All images are of AAR staff and partners
Allens Arthur Robinson

Privacy homeOverviewNPPs & codesComplyingLegislation & linksIndustriesNews

  Home »

Print Version
Or use advanced search

News
Archive - 2005
Archive - 2004
Archive - 2003
Archive - 2002
Archive - 2001
 Feedback
 Contacts
 Glossary


News

If you'd like to be added to our mailing lists and alerted when we add new publications to our main site, please go to the subscription page in our main site publications area.

Focus: Privacy

29 October 2007

Partner Catherine Parr, Special Counsel Karin Clark and Articled Clerk Kelly Griffiths report on proposals in the Australian Law Reform Commission's recent discussion paper for the reform of Australian privacy laws as they relate to credit reporting.
View publication 

 

Release of the ALRC's Review of Australian Privacy Law: submissions due 7 December 2007

10 October 2007

Following the release of its Issues Paper about 12 months ago, the Australian Law Reform Commission (ALRC) has now published its three volume (almost 2000 page) Discussion Paper, Review of Australian Privacy Law (Review). The Review contains 301 wide ranging proposals for the reform of Australian privacy law which, if implemented, are likely to affect the way almost every Australian business must handle personal information in future.

The ALRC is now in the final stage of its community consultation, and will receive submissions until 7 December 2007, after which it will make a final report to the Attorney-General by 31 March 2008. Given that the ALRC has stated that more than 85 per cent of its reports have been either substantially or partially implemented1, businesses and other organisations that handle large amounts of personal information should familiarise themselves with the proposals that may affect their operations and consider if they should make a submission to the ALRC.

The following highlights only a few of the more interesting and significant proposals made by the ALRC. Allens Arthur Robinson will publish further information about the proposals and can also be contacted for more information or to assist in the preparation of submissions.

Call for uniformity and a new set of Unified Privacy Principles (UPPs)

The Review calls not only for a new set of UPPs to cover both the private sector and the Commonwealth public sector, but also for the new federal UPPs to override state and territory laws health privacy laws covering the private sector. In order to promote more uniformity, which is likely to be welcomed by many stakeholders, the Review also recommends that the states and territories should enact privacy laws applying to their public sectors that would also be based on the UPPs.

UPPs would generally be based on the NPPs

The Review recommends that the new UPPs would be based largely on the current NPPs (rather than the Information Privacy Principles that apply to the federal public sector under the current Privacy Act 1988 (the Act)), but with some significant modifications. For example, the proposed UPPs would differ from the NPPs in that the UPPs would provide:

  • that if an organisation receives unsolicited personal information, they must destroy it or comply with the UPPs as if they had solicited it;
  • that if practicable, individuals must be informed not only about the fact that personal information has been collected about them, but also the circumstances of collection and, in certain circumstances and on request, also the source from which the information was collected;
  • that privacy policies must contain information about the period for which records about personal information are kept and who can access them;
  • for a separate privacy principle to cover direct marketing which (among other things) would require organisations to take reasonable steps to let individuals know where their personal information was acquired from, upon request;
  • that the 'access and correction' principle provide that where an organisation corrects personal information, it must, on request, take reasonable steps to inform third parties to whom it has previously disclosed incorrect information; and
  • that where an organisation transfers personal information outside Australia on the basis that (for example) the organisation has taken steps to ensure that the information will not be dealt with inconsistently with the UPPs, the organisation continues to be liable for any breach of the UPPs after the transfer.

Scope of 'personal information'

The Review proposes some change to the definition of 'personal information' so that it will be clearer that the definition will include data such as email addresses, Internet Protocol addresses and mobile telephone numbers in certain circumstances (for example, when it is possible for an organisation to link such data with a particular individual).

The Review also proposes that the personal information of persons who have been deceased for 30 years or less should be protected under a new section of the Act, which would provide for a modified version of the UPPs.

Removal and modification of exemptions

The Review recommends that some significant exemptions in the Act should be removed or modified. If adopted these recommendations will greatly increase the application of the Act and any new privacy principles that are enacted.

Small business

The Review proposes that the current small business exemption under the Act, which it notes exempts potentially up to 94% of Australian businesses from the operation of the Act, should be removed. At the same time, it recommends a number of measures that can be taken by the Office of the Privacy Commissioner (OPC) to assist small businesses to comply with the Act.

Employee records

The Review also suggests removing the employee records exemption in the Act. At the same time, it recommends that the Act be amended to provide that a request for access to evaluative material in relation to employment, appointment or the award of a contract or honour, can be denied if disclosure would breach a duty of confidentiality owed to a third party such as a referee.

Media and journalism

The Review proposes in relation to the current exemption for activities in the course of journalism that the term 'journalism' be defined so that it relates to the preparation of material which has the character of news, current affairs or a documentary, or which is commentary or opinion on, or analysis of, such material. It also proposes that better criteria should be established for assessing the adequacy of media privacy standards for the purposes of an organisation gaining the benefit of this exemption.

A new statutory cause of action for invasion of privacy

Another significant recommendation is that the Act should be amended to provide for a new cause of action that would provide individuals with a civil remedy where there has been an 'invasion of privacy', for example, where an individual:

  • has had the privacy of their home or family life interfered with;
  • has been the subject of unauthorised surveillance;
  • has had their private communications interfered with, misused or disclosed; or
  • has had sensitive facts relating to their private life disclosed,

where there is a 'reasonable' expectation of privacy and the 'invasion' is serious enough to cause substantial offence to a person of ordinary sensibilities. If enacted, this recommendation would be likely to radically change the nature of the remedies that Australian individuals are entitled to for any perceived breach of privacy.

Credit reporting

The Review proposes that Part IIIA of the Act, which currently specially regulates credit reporting and credit information, be repealed and that credit reporting be regulated under the general provisions of the Act and the UPPs, but with additional regulations imposing obligations on credit reporting agencies and credit providers in relation to the handling of credit reporting information.

