ALRC Report: Review Of Privacy.

Introduction

The 'Review of Privacy' (Report) recently published by the Australian Law Reform Commission (ALRC) recommends a number of significant changes to the Federal privacy regime in Australia. Some of the key changes include the introduction of a statutory cause of action for invasion of privacy, the removal of some exemptions, and the introduction of 'Unified Privacy Principles' (to govern the handling of personal information by both the public and private sectors). The Report also proposes several changes to the provisions of the Privacy Act 1988 (Cth), such as the removal of the small business and employee records exemptions, the introduction of a 'data breach notification' requirement, and the amendment of the direct marketing and credit reporting provisions. These and other key proposals are discussed below.

Statutory Cause Of Action For Invasion Of Privacy

There is currently no 'tort of privacy' in Australia. However, the tide seems to be turning, both here and overseas. Increasingly, public and judicial sentiment favour the protection of individuals from unwanted intrusions into their private lives and affairs. The ALRC considers that there is a need for a tort
of privacy, but believes there are inherent problems associated with allowing a tort of privacy to be developed incrementally at common law. It takes the view that the courts will be forced to attempt to fit all the circumstances that may give rise to an invasion of privacy into a pre-existing cause of action, or to formulate a previously unrecognised cause of action or a tort of privacy. The ALRC has also recognised the need for national uniformity in this area and has recommended the insertion of a statutory cause of action for invasion of privacy into the Commonwealth Privacy Act.

The ALRC has proposed that the following elements exist to establish liability for an invasion of privacy: the plaintiff had, in all the circumstances, a reasonable expectation of privacy in relation to the relevant conduct or information; and the defendant's invasion of that privacy in relation to that conduct or information is, in all the circumstances, sufficiently serious to cause substantial offence to a person of ordinary sensibilities.
It has also proposed a non-exhaustive list of the types of conduct that will fall within the cause of action, such as: there has been an interference with an individual's home or family life; an individual has been subjected to unauthorised surveillance; an individual's correspondence or private written, oral or electronic communication has been interfered with, misused or disclosed; or sensitive facts relating to an individual's private life have been disclosed.

The following defences to the cause of action have been proposed: the act or conduct was incidental to the exercise of a lawful right of defence of person or property; the act or conduct was authorised
or required by law; disclosure of the information was of public interest or was fair comment on a matter of public interest; or disclosure of information was, under defamation law, privileged.

Currently, the Privacy Act includes a 'journalism' exception, meaning that media organisations are not subject to the provisions of the Act when engaging in 'journalism'. However, there is no journalism exception proposed in the defences suggested. The introduction of this new cause of action could therefore have a significant chilling effect.

The Unified Privacy Principles

The Privacy Act currently provides for two sets of privacy principles in relation to the handling of personal information - the Information Privacy Principles (IPPs), which apply to federal government agencies, and the National Privacy Principles (NPPs), which apply to private sector organisations. The requirements for both sets of principles are similar but not identical. The NPPs contain additional, and in some respects, more comprehensive obligations.

To achieve national consistency, the ALRC has proposed bringing the NPPs and IPPs in line to form a single, unified set of privacy principles (the Unified Privacy Principles (UPPs)). These would apply to both the public and private sectors. As a result, agencies would be subject to a number of requirements including: allowing individuals to deal with the agency on an anonymous basis where this would be lawful and practicable; rules about sending information offshore (transborder data flows, see below); and specific obligations in relation to the handling of health and other sensitive information.

Unlike the NPPs, the IPPs do not currently treat health and other sensitive information as a special subset of 'personal information'. The ALRC has proposed that specific requirements should apply to the handling of health information by both agencies and organisations, which would be separately set out under the proposed Privacy (Health Information) Regulations.

