1. Introduction

The Australian Government has said that it will provide an update to the Privacy Act 1998 ("Act") in early 2010. As we are well into "early 2010", I recommend that all those holding their breath for the draft legislation release it.

At a very high level, the government intends to amend the Act in two stages. The first stage is a fairly standard (though long awaited) review of the Act. The really interesting issues will be addressed in stage 2. These issues include the removal of the small business exception, the removal of the employee records exemption, the introduction of a legal remedy for a serious invasion of privacy, handling of personal information under the Telecommunications Act 1997, and resolving national inconsistencies of privacy regulation. Unsurprisingly, there has not been any date set for stage 2, and whether there will in fact be any stage 2 may depend on which government is in at the time.

2. Changes

So, what are the proposed amendments in stage one? I‟m glad you asked. Here are some of the highlights.

The National Privacy Principles (NPPs) and the Information Privacy Principles (IPPs) will be replaced by a single set of Uniform Privacy Principles ("UPPs"), which will apply to private organisations and Commonwealth agencies (generally referred to as "organisations" in this article).

Certain acts or practices are authorised "by or under law". The ambit of "law" has been a matter of some discussion. The Privacy Commissioner has taken a fairy broad view (see one of the Privacy Commissioner's decisions, below) and this broad view will now be included in the legislation. Law will include (so it won't be an exhaustive list) Commonwealth, State and Territory Acts and delegated legislation, common law or equitable duties, an order of a court or tribunal, or documents given the force of law by an Act, such as industrial awards. To avoid parties contracting out of their obligations under the Act, contracts will be specifically excluded from the definition of "law".

The receipt of unsolicited personal information has challenged some organisations in the past (see one of the Privacy Commissioner's decisions, below). Accordingly, upon receipt of unsolicited personal information, an organisation must decide, as soon as practicable, whether or not it will keep it. If not, the organisation must promptly destroy the unsolicited information. If the organisation decides to keep it, must comply with all the UPPs, including notifying the relevant individuals that their personal information has been collected.

There is a general exemption that personal information can be disclosed if an individual's life or health is in imminent danger. The government proposes to remove the "imminent" requirement, which it now sees as too restrictive.

Many of us in the past have received unsolicited phone calls or correspondence, and wanted to know how they got our details. One of the proposed amendments to the Act will allow us to find out. If an organisation engages in direct marketing with an individual who is not an existing customer, the organisation must advise the individual where it got their personal information if the individual asks.

If an organisation has disclosed personal information to someone else (where entitled to), and the individual subsequently updates or corrects it, the organisation that disclosed it in the first place will have to update that information with everyone it disclosed the information to in the first place. I for one will be very interested to see how this is actually going to work.

Organisations will remain accountable for personal information transferred outside Australia (including to a related body corporate) other than in restricted circumstances (required by law, consent, subject to equivalent laws). The previous exception, where there overseas party is subject to a binding contract to protect the personal information, will be removed. The government's reasoning is that the individual can't take action in relation to a breach of such a contract. I know from personal experience that this is a very useful and much-used exception; again, I suspect that this may create problems in practice, particularly where an organisation needs to transfer personal information to areas that do not have particularly strong privacy protections, such as Asia, the US or South America.

Credit reporting is a major area of contention - see several of the Privacy Commissioner's decisions, below. The changes to the Act will mean that organisations will also be prevented from disclosing credit reporting information to foreign credit providers, and will not be obliged to maintain information about foreign credit. In addition, to allow credit providers an independent and easily attainable source of information about an individual's willingness (or ability) to repay, the information that can be included in credit reference records will be expanded to include the type of credit account (eg. mortgage, personal loan, credit card etc), the date on which a credit account was opened and closed, the limit of the credit account and the person's repayment performance history over the immediately preceding two year period including the number of repayment cycles that the individual was in arrears.

3. Examples

However, enough of this legal background. How about where organisations have got it wrong in the past. How did they get it wrong, and what happened? Here is a summary of some of the cases that the Privacy Commissioner investigated last year.

  1. Some of these cases highlight that a breach of the Act can have an important impact on the individual, particularly where the personal information was not checked.

    A Commonwealth agency investigated the conduct of an employee, including preparing a report of that individual's work attendance. The employee claimed the attendance record was incorrect, and that no reasonable effort had been made to ensure it was correct. The Commissioner compared the attendance report with the individual's time sheet and building access records, and looked at how the agency checked the attendance information before finalising the report. The Commissioner found the attendance report contained inaccurate personal information which the agency could have avoided if it had re-checked the dates. It was a particularly severe breach of the Act because the attendance report was used in making a decision about the employee's conduct. A conciliation took place, followed by a payment to the individual.

    A Commonwealth agency sent a letter confirming details of an individual's new name (changed by deed poll to escape domestic violence) and address to the individual's previous address (where they suffered the domestic violence). The individual incurred medical and removal costs because of the disclosure, and while the agency admitted the mistake, it refused to pay for the individual's costs. The Privacy Commissioner conciliated the matter, the individual provided more evidence of costs incurred, and the agency paid an amount in compensation.
  2. Some of the cases show that no matter how much privacy training you have, "stuff happens". Computer or human glitch, you sometimes have to watch out for the unexpected.

