Among its key recommendations, this report calls for:
• Simplification and streamlining: the Privacy Act and related laws and regulations are highly detailed and complex, making it difficult for businesses to understand their obligations and for individuals to know their rights. A basic restructuring of the Act is required, focused on high-level principles of general application, to be supplemented by dedicated regulations governing specific fields, such as health privacy and credit reporting.
• Uniform privacy principles and national consistency: the Act should prescribe a single set of Privacy Principles—developed and spelled out by the ALRC in this report—to apply to all federal government agencies and the private sector. It is recommended that these principles also be applied to state and territory government agencies through an intergovernmental cooperative scheme—so that the same principles and protections apply across Australia no matter what kind of agency or organisation is handling the information.
• Regulating cross-border data flows: the basic principle should be that an agency or organisation that transfers personal information outside the country remains accountable for it, except in certain specified circumstances.
• Rationalisation of exemptions and exceptions: the Privacy Act should be amended to rationalise the complex web of exemptions and exceptions. Exemptions should only be permitted where there is a compelling reason—and the ALRC recommends removal of the current exemptions for political parties, employee records and small businesses.
• Improved complaint handling and stronger penalties: the Privacy Commissioner’s complaint handling procedures should be streamlined and strengthened, and the federal courts should be empowered to impose significant civil penalties for serious or repeated breaches of the Privacy Act.
• More comprehensive credit reporting: in addition to the limited types of ‘negative’ information currently permitted, it is recommended that some additional categories of ‘positive’ information should be allowed to be added to an individual’s credit file, in order to facilitate better risk management practices by credit suppliers and lenders.
• Health privacy: apart from the general approach to simplification and harmonisation of privacy laws, the ALRC recommends the drafting of new Privacy (Health Information) Regulations to regulate this important field. Recommendations are also made to deal with electronic health records, and the greater facilitation of health and medical research.
• Children and young people: consultations with children and young people indicated that they wish to retain control over the personal information that they post on social networking websites, but were unaware of the extent to which such information remains available even after it has been ‘deleted’. The ALRC recommends that regulators and industry associations intensify efforts to educate young people about these issues.
• Data breach notification: government agencies and business organisations should be required to notify individuals—and the Privacy Commissioner—where there is a real risk of serious harm occurring as a result of a data breach.
• Cause of action for a serious invasion of privacy: federal law should provide for a private cause of action where an individual has suffered a serious invasion of privacy, in circumstances in which the person had a reasonable expectation of privacy. Courts should be empowered to tailor appropriate remedies, such as an order for damages, an injunction or an apology. The ALRC’s recommended formulation sets a high bar for plaintiffs, having due regard to the importance of freedom of expression and other rights and interests.