Relevance And Quality Of Information

Currently, the Privacy Act requires that personal information held by organisations be 'accurate, complete and up-to-date'. However, it has been suggested that these criteria are ambiguous, and that it would be desirable to clearly state the purpose for which the personal information was collected, or another purpose permitted under the privacy principles. Accordingly, the ALRC has proposed that the current criteria be amended to require an organisation to take reasonable steps to ensure the personal information that it handles (with reference to a purpose of collection permitted by the proposed UPPs), is accurate, complete, up-to-date and now, in addition, relevant. The purpose behind the relevance requirement appears to be to prevent organisations from disclosing irrelevant personal information to third parties.
For example, a financial planner may collect personal information about a client's finances and marital status. It would not be necessary for the financial planner to disclose all of this information to a third party organisation for the purpose of buying shares on behalf of the client. By inserting an additional criterion of relevance, the ALRC hopes to restrict the use and disclosure of personal information to only that information which is relevant in the circumstances, although arguably this is already implicit in the privacy principles, which require that an organisation only collect personal information that is necessary for the performance of its functions.

The proposed amendment also means that, where personal information held by an organisation is no longer relevant to the purpose for which the information was collected (or another purpose under the Privacy Act), it should be removed from the organisation's record or de-identified. This could potentially place an onerous burden on organisations to constantly revise and update their data records.

Expansion Of The Definition Of Personal Information - IP Addresses

Given the advances in technology that have taken place since the Privacy Act was enacted, the ALRC has reviewed the adequacy of the definition of 'personal information'. Currently, the definition requires that information enables a person's identity to be 'reasonably ascertained'. This potentially excludes IP addresses, mobile telephone numbers, email addresses and biometric addresses from the scope of the Act because, arguably, alone they do not enable a person's identity to be reasonably ascertained. However, the development of new technology means that this type of information may enable individuals to be contacted, tracked or profiled, in turn enabling indirect identification.

In order to ensure that such information is captured by the ambit of the Privacy Act, the ALRC has proposed the expansion of the current definition of personal information. It would include information 'about an identified or reasonably identifiable individual'. Once information can be linked to an individual, making them 'reasonably identifiable', that information would become personal information for the purposes of the Privacy Act.

Consent

Agencies and organisations can use and disclose personal information under the Privacy Act where they obtain the concerned individual's consent. 'Consent' is defined under the Privacy Act as express or implied consent; however, no further guidance is provided on what is required to obtain it and when consent can be said to have been given. Generally, consent should be given voluntarily, subject to the individual being informed of the nature and reasons for the use or disclosure.

Further issues arise in the context of 'bundled consent', where individuals are asked to consent to a range of uses and disclosures of personal information, often in the context of the supply of goods and services. There is a risk that consent provided in these circumstances is not true consent because it is not given willingly, particularly where an individual has not been given the option of choosing which uses and disclosures they agree to. There may, however, be practical reasons for obtaining bundled consent. For example, where an agency or organisation has multiple interactions with an individual (say in the context of an ongoing business relationship, or managing a claim for ongoing government benefits), it may not be practical to obtain consent on each occasion that the personal information is used or disclosed.

Rather than provide a statutory definition of consent which could be interpreted too narrowly, the ALRC has recommended that the Privacy Commissioner provide further guidance on what is required to obtain consent in various contexts, including advice on the appropriate use of 'bundled consent'.

The ALRC has also made a number of proposals regarding consent in the context of health information. These include: allowing a health service provider to collect health information about a third party from a person (e.g.
patient or other health consumer), without the third party's consent where it relates to the person's social, family and medical history and is necessary in the context of providing a health service to the person; where an individual is incapable of giving consent, allowing an 'authorised representative' to give consent on their behalf; allowing a health service provider to disclose health information about an individual who is incapable of giving consent to a person who is responsible for the individual, subject to a number of circumstances being met; and permitting the collection of health and other sensitive information where it is necessary to prevent a serious threat to the life of an individual, and where the individual whom the information concerns is incapable of giving consent.

