Mallesons Stephen Jaques
Who does this affect?

Any organisation that collects, uses and/or discloses personal information, in particular, government agencies, financial institutions and participants in the health industry and telecommunications industries.

What do you need to do?

Organisations need to review the Australian Law Reform Commission's proposals and consider how these proposals could affect their business. This is the last opportunity to comment on the proposals before the Commission provides its final report to the Attorney-General. We can help.


Andrea Beatty  
Partner

Sydney
Patrick Gunning  
Nicole Heller  

Melbourne
Katherine Forrest  
Cheng Lim  


ALRC Privacy Review - submissions due 7 December 2007

The Australian Law Reform Commission (ALRC) released its 1,977 page discussion paper: Review of Australian Privacy Law: Discussion Paper 72 on 12 September 2007 (Discussion Paper). Submissions must be made by 7 December 2007.

The ALRC’s proposals are the most significant changes to privacy law in Australia since the Privacy Act 1988 (Cth) (Privacy Act) was first enacted. Their impact is potentially much greater than the introduction of the National Privacy Principles (NPPs) in 2001.

The Discussion Paper sets out more than 300 proposals, including proposals to change the Privacy Act framework.

The key proposals are summarised in Volume 1 of the Discussion Paper. We recommend that your organisation gives serious consideration to making a submission on the main areas of impact on its business. This could be the last opportunity to have a say!

Submission points

We suggest below key areas of focus for your submission on the Discussion Paper.

1. Changes to the Privacy Act framework

  • The ALRC proposes that there should be one set of principles for the public and private sectors called the “Unified Privacy Principles” (UPPs). The UPPs would replace the NPPs and the Information Privacy Principles (IPPs).
  • There are currently two sets of privacy principles in the Privacy Act, with many overlapping areas but with important differences:
    • The NPPs, which apply to many private sector organisations (they were introduced in 2001); and
    • The IPPs, which apply to the handling of personal information by federal and ACT public sector agencies, including Commonwealth government departments and government agencies such as Centrelink.
  • There are arguably issues with maintaining two sets of principles, including the potential for confusion in circumstances where both sets apply, for example when Australian government services are outsourced to a private or not-for-profit organisation, or where public sector agencies have both public and private functions.
  • The proposed UPPs have not been without criticism. The ALRC Discussion Paper quotes concerns from the Australian Bankers’ Association (ABA) that moving now to a single set of privacy principles is “premature”, noting that the NPPs were only recently enacted.

2. Statutory cause of action for invasion of privacy

  • The ALRC has proposed the development of a statutory cause of action for individuals for invasion of privacy where it can be established that the person concerned had a reasonable expectation of privacy and that the act complained of is “sufficiently serious to cause substantial offence to a person of ordinary sensibilities”. Damages may be awarded to compensate for insult and humiliation.
  • The ALRC has asked for submissions on the proposal, on possible defences and on the types of remedies a court should be able to award.
  • In framing submissions on this point, consideration should be given to the possible reasons for proposing the statutory cause of action. In considering what defences should be available, careful analysis of possible scenarios in which the cause of action may be triggered should be undertaken.
  • There will be no certainty as to what acts would constitute an invasion of privacy. The test is quite broad. The only limitation is that the act must be intentional or reckless.
  • If the competing interests are not appropriately balanced in the ALRC's final recommendation, this new right could give rise to substantial uncertainties and may require the courts to decide a series of test cases before regulated entities will be able to confidently comply with the changes.
  • The media exemption may apply so that the media do not have to comply with privacy principles, but this does not mean they would be immune from having an action brought against them under the proposed cause of action.
  • It is important that the purpose of the law is recognised and understood. There is also a need to carefully define the exceptions, for example, how consent is given. Understanding the purpose of the law and the exceptions will prevent any possible confusion that the new laws are intended to replace the operation of defamation law.

3. Credit reporting

  • The Discussion Paper proposes a significant overhaul of the existing credit reporting regime. The suggested changes affect the following areas:
    • the regulatory framework for credit reporting;
    • type of information covered (ie, consumer vs commercial);
    • operational matters including the development of an industry code;
    • type of information collected (ie, a move towards a comprehensive credit reporting regime, instead of the current negative regime);
    • data quality monitoring and assessment;
    • a requirement that a credit provider must be a member of an external dispute resolution scheme to list a default; and
    • unauthorised access reporting and measures.
  • The proposed overhaul is likely to have a very significant impact on credit providers as well as credit reporting bodies. Each proposed amendment should be considered carefully, as the proposals are likely to require significant changes to operational, compliance and training regimes.