The Review also makes many other substantial recommendations, such as:

  • that certain limited categories of positive credit reporting be allowed (eg, details of each type of current credit account opened, credit limits and dates credit accounts opened and closed);
  • that the new regulations relating to the privacy of credit information should extend to credit provided to individuals for any purpose and not only to credit provided for domestic, family or household purposes;
  • that the new regulations allow the reporting by an individual of information that they have been the subject of identity theft;
  • that the new regulations do not allow information about presented and dishonoured cheques to be reported; and
  • that credit reporting agencies should only be permitted to list overdue payments of more than a minimum amount.

Powers of the OPC and compliance with the Act

The Review also recommends that the powers of the OPC be extended, so that, for example:

  • the OPC can conduct audits of private sector organisations to check for compliance with the UPPs;
  • the OPC can direct that a privacy impact assessment be conducted in relation to a new project or development that the OPC considers may have a significant impact on the handling of personal information;
  • the Privacy Commissioner can issue a notice to a Commonwealth agency or a private sector organisation (where it considers that the agency or organisation has interfered with privacy) to take specific action and commence proceedings in the Federal Court or Federal Magistrates Court for an order to enforce the notice; and
  • the Privacy Commissioner can compel parties to a complaint, and any other relevant person, to attend a compulsory conference.

The Review also recommends that the Act be amended to allow a civil penalty to be imposed where there is a serious or repeated interference with the privacy of an individual.

Data breach notification

Another interesting reform called for by the Review is the insertion in the Act of a new Part which would require agencies and organisations to notify the Privacy Commissioner and affected individuals when specified personal information has been acquired by an unauthorised person and this may give rise to a real risk of serious harm to any affected individual. Failure to notify the Privacy Commissioner may attract a civil penalty.

top of page

Focus: Telecommunications

7 August 2007

The past two months has seen a crackdown by the Australian Communications and Media Authority on unsolicited electronic messages. Special Counsel Karin Clark and Lawyer Suzanne Komattu-Mathews report on the outcome of three recent decisions under the Spam Act 2003 (Cth).
View publication 

top of page

Focus: Privacy

13 June 2007

Judge Felicity Hampel in the Victorian County Court recently held that the general law now offers protection to 'private information' under both the equitable action of breach of confidence and a new tort of invasion of privacy. Special Counsel Karin Clark, Lawyer Maree Norton and Articled Clerk Adam Butt consider the extent this groundbreaking decision, if upheld, is likely to increase an individual's right to control the publication of 'private information' about themselves.
View publication 

top of page

Information Privacy Bill introduced in Western Australia

26 April 2007

On 28 March 2007 the Information Privacy Bill 2007 (WA) (the Bill) was introduced into the Western Australian Legislative Assembly and received its second reading.

The main objectives of the Bill are to:

  • promote and protect the privacy of personal information through the establishment of Information Privacy Principles to be observed by the public sector when collecting, holding, using or disclosing such information;
  • promote and protect the privacy of health information through the establishment of Health Privacy Principles to be observed by both the public and private sector when collecting, holding, using or disclosing such information; and
  • facilitate the sharing, in appropriate circumstances, of personal information or health information held by the public sector.

According to the explanatory memorandum the Bill, amongst other things, also:

  • creates a right to apply for access to, and amendment of, health records held by the private sector;
  • provides for the making of and approval of information privacy codes of practice and health privacy codes of practice; and
  • provides for the making of complaints relating to alleged interferences with privacy and decisions relating to access and amendment of health records and establish processes for referral and resolution of those complaints.

AAR will provide an update on the progress of the Bill.

top of page

Victorian decision on breach of privacy as an actionable wrong

19 April 2007

A Victorian County Court judge has held that a breach of privacy can be an actionable wrong which gives rise to a right to recover damages 'according to the ordinary principles governing damages in tort'.

In Jane Doe v ABC and ors1, Judge Felicity Hampel found that the ABC was liable to pay over $230,000 to 'Jane Doe' because it had reported her real name as part of a radio news item about the sentencing of her husband, who was convicted of her rape. The judge found that it was established that the broadcast had a significant effect on Doe's recovery from her trauma, inducing post traumatic stress disorder.

Doe brought an action on the grounds of breach of statutory duty, negligence, breach of confidence and invasion of privacy and succeeded on all four grounds.

Breach of statutory duty

The ABC's statutory duty to Doe was based on section 4 (1A) of the Judicial Proceedings Reports Act 1958 (Vic), which prohibits the publishing of information which identifies a person as the victim of a sexual assault. Her Honour found that the ABC's (and its journalists') breach of this law also made the ABC civilly liable to Doe for the injury she suffered as a result of the breach.

Negligence

In dealing with the negligence claim, Hampel J found that the defendants owed Doe a duty of care not to publish information which would identify her, as 'she had a legitimate expectation…that her identity as a victim of sexual assault would not be published, and there was a reasonably foreseeable risk that if they did publish identifying information, she would be injured.' The ABC owed Doe a duty of care because it had the power to widely disseminate her information and was obliged by statute not to do so, distinguishing this case from the kind where, for example, a person spreads information by word of mouth.

Breach of confidence

In dealing with breach of confidence, Her Honour followed the reasoning in leading English cases which have held that there is no longer a requirement for a pre-existing relationship of 'trust and confidence' in order for confidential information to be protected. Instead, confidence may be breached where the information is information 'in respect of which a person has a reasonable expectation of privacy' and a person publishes that information in circumstances where they knew or ought to have known of that reasonable expectation of privacy. In this case, Her Honour held that the information in question was easy to identify as private.

Breach of privacy

In the most ground-breaking part of her judgment, Judge Hampel also held (in addition to finding a breach of confidence) that the relevant breach of privacy was 'an actionable wrong which gives rise to a right to recover damages according to the ordinary principles governing damages in tort'. She determined that the current case was 'an appropriate case to respond, although cautiously, to the invitation held out by the High Court in Lenah Game Meats'2 to do so.