    A passer-by found a scrapbook in a shopping centre car park with stories, and personal details, of customer incidents put together by staff at a retailer's call centre. The retailer stated it was unaware of the scrapbook, and had privacy protections in place, including induction, on-going staff training and a quality control team that monitored customer calls. To prevent a similar occurrence, the retailer counselled and formally warned all employees involved in the scrap book, implemented additional privacy training and updated its training material to refer specifically to the incident.

    A number of medical documents, including personal and sensitive information, were found scattered in a public park next to a private medical centre. The medical centre, which had already started its own investigation, found that a lock on a medical waste bin, kept at the back of the medical centre, had been broken. Several other facilities at or around the park had also been vandalised. Due to the sensitivity of the information, the Privacy Commissioner and the medical centre discussed a number of steps to keep the personal information secure, including having secure fencing installed around the medical centre, moving the secure bin inside the medical centre, upgrading the lock, and obtaining a shredder so documents could be securely destroyed on-site.

    A credit provider listed a default on an individual's consumer credit information file which was statute barred, and failed to notify the relevant credit reporting agency once it knew that the default was statute-barred. The issue arose because of computer glitches. The credit provider apologised to the individual, removed the debt from the credit file, revised its process for identifying statute-barred debts and trained its staff on managing statute-barred debts.
  3. Other cases highlight that the application of the Act isn't just mechanical compliance, sometimes you have to think about it – like when you get unsolicited information, receive information in confidence, or take on an unauthorised role...

    A party to a joint bank account amended the signature authority on the bank account after a dispute, and advised the bank of the dispute. A relative of the other signatory later contacted the bank and discussed further details of the dispute. Based on this unsolicited information the bank unilaterally modified the signature authority, without attempting to verify the information. The bank argued that it did not collect information from the relative because it did not ask for it - the information was unsolicited. However, the Commissioner took the view that collection can occur from any source and by any means. There was also a collection because the bank had acted on the information. The Commissioner also found that it was reasonable and practicable to collect the personal information from the individual, rather than a third party. This was a particularly serious breach of the Act because it had an effect on the complainant's finances. The bank compensated the individual for its interference with that individual' privacy.

    An individual applied to acquire a car dealership. The individual' referees provided information about the individual on the condition that it be treated confidentially. When the application was unsuccessful, the individual sought access to the referee's information, which the car dealership refused on the basis that doing so would be a breach of its duty of confidence to the referees. The Privacy Commissioner's view is that common law and equitable obligations constitute law' for the purposes of the Act. Accordingly the car dealership was not only entitled to refuse access because providing access would be unlawful, but was required or authorised by law to deny such access.

    A health service provider listed an unpaid debt with a credit reporting agency. The individual affected claimed the debt was not related to "credit" as defined by the Act and Determinations. The health service provider argued that according to its research, it was a credit provider. The Privacy Commissioner considered the health service provider didn' have a sufficient credit relationship with the individual, and was not a credit provider in accordance with the Determinations. In addition, given the potentially serious financial consequences of listing the payment default, the Commissioner was of the view that the health service provider should have undertaken additional steps, such as seeking legal advice or contacting the Commissioner's Office. The health service provider removed the payment default, stopped reporting overdue accounts to a credit reporting agency, and paid compensation to the individual.
  4. And in other cases, the action leading to the breach of privacy is just a little bit careless...

    An individual lodged a claim with their insurance company for damage done to their home, and was not satisfied with the repairs, and wrote to the insurance company to let them know. When the repairer then contacted the individual, angry about the statements made in the letter, the individual claimed the insurance company had inappropriately disclosed a copy of the letter to the repairer. The Privacy Commissioner found that the individual would reasonably expect the insurance company to disclose the substance of the complaints, but would not have expected that a full copy of their letter would be disclosed directly to the repairer. The insurance company apologised and agreed to amend its staff training program in relation to customer complaints.

    An individual, who was under mistaken surveillance (it should have been their relative under surveillance!), requested access to their photos and recordings collected by the organisation who requested the surveillance. The organisation didn' respond, and upon investigation claimed that it had never received any correspondence in relation to the matter. However, the organisation subsequently destroyed all personal information about the individual held by it and its solicitors, and no further action was taken.

    An individual worked for a large cleaning company for several years before resigning. After the resignation, an organisation to which the individual owed money contacted the cleaning company seeking information about the individual. The cleaning company disclosed personal information to the organisation, including the individual' address and financial details. The cleaning company relied upon the employee records exemption as the reason for not complying with the NPPs. However, the Privacy Commissioner found that the disclosure was not related to the individual's employment was therefore not exempt. The matter was conciliated, the cleaning company apologised to the individual and agreed to develop and implement privacy training for its staff.

So, from the interest in the amendments to the Act, and from the complaints made to the Privacy Commissioner (I have summarised just a few), it seems that the answer to the title of this article, who cares about privacy, is that we do.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.