Employee records…credit reporting…the invasion of privacy …these are just some of the areas of Australia’s privacy laws the Australian Law Reform Commission (ALRC) has identified for reform. The Commission is seeking feedback on its proposals by 7 December this year.
Changes under the Amendment Act include:
ALRC, at the request of the Commonwealth Attorney-General, conducted a detailed review of Australia’s privacy laws and recommended possible reforms. A discussion paper (Review of Australian Privacy Law, paper number 72) contains 301 proposals for reform.
The review focuses in particular on whether the Privacy Act 1988 (Cth) (the Act) and other related laws provide an effective framework for privacy protection (particularly handling personal information) in Australia. This is especially relevant because of the ever-evolving technological environment (with new advances in storage, communication, information and surveillance) and emerging new areas that may require protection.
Under the Act there are two sets of privacy principles - the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs). These apply differently to the public and private sectors and because of their similarities and differences in some situations both sets of principles will apply to the one organisation.
The ALRC recommends these two sets of privacy principles should be merged into a single set, to be called the Unified Privacy Principles (UPPs).
The Act does not apply to all organisations. There are numerous exceptions, including those for small businesses and the media, as well as exemptions for employee records and political parties. The ALRC recommends the political exemption and the exemption for small businesses be removed, so that businesses with an annual turnover of less than $3 million will need to comply with privacy laws. It recommends that the exemption for the media should be retained but its use is to be clarified to achieve a better balance and to further define ‘journalism’.
Employee Records
The ALRC has recommended the current exemption for private sector employee records be removed. This would require private sector organisations to handle employee records in the same way as other personal information and would give private sector workers the same protection as public sector employees.
However, the ALRC has acknowledged that in some situations it is not desirable for employees to have access to all information which an employer may maintain on them. It is proposed an employer should be able to deny a request for information from an employee where provision of the material would breach an obligation of confidence (for example, where a past employer provides a reference to a potential employee). This will ensure a potential employer can be given a full and frank evaluation of a prospective employee.
Credit reporting, the provision of information on an individual’s credit ‘worthiness’ to banks, finance companies and other credit providers, is usually conducted by credit reporting agencies specialising in collecting and disclosing information about potential borrowers. The agencies operate to provide prompt access to accurate and standardised information about potential borrowers so credit providers are able to manage the risks of lending and guard against identity theft.
The ALRC has recognised that allowing large amounts of information on the credit behaviour of individuals to be stored on private databases could pose a significant risk to privacy, but in turn it may encourage more responsible lending practices and reduce the cost of credit. In considering this, the ALRC has suggested a more comprehensive scheme of credit reporting to allow for an increase in the information that can be included in a credit reporting file. The additional information proposed that may be contained in such a file includes the:
- type of each current credit account opened (e.g., credit card, mortgage);
- date on which each credit account was opened;
- limit of each current credit account; and
- the date on which each credit account was closed.
These changes would bring Australia’s credit reporting system more in line with those in comparable overseas jurisdictions. A review of the changes is recommended after five years.
It is also proposed credit reporting agencies should be required to monitor data quality to ensure information is current, complete and accurate. In addition, if a credit provider wishes to provide information about defaults to a credit reporting agency, it must be a member of an external dispute resolution scheme. This will ensure if a consumer disagrees with a default reported on their credit file, they have an accessible avenue to resolve the complaint. At present some providers are members of external schemes but it is not compulsory. For this scheme to be more effective, it is proposed that if a consumer disputes a default listing, the credit provider (who reported the default) should have 30 days to respond. If they do not, then the default listing should be removed.
Further changes include prohibiting the collection of credit information about persons under 18 years and allowing an individual to report they have been the victim of identity theft.
No common law right to privacy exists in Australia at present. The ALRC has proposed this right should be formally incorporated into the Act to provide a statutory cause of action for invasion of privacy in certain circumstances, such as where:
- there has been interference with an individual’s home or family life;
- an individual has been subject to unauthorised surveillance; or
- sensitive facts about an individual’s private life have been disclosed.
Where there is a reasonable expectation of privacy and the breach is serious enough to cause substantial offence to an ordinary person, damages may be awarded.
A key ALRC recommendation is that the Act should be technologically neutral so it may operate effectively while technologies continue to develop and change. Technological advances have also resulted in the need for different regulation on personal information and identifiers. It is proposed that the definitions of ‘personal information’ and ‘record’ be broadened to cover information such as email and IP addresses in certain circumstances. It is also proposed that charging for an unlisted telephone number should be prohibited.
The ALRC has recommended the new federal privacy laws override any state and territory privacy laws in the private health sector ensuring the need to comply with only one set of privacy laws. Further, the ALRC proposes that states and territories should adopt the new UPPs.
Interested parties can make submissions to the ALRC before 7 December 2007. Submissions can be made confidentially and entered online at: http://www.alrc.gov.au/inquiries/current/privacy/comments.htm or sent to:
The Executive Director
Australian Law Reform Commission
GPO Box 3708
SYDNEY NSW 2001 or info@alrc.gov.au
For further information, please contact
Nicole Stevens-Warton on +61 3 9608 2264 or n.stevens-warton@cornwalls.com.au
or Anna Smits on +61 3 9608 2103 or a.smits@cornwalls.com.au