This holding in this case, unless overturned on appeal, will clearly expose journalists, media organisations and all publishers to a new range of claims where it can be established that a person's privacy has been breached by the unjustified publication of private information.

It is understood that an appeal has been lodged.

Footnotes

  1. [2007] VCC 281
  2. Australian Broadcasting Corporation v Lenah Game Meats (2001) 208 CLR 199
top of page

Australian Law Reform Commission releases plain-English guide to the Inquiry into the Privacy Act 1988

12 December 2006

The Australian Law Reform Commission (the ALRC) has released a plain-English guide to its Inquiry into the Privacy Act 1988 (Cth). The guide, titled 'Reviewing Australia's Privacy Laws: Is Privacy Passé?', is an overview of the two Issues Papers released by the ALRC in October and December 2006.

The 28 page overview (available at http://www.austlii.edu.au) highlights and summarises in plain English, some of the key issues that the ALRC is exploring as part of the Privacy Inquiry. The overview also contains anonymous comments made by members of the public during the National Privacy Phone-in, conducted by the ALRC on 1-2 June 2006 as part of its Inquiry.

The overview is aimed at members of the general public and was released to reflect the ALRC's interest in gauging the views of all Australians in relation to privacy.

The ALRC will also produce an overview of the Discussion Paper when it is released in mid-2007.

top of page

Australian Law Reform Commission releases Issues Paper on credit reporting provisions in the Privacy Act 1988

12 December 2006

The Australian Law Reform Commission (the ALRC) has launched its second Issues Paper as part of its Inquiry into the Privacy Act 1988 (Cth) (the Act). The Issues Paper, titled 'Review of Privacy – Credit Reporting Provisions', examines the content, operation and regulation of the credit reporting provisions contained in Part IIIA of the Act, associated provisions and the Credit Reporting Code of Conduct. It sets out arguments for and against comprehensive credit reporting and its potential impact on privacy, examines a range of reform options (including the introduction of separate legislation to regulate credit reporting) and calls for public comment on Australia's credit reporting system.

Some of the specific issues being considered by the ALRC include:

  • the relationship between the obligations in Part IIIA of the Act and the National Privacy Principles which also regulate information handling by credit reporting agencies and credit providers;
  • the types of information held in credit information files and credit reports;
  • how credit reporting agencies and credit providers are required to protect personal information; and
  • the system for resolving complaints about credit reporting, including complaints about the accuracy of information on a credit file.

The ALRC has already held some consultations with experts in the credit reporting field as part of its Inquiry. The ALRC will now undertake further consultations in relation to the Issues Paper with a wide cross-section of stakeholders including: credit reporting agencies; representatives of the banking and finance industries and other credit providers; consumer representatives and advocacy groups; state and territory departments of fair trading and other bodies; academics and lawyers with expertise in privacy; and federal, state and territory privacy commissioners.

The closing date for submissions in response to this Issues Paper (available at http://www.austlii.edu.au/) is 9 March 2007.
In mid 2007 the ALRC will release a Discussion Paper, containing a more detailed treatment of the issues raised in the Issues Papers. The ALRC's final Report on the Inquiry is due to be presented to the Attorney-General by 31 March 2008.

top of page

Access Card framework announced

8 November 2006

The Minister for Human Services, Mr Joe Hockey, today released the Federal Government's response to the first Report of the Consumer and Privacy Taskforce into the proposed Health and Social Services Access Card. Many of the Taskforce's recommendations were supported in the Government's response. Among other things, the Government clarified that:

  • the Access Card will be implemented only for the purposes of access to health and social services and at this stage, new functions have been ruled out;
  • there will be a legislative framework for the Access Card that will:
  • define the information to be collected and stored;
  • vest ownership of the Access Card in the consumer; and
  • be consistent with existing laws that protect privacy and information disclosure;
  • features will be built into the Access Card to render it as disability-friendly as possible;
  • a photograph will be mandatory on the Card but people will have the choice of the name they wish to appear on the card as long as the name is not misleading; and
  • the Access Card number will be listed on the card itself, as will the month and year of expiry of the card.

The Privacy Commissioner, Ms Karen Curtis, welcomed the generally positive response of the Government to the Taskforce's recommendations but also called for the Access Card legislation to include strict privacy controls, including limitations on the use of the Card, prevention of unauthorised access to the information on the Card, its chip or the underlying register, prevention of unauthorised uses and disclosures (including data matching) and sanctions and remedies for breaches.

Here is the Privacy Commissioner's response.

top of page

Victorian Privacy Commissioner issues new Guidelines to the Victorian Information Privacy Principles

October 2006

A new edition of the Guidelines to the Information Privacy Principles has recently been issued by the Office of the Victorian Privacy Commissioner. Issued five years after the coming into operation of the Victorian Information Privacy Act 2000, the new Guidelines (at over 170 pages) are much more substantial than the first edition and reflect the case studies, experience and many other developments (both in Victoria and in other jurisdictions) that have occurred in those five years.

As the Victorian Information Privacy Principles are closely modelled on the National Privacy Principles (or NPPs) under the Commonwealth Privacy Act 1988 (rather than the Commonwealth Information Privacy Principles that apply to the Commonwealth public sector) many of the comments, illustrative cases and discussions in the Guidelines are likely also to be valuable to private sector organisations that are bound by the NPPs. As the new Guidelines come after the passing in Victoria of the Charter of Human Rights and Responsibilities Act 2006, which recognises the right to privacy as a human right, the Guidelines also discuss how the new Charter may be relevant to the interpretation and application of the Victorian Information Privacy Principles.

The new Guidelines can be accessed at http://www.privacy.vic.gov.au.

top of page

Australian Law Reform Commission releases Issues Paper in its Inquiry into the Privacy Act 1988

October 2006

In January this year, following the Review of the Private Sector Provisions of the Privacy Act 1988 by the Office of the Privacy Commissioner and the Inquiry into the Privacy Act 2008 conducted by the Senate Legal and Constitutional References Committee, the Attorney-General, Mr Philip Ruddock, asked the Australian Law Reform Commission (ALRC) to conduct an Inquiry into the extent to which the Privacy Act 1988 (the Act) and other laws provide an effective framework for the protection of privacy in Australia.

