Information Law Insights

17 December 2007

Keeping it to yourself: Australian Law Reform Commission review of Australian privacy laws

By Gina Elliott and Danielle Briers.

Key Points:
The public and private sector provisions would be consolidated, based on the current private sector provisions. Various exemptions would be removed, and new obligations would be imposed. A new statutory cause of action of invasion of privacy would be created.

The Australian Law Reform Commission (ALRC) is currently conducting an extensive review of Australia's privacy laws. In its discussion paper, Review of Australian Privacy Law, the ALRC proposes a number of significant changes to Australian privacy law. Some of the key proposals are discussed below.

One set of privacy principles for the public and private sector

The Privacy Act 1988 (Cth) regulates the collection, use, disclosure, quality and security of personal information. The specific rules governing the handling of personal information are set out in the National Privacy Principles (NPPs) for private sector organisations and the Information Privacy Principles (IPPs) for federal and ACT government departments and agencies.

The ALRC proposes that there should be one set of principles (the Unified Privacy Principles) that apply to both organisations and agencies. These would be primarily based on the NPPs. Currently, the IPPs and NPPs are similar in many ways, but there are several key differences. For example, only the NPPs have special rules for the handling of sensitive information and the transfer of information overseas. If the ALRC's proposal comes into effect, these rules would apply to government agencies as well as organisations.

Introducing a statutory cause of action for invasion of privacy

The Act is concerned with protecting the privacy of personal information. It does not protect against invasions of personal privacy such as interference with a person's home or family life or unauthorised surveillance. Nor is there any clearly defined common law cause of action for invasion of privacy in Australia.[1]

The ALRC proposes inserting a statutory cause of action of invasion of privacy into the Act. This would allow an individual to sue another individual, organisation or agency for invasion of privacy.

The plaintiff would need to show that, in all the circumstances:

  • the plaintiff had a reasonable expectation of privacy
  • the defendant's conduct was sufficiently serious to cause substantial offence to a person of ordinary sensibilities; and
  • the defendant's act was either intentional or reckless.

If the plaintiff consented to the defendant's conduct, this would, in most cases, defeat the cause of action. The ALRC did not specify whether lack of consent should be an essential element of the cause of action, or merely a relevant factor in assessing whether the plaintiff's expectation of privacy was reasonable or the defendant's conduct was sufficiently serious.

The ALRC proposes that the Act include a non-exhaustive list of the types of conduct that may fall within the cause of action, including:

  • interference with an individual's home or family life
  • unauthorised surveillance of an individual
  • interference with, or misuse or disclosure of, an individual's correspondence or private written, oral or electronic communication; and
  • disclosure of sensitive facts relating to an individual's private life.

Significantly, the cause of action could be established without proof of damage. This paves the way for alternative remedies such as compensation for insult and humiliation or an order requiring the defendant to apologise to the plaintiff.

The proposed cause of action is quite broad - the only concrete limitation is that the conduct must be reckless or intentional (although the ALRC does propose a number of defences, including that the disclosure of information was authorised or required by law, in the public interest, or protected by privilege under defamation law). It will be difficult to assess what types of conduct are covered until the cause of action is tested in the courts. Significantly, the media exemption (discussed below) would not apply to the cause of action, so media organisations sued for reporting private information would have to rely on the more limited public interest defence.

Limiting the media exemption

Conduct by media organisations "in the course of journalism" is currently exempt from the Act, as long as the media organisation is publicly committed to observing published, written standards that deal with privacy in the context of activities of a media organisation.

The phrase "in the course of journalism" is not defined in the Act. The ALRC proposes adding a definition of journalism that would limit the media exemption to conduct done in the course of collecting, preparing or disseminating news, current affairs or documentary, or commentary, opinion or analysis of news, current affairs or documentary. This is designed to exclude other activities undertaken by media organisations such as infotainment, entertainment or advertising. As such, this proposal has the potential to significantly limit the activities covered by the media exemption.

