16 October 2009
Government responds to Australian Law Reform Commission's review of Australian Privacy Laws
On 14 October 2009, the government announced its First Stage Response to the privacy reforms proposed by the Australian Law Reform Commission (ALRC) in its report, For Your Information: Australian Privacy Law and Practice (ALRC 108).
The government's response accepts the majority of the recommendations proposed by the ALRC, many of which have significant impacts for Commonwealth agencies. Exposure draft legislation is being prepared for release in early 2010. The proposed changes would involve the most significant reform of privacy laws since the inception of the Commonwealth Privacy Act 1988.
The first stage of reforms
The government response addresses 197 of the ALRC's 295 recommendations for improving privacy protection:
- accepting 141 of the recommendations in full or in principle
- accepting 34 recommendations with qualification
- not accepting 20 recommendations, and
- noting two further recommendations which did not require action.
The response addresses recommendations in the following areas:
- the name, structure, objects, definitions and scope of the Privacy Act
- interaction between new technologies and privacy, the impact of digital media and developments in technology since the Privacy Act was enacted
- the interaction between the Privacy Act and other federal, state and territory laws
- the replacement of the Information Privacy Principles and National Privacy Principles with a single set of 'Unified Privacy Principles', to protect personal information held both by Australian Government agencies and relevant organisations in the private sector
- the structure, powers and functions of the Privacy Commissioner
- the introduction of comprehensive credit reporting in Australia
- health privacy issues.
The remaining 98 recommendations, including a statutory cause of action for a serious invasion of privacy, will be considered in stage two of the government's response.
Further information on the more significant recommendations
Unified Privacy Principles
The government has accepted the ALRC recommendation to replace the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) with a single set of 'Unified Privacy Principles' (UPPs) which would apply to information held by government agencies and relevant organisations in the private sector.
The UPPs are more closely aligned with the current NPPs, meaning significant changes for Commonwealth and ACT agencies, which are regulated by the IPPs. The significant differences between the proposed UPPs and the current IPPs include:
- Anonymity and pseudonymity: the requirement for an agency or organisation to give individuals a clear option to interact anonymously or pseudonymously, where it is lawful and practical in the circumstances.
- Collection: the requirement that an agency or organisation collect personal information about an individual only from the individual concerned, unless it is not reasonable or practicable to do so.
- Cross Border Data Flows: the UPPs will seek to ensure that an agency or organisation remains accountable for personal information that is transferred outside Australia, with limited exceptions.
- Use and disclosure principles: the circumstances in which uses and disclosures will be authorised will be completely harmonised, as they are in the current NPPs.
Privacy of deceased individuals
The government did not accept the ALRC recommendation to extend the Privacy Act to include provisions dealing with the personal information of individuals who have been deceased for 30 years or less where the information is held by an organisation. However, the government noted that the Freedom of Information Act 1982 and the Archives Act 1983 will continue to apply to information about deceased persons that is held by government agencies. Constitutional limitations on the Commonwealth's power in this area mean that the Privacy Act will continue to apply to living persons only.
The government agreed there are clear benefits of nationally consistent privacy regulation in the private sector, highlighting the health sector as an area subject to both Commonwealth and state legislation. The government undertook to work with state and territory counterparts in the appropriate fora to progress this matter.
Required or authorised under law
The Privacy Act currently permits use or disclosure of personal information where required or authorised under law. The government has accepted the ALRC recommendation to amend the Privacy Act to provide a definition of 'law'. The government broadly agreed with the ALRC proposed definition of 'law', which includes:
- Commonwealth, state and territory Acts and delegated legislation
- common law or equitable duties
- court or tribunal orders
- documents given the force of law by an Act, such as industrial awards.
The government agreed that the Office of the Privacy Commissioner should develop and publish guidance on this point, noting that while a definition of law will provide a degree of clarity, the meaning of 'law' will be best determined on a case-by-case basis.
The government has accepted the ALRC recommendation for the Office of the Privacy Commissioner to undertake research, consider and develop guidelines on ways in which technology may be used in a privacy enhancing way.
AGS's experienced national team of expert information access lawyers are ready to assist you with assessing the implications of the recommendations accepted by the government and advising on the impact in relation to the proposed changes.
For further information please contact:
Senior Executive Lawyer
T 02 6253 7240 F 02 6253 7380
Senior Executive Lawyer
T 02 6253 7417 F 02 6253 7380
Important: The material in Express law is provided to clients as an early, interim view for general information only, and further analysis on the matter may be prepared by AGS. The material should not be relied upon for the purpose of a particular matter. Please contact AGS before any action or decision is taken on the basis of any of the material in this message.