In response, the ALRC has now issued a wide-ranging and voluminous (over 600 pages) Issues Paper, which canvasses questions such as:

  • whether the National Privacy Principles under the Act are appropriate and how they can be clarified or improved;
  • whether the current exemptions under the Act should be re-visited;
  • whether the powers of the Office of the Privacy Commissioner are appropriate for its role;
  • the difficulties raised by the multi-layered regulation of personal information in Australia;
  • whether health information is appropriately regulated;
  • whether the protection of personal information for children, young persons, and adults with decision-making disabilities should be dealt with expressly in the Act;
  • how new technologies, or new uses of existing technologies, should be accommodated in a privacy framework; and
  • the regulation of the flow of personal information outside Australia, including whether the APEC Privacy Framework provides an appropriate model for the protection of personal information transferred between countries.

The ALRC will now engage in wide-ranging consultation about the questions that it has raised in the Issues Paper, and expects to release a Discussion Paper in mid 2007. It will also issue a separate issues paper on the consumer credit reporting provisions of the Privacy Act in December 2006.

The closing date for submissions in response to the Issues Paper (which can be found at http://www.austlii.edu.au) is 15 January 2007.

The ALRC expects to make its final Report in March 2008.

top of page

Victorian Workplace Privacy law passed

September 2006

The Victorian Parliament has now passed the Surveillance Devices (Workplace Privacy) Act 2006, which amends the Surveillance Devices Act 1999 and extends the 1999 Act's restrictions on:

  • the use of surveillance devices in workplace toilets, washrooms, change rooms or lactation rooms; and
  • the communication or publication of records of workplace activities or conversations that are recorded or monitored by surveillance devices.

According to the second reading speech delivered by the Victorian Attorney-General, Mr Rob Hulls, the new law is the initial stage in the development of a more comprehensive regime to protect privacy in Victorian workplaces. It arose out of one of the key recommendations of the Victorian Law Reform Commission's report, entitled Workplace Privacy Final Report, which was issued in October 2005.

In the meantime, the Victorian Law Reform Commission has also announced that it is now turning its attention to the regulation of surveillance in public places and whether law reform is necessary to ensure surveillance and the publication of photographs without consent is appropriately controlled. The Commissioner has announced that it will release a consultation paper in 2007 that will detail the issues involved and invite submissions from the public.

top of page

Workplace Privacy Reform: Surveillance Devices (Workplace Privacy) Bill (Vic)

13 September 2006

The Surveillance Devices (Workplace Privacy) Bill 2006 (Vic) (the Bill) has been introduced into the Legislative Assembly by the Victorian Attorney-General, Rob Hulls.

The Bill, which amends the Surveillance Devices Act 1999 (Vic):

  • prohibits the use of surveillance devices in workplace toilets, washrooms, change rooms or lactation rooms, unless the use of surveillance is in accordance with a warrant, emergency authorisation, a law of the Commonwealth or the Liquor Control Reform Act 1998; and
  • prohibits, where the use of surveillance devices is permitted, the communication or publication of a record or report of an activity or conversation that was observed, listened to, recorded or monitored by surveillance devices, unless the communication or publication concerns protected information or is authorised by certain laws. Protected information is defined in section 30D of the Surveillance Devices Act 1999 (Vic) and includes any information obtained from the use of a surveillance device under a warrant or emergency authorisation.

In restricting employers from placing workers under surveillance in workplace toilets and change rooms, the Bill implements one of the key recommendations of the Victorian Law Reform Commission's report, entitled Workplace Privacy Final Report (October 2005) (the Report). However, this represents only a limited adoption of the proposals of the Report. Other recommendations of the Report, which are not reflected in the Bill, included a prohibition on employers subjecting workers or prospective workers to genetic testing without authorisation from the regulator and engaging in acts or practices that interfere with the privacy of a worker where the worker is engaged in non-work related activities.

According to the second reading speech delivered by Rob Hulls, the Bill is the initial stage in the development of a more comprehensive regime to protect privacy in Victorian workplaces. Indeed, the measures in the Bill do not cover computer surveillance or tracking surveillance, both of which are regulated by the NSW Workplace Surveillance Act 2005.

In her report into the Review of the Private Sector Provisions of the Privacy Act 1988 (Cth) (the Privacy Act), the Privacy Commissioner noted that as a result of the employee records exemption in the Privacy Act, inconsistent legislation is being enacted by state and territory governments in order to deal with employment privacy issues such as workplace surveillance. The Privacy Commissioner recommended that the Australian government consider setting in place mechanisms to address inconsistencies, including in the area of workplace surveillance, that have come about as result of the various exemptions in the Privacy Act.

The Australian Law Reform Commission (ALRC) is currently conducting an Inquiry into the Privacy Act and is likely to consider the issue of workplace surveillance (together with the Victorian Law Reform Commission's work), given that the Terms of Reference for the Inquiry require the ALRC to consider relevant existing and proposed Commonwealth, State and Territory practices and also the needs of individuals for privacy protection in an evolving technological environment. An Issues Paper in expected to be released by the ALRC in September 2006, with a final report and recommendations to be delivered in March 2008.

top of page

Privacy Commissioner submissions on Access Card

12 September 2006

The Office of the Privacy Commissioner (the Office) has responded to the first Discussion Paper released by the Department of Human Services' Access Card Consumer and Privacy Taskforce (the Taskforce). The Access Card is an initiative to create one card, containing an information chip, to be used by an individual for a number of government services. The aims of the card are twofold; first, to increase user convenience, and second, to reduce the fraudulent use of government services.

