This page considers proposals for rationalisation of the
Australian privacy regimes, including establishment of
a tort of privacy and of a cogherent national set of Unified
Privacy Principles (UPP).
It covers -
The Australian Law Reform Commission's 2007 Review
of Australian Privacy Law discussion
paper, a three volume document of some 1,977 pages)
drew on community consultation and previous exploration
by federal and state/territory entities (notably the NSW
state Law Reform Commission) in proposing rationalisation
of the Australian privacy regimes.
That rationalisation would provide a substantially uniform
regime, reducing anomalies attributable to different laws
in the Australian jurisdictions, inconsistency in the
development and application of industry codes and government
guidelines, and anomalous exemptions.
As of late 2007 privacy in Australia is a confusing concatenation
and national legislation (often with a sectoral basis),
arrangements (as noted in later pages of this profile,
some states have relied on administrative orders rather
than legislation to deal with privacy in relation to
their public sector bodies)
codes, conceived and administered in favour of consumers
range of public and private sector regulatory bodies,
some of which have been strongly criticised by past
executives as supine or underresourced
exclusions and uncertainties (eg coverage of some state
statutory bodies, quasi-statutory bodies and private
judicial decisions moving unsteadily towards recognition
of community expectations.
is no national tort of privacy, ie a statutory cause of
action for breach of privacy. The European Commission
has criticised the Australian regimes as lacking parity
with international best practice. Other critics have noted
that principles and operational rules for the public and
private sectors are not the same, although both deal with
the same people and often cover the same information,
and commented that in practice the regimes are exception-
rather than principle-based.
The ALRC has thus suggested a national approach, founded
on a single set of Unified Privacy Principles (UPP) and
featuring a statutory cause of action for invasion of
That suggestion has faced criticisms of varying significance,
with unsurprising opposition from the Direct Marketing
Association, comment by the Australian Bankers’
Association that adoption of UPP would be "premature"
and anxiety on the part of the Arts Law Centre that creativity
may be chilled.
The paper proposes that
Privacy Act should be amended to consolidate the current
Information Privacy Principles and National Privacy
Principles into a single set of principles … that
will be generally applicable to agencies and organizations,
subject to such exceptions as required.
UPP would be based on the NPP in the current federal Privacy
They would reflect a new objects clause that articulates
seven national objectives in relation to privacy, including
promotion of the protection of individual privacy, establishment
of a cause of action, promotion of "responsible and
transparent" information handling, facilitation of
electronic commerce and provision of "the basis for
nationally consistent regulation of privacy".
Those objects and thus the new UPP revisit the 1980 OECD
Guidelines, bearing in mind technological development
over the past two decades and continuing disagreement
about conceptualisation of personal privacy and corporate
data protection. The ALRC considers that privacy is not
an unqualified ‘right to be left alone’ ,
whether online or offline.
Adoption of the UPP would not require amalgamation of
current federal information law, for example fusion of
the Privacy Act, Freedom of Information Act
1982, Archives Act 1983 and Spam
The expectation is that national government agencies and
the private sector would be directly covered by single
set of UPP -
Anonymity and Pseudonymity
3 Specific Notification
5 Use and Disclosure
6 Direct Marketing
7 Data Quality
8 Data Security
9 Access and Correction
11 Transborder Data Flows
government agencies would be covered by the same UPP in
legislation in those jurisdictions.
The UPP do not feature a discrete principle regarding
consent, with the paper noting that "treating consent
as a separate privacy principle may inappropriately elevate
consent to being the overriding factor in permitting or
restricting the handling of personal information".
Questions about consent would instead be addressed through
the proposed UPP. Application of the Transborder Data
Flow principle, for example, assumes that data subjects
would be alerted in contracts and pre-contractual arrangements
that fulfilment of the contract may require overseas transfer
of an individual's personal information, with entities
being held accountable where there was transfer in breach
At the national level the UPP would apply except where
primary legislation "imposes different or more specific
requirements in a particular context" or "subordinate
legislation under the Privacy Act imposes different or
more specific requirements in a particular context".
That would accommodate health-specific privacy regulations
(the draft National Health Privacy Code), with
health information being covered by the UPP rather than
quarantined in a discrete health 'silo' administered by
separate agencies and tied to separate privacy objectives.
