For 28 months the Privacy Act 1988 (Cth) and related laws were the subject of an inquiry by the Australian Law Reform Commission.
The result of which was a three volume report containing 74 Chapters and 295 recommendations for reform. The report, entitled For Your Information: Australian Privacy Law and Practice is more and often referred to as ALRC Report 108.
ALRC Report 108 made recommendations to improve the existing privacy law to protect the public from threats to privacy and to the security of their information. The federal government hopes to balance the privacy rights of persons as against other competing rights and interests, such as the right to information and national security.
The report revealed that the Privacy Act is still a reliable piece of legislation. However, the advancement of technology requires that the law must be refined to fit into modern day activities. As technology grows, a person’s personal information if more likely to be collected and stored in public and corporate databases that should be protected against misuse and irresponsible handling.
The ALRC Reform Recommendations
The ALRC report has introduced several reform recommendations. The more significant recommendations include:
- The simplification and streamlining of the Privacy Act and other related laws. The report found a need for restructuring the Privacy Act to focus on providing high-level principles of general application that will be supplemented by policies and regulations to specific fields like the health, credit and finance sector.
- To regulate cross-border data flows. This is to protect information from being irresponsibly transferred outside the country by holding the person, agency or organisation responsible and accountable for the damaged caused unless allowed under certain specified circumstances.
- To introduce amendments to rationalise exemptions and exceptions to the Privacy Act. The Privacy Act is not an absolute law. Amendments to the Act are necessary to change the granting of exemptions and exceptions. The ALRC recommended the removal of the exemptions enjoyed by political parties, employee’s records, and small businesses.
- To improve the mechanisms for dealing with complaints and impose stiffer penalties for violations. The procedure for handling complaints should be further developed and strengthened. Additionally, the federal courts should be empowered to be able to impose civil penalties for serious or repeated breaches of the Privacy Act.
- Comprehensive credit reporting. It is recommended that there be some expansion of the categories of information held by credit reporting agencies to include: the type of each current credit account opened; the date on which each current credit account was opened; the credit limit of each current account; and the date on which each credit account was closed.
In addition, the ALRC also recommended allowing credit reporting to include information about an individual’s repayment history after it is satisfied that there is an adequate framework imposing responsible lending obligations in Commonwealth, state and territory legislation.
- Health privacy. The ALRC recommends the revision of new Privacy (Health Information) Regulations that will regulate important areas of concern. It also recommends the use of electronic health records to facilitate faster health and medical research.
- To educate children. The ALRC recommends that agency regulators and industry associations will have to intensify efforts to inform young people about the use of personal information that they post on social networking websites. They are fully unaware that such information remains available even after it has been ‘deleted’ on the site.
- To strengthen data breach notification. Government agencies and business organisations should be required to notify individuals including the Privacy Commissioner in such cases where there is a real risk of serious harm as a result of a data breach.
- Cause of action for a serious invasion of privacy: Federal law should provide for a private cause of action in which an individual is provided with appropriate remedies against serious invasion of privacy. In the same way, courts should be empowered to impose appropriate penalties, such as an order for damages, an injunction or an apology.
- Strengthening the powers of the Privacy Commissioner. The Commissioner shall have the power to investigate and enforce judgments.
- Enhanced credit reporting system. This is to provide for enhanced use of data for credit reporting and include additional specific protections to ensure that the information has been used appropriately.
- To harmonise privacy laws across the country.
The Privacy Amendment Act
In response to the call of reforms in the Privacy Act, the government introduced to Parliament the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act) on 23 May 2012. The amendments were approved on 29 November 2012. The Act introduces significant changes to the Privacy Act which came into force on the 12th of March 2014 along with the Privacy Regulations 2013.
Many businesses and organisations that previously held no obligation to privacy principles are now covered under the Act. This means that many organisations were unaware, or unprepared for the changes.