In its submission, the Office emphasises the need for a multifaceted approach in protecting the privacy of individuals, particularly where there is the potential to alienate people from using government services such as Medicare, which is currently used by 9 million individuals. People who are likely to be alienated (eg, people with a mental illness or people who have potentially stigmatising conditions such as HIV/AIDS) may be reluctant to participate in government support schemes without assurance that their private information is protected and will not be misused. In particular, the Office proposes a four element approach for implementing mechanisms to ensure privacy protection.

  1. Fundamental System Design

    These elements include the card design, the architecture of the system and setting parameters in which information is collected and how the information is accessed. Recommendations by the Office include the following.

    • Individuals being able to choose whether or not their photograph is printed on the face of the Access Card or stored in the chip. The Office submits that individuals should have the choice to decide whether the cost and inconvenience of being re-photographed if their card is lost or stolen is outweighed by privacy concerns from having their photo stored in the chip. Whatever the individual's choice, they should be informed as to the consequences, for example, where an individual chooses to not have their photo printed on the card, that they will be required to present supplementary evidence of identity eg a driver's license.
    • Strong risk mitigating strategies being invoked in the areas of design, technology, legislation and oversight if a database is created for storing photographs of a large proportion of the adult Australian population.
    • Only organisations that are explicitly authorised to access the information are able to. An example of unnecessary access to information is where an entitlement agency officer can view personal medical information of the individual. The Office submits that information could be stored in 'open' or 'closed' zones of the card and that the individual understands the implications of each.

  2. Technological Measures

    Technological measures include data security initiatives and the provision of limits to the integration of the Access Card system to established systems. In particular, the Office recommends the following.

    • Encryption software which is specific to the Access Card system to prevent situations where the central database of photographs is used for a purpose other than preventing multiple registrations for government entitlements. An example submitted by the Office of a different purpose is a situation where a closed circuit television network uses facial recognition technology to compare faces of people in a crowd against the stored database of photographs.
    • Limiting the collection and storage of optional information to avoid creating pressures where the use of optional information is inappropriate. The Office also submits that storing optional information can lead to function creep, ie the incremental expansion of the purpose of the Access Card. A technological measure to ensure limited information is collected and stored is to have a small storage capacity on the chip. This physical limitation would ensure, for example, that the government's current promise to not store an individual's health record on the Access Card will be complied with.
    • Data linking between government departments being the exception rather than the norm, but where data linking is necessary, that it involves the consent of the individual. The Office recognises the importance of sharing data between government departments but also submits that data linking between departments has the potential to create one centralised database. A preventative measure to data linking and function creep is the encryption of an individual's Access Card number. Each government department would have a unique encryption key resulting in the Access Card number being different for each department, therefore preventing cross department searches for an individual's Access Card number.

  3. Legislative Measures

    A legislative framework that establishes the scope of the use of the Access Card, eg an individual's right to access and correct their personal information, and to provide prohibitive sanctions for the misuse of the card or information. The Office submits that the legislation, at a minimum, should offer the following.

    • Limiting the purpose for which the physical card can be used, and introducing penalties for tampering with the photograph or chip.
    • Preventing unauthorised access or misuse of the information on the card or chip.
    • Preventing unauthorised or misuse of the information stored in the database.

  4. Oversight Mechanisms

    The Office submits that stringent accountability measures, for example an audit and independent complaints handling mechanism, are important in promoting confidence and assurance in the system.

Overall the submission made by the Office attempts to balance the individual's privacy rights with the aims of the Access Card. The Access Card is scheduled to be phased in from 2008 until 2010.

top of page

New Biometrics Privacy Code approved

The Privacy Commissioner has announced the approval of the Biometrics Privacy Code (the Code) which is to come into operation from 1 September 2006. The Code was developed by the Biometrics Institute and subscription to the Code will only be available to members of the Institute, who can choose to be bound by it. Government agencies may choose to follow the Code (or to prefer tenderers who are subscribers to the Code) but they will not be legally bound to comply with it.

As required by section 18BB of the Privacy Act 1988 (the Privacy Act), the standards in the Code are at least equivalent to the NPPs. One area in which the standards in the Code exceeds the standards set for the private sector in the Privacy Act is where a biometric is included in an employee record, or a biometric has a function related to that employee record. Where this occurs, the Code will override the employee records exemption in the Privacy Act and apply to employee records in which a biometric is stored or which are protected by a biometric.

In addition, the Code incorporates three principles which supplement its other principles that are equivalent to the NPPs.

Supplementary Principles

Principle 11 supplements the privacy principle in NPP 4 with respect to protection of biometric information. The Principle states that biometric information should (wherever practicable) be encrypted immediately after collection, the original biometric information should be destroyed after encryption, and that (wherever practicable) biometric information should be stored only in encrypted form. Principle 11 also regulates the length of storage time for biometric information, where it should be held, and access to biometric information.

Principle 12 enhances NPPs 1 and 2.4. For example, Principle 12 states that enrolment in biometric systems must be voluntary (unless required by law) and that enrolled individuals must be informed of any change in the scope or purpose of the system. Secondary analysis or function creep of biometric information is not permitted without the express informed consent of the individual. In addition, individuals will have the opportunity to have their information removed upon request, where possible.

Principle 13 also enhances NPP 1 in that it requires Code subscribers to disclose the purpose for which a biometric system is being deployed. In addition Principle 13 provides for the implementation of third party auditing to ensure compliance with all aspects of the Code. It also provides that a Code subscriber must consider 'end to end' privacy management issues when providing a product or service to an information technology system. This enhances and supports NPP 4 and requires Code subscribers to take a holistic view of managing privacy across an enterprise.

Another unique provision of the Code is that Code subscribers are required to be aware and take account of the relevant national and international standards for information protection and biometric systems which may prevail from time to time.

Administration

The Code will be administered by the Biometrics Institute Secretariat, under the direction of the Biometrics Institute Board. An Independent Code Review Panel will also be established, which will comprise an independent chairperson and an equal number of consumer and industry representatives which the Biometrics Institute Board may nominate from time to time.