Removing the employee records exemption

Currently, private sector employers are exempt from the Act when dealing with "employee records", provided their conduct is directly related to a current or former employment relationship between the employer and the employee. "Employee records" are records of personal information relating to the employment of the employee. This includes, for example, information about the employee's training, disciplining, performance, resignation, salary, contact details, trade union membership and banking.

The exemption does not apply to:

  • acts and practices of an employer that are beyond the scope of the employment relationship (for example, employers cannot sell a list of employees for marketing purposes)
  • personal information of unsuccessful job applicants (although pre-employment checks become exempt once an employee is hired); or
  • the handling of employee records by the employer's contractors and subcontractors (for example, organisations that provide recruitment, human resources, medical, training or superannuation services under contract to an employer).

There is no corresponding exemption for government agencies. Government agencies are therefore required to comply with the IPPs when dealing with employee records. Privacy legislation in New South Wales, Victoria, Tasmania and the Northern Territory also imposes privacy obligations that apply to employee records held by government bodies in those jurisdictions.

The ALRC proposes removing the employee records exemption. It considers that employee records could contain a significant amount of personal information, including sensitive information, the disclosure of which could harm employees.

The ALRC acknowledges that removing the exemption may discourage employers from providing full and frank references, for fear of that reference being disclosed to the employee by their future employer. To address this concern, the ALRC proposed that an employer should be able to deny an employee's request for evaluative material about the employee where provision of this material would breach an obligation of confidence.

This fails, however, to address a more pressing concern - that employers may be prevented or discouraged from giving a reference in the first place, as this may be a disclosure of personal information prohibited by the Act. This would be an unwelcome development for businesses looking to hire new employees, as references are an essential part of the hiring process and some employers are already reluctant to give them due to the risk of an action for defamation or negligence.

Businesses will face a number of other difficulties if the employee records exemption is removed. For example:

  • Staff would have full access to their human resources file upon request, which could significantly impact upon businesses' human resources operations.
  • Businesses would need to take reasonable steps to allow employees to correct their personal information, and obtain consent whenever they use personal information for a purpose other than the purpose for which it was collected. This could significantly add to businesses' compliance burden and costs.
  • Removing the exemption may interfere with the ability to conduct due diligence when buying a business. For example, a potential buyer may want to access records relating to the business, including employee records, in order to determine whether it will buy the business and/or retain existing staff. It would not generally be practicable for the vendor to obtain each employee's consent to the disclosure of these records, particularly given that business sales are often confidential in their early stages.

Removing the small business exemption

Currently, organisations with an annual turnover of less than $3 million (small businesses) are generally exempt from the Act. There are specific exemptions to this, and small businesses can opt in so that the Act applies to them. As at 3 December 2007, 173 small businesses have opted in.

The small business exemption was introduced to minimise compliance costs for small business and because it was thought that many small businesses do not pose a high risk to privacy.

The ALRC proposes removing the small business exemption. It considers that it may no longer be valid to assume that small businesses are unlikely to hold significant amounts of personal information, or deal with personal information inappropriately. Some small businesses, such as internet service providers, debt collectors and real estate agents, hold large amounts of personal information. The increasing use of technology by small businesses may also increase privacy risks.

To help small businesses minimise their compliance costs, the ALRC proposes that the Privacy Commissioner provide assistance and support, including free templates, educational materials and programs, and a telephone helpline, before the exemption is removed.

The former Coalition Government indicated in 2005 that it supported the retention of the small business exemption, which struck "an appropriate balance between the risk of privacy breaches and over regulation of small businesses. Removal of the exemption would be inconsistent with the Government’s commitment to workplace reform and cutting red tape."[2] It remains to be seen how the new Labor Government will respond to this recommendation if it remains in the ALRC's final report to the Attorney-General.