Collection Of Personal Information From Third Parties

Another matter which gives rise to issues of consent is the collection of personal information about an individual from a third party. The provisions of the Privacy Act cover personal information obtained about an individual from a third party, where that information is solicited by agencies and organisations. However the requirements for handling unsolicited information are less clear. Different obligations apply to public and private sector bodies in relation to unsolicited information. While the IPPs are silent on the collection of personal information from a source other than the individual concerned, NPP 1.5 requires the individual concerned be made aware of those matters that apply, in relation to the direct collection of personal information (i.e.
purpose for which the information is collected and to whom the organisation normally discloses that kind of information, etc). However, the risk of improper
The ALRC has therefore recommended the need for clearer rules about the handling of unsolicited personal information received from third parties. In particular, where an agency or organisation receives personal information about an individual from another person, it should be required to either: destroy the information, without using or disclosing it; or if the information is retained, take reasonable steps to bring to the individual's attention specified matters similar to those that apply to direct collection, and advise the individual of the source of the information on request. Therefore, unless certain exceptions apply, the agency or organisation would need to seek the consent of the person in order to use or disclose the information. It is interesting to note that there is no proposed requirement to seek consent from the source of the information to reveal their identity to the individual, nor advise them if this occurs.

The ALRC has also proposed that the requirements in relation to information received from third parties would only apply: in circumstances where a reasonable person would expect to be notified; to the extent that it would not pose a serious threat to the life or health of any individual; and in the case of an agency, except to the extent that it is required or specifically authorised by or under a law not to make the individual aware of one or more of these matters.

Data Breach Notification

Following the recent introduction by Senator Stott-Despoja of the Privacy (Data Security Protection Breach Notification) Amendment Bill in the Senate, the ALRC now proposes to amend the Privacy Act to impose a new data breach notification obligation on agencies and organisations. Currently, the privacy principles in the Privacy Act only require agencies and organisations to take reasonable steps to maintain the security of the personal information they hold.
The ALRC is concerned, amongst other things, about identity theft and identity fraud, particularly given the large amounts of identifiable information that are stored electronically. Also, because identity theft normally occurs where a person's information is accessed in a place they do not control and of which they are often unaware, the person would not have an opportunity to take steps to mitigate the effects of identity theft.
The ALRC noted that many stakeholders, including the Office of the Privacy Commissioner, were generally supportive of the new notification requirement, mainly to improve accountability, openness and transparency in the handling of personal information. This would encourage compliance and vigilance against identity theft and provide a strong market incentive for organisations to secure their databases and avoid the reputational damage that could arise from a breach. Those against the change argue that the current requirements are adequate and further obligations would be unnecessary. Interestingly, the Australian Federal Police
is not in favour of the requirement, and expressed some concern that it would contribute to the already excessive caution exercised by agencies, organisations and individuals in relation to privacy. The ALRC also recognised that many organisations currently report data breaches if they believe it could result in harmful disclosure of confidential information.

The ALRC has concluded that a legal requirement to notify the individual is necessary to avoid the risk of an undersupply in notification, stating that organisations would not be motivated to inform every individual affected by a security breach because of the potential for reputation damage, lost customers, loss of future profits and exposure to litigation or penalties. It is also of the view that individuals should be notified in order to help them minimise the damage that could be caused, emphasising the importance of early notification. The new law would also provide incentives to improve data security, which is already a requirement in the Privacy Act.
Key features of the proposed law are: An agency or organisation is required to notify the Privacy Commissioner and affected individuals when: 'specified personal information' has been, or is reasonably believed to have been, acquired by an unauthorised person; and the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual. This notification threshold test is higher than other overseas models considered by the ALRC, allowing organisations to investigate the data breach and assess whether it would give rise to a 'real potential to serious harm'. Serious harm would include more than just identity theft or fraud (e.g. discrimination, if sensitive medical information was released). The reason for the high threshold proposed is to avoid 'notification fatigue' for individuals and reduce compliance burdens on agencies and organisations; Breach of the requirements, including failure to notify the Privacy Commissioner, would attract a civil penalty.