The Code does not implement its own industry complaints system; but rather mandates that subscribers have their own complaints system and ensure that complainants will be able to refer their complaints to the Privacy Commissioner if a complaint has not been satisfactorily resolved within 30 business days. The Code can be accessed through the Biometrics Institute website.

top of page

Federal Privacy Commissioner publishes case notes 10-18, 2006

The Office of the Privacy Commissioner has recently published a number of interesting new Case Notes, covering the following issues:

  • Tenancy Database company found not to have taken reasonable steps to ensure that listed information was up to date
  • Request for access to health information prepared for insurance company upheld
  • Improper disclosure of personal health information
  • Absence of audit trial in a large automated billing system found inadequate
  • Generic listing categories used by a tenancy database company found inadequate
  • Improper disclosure of personal information
  • Security of personal information of cardholder
  • Improper listing of a payment default on a consumer credit information file
  • Improper listing of a default on a guarantor's consumer credit information file

For more, see our summaries or full case notes published on the Commissioner's website.

top of page

'Do Not Call Register' laws are passed

The Minister for Communications, Information Technology and the Arts, Senator Helen Coonan announced on 22 June 2006 that the legislation to create a National Do Not Call Register had passed through Parliament. As a result, a new National Do Not Call Register is expected to be up and running in 2007.

In brief, the laws will allow a National Do Not Call Register to be established so that:

  • individuals will be able to avoid most unwanted telemarketing calls by placing their private or domestic phone numbers on the Register;
  • the register will protect land as well as mobile numbers; and
  • registration will be available free of charge.

However, a number of exemptions from the legislation will be available to certain organisations and persons, including:

  • charities;
  • registered political parties;
  • independent members of parliament;
  • candidates for election to parliament;
  • religious organisations;
  • educational institutions; and
  • government bodies.

The Do Not Call Register will be established and regulated by two Acts, the Do Not Call Register Act 2006 and the Do Not Call Register (Consequential Amendments) Act 2006.

In brief, the Do Not Call Register Act 2006 (Act) sets out the legislative regime to enable individuals to opt-out of receiving unsolicited telemarketing calls. Under the Act, the Australian Communications and Media Authority (ACMA) is responsible for implementing and overseeing compliance with the Register. To that effect, ACMA is provided with the powers to issue formal warnings, infringement notices and an ability to initiate court proceedings.

The Do Not Call Register (Consequential Amendments) Act 2006 requires ACMA to develop industry codes and standards relating to telemarketing calls, including minimum contact standards (about matters such as times when telemarketers can call and the information they must give). These standards will apply to all telemarketers, including those that are exempt from the general prohibitions under the main Act.

top of page

Privacy Reform: Privacy Legislation Amendment Bill 2006

The Privacy Legislation Amendment Bill 2006 (Cth) (the Bill) has been introduced into the House of Representatives by the Attorney-General, Phillip Ruddock MP.

The Bill has two key aims, namely to ensure on a permanent basis that medical practitioners are not in breach of the Privacy Act 1988 (Cth) (the Privacy Act) by collecting information from the Prescription Shopping Information Service (PSIS) and to clarify the treatment of genetic information under the Privacy Act.

Information from the PSIS

The Bill ensures that the collection of information about patients under the Prescription Shopping Information Service by doctors is allowed under the Privacy Act. The Bill does this by inserting an amendment into the National Health Act 1953 (Cth) that provides that such collections are authorised for the purposes of the National Privacy Principles (or NPPs), in particular for the purposes of NPP10, which relates to the collection of sensitive information. While the Federal Privacy Commissioner has issued temporary public interest determinations that currently allow such collections, the Bill will have the effect of authorising them on a permanent basis.

Genetic Information

The Bill also implements some of the reforms of the Australian Law Reform Commission and Australian Health Ethics Committee's report, entitled Essentially Yours: The Protection of Human Genetic Information in Australia (March 2003) (the Report). The Bill amends the definition of health information to include genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual. A genetic relative is defined as a person related by blood, such as a sibling, parent or descendant. The Bill also inserts a catch all definition of genetic information to ensure that it is sensitive information even if it is not health information (for example, genetic information about parentage or kinship). This will ensure that all forms of genetic information will have the additional protection that is afforded to 'sensitive' information under the NPPs.

The Bill also allows an organisation that is a health service provider to disclose the genetic information of an individual (without the individual's consent) to a genetic relative of the individual if the organisation:

  1. reasonably believes that the information could be used or disclosed to lessen or prevent a serious threat to the life, health or safety of the genetic relative (such threat need not be imminent); and
  2. complies with any genetic information guidelines issued by the National Health and Medical Research Council (NHMRC) and approved by the Privacy Commissioner.

The Bill empowers the Privacy Commissioner to approve guidelines issued by the NHMRC that relate to the use and disclosure of genetic information for the purposes of lessening or preventing a serious threat to the life, health or safety of an individual or their genetic relative.

Once the Bill is passed, it will be interesting to see the details of the Guidelines to be issued by the NHMRC, which will need to balance an individual's privacy rights with the rights of genetic relatives to access the individual's personal genetic information, if a health service provider believes that disclosure is warranted in the particular circumstances.

top of page

Federal Privacy Commissioner publishes case notes 5-9, 2006

The Office of the Privacy Commissioner has recently published a number of interesting new Case Notes, covering:

  • Transfer of personal information by an Australian company to a foreign holding company
  • Disclosure of Tax file Number by taxation accountant
  • Inadvertent disclosure of Tax File Numbers
  • Collection and retention of sensitive information
  • Collection and disclosure of personal information by a utility company and industry group

For more, see our summaries or full case notes published on the Commissioner's website.

top of page

Privacy concerns in the report of the Senate Legal and Constitutional Committee on the Exposure Draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill 2005

On 09 February 2006, the Senate referred the Exposure Draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill 2005 (the Exposure Bill) to the Senate Legal and Constitutional Committee (the Committee) for inquiry and report by 13 April 2006. The Committee has released its report and has noted that the Exposure Bill, in addition to posing numerous concerns for industry, has particular implications for the privacy of individuals.

