this product is unavailable for purchase using a firm account, please log in with a personal account to make this purchase.

ALRC: Privacy widely canvassed

Every Issue

Cite as: (2007) 81(12) LIJ, p. 93

The review of privacy law has involved the ALRC in its largest ever consultation process.

On 12 September, the Australian Law Reform Commission (ALRC) released a blueprint with 301 proposals for overhauling Australia’s complex and costly privacy laws and practices.

Review of Australian Privacy Law (Discussion Paper 72) is just under 2000 pages, and is the product of the largest consultation process in ALRC history.

The ALRC received more than 300 submissions from stakeholders and interested members of the public, and more than 170 consultations were conducted in all capital cities.

The ALRC is seeking public comment on all the proposals in Discussion Paper 72, before making its final recommendations for reform to the federal Attorney-General at the end of March 2008.

Reducing complexity in privacy regulation

One of the key themes in the ALRC’s proposals is to reduce complexity and achieve national consistency in privacy regulation.

Agencies and organisations have told the ALRC that inconsistent, fragmented and multi-layered privacy regulation can cause confusion about how to comply with privacy laws.

Some businesses, for example, may be subject to two or three layers of federal and state privacy regulation. This confusion can result in agencies and organisations adopting an overly cautious approach to sharing personal information.

For consumers, the reluctance on the part of agencies and organisations to share personal information can lead to agencies and organisations using “because of the Privacy Act” as an excuse for not providing information.

In many of the examples provided to the ALRC, the Privacy Act (the Act) would not have prohibited the sharing of the information.

The ALRC has made several proposals to help reduce the complexity of privacy regulation in Australia and achieve national consistency.

First, it proposes that the Act apply to the federal public sector and to all of the private sector, to the exclusion of state and territory privacy legislation.

Second, the ALRC proposes that the current system of two sets of privacy principles – one for the public sector, one for the private sector – should be replaced with a unified set of privacy principles to apply to the Commonwealth, states and territories in both the private and public sectors.

Third, important definitions in the Act – such as the definition of “personal information”, “sensitive information” and “record” – should be updated to accommodate new technologies and new methods of collecting and storing personal information and should be uniform across federal, state and territory privacy legislation.

Removing exemptions

In Discussion Paper 72, the ALRC proposes that the exemptions that currently apply to small businesses and political parties should be removed from the Act.

The removal of these two exemptions would mean that small businesses and political parties would be subject to the same requirements as other organisations and agencies.

The ALRC also proposes removing the current exemption that means that private sector employers do not have to comply with the Act in relation to records about current or past employees. As public sector employee records are currently covered by the Act, this proposal would achieve consistency between the public and private sectors and ensure that private sector organisations would be required to handle employee records in the same way as other personal information.

Enforcing the Privacy Act

The ALRC has proposed expanding the Privacy Commissioner’s powers to enforce compliance with the Act.

While supporting the emphasis on education, guidance and advice to help prevent non-compliance, it is important that the Privacy Commissioner have sufficient powers to deal with serious or repeated contraventions of the Act. The ALRC proposes that the Privacy Commissioner be given greater power to order an agency or organisation to take steps to improve its information-handling practices to bring it into compliance with the Act and the Commissioner should have the option of seeking civil penalties in the most serious cases.

Data breach notification

Currently, agencies and organisations are not required to notify affected individuals when their personal information, such as credit card details, has been leaked, lost or inadvertently published.

Under the ALRC’s proposed data breach notification model, agencies and organisations would be required to tell an affected individual about the data breach where there is a real risk of serious harm to the affected individual because of the breach.

Cause of action for invasion of privacy

Another key ALRC proposal is for a statutory cause of action for invasion of privacy.

The Act currently does not deal with other aspects of privacy besides information privacy, such as the right to enjoyment of home or family life, or a right to freedom from surveillance.

Based on community feedback, the ALRC proposes that a right to privacy should be recognised formally in the Act.

The proposed statutory cause of action would allow an individual to take action in court to seek a range of remedies where there has been an invasion of their privacy in circumstances where there was a reasonable expectation of privacy and the action complained about was serious enough to cause substantial offence to an ordinary person.

Where to next?

The proposals outlined in Discussion Paper 72 do not represent the ALRC’s final views.

They are preliminary views and the ALRC welcomes feedback on whether they are practical and appropriate.

Feedback on proposals for reform is welcome until 7 December, after which the ALRC will prepare a final report to the Attorney-General by 31 March next year.

Contributed by the AUSTRALIAN LAW REFORM COMMISSION. Contact the ALRC at GPO Box 3708, Sydney 2001, ph (02) 8238 6333, fax (02) 8238 6363, email, website


Leave message

 Security code
LIV Social