The definition of 'specified personal information' would not just cover financial information but also sensitive information and prescribed combinations of information, which if disclosed without authorisation, would give rise to a real risk of serious harm, such as drivers licences, proof of age cards, Medicare numbers, accounts, credit or debit card numbers, security codes or passwords or access codes and sensitive information, which would allow a person's account or true identity to be taken over.
Consistent with the ALRC's proposal that the Privacy Act be technologically neutral, the requirement to notify would not be restricted to computerised information. Adequately encrypted personal information and acquisition of information in good faith by an employee or agency, otherwise acting for a purpose permitted by the relevant privacy principles, would be exempted from the new requirements. The Privacy Commissioner would also have a broad discretion to waive the notification requirement if they consider it would not be in the public interest. The form of notification would be a stand-alone communication with prescribed content. The method of notification will be left to the relevant organisation or agency. The notification should occur as soon as reasonably practicable after notification to the Privacy Commissioner.

Removal Of Employee Records Exemption

Currently, the NPPs do not apply to 'employee records', which are records that contain personal information relating to the employment of a current or former employee (although employers have common law obligations to keep employment records private and confidential). The ALRC has proposed that the employee records exemption be removed from the Privacy Act. It acknowledges that the removal of the exemption may affect the ability of prospective employers to engage in full and frank discussion with a job applicant's previous employer.
To address that concern, an exception is proposed that allows an agency or organisation to deny a request for access to 'evaluative material' (material compiled solely for the purpose of determining the suitability, eligibility, or qualifications of an individual for an offer of employment, a contract, scholarship or similar benefits).

Employers will face a number of other difficulties if the employee record exemption is removed. The most immediate risk will be employees having full access to their personnel files. In the new regime employers will be required to provide an employee, upon request, with his or her entire personnel file and other sensitive records integral to the effective operation of the employer's organisation and human resources department. Employers will be required to take reasonable steps to allow the employee to correct employee records that the employee believes are not accurate. In addition, if there is a workplace investigation into suspected misconduct by an employee, the removal of the exemption will create significant hurdles for employers both in avoiding any subsequent litigation by an aggrieved employee (or ex-employee) and in protecting witnesses to an investigation.

The removal of the exemption will also affect business sales and purchase processes. Business sales are often market sensitive, and as such, are kept confidential until a deal is reached.
In these circumstances, it is not practical to gain the consent of employees before providing their employment information to prospective purchasers as part of the due diligence process. The Privacy Commissioner has already issued an Information Sheet on best privacy practice when buying and selling a business, which recommends that only aggregate information regarding employees is provided to prospective purchasers. However, this information may not be sufficient for the purchaser to properly assess any risks in buying the business, especially in relation to senior employees. If the employee record exemption is removed, careful consideration of how this information is provided to a prospective purchaser will be required.

Further, employers that use an off-shore company to administer payroll functions, or who have an overseas parent company that requires access to Australian employees' personal details, will also have to take additional steps to ensure that these overseas organisations comply with the proposed new UPPs.

Removal Of The Small Business Exemption

Currently, 'small businesses' with an annual turnover of less than $3 million are exempt from the operation of the Privacy Act. 'Small businesses' include businesses, non-profit bodies and unincorporated associations. It is suggested that up to 94% of businesses are protected by this exemption.
The original reason for the exemption was that the regulatory burden and compliance cost for small businesses to abide by the privacy requirements was considered too onerous and that many small businesses are considered low-risk when it comes to violations of individual privacy.

