Upcoming Mallesons seminarsAny organisation that collects, uses and/or discloses personal information, in particular, government agencies, financial institutions and participants in the health industry and telecommunications industries.
What do you need to do?Organisations need to review the Australian Law Reform Commission's proposals and consider how these proposals could affect their business. This is the last opportunity to comment on the proposals before the Commission provides its final report to the Attorney-General. We can help.
Cheng Lim
Partner
Tatiana Rudometova
Solicitor
Cheng Lim
Partner
T +61 3 9643 4193
Sydney
Patrick Gunning
Melbourne
Katherine Forrest
Brisbane
Nicole Heller
The Australian Law Reform Commission (ALRC) has released a Discussion Paper which summarises the ALRC’s proposals for reform of Australian privacy laws. The proposals cover a wide range of issues and, if accepted by the Government, will result in substantial changes in privacy laws. Public submissions are due by 7 December 2007. The ALRC’s final report is due to the Attorney-General by 31 March 2008.
Some of the key ALRC proposals include:
- a new statutory cause of action for invasion of privacy;
- a single set of Unified Privacy Principles across both the public sector and the private sector;
- the exclusion of inconsistent State and Territory legislation;
- significant expansion of powers of the Office of Privacy Commissioner;
- the removal of the small business and employee information exemptions;
- the inroduction of data breach notification provisions; and
- changes to the privacy regime in relation to credit reporting.
General proposals
The ALRC report is about 2000 pages long, is published in 3 volumes and contains 64 sets of proposals. Important general changes proposed by the ALRC include:
1. The creation of a statutory cause of action for invasion of privacy, which will enable individuals to directly sue organisations for an invasion of privacy.
2. The consolidation of the public sector Information Privacy Principles and the private sector National Privacy Principles into a single set of Unified Privacy Principles (UPPs) which will apply across both public and private sector organisations.
3. The exclusion by the Commonwealth of inconsistent State and Territory legislation affecting organisations (including legislation governing the privacy of health records).
4. The conferral of wider powers on the Office of the Privacy Commissioner, including the power to:
- allow the Commissioner to set different standards than those imposed by the UPPs in particular circumstances;
- require privacy impact assessments to be prepared for new projects that may impact on handling of personal information;
- audit personal information held by organisations, to assess compliance with privacy laws; and
- issue an order to take specific actions to ensure compliance with the Privacy Act.
5. The introduction of a separate privacy principle to govern direct marketing by organisations.
6. Making the Privacy Act technologically neutral so that it does not refer to any specific types of technology to which it applies and giving the Minister power to determine technology-specific standards for handling of information.
7. The inclusion of new obligations that would require organisations to notify the Privacy Commissioner and affected individuals where there has been unauthorised access to personal information that could lead to a real risk of serious harm.
8. The removal of the existing small business and employee information exemptions and the narrowing of the media exemption.
Industry-specific proposals
For the telecommunications industry:
9. The review of the Telecommunications Act 1997 to achieve greater consistency with the privacy laws.
10. A prohibition on charges for an unlisted telephone number in a public number directory.
11. The inclusion of email and IP addresses into the definitions of "personal information".
For credit providers:
12. The repeal of the credit reporting provisions in the Privacy Act and the regulation of credit reporting under the general provisions of the Privacy Act, the new UPPs and new credit reporting-specific regulations.
13. That credit reporting-specific privacy regulations should:
- apply to personal information relating to credit advances to an individual for any purpose, i.e. not limited to credit advances only for domestic, family or household purposes;
- permit the inclusion in credit reporting files of additional categories of personal information; and
- provide for more comprehensive dispute resolution procedures.
Health:
14. That health information should be regulated under the general provisions of the Privacy Act and the UPPs, and that amendments to the UPPs specific to the handling of health information should be set out in the new Privacy (Health Information) Regulations.
15. The establishment of a national Unique Healthcare Identifiers (UHIs) scheme and a national Shared Electronic Health Record scheme under specific enabling legislation that will address various privacy issues in relation to the schemes.
Consultation
The ALRC is also seeking feedback on a range of issues, including:
1. whether there should be a "take down notice" scheme that would require a website operator to remove information that may constitute an invasion of privacy;
2. whether the Spam Act 2003 should also cover facsimile and Bluetooth messages; and
3. what should be the scope of the definition of “credit provider” under the proposed Regulations.
View ALRC Discussion Paper 72. Submissions are due by 7 December 2007.
The ALRC has prepared an overview of the Discussion Paper - An Overview of Discussion Paper 72.
How we can help
We have advised many of Australia’s leading organisations on privacy issues since the introduction of the private sector privacy laws. We can assist you in considering the impact on proposals on your organisation and preparing submissions in response to the Discussion Paper.