ACCforum: Australian Law Reform Commission - Privacy Act - ACCforum


Australian Law Reform Commission - Privacy Act Report

#1 hukildaspida

Posted 12 September 2014 - 05:51 PM

Law Reform Commission seeks right to sue for victims of privacy violations

Major changes to Australia’s privacy laws recommended for those whose ‘private space’ is intruded upon


Paul Farrell, Wednesday 3 September 2014 10.00 BST

Victims of misuses of private information and intrusions into private space in Australia should have a right to sue for violations of privacy, a major report from the Australian Law Reform Commission says.

In a report released on Wednesday the commission recommended the federal government should introduce a right to sue for major breaches of privacy in Australia.

The long-anticipated report suggests substantial changes to Australia’s privacy law to allow victims of abuses of privacy to take legal action, while attempting to balance the right to freedom of speech and ensure that journalists’ ability to report on matters of public interest is not affected.

The key findings from the report include:

The introduction of a federal tort of privacy for either an “intrusion upon seclusion” or a “misuse of private information”.

A court must be satisfied that the public interest in privacy outweighs any countervailing public interests, such as freedom of political expression, freedom of the press, open justice or public health and safety.

The invasion must be serious and needs to be committed “intentionally or recklessly”, but need not cause actual damage. Damages for emotional distress may also be awarded.

The commission recommended that the action allow individuals to have access to a range of remedies, including damages, corrections, apologies and injunctions restraining publication.

Commissioner Barbara McDonald said: “The ALRC has designed a remedy for invasions of privacy that are serious, committed intentionally or recklessly and that cannot be justified as being in the public interest – for example, posting sexually explicit photos of someone on the internet without their permission or making public someone’s medical records.

“The recommendations in the report also recognise that while privacy is a fundamental right that is worthy of legal protection, this right must also be balanced with other rights, such as the right to freedom of expression and the freedom of the media to investigate and report on matters of public importance.”

The release of the report has come at a time where there have been a number of substantial privacy breaches in Australia. On Monday it was reported that a large number of celebrities had photos of them nude posted online after unauthorised access to their Apple accounts.

Earlier in the year a major data breach also exposed the personal details of almost 10,000 people in detention, including a third of all asylum seekers in Australia. However, the federal government has indicated on several occasions it does not support a tort of privacy.

Australia has a patchwork frame of privacy laws covering the commonwealth, states and territories and governing different aspects of information security. The introduction of a right would, the ALRC says, help “cover the field” further to protect the privacy of Australia.

The Australian Lawyers Alliance spokesman, Greg Barns, said the alliance supported the introduction of a remedy for major breaches of privacy.

“At the moment if a person’s privacy is seriously breached there are very few avenues of address,” he said.

“As we’ve seen over the past week with the pictures of celebrities posted over the internet, this is a burgeoning field in the way people’s rights can be infringed.”

He added the commission’s proposals were “balanced against the right to freedom of expression”, and the action could be invoked where there was “simply no public interest case available”.

“What we’re talking about here is purely breaches of privacy which are done for the purpose of either newspaper or media organisations selling copies, or alternatively simply because a person is high profile in the community or if it is designed to hurt a person,” he said.

The report justifies the recommendation for a statutory tort in part due to the limited developments made in the Australian courts in the past decade to recognise a right to protect privacy. The last time the high court seriously examined the issue was in a 2001 decision where an attempt was made to restrain the ABC from publishing an illegally obtained video that revealed details about the treatment of animals at a “brushtail possum processing facility”.

The ALRC also recommended more substantial powers for the Australian privacy commissioner to investigate complaints about serious invasions of privacy. Changes are also proposed to Australia’s surveillance and listening devices laws, which vary in the states and territories and apply different standards and tests.

The privacy commissioner, Timothy Pilgrim, said in a statement on Wednesday that he welcomed the release of the report.

“This report recognises the changing nature of challenges to privacy in the digital age and engages with a large number of contemporary privacy issues. The [Office of the Australian Information Commissioner] notes the recommendations to expand the powers of the privacy regulator and looks forward to the government’s consideration of the report.”

The shadow attorney general, Mark Dreyfus, who commissioned the report when in government, thanked McDonald and the ALRC president, Rosalind Croucher, for the report.

“The report recommends the creation of a statutory right to privacy allowing Australians to take legal action if they fall victim to a serious invasion of privacy. A right to privacy already exists in the UK, New Zealand, the USA and Canada.”

A recent report of the House social policy and legal affairs committee, chaired by George Christensen, concluded that the government should immediately consider the introduction of a statutory right to privacy.

Dreyfus said: “In opposition senator Brandis stated his opposition to a right to privacy in extreme terms.”

A spokesman for the attorney general, George Brandis, said: “The government has made it clear on numerous occasions that it does not support a tort of privacy.”

