1-2 (emphasis in original). Also see: Office of the Australian
Information Commissioner, Data Breach Notification: A guide to handling
personal information security breaches (OAIC guidelines), April 2012, p. 1,
available at: http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/data-breach-notification-a-guide-to-handling-personal-information-security-breaches
(accessed 19 June 2013); Australian Communications Consumer Action
Network, Submission 7, p. 2.
[11]
Submission 10, p. 4.
[12]
Submission 10, p. 4.
[13]
Submission 12, p. 5.
[14]
Proposed new paragraph 26ZB(1)(e) and proposed new subsection 26ZB(2) of
the Privacy Act (item 4 of Schedule 1). Also see: EM, p. 50, which notes that
the content of the statement is based on the matters set out in the OAIC
guidelines.
[15]
Proposed new paragraph 26ZB(1)(f) of the Privacy Act (item 4 of Schedule
1).
[16]
Proposed new paragraph 26ZB(1)(g) of the Privacy Act (item 4 of Schedule
1). An individual will be 'significantly affected' by a serious data breach in
one of two situations: if the individual is at real risk of serious harm from
the breach; or if the information relates to the individual and the individual
is deemed by the regulations to be significantly affected by the breach:
see proposed new paragraph 26ZB(1)(h) of the Privacy Act (item 4 of
Schedule 1).
[17]
Proposed new paragraph 26ZB(1)(h) of the Privacy Act (item 4 of Schedule
1).
[18]
Submission 9, pp 3-4.
[19]
Submission 2, p. 3.
[20]
Submission 11, p. 5.
[21]
Submission 10, pp 5-6. Also see: EM, p. 51.
[22]
Submission 10, p. 6.
[23]
Submission 10, p. 6.
[24]
Proposed new subsections 26ZB(4)-(11) of the Privacy Act (item 4 of
Schedule 1).
[25]
Proposed new subsections 26ZB(5)-(7) of the Privacy Act (item 4 of
Schedule 1). Note: the exemption applies to the three mandatory steps set out
in proposed new subsection 26ZB(1) of the Privacy Act.
[26]
Submission 9, pp 4-5.
[27]
Submission 4, Attachment 2, p. 2. Also see: Mr Bruce Arnold, Submission
5, p. 4; Cyberspace Law and Policy Centre, Submission 13, p. 2.
[28]
Submission 13, p. 3. Also see: Australian Privacy Foundation, Submission
4, p. 4.
[29]
Submission 5, p. 4.
[30]
EM, p. 52.
[31]
Submission 12, pp 2-4.
[32]
Attorney-General's Department, Australian Privacy Breach Notification,
Discussion Paper, October 2012, p. 11.
[33]
EM, Regulation Impact Statement, p. 7.
ADDITIONAL COMMENTS BY COALITION SENATORS
[1]
Submission 13, p. 1.
[2]
Submission 4, p. 1.