4. Consent and bundled consents

  • The Discussion Paper recommends that further guidance is needed on the meaning of consent when used with respect to bundled consents. A bundled consent is where an individual is required to consent to a bundle of arrangements for the handling of personal information in order to obtain a product or service. “Bundled consent” may require an individual to accept all of an organisation’s information-handling practices. The ALRC has expressed concerns regarding the voluntariness of such bundled consents.
  • The advantage of “bundled consent” is that it allows organisations to obtain the consents they need to do business efficiently.
  • There are likely to be significant customer relationship, administrative and systems issues if it was to become necessary to negotiate and record separate and different consents for each customer.
  • The ALRC seeks submissions on how the meaning of “consent” should be altered and when it is appropriate to use a “bundled consent”.

5. Privacy and anti-money laundering

  • The Anti-Money Laundering and Counter-Terrorism Act 2006 (Cth) (AML/CTF Act) permits electronic identity verification. Clearly, credit reporting databases could be useful for electronic verification. The ALRC raises this as a matter for further consideration. (At present, only “credit providers” as defined in the Privacy Act can obtain and use credit reports from credit reporting agencies.)
  • Credit providers have limitations under Part IIIA on the uses and disclosures they can make of credit reports and other credit information.
  • A significant issue is whether such information should be expressly allowed to be used for identity checks in relation to any designated service (ie not just where there is credit involved).
  • The ALRC has asked for submissions on what other data sources might be used to satisfy obligations under the AML/CTF Act.

6. Direct marketing

  • The ALRC seeks submissions on the proposed “Direct Marketing” UPP.
  • The ALRC wants to strike a balance between the concerns of consumers and the interests of organisations that rely on direct marketing. It proposes a separate principle covering all direct marketing. If implemented, there will be important new restrictions, even where direct marketing is a primary or a secondary purpose of collection.
  • Direct marketing would only be allowed if an individual had consented, unless it would be impracticable to gain consent.
  • The principle would apply to any personal information to be used for direct marketing, setting out general requirements. These may be overridden by more specific legislation, such as the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth).
  • The ALRC also seeks submissions on whether the “Direct Marketing” UPP should be extended to the public sector and on whether, upon request, an organisation should be required to take reasonable steps to advise an individual where that individual’s information has been obtained. This would require systems changes for many organisations.

7. Removing Privacy Act exemptions

  • As part of simplifying privacy laws, the ALRC proposes removing and narrowing some key exemptions.
  • Of particular interest, the ALRC proposes removing the small business exemption on the basis that it is not necessary or justifiable to continue to exempt small business from the Privacy Act.
  • Also, the ALRC proposes removing the employee records exemption. For example, this could mean that it will be necessary to obtain consent from an employee when information uses change. This may be difficult to achieve in practice.
  • The ALRC also proposes narrowing the media exemption by defining the term “journalism” and requiring media organisations to be subject to standards that deal “adequately” with privacy issues in a media context.
  • The ALRC has proposed that the Privacy Act should be amended to group together in a separate part of the Act exemptions for certain categories or types of acts and practices. The ALRC has also proposed that the Privacy Act be amended to set out in a schedule to the Act exemptions for specifically named entities.

8. Data breach notification

  • The ALRC proposes to amend the Privacy Act to include a new Part on data breach notification which would require an agency or organisation to notify the Privacy Commissioner and affected individuals when certain personal information has been acquired by an unauthorised person and the agency, organisation or the Privacy Commissioner believes that there is a real risk of serious harm to any affected individual as a result.
  • The ALRC also proposes to amend the Privacy Act so that a failure to notify the Privacy Commissioner of a data breach may attract a civil penalty.
  • The obligation to notify a customer about a data breach is likely to be an important point for submissions. On one view, this should only be required where the breach has clear potential to cause an adverse effect for the customer concerned.

ALRC background and timing

  • 30 Jan 2006 - the Attorney-General asked the ALRC to review Australian privacy laws and make recommendations about reform.
  • Oct & Dec 2006 - ALRC issued 2 Issues Papers and sought submissions from the public.
  • 12 Sept 2007 - ALRC released Discussion Paper 72 (1,977 pages in 3 volumes).
  • 7 Dec 2007 - Submissions and feedback on the proposals are due.
  • 31 March 2008 - ALRC report is due to the Attorney-General.
  • After the report is submitted, the final report will be tabled in Parliament and after 15 parliamentary sitting days, the report will be publicly released.

How we can help

We have considerable experience and expertise in advising on privacy issues. We can assist you in considering the Discussion Paper and preparing submissions in response to the Discussion Paper.

This publication is only a general outline. It is not legal advice. You should seek professional advice before taking any action based on its contents.