The Act and UPP are expected to be resilient, with few
changes over time; treatment of health privacy through
the proposed Privacy (Health Information) Regulations
is seen as allowing a flexible response to changing circumstances.
More broadly the use of regulations derived from the UPP
is an attempt to reconcile conflicting advice to the ALRC
that the Act should
technology-neutral broad principles
rules for practical application
provide certainty without being so narrowly restricted
as to be superseded by commercial/technological developments
attention to the letter rather than the spirit of the
National comprehensiveness and consistency would be provided
through the expectation that any state/territory privacy
laws regulating the public sector should apply the proposed
UPPs, and contain uniform provisions relating to a number
of key issues – such as definitions, the making
of determinations by the regulator, and data breach notifications.
Reform of state/territory law (and the administrative
arrangements that in some states are a surrogate for a
privacy enactment) would see elimination of overlaps,
inappropriate exclusions and uncertainties on a jurisdiction
by jurisdiction basis. Articulation of the UPP can thus
be seen as a mechanism for harmonisation (facilitated
through an intergovernmental entity), not an attempt to
erode state power.
One driver for review of the privacy regime has been disquiet
about exemptions in federal and state/territory privacy
enactments. The ALRC proposes elimination of some amendments
(eg the UPP would cover small business, employee records,
registered political parties and state incorporated bodies)
but retention of exemptions for some government agencies.
Exemptions for defence and intelligence agencies are retained,
with the paper essentially proposing formalisation of
ad hoc practice by the relevant federal ministers and
agencies. Harmonisation of court policies is recommended;
exemption of federal tribunals in relation to adjudicative
functions is left in the air. In contrast the ALRC suggests
that exemption of the ABC, SBS and other agencies –
derived from their FOI Act exemption – should be
removed, providing parity with private sector media organizations.
It asks whether the federal parliamentary departments
should be exempt, indicating that the rationale for exemption
It notes that a range of state/territory statutory authorities
and government business enterprises are currently not
covered by privacy legislation in those jurisdictions.
The paper accordingly suggests that – pending enactment
of state/territory legislation reflecting the UPP –
the national Act should be amended to apply to all state
incorporated bodies except where covered by state law
or exempted on public interest grounds (adverse effect
on the particular government) by the Minister.
Just as adventurously, the ALRC notes that no comparable
overseas jurisdictions have an exemption for small business,
commenting that it is “not convinced that exemption
for small business is either necessary or justifiable”.
Simplification of the Privacy Act should minimise the
compliance costs that have been claimed to prevent extension
of the Act to small business. The paper similarly notes
that there is no sound policy reason why privacy protection
for employee records is only available to public sector
employees and not private sector employees. Treating employees’
personal information differently from other personal information
is also unjustifiable
It goes on to comment that maintaining the exemption may
result in further regulation by states/territories, thus
“contributing to fragmentation and inconsistency
in workplace privacy regulation”. National adoption
of the UPP would minimise proliferation of those silos
– with protection on the basis of principle rather
than where a person works – and facilitate recognition
by the EU of the Australian regime. Employee privacy should
be addressed through the overarching Privacy Act, not
through a fix quarantined in the Workplace Relations Act
From a principles perspective neither journalism nor politics
occur on a separate planet. The paper comments that
the interests of promoting public confidence in the
political process, those who exercise or seek power
in government should adhere to the principles and practices
that are required of the wider community.
with non-exemption in the UK, Canada and other jurisdictions
it accordingly recommends removal of exemption for registered
political parties and for political acts and practices.
It proposes tightening of the ‘journalism’
exemption, which would not override the statutory cause
of action for invasion of privacy, and inclusion of the
key word ‘adequately’ in dealing under s 7B(4)(b)(i)
of the Privacy Act, thereby ending a requirement that
the effectiveness of self-regulation is irrelevant.
A private investigation industry spokesperson complained
in 2006 that asking investigators not to use illicit surveillance
methods “is like asking a carpenter to put cupboards
up without using a hammer, nails, screws or a saw”.
Unsurprisingly, the ALRC rejected suggestions of a new
exemption for that industry, instead recommending that
governments consider regulation. It similarly found “no
compelling reason” for exemption of valuers or archivists.
next page (the
1988 national Privacy Act)