All organisations handle personal information. Some of that personal information can be a very valuable asset.
The way organisations handle personal information is a key business issue, and failure to handle it properly can create significant business risks.
There is not just the risk of a breach of law. There is also the risk of good customer or stakeholder relations being prejudiced and trust reduced, with a commensurate reduction in the volume and nature of personal information that individuals are willing to share.
Research has shown that privacy protection is becoming increasingly important to Australians and privacy law is one of the fastest developing areas of law. This website provides you with an introduction to some of the law’s key elements.
Allens Arthur Robinson's privacy team brings together expertise from a range of fields, including e-commerce, telecommunications, banking, insurance, credit reporting, biotechnology and health, workplace relations, superannuation, funds management and trade practices. We welcome your enquiries about how we can: help you to develop compliance solutions and obtain maximum benefit from customer databases; advise on issues affecting the Internet and new media industries; facilitate workshops to educate and train staff; help you to outsource data processing functions; or help to harmonise privacy obligations across other jurisdictions.
The current system
In December 2001, the Privacy Act 1988 (Cth) (the Act) was amended to establish a national scheme to regulate private sector organisations' handling of personal information.
The amendment was designed to bring Australia into line with international standards on personal information and to instil confidence in how Australian businesses handle personal information. The Federal Government also aimed to address concerns about the development and take-up of online business and e-commerce.
The amendment introduced the National Privacy Principles (NPPs), which regulate how private sector organisations may collect, keep, use and disclose personal information. The NPPs are based on the National Principles for the Fair Handling of Personal Information (the Principles), which the Federal Privacy Commissioner introduced in 1998. The Principles were initially a voluntary scheme for the private sector, developed after extensive consultation with business and consumers, and based on Organisation for Economic Co-operation and Development Guidelines.
The NPPs are legally binding.
Reform of Australia's privacy laws: what's ahead?
In January 2006, the then Attorney-General, Mr Philip Ruddock, asked the Australian Law Reform Commission (the ALRC) to conduct an inquiry into the extent to which the Act and other laws provide an effective framework for the protection of privacy in Australia. The ALRC issued a wide-ranging issues paper in October 2006, followed by a very detailed discussion paper in September 2007.
After extensive consultation, the ALRC issued its final report in August 2008, with 295 recommendations for reform of Australia's privacy laws. We summarised the ALRC report’s recommendations in a series of Focus articles in 2008: ALRC releases privacy law report; The new Unified Privacy Principles; Credit reporting and credit information; Privacy Commissioner's new guide on notification of data breaches; Reforming privacy and health information.
On 14 October 2009, the Federal Government released the first stage of its response to the ALRC's report into privacy law, addressing 197 of the ALRC's 295 recommendations, of which 141 have been accepted either in full or in principle, and a further 34 accepted with qualifications. We summarised the Federal Government's response in a Client Update in October 2009, and in Focus articles in November 2009 we discussed the implications for clients in relation to credit reporting data and health information.
In June 2010, the Federal Government released an Exposure Draft of the Australian Privacy Principles, which are proposed to replace the NPPs and the Information Privacy Principles, and referred the Exposure Draft to the Senate Finance and Public Administration Committee, which plans to report by July 2011. We discussed the implications of the Draft Australian Privacy Principles in our Focus article.
While the Australian Privacy Principles will be the cornerstone of an amended (or replaced) Act, it is intended that there will be three further releases of draft provisions to amend it, as part of this first stage of reforms. These provisions:
- relate to the privacy of consumer credit information, including more comprehensive credit reporting;
- relate to the protection of health information; and
- strengthen the Privacy Commissioner's powers to conduct investigations and promote compliance with the Act. The Office of the Privacy Commissioner has been integrated into the newly created Office of the Australian Information Commissioner.
The Government has indicated that stage two of the reforms will be released once its first stage has been progressed. Stage two will consider other recommendations from the ALRC Report, such as reviewing the exemptions for employee records and small businesses, the introduction of a statutory cause of action for a serious invasion of privacy, and serious data breach notifications.