The ALRC proposes removing the small business exemption, providing five key justifications: comparable jurisdictions (e.g. the United Kingdom, Canada and New Zealand) do not exempt small businesses from privacy law requirements; the removal of the exemption will make Australia more compliant with the European Union directive and could promote trade with the European Union; modification of the small business threshold, either by increasing the turnover threshold or changing the measuring unit to employee numbers, will not be an appropriate solution; some small businesses such as debt collectors, ISP
providers, private detectives and tenancy A situation that arises when one individual conveys real property to another individual by way of a lease. The relation of an individual to the land he or she holds that designates the extent of that person's estate in real property. operators are involved in some of the most intrusive in·tru·sive adj. 1. Intruding or tending to intrude. 2. Geology Of or relating to igneous rock that is forced while molten into cracks or between other layers of rock. 3. Linguistics Epenthetic. invasions of privacy, regardless of the size of the business (i.e. focus should by on the types of activities undertaken by the business rather than its size); and up to 20% of complaints from December 2001 to January 2005 received by the Privacy Commissioner were deemed to fall within the small business exemption and therefore could not be investigated. The ALRC acknowledges that removal of the exemption would mean additional costs for small businesses to comply with privacy laws, such as obtaining legal advice, training staff on privacy requirements, maintaining security in respect of the personal information held and dealing with customer requests for access and correction of their personal information. The ALRC proposes that the Privacy Commissioner provide businesses with assistance and support to minimise compliance costs, before removing the exemption. This support would include free templates, educational materials and a national hotline. Changes To The Media Exemption - Defining 'Journalism' Acts and practices of a 'media organisation' undertaken 'in the course of journalism' are exempt from the operation of the Privacy Act provided that the organisation is publicly committed to observe privacy standards that have been published in writing, either by the organisation, or by a person or body representing a class of media organisations. 
Under s 6(1) of the Privacy Act, a 'media organisation' is defined as an organisation (which includes an individual) that collects, prepares or disseminates to the public, news, current affairs, information or documentaries, or commentaries and opinions on, or analyses of, such material. The central justification for the exemption has been the public interest, ensuring that the free flow of information to the public through the media is maintained.

The phrase 'in the course of journalism' is not defined in the Privacy Act. A proposed definition of 'journalism' was abandoned in 2000 so that the ordinary meaning of the word would apply instead. The ALRC has now recommended that a definition of 'journalism' similar to that proposed in 2000 be inserted into the Privacy Act. This is based on concerns that the lack of statutory definition allows the media exemption to apply too broadly, covering content such as infotainment, entertainment and advertising.

'Journalism' would be defined as 'the collection, preparation for dissemination or dissemination of the following material for the purpose of making it public:

- material having the character of news, current affairs or a documentary; or
- material consisting of commentary or opinion on, or analysis of, news, current affairs or a documentary'.

The ordinary meaning of the terms 'news', 'current affairs' and 'documentary' would continue to apply, as the ALRC considered defining them would be impracticable. However, it appears that the insertion of a definition of journalism into the Act has the potential to significantly curtail the activities that would come within the current media exemption, thereby limiting the ability of media organisations to publish content which includes personal information in certain contexts.

Direct Marketing

Use and disclosure of personal information for direct marketing purposes are currently addressed in NPP 2.1. The ALRC proposes introducing a discrete direct marketing principle. The effect of the proposal is minimal and is unlikely to significantly alter the practices of organisations currently conducting direct marketing.

Under NPP 2.1, if personal information is collected for the primary purpose of direct marketing, then provided that adequate consent has been given, the data can be used or disclosed for direct marketing with no further obligations on the organisation, or as one submission stated, 'almost without restraint'. If, however, the personal information was collected for another purpose, then it may only be used for the secondary purpose of direct marketing if a number of factors are satisfied:

- it is impracticable for the organisation to seek consent before use;
- the organisation will not charge the individual to action an opt-out request;
- the individual has not previously requested not to receive direct marketing; and
- each piece of direct marketing contains an opt-out notice and the contact details of the organisation.

The proposed direct marketing principle would require all organisations conducting direct marketing to obtain consent from the individual or meet the above requirements, regardless of the purpose for which the information was collected.
The ALRC appears to have accepted the view of the Law Council which submitted that: 'There appears to be no valid policy reason why an organisation which collects information for the primary purpose of direct marketing should be free to use that information in a way which organisations which collect it in the context of a relationship with the individual are not free to use it'.

Other changes that the proposed direct marketing principle would make include:

- where an individual requests not to receive further direct marketing communications, the organisation must comply with this requirement within a reasonable period of time; and
- where an individual requests it, the organisation must take reasonable steps to inform them of the source from which their personal information was obtained.

