On Line Opinion is a not-for-profit publication and relies on the generosity of its sponsors, editors and contributors. If you would like to help, contact us.
___________

Syndicate
RSS/XML

Because of the Privacy Act

By Jonathan Dobinson and Lauren Jamieson - posted Wednesday, 17 October 2007

My daughter attends a childcare centre in my local area. One day, the carer commented on how well she was playing with a special friend. When I asked who the special friend was, I was advised that the name of the child, even the first name, couldn’t be released to me due to the provisions of the “Privacy Act”. This is crazy. (National Privacy Phone-In Comment, June 2006.)

Reluctance by government agencies and private sector organisations to share personal information has emerged as a key concern in the Australian Law Reform Commission’s review of Australia’s privacy laws. The main law that the Australian Law Reform Commission (ALRC) is reviewing is the federal Privacy Act, which was introduced in 1988.

The ALRC has heard numerous examples of agencies and organisations using “because of the Privacy Act” as an excuse for not providing information. In many cases, such as the one outlined above, the Privacy Act would not have prohibited the sharing of the information.

Agencies and organisations have told the ALRC that inconsistent, fragmented and multi-layered privacy regulation can cause confusion about how to comply with privacy laws. This confusion can result in agencies and organisations adopting an overly cautious approach to sharing information. This reluctance to share information can be exacerbated where agencies or organisations are subject to two or three layers of federal and state privacy regulation.

On September 12, 2007, the ALRC released a blueprint with 301 proposals for overhauling Australia’s complex privacy laws. Review of Australian Privacy Law (Discussion Paper 72) is just under 2,000 pages, and is the product of the largest consultation process in ALRC history. The ALRC is seeking public comment on all the proposals, before making its final recommendations for reform to the federal Attorney-General at the end of March 2008.

Reducing complexity in privacy regulation

The ALRC has made several proposals to help reduce the complexity of privacy regulation in Australia and achieve national consistency.

First, the ALRC proposes that the Privacy Act apply to the Commonwealth public sector and to all of the private sector, to the exclusion of state and territory privacy legislation.

Second, the ALRC has proposed that the current system of two sets of privacy principles - one for the public sector, one for the private sector - should be replaced with a unified set of privacy principles to apply to the Commonwealth, states and territories in both the private and public sectors.

Third, important definitions in the Privacy Act - such as the definition of “personal information”, “sensitive information” and “record” - should be updated to deal with new technologies and new methods of collecting and storing personal information and should be uniform across federal, state and territory privacy legislation.

“Light touch” regulation

The ALRC has considered whether the current “light-touch” approach of the Privacy Act is appropriate. This approach is based on the idea that it is better to help organisations to comply with the Act, rather than punishing those few organisations that do not comply. The ALRC agrees that while education, guidance and advice are critical to help prevent non-compliance, it is also important that the Privacy Commissioner have sufficient powers to deal with serious or repeated contraventions of the Act. The ALRC proposes that the Privacy Commissioner should be given greater power to order an agency or organisation to take steps to improve its information-handling practices to bring it into compliance with the Act and the Commissioner should have the option of seeking civil penalties in the most serious cases.

Sending information overseas

If I deal with a company in Australia, I most certainly do not want that company passing my details overseas, where laws about privacy are even weaker. I also have a right to know when paying online whether my payment details are being sent overseas, as I view this as a huge security risk. (National Privacy Phone-In Comment, June 2006.)

The transfer of personal information overseas, such as when customer call centres are outsourced to other countries, was another concern raised before the ALRC. The ALRC has proposed a comprehensive transborder data flow principle to regulate the flow of personal information overseas, a key feature of which is that unless the individual consents to the transfer or the organisation or agency reasonably believes that the body receiving the information is subject to similar privacy requirements to the Privacy Act, the organisation or agency will be accountable for ensuring that the outsourcer handles the information consistently with the Privacy Act.

Telecommunications privacy

Telecommunications privacy is another area considered by the ALRC in the inquiry. Many aspects of privacy in telecommunications are covered by separate legislation, in particular the Telecommunications Act 1997 (Cth). The ALRC has made several proposals to reform telecommunications privacy laws. For example, the Telecommunications Act is silent on whether a fee can be charged for an unlisted number. While charging for an unlisted number may not breach privacy laws, it reduces an individual’s ability to control the use or disclosure of their personal information. The ALRC proposes, therefore, that the Telecommunications Act be amended to prohibit the charging of a fee for an unlisted number in a public number directory.

Some types of small businesses that are currently exempt from the Privacy Act may regularly deal in large amounts of personal information - particularly Internet service providers and businesses that provide telephone number databases. While the ALRC propose the removal of the small business exemption, unless and until that proposal is implemented, it is the ALRC’s preliminary view that these businesses should be covered by the Privacy Act.

The ALRC is interested in feedback on whether laws that regulate “spam” and calls by telemarketers should be amended to provide further privacy protection. For example, should the Spam Act prohibit the sending of certain commercial Bluetooth and facsimile messages? Should the exemption for political parties, members of parliament and election candidates under the Do Not Call Register Act 2006 be removed?

Complaint handling

The ALRC’s review has identified concerns about the transparency and efficiency of complaint handling under the Privacy Act. In order to increase efficiencies in the handling of complaints by the Privacy Commissioner, the ALRC has proposed that the Commissioner have the power to refer matters to approved external dispute resolution bodies, such as the Telecommunications Industry Ombudsman and Banking and Financial Services Ombudsman, where appropriate.

Where to next?

The proposals outlined in Discussion Paper 72 do not represent the ALRC’s final views. They are preliminary views and the ALRC welcomes feedback on whether they are practical and appropriate. If you would like to comment on any issue, you can use the online comment form on our website, send an email (privacy@alrc.gov.au), or a letter.

Feedback on proposals for reform is welcome until December 7, 2007, after which the ALRC will prepare a final report to the Attorney-General. The ALRC’s final report is due to the Attorney-General by March 31, 2008.