ALRC: The business of privacy

Every Issue

Cite as: (2006) 80(12) LIJ, p. 84

The ALRC is looking at whether all businesses should be required to comply with the Privacy Act.

The Australian Law Reform Commission (ALRC) has been asked to conduct an inquiry into the extent to which the Privacy Act 1988 (Cth) and related laws continue to provide an effective framework for the protection of privacy in Australia.

In October 2006, the ALRC released issues paper 31, Review of Privacy (IP 31). Issues paper 32, which will deal with the credit reporting provisions of the Privacy Act, will be released later this month.

IP 31 raised a wide range of issues, including: the adequacy of federal privacy law; inconsistency in privacy laws; the protection of personal health information; the privacy of children and young people; the protection of personal information in the telecommunications context; the impact of developing technology on privacy; and the flow of personal information across borders.

The inquiry’s primary focus is on information privacy and rules regulating the handling of personal information.

The ALRC’s terms of reference specifically direct the ALRC to consider, among other things, the desirability of minimising the regulatory burden on businesses. One of the questions the ALRC is considering is whether all businesses should be required to comply with the Privacy Act.

At present, many small businesses – that is, businesses with an annual turnover of $3 million or less – are exempt from compliance with the Privacy Act.

It has been estimated that as many as 94 per cent of businesses may be exempt by reason of this exemption.[1] There are exceptions to this rule. For example, a small business must comply with the Act if it: provides a health service and holds health information; trades in personal information; is acting under a contract to provide services to the Australian government or its agencies; or also runs a larger business that has an annual turnover of more than $3 million.

A small business may also choose to “opt in” to be covered by the Act – in which case it will be listed on a register maintained by the Office of the Privacy Commissioner, who will then have power to handle privacy complaints made against the business.

The stated reasons for the small business exemption are twofold: (1) generally small businesses do not pose a high privacy risk; and (2) small businesses should not be subjected to an unreasonable compliance burden.[2]

The exceptions to the exemption reflect the government’s view that some businesses pose a higher risk to privacy and therefore should be covered by the Privacy Act.[3] Some privacy advocates argue that there is no reason why the level of privacy protection should be dependent on the size of the business. They note that some small businesses carry out privacy intrusive activities – for example, Internet service providers, debt collectors and dating agencies.[4]

The employee records exemption is another exemption that is of particular relevance to business.

An “employee record” is a record of personal information relating to the employment of the employee, such as resumes, referee reports, disciplinary matters, termination of employment, payslips, and tax and financial details.

Current or former private sector employers do not have to comply with the Privacy Act if they are handling employee records and their actions are directly related to the employment relationship. However, this exemption does not apply if the employers are handling employee records in a way that is beyond the scope of that relationship. For example, employers cannot pass on the personal details of their employees to workers’ compensation insurers without complying with the Privacy Act.

A reason given for the employee records exemption was that the privacy of employee records should be regulated under workplace relations legislation.[5]

However, currently there is little privacy protection under the workplace relations regime. The Privacy Act also does not contain a corresponding exemption for the handling of employee records by public sector agencies. The ALRC is considering whether the privacy of private sector employee records should be protected, and if so, the extent of the protection and where such protection should be located.

The ALRC is conducting an extensive program of public consultation. These consultations include public and youth forums, as well as meetings with government agencies, interest groups such as small and large businesses, non-government organisations and consumer groups, and other interested individuals and organisations. This round of consultation will be followed by the publication of a discussion paper around mid-2007.

The discussion paper will indicate the ALRC’s thinking in the form of specific reform proposals. The ALRC will then seek further submissions and conduct a further round of consultations concerning these proposals. The ALRC is due to present its final report to the Attorney-General by 31 March 2008.

All ALRC consultation papers are free. Once released, they are available on the ALRC’s website or by contacting the ALRC. People with an interest in the inquiry are encouraged to register online to be notified of developments by email or fax.

Contributed by the AUSTRALIAN LAW REFORM COMMISSION, GPO Box 3708, Sydney 2001, ph (02) 8238 6333, fax (02) 8238 6363, email, website

[1] Parliament of Australia – House of Representatives Standing Committee on Legal and Constitutional Affairs, advisory report on the Privacy Amendment (Private Sector) Bill 2000, (2000) [2.20].

[2] Commonwealth, Parliamentary debates, House of Representatives, 12 April 2000, 15749 (D Williams – Attorney-General), 15752; revised explanatory memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 6.

[3] Revised explanatory memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 6.

[4] Australian Privacy Foundation, Commentary on “Getting in on the Act: The review of the private sector provisions of the Privacy Act” 1988, at 11 October 2006; Electronic Frontiers Australia Inc, submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 22 December 2004.

[5] Commonwealth, Parliamentary Debates, House of Representatives, 12 April 2000, 15749 (D Williams – Attorney-General), 15752; revised explanatory memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth).