The release of the report also comes on the eve of the first hearing of an appeal in the federal court for a group of asylum seekers affected by the asylum data breach that exposed their personal details. The federal court will hear their challenge to an earlier circuit court decision on Thursday.

#2 hukildaspida

Posted 12 September 2014 - 05:52 PM

Serious Invasions of Privacy in the Digital Era (ALRC Report 123)

Published on 3 September 2014.

In this Inquiry the ALRC was asked to design a statutory cause of action for serious invasions of privacy, and also to consider other innovative ways in which law may reduce serious invasions of privacy in the digital era.

This final report was tabled on 3 September 2014.

A Summary Report is also available.

This publication is available for purchase in book format.


#3 hukildaspida

Posted 21 October 2014 - 02:03 PM

This is equally as relevant to NZ as we share many of the same companies and services with Australia.

Abbott government data storage plan lacks privacy safeguards, says iiNet

Telco releases the categories of data the government wants it to store and outlines its concerns about cost and data security

Katharine Murphy, deputy political editor, Thursday 9 October 2014 05.15 BST


The Abbott government intends to make telcos and internet companies store customers’ private data for two years – but industry players say the government has declined to mandate or even spell out any special security arrangements to ensure consumer privacy is protected.

iiNet has released a paper reflecting the consultations the company is having with the attorney general’s department about the mandatory data retention scheme the Abbott government is proposing as part of its tough counter-terrorism measures.

The company says in discussions thus far, security issues have been off the table. iiNet has raised some alarm at this prospect. “Retaining the proposed data set for two years involves significant security risk, and significant associated cost to manage this risk,” it says.

The company says government officials have provided “no guidance” on the security protocols that would apply to storing people’s private communications data.

“No guidance has been provided on other practical issues such as whether communications providers will be free to seek the lowest cost solutions,” iiNet says in its summation of the consultations. “For example, will offshore cloud storage be acceptable or will the data be required to be stored in Australia?”

The company – which argues that blanket data retention equates to mass surveillance – notes that “the retention of a vast set of personal information would likely prove to be an appealing target for hackers all around the world – creating a risk of identity theft in the event of a data breach.”

Reassuring people that their private data will be stored safely would appear to be a critical component of building public support or confidence in such a scheme.

But John Stanton from the telco industry body, the Communications Alliance, told Guardian Australia on Thursday that government officials had not yet spelled out any specific security requirements applying to the proposed scheme.

“We’ve discussed that with the attorney general’s department and there’s no [security] requirement at this stage,” he said. “It’s an issue I imagine we’ll have to revisit.”

Draft legislation to create the mandatory data retention scheme could be produced for parliamentary consideration within two weeks – yet key industry players have no idea who will pay for the costs associated with the scheme.

Stanton said no information had been forthcoming, and the “industry was continuing to press for clarity on cost”.

iiNet said not only would Australians face privacy risks associated with having their communications information stored, they would have to carry the cost if the government didn’t intend to pay for the scheme.

“There has been no suggestion by the government that it would reimburse or even contribute to the substantial costs incurred by providers in complying with a mandatory data retention regime,” the company says in its paper. “In these circumstances, consumers will ultimately bear these costs.”

iiNet also notes that thus far, federal officials have not proposed to narrow the range of bodies that can currently access consumer metadata. Consumer data has not only been accessed by police and intelligence agencies in recent years, but by groups like the RSPCA, local councils, the Tax Practitioners Board and the Victorian taxi directorate.

There have been calls to narrow the range of people who can have access to stored data – including by parliament’s joint intelligence committee when mandatory data retention was first proposed in 2013.

The government has not released a private industry consultation paper where it spells out the categories of information it wants telcos and ISPs to capture.

But iiNet has released the full list in its paper. The categories of data include:

Subscriber name
Additional authorised or registered users
Address – residential, business, post office, billing and payment, service installation
Account or service identifier – IP address, email address, phone number, international mobile subscriber identity, other network identifiers
Any bundled services or additional accounts
Date of birth
Financial, charging, billing and payment information
Account status or billing type – including whether account has been suspended for failure to pay and post/prepaid status of the service
Identification and verification data – may include passport number, Medicare number, other credit cards, rates statement
Available bandwidth
Upload/download volumes
Records of successful, tariffed communications – time, date, duration of communication
Records of unsuccessful, untariffed communications – time, date where communications is incomplete (eg unanswered)
Any identifier which uniquely describes the service at the time of the successful or attempted communication, including date & time marking.
The source identifier for communications terminating on a provider’s network or service (excluding URLs)
The destination identifier for communications terminating on another provider’s network or service (excluding URLs)
Type of service – eg. ADSL, cable
Type of application – eg. VOIP, instant messaging, email
Additional features – call waiting, bandwidth allocation, upload/download allocations
Physical and logical location of device – at start of call, at end of call


#4 hukildaspida

Posted 16 July 2015 - 01:23 PM

A short guide to privacy law: Part 1

You can't afford to overlook the importance people place on their privacy
Guy Betar (CIO) 15 July, 2015 14:43

There is a growing focus in the community on privacy and personal information, and that will no doubt continue as data becomes an increasingly valuable commodity in big business.