Consistent with its recommendations that public and private sector privacy principles be made uniform, the ALRC is considering whether the direct marketing principle should apply to agencies as well as organisations. No conclusion has been reached on this issue and the ALRC has called for further input from stakeholders.

Information Sent Overseas

The primary focus of the Privacy Act is to regulate the handling of personal information within Australia. However, due to the regular transfer of information across national borders, the provisions of the Privacy Act also regulate the overseas transfer of personal information by an organisation. Section 5B of the Privacy Act applies to acts done, or practices engaged in, outside Australia, if the information relates to an Australian citizen or permanent resident. The requirements currently only apply to private sector organisations.
The ALRC argues that the requirements should also apply to public sector agencies, as these agencies can compel the collection of personal information. Agencies would therefore remain accountable for the handling of that information and should be prevented from transferring the information to entities operating in countries with lower privacy protection standards.

There are broadly six circumstances in which the transfer of information overseas is currently permitted:

(1) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that upholds the requirements of the Privacy Act;
(2) the individual has consented to the overseas transfer of information;
(3) the transfer is necessary to fulfil a pre-contract request by the individual or a contractual agreement between the parties;
(4) the transfer to a third party is necessary to perform or conclude a contract that is in the interests of the individual;
(5) the transfer is for the benefit of the individual and it is impracticable to obtain consent for the transfer; however, this would likely be supplied if requested; or
(6) the organisation has taken reasonable steps to ensure that the information is not held, used or disclosed inconsistently with the Privacy Act.

The ALRC's proposal seeks to clarify options (1) and (6), where a 'reasonable belief' or 'reasonable steps' are required to ensure a similar level of privacy protection exists in other countries. It is suggested that seeking legal advice would help an organisation establish the reasonable belief and take reasonable steps.
To assist an organisation in determining when the regulations are similar, and therefore a transfer overseas would be acceptable, the ALRC proposes that the Australian Government publish a list of laws or schemes that provide similar protection to that offered by Australian privacy laws. In addition, when an organisation relies on grounds (3) to (6) above, the ALRC proposes that organisations be accountable for the way the information is dealt with, which means that, in some circumstances where personal information is sent overseas, the organisations would remain liable for the handling of that information.

Credit Reporting

The Report contains an extensive review of the credit reporting rules set out in Part IIIA of the Privacy Act. These rules are more technical and prescriptive in nature than the NPPs. The most significant recommendation in the Report relates to the broadening of the types of information that can be included in a 'credit information file'.

The current regime contains strict limits on the types of information that can be included in a credit information file about an individual. This type of information would normally be regarded as 'negative' in nature, such as details about defaults by a customer in meeting their obligations under a credit contract. The ALRC has stopped short of recommending that the limitations on what can be included in a credit information file be scrapped, and instead has recommended expanding the categories of information that may be included in a credit information file to the following:

- type of each current credit account opened (e.g. mortgage, personal loan or credit card);
- date on which each current credit account was opened;
- limit of each current credit account (e.g. initial advance, amount of credit approved, approved limited); and
- date on which each credit account was closed.

The ALRC has acknowledged that there is little support for the proposition that a more comprehensive credit reporting regime will improve the risk assessment process for lenders. However, it recognises that there was a divergence of views about how this additional information would be used. One view is that a more comprehensive credit reporting regime will reduce the level of defaults. Alternatively, the level of defaults could remain relatively unchanged but the additional information may reduce the number of applications that are rejected, because credit providers would have access to more information and accordingly it may become easier for some applicants to obtain access to credit.

