Chapter 2
Background
2.1
This chapter provides an overview of the Privacy Act 1988 (the
Privacy Act), the inquiry undertaken by the Senate Legal and Constitutional
Affairs References Committee into the Privacy Act and the reviews
conducted by the Office of the Privacy Commissioner (OPC) and Australian Law
Reform Commission (ALRC).[1]
Privacy Act 1988
2.2
The Privacy Act 1988 was enacted to give effect to Australia's
agreement to implement the Organisation for Economic Cooperation and
Development (OECD) Guidelines for the Protection of Privacy and Transborder Flows
of Personal Information, as well as to its obligations under Article 17 of
the International Covenant on Civil and Political Rights.
2.3
The Privacy Act initially regulated the collection, handling and use of
information about individuals by Commonwealth Government departments and
agencies. The Privacy Act also established the Privacy Commissioner to oversee
privacy matters and to handle complaints. In addition, the Privacy Act provided
guidelines for the collection, storage, use and security of tax file number
information.[2]
Eleven Information Privacy Principles (IPPs), based on the OECD guidelines, set
out the safeguards for personal information that is handled by the Commonwealth
Government and Australian Capital Territory Government agencies.[3]
2.4
Amendments were made to the Privacy Act in 2000 to strengthen privacy
protection in the private sector by establishing national standards for the
handling of personal information by the private sector. The aim was to give
consumers confidence in Australian business practices; to take advantage of the
opportunities presented by electronic commerce and the information economy; and
to allay concerns about the security of personal information when conducting
business online. The Privacy Amendment (Private Sector) Act 2000
provided for approved privacy codes and introduced National Privacy Principles
(NPPs). The NPPs were based on voluntary guidelines for the private sector, the
National Principles for the Fair Handling of Personal Information, which had
been developed by the Privacy Commissioner. The amendments also introduced
exemptions for small business and employee records.[4]
2.5
Other amendments to the Privacy Act since 1988 provided the Privacy
Commissioner with additional functions in relation to:
- spent convictions;
- regulation of credit reporting and information held by credit
  reporting agencies and credit providers (1990);
- data matching (1990);
- guidelines to safeguard personal information provided for the
  purposes of the Pharmaceutical and Medical Benefits Schemes (1991); and
- records made by telecommunications carriers, carriage service
  providers and others of their disclosures of customer information (1997).
2.6
Further amendments in 2006 were made to the definitions of 'health
information' and 'sensitive information' to expressly include genetic
information to ensure that the collection, use and disclosure of genetic
information would be given the additional protections of the Privacy Act. In
addition, new provisions were inserted into the Act to enhance information
exchange between Commonwealth Government agencies, State and Territory
authorities, private sector organisations, non-government organisations and
others, in an emergency or disaster situation.
2.7
On 1 November 2010, the Office of the Privacy Commissioner (OPC) was
integrated into the Office of the Australian Information Commissioner (OAIC).
Reviews of the Privacy Act
Senate Legal and Constitutional Affairs References Committee
2.8
In June 2005, the Senate Legal and Constitutional Affairs References
Committee tabled its report, The real Big Brother: Inquiry into the Privacy
Act 1988.[5]
The committee's inquiry reviewed the overall effectiveness and
appropriateness of the Privacy Act as a means of protecting the privacy of
Australians with particular reference to international comparisons and emerging
technologies. The committee also reviewed the effectiveness of the extension of
the privacy scheme to the private sector and the resourcing of the OPC.
2.9
The committee made 19 recommendations including that the Commonwealth Government
undertake a comprehensive review of privacy regulation, including a review of
the Privacy Act in its entirety with the objective of establishing a nationally
consistent privacy protection regime to effectively protect the privacy of
Australians. In addition, the Committee recommended that the review be
undertaken by the ALRC and that the report be presented to the Government and
to the Parliament.
Office of the Privacy Commissioner
2.10
On 13 August 2004, the Attorney-General asked the Privacy Commissioner
to review the operation of the private sector provisions of the Privacy Act. In
March 2005, the OPC reported on its review.[6]
The OPC recommended that the Government consider undertaking a wider review of
privacy laws in Australia to ensure that in the 21st century the legislation
best serves the needs of Australia.
Australian Law Reform Commission
2.11
On 30 January 2006, the then Attorney-General, the Hon Philip Ruddock, MP,
announced that the Australian Law Reform Commission (ALRC) would undertake a
comprehensive review of the Privacy Act. The Attorney-General stated the review
was being undertaken in response to the recommendations of the Senate Legal and
Constitutional Affairs References Committee and the OPC recommendations and
commented:
It is timely to respond to these recommendations and review
the overall effectiveness of the Privacy Act to see where improvements can be
made...
The Review will examine existing Commonwealth, State and
Territory laws and practices and will consider the needs of individuals for
privacy protection in light of evolving technology...
The ALRC will also examine current and emerging international
law in the privacy area and consider community perceptions of privacy and the
extent to which it should be protected by legislation.[7]
2.12
In undertaking the review, the ALRC was to identify and consult with
relevant stakeholders, State and Territory Governments, the business community
and the public, and report by 31 March 2008. The ALRC was subsequently granted
an extension of the reporting date to 30 May 2008.
2.13
The ALRC's report, For Your Information: Australian Privacy Law and
Practice, was the culmination of a 28-month inquiry which included face-to-face
meetings with individuals, organisations and agencies; public forums;
workshops; and a phone-in.[8]
The ALRC also produced two issues papers: Review of Privacy (IP 31) and Review
of Privacy: Credit Reporting Provisions (IP 32); as well as a three-volume
Discussion Paper, Review of Australian Privacy Law (DP 72).