The Big Brother spectre is a real and growing perception, and business cannot afford to ignore the importance people place on the integrity of their privacy.

Privacy Commissioner, Timothy Pilgrim, has quite broad, sweeping powers to act on complaints as well as to instigate his own investigations.

The Commissioner recently worked with the Data Protection Commissioner of Ireland and the Office of the Privacy Commissioner of Canada to investigate the consequences of a major data breach involving Adobe’s facilities in Ireland.

Part of Adobe’s network in Ireland held some 1,700,000 records of Australian customers. The Australian Commissioner found that Adobe failed to take reasonable steps to protect all of the personal information it held.

So it’s worth keeping in mind that although you may be liable for damages and other penalties for breaching the Privacy Act, the damage to reputation from the incident and the government’s publicised investigation and findings may have a far greater effect on your business and bottom line.


So, who is obliged to comply with the Privacy Act?

If your business collects personal information, and your annual turnover is greater than $3 million, then as a general rule you must comply with the Act’s requirements. Even if you are well aware of this general obligation, with the changes to the Act that took place in 2014, chances are you need to review your compliance and your privacy policy to ensure you are up to date.

As a simple statement, the Act prohibits ‘interfering’ with the privacy of an individual. It also specifically provides that interfering with an individual’s privacy occurs when conduct breaches an Australian Privacy Principle (APP).

The next important questions are: What is ‘personal information’, and how does the Act affect those that collect and handle it?

Personal information is information or an opinion about an individual who can be identified, or who is reasonably identifiable. The truth or correctness of the information or opinion is not relevant.


There is a sub-category of personal information called ‘sensitive information’, which is subject to more stringent controls under the Act. Sensitive information relates to race, ethnic origin, religious beliefs and related matters.

The principal obligations for the collection and handling of personal information are set out in the APPs. Some of the key obligations under the APPs are considered below.

You have to take reasonable steps to ensure you can deal with inquiries or complaints when you are collecting and handling personal information. You also have to have an up-to-date and readily available privacy policy. The APPs contain a list of specific matters that your privacy policy must include (APP1).

You can only collect personal information where it is reasonably necessary for your activities, and you can only collect sensitive information with the consent of the individual concerned (APP3). Again, there are certain limited exceptions, and these need to be considered carefully before relying on them.

You have to take reasonable steps to notify the individual of your organisation’s details, and the reasons you are collecting their personal information (APP5). Personal information may only be used for the purpose for which it was collected, unless consent is obtained from the individual (APP6), or one of the exceptions in APP6 is satisfied.


It is important to understand that the effect of the APPs extends beyond Australia. To disclose personal information outside of Australia, you must take reasonable steps to ensure the offshore recipient does not breach the APPs in respect of that information (APP8).

The privacy obligations are not one time only responsibilities. Once collected, there are ongoing responsibilities to ensure the information is kept up to date, is accurate and complete (APP10).

In addition to keeping the information up to date, you are also obliged to take reasonable steps to protect it (APP11). Under that same APP, where you have personal information you no longer have a use for (i.e. authorised use), then you cannot passively retain it – you have a positive obligation to destroy it or de-personalise it.

It is worth looking at another example to consider how important these requirements may be. The Privacy Commissioner is currently investigating yet another data breach incident, this time involving Westnet, a subsidiary of iiNet.

It appears a hacker compromised a database containing Westnet customer information, and then offered that information for sale online.


The Commissioner would no doubt be investigating to see if Westnet had taken reasonable steps to protect the information. iiNet has itself referred to the information compromised as “old customer information stored on a legacy system”. It would be ironic in the extreme if this statement, no doubt intended to tone down alarm over what was compromised, led to a further investigation into whether APP 11 had been breached.

There is a general obligation to provide individuals access to their personal information that you hold, with some exceptions (APP12).

The final obligation under the APPs is to correct personal information you hold, where there is reason to suspect it is not correct or up to date (APP13).

You need to give time and resources to understanding your Privacy responsibilities and ensuring you comply with them. A failure to do so may have consequences well beyond breaches of the Act, which is in itself serious enough.

Some safeguards worth considering are to have an individual appointed within your organisation as responsible for privacy matters and compliance. You need to conduct regular reviews of compliance and your privacy policy, and have an audit trail of those reviews. This should include being clear about what information your organisation actually collects, who collects it, where it is held, and what is done with it.

You need to be sure you understand all of your obligations, and where there is any uncertainty, seek appropriate advice.

Guy Betar is a corporate/IT lawyer with more than 20 years’ experience. He is currently special counsel at Salvos Legal.
