Because of the Privacy Act

My daughter attends a childcare centre in my local area. One day, the carer commented on how well she was playing with a special friend. When I asked who the special friend was, I was advised that the name of the child, even the first name, couldn’t be released to me due to the provisions of the “Privacy Act”. This is crazy. (National Privacy Phone-In Comment, June 2006.)

Reluctance by government agencies and private sector organisations to share personal information has emerged as a key concern in the Australian Law Reform Commission’s review of Australia’s privacy laws. The main law that the Australian Law Reform Commission (ALRC) is reviewing is the federal Privacy Act, which was introduced in 1988.

The ALRC has heard numerous examples of agencies and organisations using “because of the Privacy Act” as an excuse for not providing information. In many cases, such as the one outlined above, the Privacy Act would not have prohibited the sharing of the information.

Agencies and organisations have told the ALRC that inconsistent, fragmented and multi-layered privacy regulation can cause confusion about how to comply with privacy laws. This confusion can result in agencies and organisations adopting an overly cautious approach to sharing information. This reluctance to share information can be exacerbated where agencies or organisations are subject to two or three layers of federal and state privacy regulation.

On September 12, 2007, the ALRC released a blueprint with 301 proposals for overhauling Australia’s complex privacy laws. Review of Australian Privacy Law (Discussion Paper 72) is just under 2,000 pages, and is the product of the largest consultation process in ALRC history. The ALRC is seeking public comment on all the proposals, before making its final recommendations for reform to the federal Attorney-General at the end of March 2008.

Reducing complexity in privacy regulation

The ALRC has made several proposals to help reduce the complexity of privacy regulation in Australia and achieve national consistency.

First, the ALRC proposes that the Privacy Act apply to the Commonwealth public sector and to all of the private sector, to the exclusion of state and territory privacy legislation.

Second, the ALRC has proposed that the current system of two sets of privacy principles - one for the public sector, one for the private sector - should be replaced with a unified set of privacy principles to apply to the Commonwealth, states and territories in both the private and public sectors.

Third, important definitions in the Privacy Act - such as the definition of “personal information”, “sensitive information” and “record” - should be updated to deal with new technologies and new methods of collecting and storing personal information and should be uniform across federal, state and territory privacy legislation.

“Light touch” regulation

The ALRC has considered whether the current “light-touch” approach of the Privacy Act is appropriate. This approach is based on the idea that it is better to help organisations to comply with the Act, rather than punishing those few organisations that do not comply. The ALRC agrees that while education, guidance and advice are critical to help prevent non-compliance, it is also important that the Privacy Commissioner have sufficient powers to deal with serious or repeated contraventions of the Act. The ALRC proposes that the Privacy Commissioner should be given greater power to order an agency or organisation to take steps to improve its information-handling practices to bring it into compliance with the Act and the Commissioner should have the option of seeking civil penalties in the most serious cases.

Sending information overseas

If I deal with a company in Australia, I most certainly do not want that company passing my details overseas, where laws about privacy are even weaker. I also have a right to know when paying online whether my payment details are being sent overseas, as I view this as a huge security risk. (National Privacy Phone-In Comment, June 2006.)

The transfer of personal information overseas, such as when customer call centres are outsourced to other countries, was another concern raised before the ALRC. The ALRC has proposed a comprehensive transborder data flow principle to regulate the flow of personal information overseas, a key feature of which is that unless the individual consents to the transfer or the organisation or agency reasonably believes that the body receiving the information is subject to similar privacy requirements to the Privacy Act, the organisation or agency will be accountable for ensuring that the outsourcer handles the information consistently with the Privacy Act.