2.14
The extensive public engagement provided the ALRC with a range of views
on privacy issues. For example, there was a general feeling that technological
advances had steadily and irreparably eroded personal privacy and that much
greater effort should be made to resist this. At the same time, the benefits of
information and communication technologies were acknowledged.
2.15
The ALRC also found that there was a high degree of willingness to
trade-off privacy interests to meet concerns about law and order at a local
level or about national security more generally. In addition, while privacy was
frequently seen as a 'right', a need to strike a commonsense balance between
privacy interests and practical concerns in a range of areas was acknowledged,
one example being the access to sensitive personal health information in the
case of a medical emergency.[9]
2.16
Children and young people were consulted during the review and provided
an insight into views on privacy in relation to new mediums such as websites
like Facebook. The ALRC noted that some young people were very savvy about how
to control access to, and distribution of, personal information on social
networking sites. Unfortunately, many young people were unaware of how to
protect their privacy and the implications of widely distributing, downloading
or archiving personal information. The ALRC found that 'there was little
appetite for more law or formal regulation in this area'. Rather, the need for
more education was emphasised.[10]
2.17
Other issues highlighted in the consultations were the complexity of
privacy laws in Australia, particularly the overlapping of Commonwealth, State
and Territory laws and the separate privacy principles for the public and
private sectors; the lack of adequate enforcement mechanisms in privacy
legislation; and the use of 'because of the Privacy Act' as an excuse for
inaction or non-cooperation.[11]
2.18
The ALRC made 295 recommendations to improve privacy protection in
Australia in the following key areas:
- redrafting and reconstructing the Privacy Act and privacy
  principles to achieve significantly greater consistency, clarity and
  simplicity;
- unification of the privacy principles for the public and the
  private sector into one single set of principles;
- structuring privacy regulation to follow a three-tiered approach:
  high level principles of general application; regulation and industry codes
  detailing the handling of personal information in certain specified contexts;
  and, guidance provided by the Privacy Commissioner dealing with operational
  matters and providing explanations;
- adoption of a common approach to privacy in all jurisdictions in
  order to overcome confusion and uncertainty, including the establishment of an
  intergovernmental cooperative scheme;
- updating of key definitions, including the definitions of
  'personal information', 'sensitive information' and 'record';
- improvements to complaint handling;
- rationalisation and clarification of exemptions from, and
  exceptions to, the requirements of the Privacy Act;
- restructuring of the Office of the Privacy Commissioner and
  strengthening of the role of the Privacy Commissioner;
- implementation of a data breach notification process;
- clarification of the legal position to facilitate authorised
  persons to assist a person, temporarily or permanently incapacitated, to deal
  with agencies or organisations;
- more comprehensive credit reporting requirements;
- promotion of national consistency in relation to health
  information;
- greater facilitation of research through an exception to the
  'Collection' and 'Use and Disclosure' principles in the model Unified Privacy Principles;
- provision of a 'Cross-Border Data Flows' principle to ensure
  accountability for personal information transferred offshore; and
- provision in federal legislation for a statutory cause of action
  for a serious breach of privacy.
2.19
The ALRC also recommended that the Commonwealth Government initiate a
review of the amended Privacy Act and credit reporting information regulations
five years after the date of commencement.
2.20
In addition to the recommendations, the ALRC also provided eleven
Unified Privacy Principles (UPPs). The ALRC noted that:
These model UPPs are merely indicative of how the privacy
principles in the Act may appear if the ALRC's relevant recommendations were to
be implemented. The ALRC anticipates that, if its recommendations are accepted,
the Australian Government will instruct the Office of Parliamentary Counsel to
draft the new privacy principles using the ALRC's recommendations as a
template, rather than simply adopting the ALRC's model UPPs in their current
form.[12]
Government response to the ALRC review
2.21
In October 2009, the Government provided its first stage response to the
ALRC's report. In providing the response, the Cabinet Secretary and Special
Minister of State, Senator the Hon Joe Ludwig stated:
The Government will outline a clear and simple framework for
privacy rights and obligations and build on its commitment to trust and
integrity in Government. The Government will:
- create a harmonised set of Privacy Principles which will replace
  the separate sets of public and private sector principles at the federal level,
  untangling red tape and marking a significant step on the road to national
  consistency;
- redraft and update the Privacy Act to make the law clearer and
  easier to comply with;
- create a comprehensive credit reporting framework which will
  improve individual credit assessments, complementing the Government's reforms
  to responsible lending practices;
- improve health sector information flows, and give individuals new
  rights to control their health records, contributing to better health service
  delivery;
- require the public and private sector to ensure the right to
  privacy will continue to be protected if personal information is sent overseas;
  and
- strengthen the Privacy Commissioner's powers to conduct
  investigations, resolve complaints and promote compliance, contributing to more
  effective and stronger protection of the right to privacy.
These reforms will be technology neutral, providing
protection for personal information held in any medium. The Privacy
Commissioner will also have an enhanced role in researching, guiding and
educating on technologies that enhance or impact on privacy.[13]
2.22
In formulating the response, the Department of the Prime Minister and
Cabinet (the department) conducted further consultations with stakeholders,
agencies, industry and consumer representatives, academics and privacy experts.
The first stage response addressed 197 of the ALRC's 295 recommendations. The
department stated that of those 197 recommendations, the Government:
- accepted 141 recommendations, either in full or in principle;
- accepted 34 recommendations with qualification;
- did not accept 20 recommendations; and
- noted two recommendations.[14]
2.23
The Cabinet Secretary indicated that once the first stage reforms had
progressed, the remaining recommendations would be considered. It was also
noted that the remaining recommendations 'include sensitive and complex
questions around the removal of exceptions and data breach notices'. Extensive
consultation and input will be required for these matters.