Rewrite of privacy law for 21st century

The Federal Government has announced its stage one response to the Australian Law Reform Commission's Report 108, For Your Information: Australian Privacy Law and Practice.

In a speech to the International Association of Privacy Professionals in Melbourne, Special Minister of State Senator Joe Ludwig said the Government’s intention was to effectively rewrite the Commonwealth Privacy Act 1988 for the 21st Century. Full details of the response are contained in this 144 page response released at the same time. The response sets the foundation for a revamped privacy framework, addressing 197 of the 295 recommendations in the ALRC’s Report. Key features, as outlined in the Minister's speech and in the detailed response are to

• provide for one set of Privacy Principles for Commonwealth agencies and relevant businesses alike. Senator Ludwig said the Government was all too aware of the flaws of regulatory duplication, unnecessary complexity of obligations and rights, and the impediments to information-flow inherent in the current situation of treating the Government and private sector separately. New Government proposals for the Privacy Principles include: a requirement to take reasonable steps to implement compliance with the Privacy Principles, under the ‘openness’ principle; a ‘missing persons’ exception under the ‘use and disclosure’ principle; greater accountability for entities that transfer information overseas under the ‘cross-border data flows’ principle; and specific permission to handle Commonwealth, state and territory government identifiers for identity verification purposes under the ‘identifiers’ principle.
• deal with developing technology by ensuring the Privacy Act will be technology neutral. Various parts of the response will further protect against emerging threats and privacy pitfalls by empowering the Privacy Commissioner to undertake research, and provide guidance and education on technologies that enhance or impact on privacy. Biometric information will be included in the definition of ‘sensitive information’ (reflecting its unique nature and heightened risks of misuse)
• strengthen the Privacy Commissioner’s powers of investigation, compliance and enforcement of the Act. The Commissioner will be able to handle complaints and gather information more effectively, compel appearances or production of documents, accept enforceable undertakings, and seek civil penalties for serious or repeated breaches of the Act. A new development will be a three-tiered scheme for binding Privacy Codes. Binding codes can be developed by organisations or agencies voluntarily, but the Commissioner will also be able to request a group of organisations or agencies to develop one where it would serve the public interest. If they fail to comply, the Commissioner can impose a mandatory code on the group. The Commissioner will be able to direct an agency to provide a Privacy Impact Statement. For the private sector, the Commissioner will be empowered to conduct Privacy Performance Assessments of personal information records to see if they are abiding by the Privacy Principles.
• provide for the enhanced use of data for the purpose of credit reporting while including additional specific protections to ensure such data is used appropriately. In order to allow credit providers to undertake a more robust assessment of an individual’s credit risk, the Government will make changes which allow five positive datasets - the type of each active credit account, date of opening and closure of account, account credit limits and credit repayment history- to be included on an individual’s credit report.
• improve health sector information flows and provide additional guidance for the use of health information; enact new rights to request transfer of records and to be told what will happen to health records if a provider closes down or changes hands
• support and facilitate research in the public interest by simplifying regulation,while protecting community expectations of personal privacy. A harmonised set of rules for Government and private sector researchers will replace the two sets of binding guidelines on non-consensual handling of personal information; and the research provisions will be expanded to allow such handling for any research in the public interest, not just for health and medical research. Two important parameters of the current regime will also be maintained: the public interest in research must ‘substantially outweigh’ the protection of privacy – requiring a clear choice in favour of the research; and the National Health & Medical Research Council and the Privacy Commissioner will retain primary responsibility for issuing and approving the research rules.
  
• new and consistent provisions on cross-border data flows. Agencies and organisations will remain accountable for personal information which is transferred overseas unless there is: informed consent of the individual; a legal requirement or authorisation for the transfer; strong public interest grounds; or, the other country has a law or a binding scheme, similar to the Privacy Principles, that will protect the information. Such a law or scheme must be enforceable by the individual. A mere contract binding the overseas party would not be enough to remove accountability for the information if it is offshore and there is no viable remedy for the individual.
• through guidance and legislative amendment make clear that the Privacy Act (not the FOI Act as is the case at present) is the primary avenue for access to, and correction of, an individual’s own personal information. The Privacy Act will be the key Commonwealth law for the collection, handling, disclosure and accessing of personal information. The focus of the FOI Act is intended to be on access to documents held by government other than an individual’s own personal information. However, in recognition that there will be circumstances where documents held by agencies contain a mixture of: (a) an individual’s personal information; (b) the personal information of third parties; and (c) non-personal information, in such a way as to make it difficult to release only the individual’s personal information, or that individuals may make access requests for files that contain such a mixture of information, the Government agrees that rights to access some personal information should be retained under the FOI Act. Agencies will need to establish administrative processes for dealing with the different access and correction requests that will arise under the Privacy and FOI Acts, having regard to the types of records and information they hold. Guidance on the interaction between the two Acts will be critical for agencies.
  
• work with the states and territories to harmonise privacy law across the nation. The first stage response will create a platform from which the Government can pursue national harmonisation through discussion with the states and territories. Ultimately, the aim will be a consistent set of privacy standards for the Commonwealth, state and territory public sectors, as well as the private sector. The Federal Government will be looking to the states and territories to repeal privacy laws including health privacy laws that apply to the private sector. Additional national consistency issues will be considered in the second stage response.

Of the 197 recommendations addressed in this first stage, the Government

• accepted 141, either in full or in principle;
• accepted 34 with qualification; and
• noted 2 recommendations.

20 recommendations were not accepted. While opinions will differ, only two struck me as noteworthy: rejection of the recommendation to extend privacy protection to personal information held about a deceased individual dead for 30 years or less; and rejection as unnecessary of action to ensure that federal legislative instruments establishing public registers containing personal information set out clearly any restrictions on the electronic publication of that information.

The Australian Law Reform Commission was pleased with the "giant tick" for its recommendations.

Next steps: the Government intends to release an exposure draft bill reflecting these changes to be sent to a Parliamentary Committee for consultation early in 2010, before returning to Parliament with a final bill. Once the first stage has progressed, the Government will then begin considering the ‘second stage response’ to the ALRC’s remaining 98 recommendations. ‘Second stage’ issues include proposals to clarify or remove exemptions; data-breach notification; a statutory cause of action for serious invasions of privacy; telecommunications privacy; decision making issues (such as authorised representatives and children’s privacy); and further national harmonisation.