Data breach notification

The Act requires government agencies and organisations to take reasonable steps to maintain the security of personal information they hold. It does not, however, require them to notify individuals whose personal information has been compromised. Data breach notification requirements are becoming more prevalent overseas, particularly in the United States, in light of the increasing risk of identity theft and identity fraud.

The ALRC proposes that a data breach notification requirement be added into the Act. It is thought that letting people know their personal information has been breached can help to minimise the damage caused by the breach. Many stakeholders who made submissions to the ALRC expressed general support for a data breach notification law, for example because it would:

  • provide a strong incentive for organisations to secure databases adequately to avoid reputational damage arising from negative publicity of reported data breaches
  • encourage attention to compliance and vigilance against identity theft; and
  • improve accountability, openness and transparency in the handling of personal information by agencies and organisations.

Under the proposal, government agencies and organisations would be required to notify the Privacy Commissioner and affected individuals when:

  • "specified personal information" has been, or is reasonably believed to have been, acquired by an unauthorised person; and
  • the government agency/organisation or the Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual ("serious harm" in this context is not limited to identity theft and identity fraud but could include, for example, discrimination where sensitive medical information has been released).

The ALRC proposes that there be a definition of "specified personal information" which prescribes what combinations of information would give rise to a real risk of serious harm if it were released without authorisation. By way of example, the ALRC suggests that "specified personal information" could include information which includes an individual’s name or address, in combination with any of the following:

  • driver’s licence or proof of age;
  • Medicare number;
  • account numbers, credit or debit card numbers, or other unique identifiers together with any security code, password or access code that would permit access to the individual’s information; or
  • sensitive information (as defined in the Act).

Failure to comply with the notification requirement may attract a civil penalty.

Sending personal information overseas

The Act is primarily concerned with protecting personal information in Australia. Given the increased prevalence and ease of transferring information overseas, and the fact that not all countries have laws protecting the privacy of personal information, the Act also regulates the transfer of personal information overseas by organisations. Broadly, it specifies 6 circumstances in which an organisation can conduct such a transfer, including that:

  • the individual has given their consent;
  • the organisation reasonably believes that the recipient of the information is subject to a law, binding code or contract that imposes substantially similar privacy protections to the Act; or
  • the organisation has taken reasonable steps to ensure that the information is not held, used or disclosed inconsistently with the Act.

As mentioned above, these restrictions do not currently apply to government agencies. The ALRC proposes extending them to government agencies. It considers that individuals should be assured that when an agency transfers their personal information outside Australia, it will be protected to the same standard as it would be under Australian privacy laws. The ALRC says this is particularly necessary given that government agencies often have powers to compel the collection of personal information.

The ALRC proposes however that government agencies should be allowed to transfer personal information overseas for various law enforcement purposes, including extradition and mutual assistance.

The ALRC also proposes that a government agency or organisation that transfers personal information overseas should remain liable if the information is handled in a way contrary to the Act once it has been transferred overseas, unless the transfer was for law enforcement purposes or the agency/organisation:

  • obtained the individual's consent to the transfer; or
  • reasonably believed that the entity receiving the information was subject to a law, binding code or contract that imposed substantially similar privacy protections to the Act.

Where to from here?

The ALRC is due to report to the Commonwealth Attorney-General by 31 March 2008 with its final recommendations. Given the wide-ranging scope of the ALRC's review and the breadth of the proposals canvassed in the Discussion Paper, the ALRC's recommendations may ultimately result in significant changes to the regulation of privacy in Australia. So watch this space!


[1]  Although such a cause of action has been recognised in two Australian cases since the High Court's decision in Australian Broadcasting Commission v Lenah Game Meats, it is still unclear what is required to establish the cause of action and what defences apply.

[2] Australian Government Attorney-General’s Department, Government Response to the Senate Legal and Constitutional References Committee Report: The Real Big Brother: Inquiry into the Privacy Act 1988 (2006), 5 and 10.

For further information, please contact Gina Elliott.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states or territories.