The report noted that submissions to the inquiry were presented by the Office of the Privacy Commissioner, the Australian Privacy Foundation, the Office of the New South Wales Privacy Commissioner, the NSW Council for Civil Liberties and Liberty Victoria. These organisations provided the Committee with a perspective on the possible impact of the proposed Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) regime on the privacy and civil liberty rights of individuals.

The concerns raised by the organisations related to:

  • the lack of adequate consultation on privacy issues prior to the release of the Exposure Bill;
  • the need for a Privacy Impact Assessment (PIA) for the Exposure Bill;
  • the wide range of entities collecting information under the regime;
  • the type and extent of information to be collected under the regime (of particular concern is customer identification information, 'Know Your Customer' information, 'suspicious matters' reporting obligations and secrecy provisions);
  • information collected pursuant to the regime being used for secondary purposes and provided to government agencies (including welfare and support agencies) by the Australian Transaction Reports Analysis Centre (AUSTRAC);
  • the application of the Privacy Act 1988 (Cth.) (the Privacy Act) to AUSTRAC, government agencies and the various service providers that would become reporting entities under the Exposure Bill. Of particular concern is the fact that 'small businesses' are generally exempt from complying with the National Privacy Principles (NPPs) in the Privacy Act, and
  • the rules regulating the retention of information gathered by reporting agencies pursuant to regime.

In response to these concerns, the Committee has taken the view that:

  • the apparent lack of formal consultation with privacy, civil rights and consumer representative groups in the development of the regime to this point is problematic, and may have resulted in some fundamental privacy, consumer and civil rights issues being overlooked. The Committee hopes that these issues will be addressed through the parallel discussion groups established by the Attorney-General's Department;
  • due to the far ranging-nature of the provisions contained in the Exposure Bill, a PIA would be beneficial in achieving a more balanced approach to the AML/CTF regime, and the Committee strongly suggests that such an assessment be conducted;
  • a PIA should include a review as to whether the privacy protections in the Privacy Act are sufficient for the purposes of the information being handled by reporting entities;
  • if the privacy protections in the NPPs are not sufficient for the purposes of reporting entities, then adequate privacy protections could be included in the AML/CTF regime itself. If privacy protections in the NPPs are found to be adequate, then the Government should ensure that all reporting entities (including small businesses which are currently exempt from the NPPs) are made subject to the privacy obligations equivalent to those contained in the NPPS; and
  • if government agencies (including welfare and support agencies) are to be given access to data held by AUSTRAC, the Exposure Bill should contain a clear objective statement acknowledging that government agencies can utilise and access data from AUSTRAC for their own purposes, even if those purposes are not related to AML/CTF.

Additional comments were made by the Australian Democrats who are deeply concerned about the "landslide of privacy incursions made possible by the recent changes in the name of combating terrorism". The Democrats support the Committee's recommendation that an independent PIA be conducted and are of the view that Privacy Impact Assessments should be used to analyse all legislative changes that may infringe the privacy rights of Australians.

top of page

ACMA registers an internet industry code on spam

6 April 2006

The Australian Communications and Media Authority (ACMA) has registered the Internet Code of Practice - A Code for Internet and Email Service Providers, which will be effective as from 16 July 2006. The new Code applies to internet service providers and email service providers in Australia as well as email service providers that are located outside Australia but who provide email services in Australia.

The Code, registered under Part 6 of the Telecommunications Act 1997, will impose on these internet and email service providers a range of new obligations, including:

  • to provide subscribers with information about how to miminise spam and their obligations to comply with the Spam Act 2003;
  • to provide spam filtering options to subscribers;
  • to ensure that their Acceptable Use Policies prohibit the use of their networks for spamming;
  • not to have open relay or open proxy servers;
  • to retain the right in their Acceptable Use Policies to scan their own networks for subscribers' misconfigured mail and proxy servers;
  • to comply with certain standards in relation to spam complaints and to have documented complaints handling processes.

The Code also recommends that service providers consider and implement best-practice actions that can be taken to assist in the reduction of spam, and gives a number of examples of what are currently thought to be best practice.

The Code can be found at www.acma.gov.au. It is intended to be reviewed one year from registration.

top of page

Australian Do Not Call Register to be created

6 April 2006

The Minister for Communications, Information Technology and the Arts, Senator Helen Coonan, announced on 4 April that a national, legislated Do Not Call Register will be created to protect consumers from nuisance telemarketing phone calls.

The announcement said that it is anticipated that the Register will cost over $33 million to set up and will be operational by 2007. While the Australian Government will commit $17.2 million to its costs, it is planned that the remainder of the costs will be met by telemarketeers, who will need to pay a fee to access the Register.

Senator Coonan also announced that:

  • the Register will apply to all telemarketers operating in Australia, as well as overseas telemarketers who represent Australian companies;
  • individuals and small businesses can register to opt out from receiving unsolicited telemarketing calls, free of charge;
  • specified public interest bodies such as charity groups and people undertaking social research will be exempted;
  • exemptions will also apply to companies with an existing business relationship with an individual, for example with existing accounts or contracts;
  • national minimum contact standards will be applied to all telemarketeers (including those exempted from the Register) which will cover permitted calling hours, minimum information requirements and termination of calls.

Senator Coonan also said that based on international experience the Government expects that there will be one million registrations in the first week of operation and four million after the Register's first year.

top of page

The Privacy Commissioner has recently published four case notes about complaints that it had finalised

28 March 2006

1. Failure to take reasonable steps to protect

In the recent case note of B v Australian Government Agency [2006] PrivCmrA 2 (see Complaint Case Note), the Commissioner reported on its investigation of the security of employment information held by a Government agency. The issue arose because other staff had access to computer files containing confidential e-mails and reports regarding an individual's employment records. The agency had an obligation under Information Privacy Principle 4(a) to take reasonable steps to protect personal information from unauthorised access, use, modification or disclosure and against other misuse.