The ALRC recommendations follow years of debate about perceived limitations in the credit reporting regime in Part IIIA. The recommendations can be contrasted with the views of the Victorian Government in the Victorian Consumer of Credit Review of 2006, to the effect that there was insufficient evidence to support a more comprehensive credit reporting regime. The Report also contains a number of other recommendations relating to credit reporting.
These include:

- a requirement for credit reporting agencies to monitor data quality and establish controls to ensure that information used or disclosed is accurate, complete, up-to-date and relevant;
- that any credit provider wishing to provide information on defaults to a credit reporting agency be required to be a member of an external dispute resolution scheme;
- that collection of credit information about persons under the age of 18 be prohibited; and
- that individuals be permitted to make a notation on their credit information file where they have been the victim of identity theft.

A further recommendation with potentially broad implications is the removal of the distinction between the different rules that apply, depending on whether credit is being obtained for commercial purposes on the one hand or personal, domestic or household purposes on the other. The latter category is currently subject to more onerous controls.

Deceased Persons

The Privacy Act regulates the collection, use and disclosure of the personal information of individuals. 'Individual' is generally defined as a natural (i.e. living) person. The exception to this is in Part VIA (declared emergencies and disasters), where personal information of an individual includes an individual who is not living.
This means that the Privacy Act currently offers very little privacy protection for deceased individuals. Particular problems arise in relation to the access and correction of personal information concerning deceased persons. Access to personal information of deceased persons held by Australian Government agencies is governed by the Freedom of Information Act 1982 (Cth) and the Archives Act 1983 (Cth), with similar state and territory legislation applying to personal information held by state and territory agencies. However, access to personal information in the private sector is inconsistent both across jurisdictions and industries.

The ALRC has proposed that access to personal information of deceased persons held by agencies continue to be governed by the FOI Act and the Archives Act. In relation to private sector organisations, the ALRC has proposed that the Privacy Act be amended to include a new Part which specifically deals with the handling of personal information of deceased individuals who have been dead for 30 years or less. This new Part would reflect the proposed Unified Privacy Principles in relation to use and disclosure, access by third parties, data quality and data security. In relation to use and disclosure, the ALRC has proposed that where consent is required, the organisation should consider whether there would be an unreasonable use or disclosure in relation to any person, including a deceased person.
The ALRC has not proposed that organisations be required to consult with the individual's family or legal personal representative in determining whether the use or disclosure would be unreasonable, but in the absence of further guidance on what would be considered unreasonable, it would probably be preferable to do so as far as is reasonably practicable.

Further proposals by the ALRC in relation to the personal information of deceased persons include:

- permitting organisations to use or disclose genetic information to a genetic relative of a deceased person where it is necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative; and
- allowing certain persons to lodge a complaint with the Privacy Commissioner in relation to alleged interference with the privacy of a deceased individual.

Young People And Decision Making

At present, Federal legislation does not specifically address the privacy rights of children and young people. The ALRC proposes requiring organisations to assess the capacity of all individuals between the ages of 15 and 18 to make privacy decisions. In relation to children aged 14 and under, privacy decisions would be made by the individual's 'authorised representative'. This would be done by applying a set of assessment criteria. Specifically, it proposes that an individual would be found incapable of making privacy related decisions, if, despite the provision of reasonable assistance by another person, he or she is incapable, by reason of maturity, injury, disease, illness, cognitive or physical impairment, mental disorder or any other circumstance
This proposal is likely to impose a significant burden on organisations that market to and communicate with children and young people, particularly in an online environment where personal information is regularly collected. There are a number of other proposals in the Report relating to privacy and young people, including Privacy Commissioner guidelines and other educational tools, which have significant implications for schools and other organisations that regularly deal with young people.

Conclusion

The proposed changes will have a considerable impact on agencies and organisations across Australia. Accordingly, the ALRC is accepting submissions from the public on all aspects of the Report until 7 December 2007. Please contact us if you would like assistance in preparing a submission to the ALRC regarding any of the Report's proposals.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Minter Ellison
Aurora Place
88 Phillip Street
Sydney New South Wales 2000
AUSTRALIA
Tel: 299218888
Fax: 299218123
E-mail: mondaqmail@minterellison.com
URL: www.minterellison.com

(c) Mondaq Ltd, 2007 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com