31 August 2007

The Privacy Commissioner, Karen Curtis, has today released a list of 'essentials' for privacy law reform in Australia. They are drawn from submissions the Office has made to the Australian Law Reform Commission (ALRC) review of privacy.

"The ALRC will shortly be releasing a discussion paper and I look forward to continuing this important debate about how to best protect and promote privacy into the future," said Ms Curtis.

"Our overarching desire for privacy regulation is that it be consistent across all Australian jurisdictions, and easily understood, so that organisations do not have difficultly complying with the law and individuals are clear about their rights."

Keep principles-based and technology neutral privacy law

We would like to see privacy law continue to be principles-based.

A principles-based approach to regulation encourages organisations to understand the objectives behind the law and is better at accommodating technological change. When organisations understand the principles of the law, they can put in place their own steps to comply with it in a way that makes sense to their business.

No lessening of current levels of privacy protection

Any reforms to Australia's regulatory regime for privacy should not weaken existing privacy protections.

Where specific privacy risks arise, we believe that the Privacy Commissioner should be empowered to make binding codes to allow for higher standards of protection where appropriate.

Create a single set of principles

Currently the Privacy Act contains two different sets of principles - one for the public sector and one for the private sector. We would like to see confusion and overlap minimised by replacing these two sets with a single set of principles.

Foster national consistency of privacy regulation

In Australia we have a Commonwealth Privacy Act and some state and territory privacy laws. We would like to see not only national consistency of these laws but also uniformity of principles.

Remove uncertainty around privacy regulation in the private health sector

Currently, there is confusion about possible regulatory overlap in this area between the Privacy Act and some state and territory laws. We believe the Commonwealth Privacy Act should ''cover the field' for the regulation of private sector health service providers.

Simplify credit provisions

The Credit Reporting Provisions in the Privacy Act were created before the introduction of the National Privacy Principles. We believe that it would be simpler to regulate the credit industry via a combination of the privacy principles and a binding industry code.

Minimal exemptions to the Privacy Act

We believe that it will simplify regulation if exemptions to the Privacy Act are minimised. Where exemptions are continued, a clear public interest should exist to support that continuation.

Move towards data security breach notification

The Office supports the introduction of compulsory notification of data security breaches in certain circumstances. Such an obligation should be proportional to the severity of the breach. By notifying people in a timely manner, organisations give people an opportunity to take any necessary steps to protect their personal information.

The Privacy Commissioner's submissions to the ALRC review of privacy are available at www.privacy.gov.au/law/reform.