The Federal Government yesterday issued its long-awaited response[1] to last year’s Australian Law Reform Commission (ALRC) report, ‘For Your Information: Australian Privacy Law and Practice’.[2]
Cabinet Secretary, Senator Joe Ludwig, announced the government response at a conference of the International Association of Privacy Professionals, accepting 141 of the 197 recommendations dealt with in the government’s ‘First Stage Response’. The government’s response to the remaining 98 ALRC recommendations is unlikely to be available before 2010.
Following is an overview of the key developments foreshadowed in the government’s response, with particular focus on those that depart from the ALRC’s recommendations, on which we have previously reported.[3]
The Privacy Act
The government intends to include many of the planned reforms in a refreshed Privacy Act, rather than in separate regulations, as had been recommended by the ALRC for credit reporting and health.
The Act will remain applicable to living individuals only, with the government rejecting a recommendation to extend the definition of ‘personal information’ to individuals dead for up to 30 years.
Creating consistency in regulation
The government has agreed to harmonise the current Information Privacy Principles (for the Commonwealth public sector) and National Privacy Principles (for the private sector) into a single set of principles. It remains to be seen whether the government will succeed in persuading the states and territories to fall into line with the new principles rather than retaining existing state-based public sector and health privacy laws.
The new privacy principles
The new privacy principles will differ in some respects from the Uniform Privacy Principles (UPPs) proposed by the ALRC. Amongst the government’s planned deviations from the ALRC recommendations are:
- where the collection of personal information is required by law, the specific law should be identified as part of notice to the individual
- a new exception allowing certain use and disclosure of personal information in relation to missing persons
- clarification that consent can be withdrawn by individuals in appropriate circumstances
- that direct marketing will not have to be restricted to individuals over 15
- giving individuals the ability to opt out of disclosure of their information for the purpose of direct marketing, not just direct marketing itself
- a new requirement to take reasonable steps to implement compliance with the principles, for example through appropriate procedures and training, and
- specific permission to handle government identifiers for identity verification.
Cross-border data flows
In response to community concern about transfers of personal information overseas, particularly with the rise in offshore outsourcing and cloud computing, the government intends to introduce the following additional protections for individuals:
- an obligation to take reasonable steps to notify individuals if their information is reasonably likely to be transferred overseas and to where it may be transferred, and
- greater accountability for the party sending the information overseas, notwithstanding any contractual obligations they may place on the recipient.
The Privacy Commissioner
The government plans to introduce a range of additional functions and powers for the Privacy Commissioner, including discretionary powers to:
- require agencies to conduct privacy impact assessments
- undertake privacy performance assessments of organisations’ activities
- handle complaints and gather information more effectively, compel appearances or production of documents, and accept enforceable undertakings, and
- seek civil penalties for serious or repeated breaches of the Privacy Act.
We note that separate reforms are proposed to have the Privacy Commissioner and an FOI Commissioner operating as part of a new Office of the Information Commissioner. These changes may result in some formal powers being vested in the Information Commissioner, but with the Privacy Commissioner continuing to have a role in exercising relevant powers and functions.
The government has agreed to make Australia’s consumer credit reporting system more comprehensive by allowing for the recording of details of account type, account opening and closing dates, credit limits and repayment history, the latter being subject to the introduction of responsible lending reforms[4] currently before Parliament.
Notable departures from the ALRC recommendations include:
- rejecting the recommendation to allow use and disclosure of credit information within individuals’ reasonable expectations, and instead keeping to a defined set of allowed grounds for use and disclosure
- allowing for the use of credit reporting information for ‘pre-screening’ direct marketing lists in limited circumstances
- retaining restrictions on disclosing a broader class of ‘credit worthiness information’ beyond what is recorded in a credit reporting agency’s file, although this concept would be made narrower than in the current Privacy Act
- requiring individuals to be notified before missed payments (not just those overdue by 60 days) are listed in their credit information file
- requiring the party receiving a complaint to take initial steps to resolve the complaint, whether that is the credit provider or the credit reporting agency, and
- extending the requirement to participate in an external dispute resolution scheme to all credit providers that actively contribute to individuals’ credit files.
The government intends to add to the ALRC’s recommended definition of ‘health service’, an exclusion for activities performed for reasons other than care or treatment, such as insurance.
Other variations from the ALRC positions deal with issues including individuals incapable of giving consent, genetic information and health research.
Drafting is underway and public consultation on exposure draft legislation is scheduled for early 2010. These changes will have significant impacts in terms of compliance requirements and costs for many businesses and government agencies. Affected parties should familiarise themselves with the changes and prepare themselves to engage in the consultation process where appropriate.
The government is yet to respond to several high-profile recommendations, including those relating to:
- exemptions for small business, employee records and the media
- privacy decision making by young people and authorised representatives
- the Telecommunications Act privacy regime
- the creation of a privacy right for individuals, and
- obligations to notify serious data breaches.
Consultation on these areas and formulation of the government’s response to the related ALRC recommendations will commence once the first stage dealt with here has further progressed.