The Agency promptly admitted the breach when the Commissioner intervened and the Commissioner applied its conciliation power under section 27(1)(a) of the Privacy Act to resolve the matter. The Agency offered an apology, transferral of the data to a more secure location and payment for the individual to receive counselling as a result of the distress suffered.

2. Unnecessary collection of Personal Information

In the recent case note of D v Banking Institution [2006] PrivCmrA 4 (see Complaint Case Note), the Commissioner reported on the case where a bank customer complained about being required to supply their marital status as part of an application to open a bank account, on the basis that this information was not necessary for one or more functions or activities of the bank as required by National Privacy Principle 1.1.

The bank agreed that the information was not necessary to assess eligibility for a bank account but indicated that its computer system would need to be changed to facilitate such non-disclosure, and that this would take some time. The bank offered to enter a status of 'single' but note on the file that this may not reflect the actual status of the account holder. The individual was not satisfied and complained to the Commissioner. The Commissioner worked in consultation with the bank to ensure its computer system was upgraded so that information about marital status was no longer required to open a bank account. The bank committed to providing quarterly reports to the commissioner on its progress. Further, the banking institution resolved to raise the issue with the industry body as it appeared that collecting such information was common practice across the industry.

3. Denial of access to personal information

In the case note of C v Insurance Company [2006] PrivCmrA 3 (see Complaint Case Note), the complainant sought access to information about them collected by their insurers in the course of an investigation of a claim made by them. The insurance company refused access to some of the documents sought, claiming that releasing those documents would compromise the privacy of third parties and would reveal commercially sensitive information.

NPP6.1(c) allows an organisation to withhold access to information where providing access would have an unreasonable impact on the privacy of third parties. The case note indicates that in considering whether this exception applies, the Commissioner may consider factors such as:

  • whether the individual would expect their information to be disclosed (including whether any assurance of confidentiality was provided);
  • the extent of the impact on the third party's privacy;
  • whether there were any public interest reasons for providing access to the information that would outweigh any expectation of confidentiality; and
  • whether masking the identifying details of the third party would sufficiently protect the privacy of the third party.

In this case, the Commissioner's view was that providing access to some of the documents would have an unreasonable impact on the privacy of third parties and that masking the names of the individuals, who had provided witness statements in relation to the events that led to the insurance claim, would not be sufficient to prevent their identification. Hence, the insurance company could rely on NPP6.1(c) to refuse access to these documents. However the Commissioner also found that access could be provided to some other documents that identified third parties if their identifying information was masked.

NPP6.2 provides that where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation can give an explanation for the decision rather than direct access to the information. In this case, the Commissioner was of the view that the organisation could rely on NPP6.2 in relation to documents that described the type of information the insurance company considered important in assessing insurance claims during an investigation. However the Commissioner also found that in respect of some other documents that contained commercially sensitive components, access could be provided to the majority of the document with the commercially sensitive components masked.

The insurance company agreed to the Commissioner's recommendations and the complaint was closed.

4. Improper listing of a payment default on consumer credit information file

In the case note of A v Credit Provider [2006] PrivCmrA 1 (see Complaint Case Note) the issue for consideration was whether a credit provider had given the complainant a notification under paragraph 2.7 of the Credit Reporting Code of Conduct prior to its listing a payment default on the complainant's consumer credit information file held by a credit reporting agency. Paragraph 2.7 of the Credit Reporting Code of Conduct provides that before a credit provider lists a default, 60 days must have elapsed since the payment was due and the credit provider must have written to the individual advising of the overdue amount and asking for payment.

While the complainant was in fact 60 days overdue in the payment of the account, the notification incorrectly stated that the account was only 30 days in arrears. (There was also dispute about whether other correspondence requesting payment of the amount due was sent prior to the default listing.)

The Commissioner formed the view that the account statements received by the complainant did not clearly notify the default status of the accounts and the information contained in them were misleading in the circumstances. Hence paragraph 2.7 of the Credit Reporting Code of Conduct had not been satisfied.

The credit provider agreed to remove the default listing from the individual's credit file. The complainant claimed they had been refused credit by several credit providers and requested compensation for loss and damage, including humiliation. The Commissioner conciliated the matter, which concluded with a confidential settlement between the parties.

top of page

Australian Law Reform Commission to review Privacy Act 1988

1 February 2006

The Attorney-General, Philip Ruddock, announced yesterday that the ALRC has been given a new reference to review the Privacy Act 1988. This follows two recent reports by the Privacy Commissioner and the Senate Legal and Constitutional Committee which both recommended that a comprehensive review of the Privacy Act be undertaken. The reference to the ALRC asks it to consider matters such as those recent reviews, current and emerging international law and obligations in this area, any relevant constitutional issue, the need for privacy protection in any evolving technological environment and the desirability of minimising the regulatory burden on business in this area.

The privacy inquiry will be led by Associate Professor Les McCrimmon, who has noted that given the technological environment of the 21st century, it is time to review how well existing privacy laws are working and dealing adequately with emerging areas such as internet use and off-shore call centres. The ALRC has announced that it plans to produce at least two consultation papers (an issues paper to be released in September 2006 and a more detailed Discussion Paper in May 2007) and seek input from anyone with an interest in privacy, before providing its final report to the federal government, which is due by 31 March 2008.

The full terms of reference of the Act can be seen at www.alrc.gov.au, where individuals can also register their interest in the Inquiry and ask to receive copies of the consultation papers as they are published.

The Privacy Commissioner, Karen Curtis, has welcomed the new reference to the ALRC.

top of page

For more see our news archive - 2005.


AAR home | Privacy home | Top of page | Disclaimer | Privacy | Sitemap
Allens Arthur Robinson - a leading international law firm
© 2008 Allens Arthur Robinson, Australia | contactus@aar.com.au

 Allens Arthur Robinson - Clear Thinking