Privacy Law Reform - Consistency, Simplicity, Clarity
Speech by Karen Curtis, Privacy Commissioner, to the Melbourne Law School on Privacy Law Reform, Melbourne, 5 March 2008.
Introduction
I begin by acknowledging the traditional owners of this land, their Elders, both past and present, and their connections with this land.
I thank Professor Bryan for the invitation to speak today. I am pleased to have the opportunity to speak to this group of current and future members of the legal profession about privacy regulation in Australia.
This afternoon, I propose firstly to give you an overview of federal information privacy regulation, and secondly to outline the most essential areas for privacy law reform.
I. Overview of federal privacy law
The Office
My role as Australian Privacy Commissioner is primarily to administer the Privacy Act 1988. In practical terms, this is achieved through the three functional units of my Office primarily located in Sydney which deal with education, policy advice, and complaint handling and auditing. The Office comprises some 68 staff.
Our strategic plan articulates our vision as an Australian community in which privacy is valued and respected.
Our purpose is to promote and protect privacy in Australia.
Our functions are outlined particularly in the six pages of Section 27 of the Privacy Act. Perhaps most fundamental for the role of a regulator are the specific statutory functions under the Privacy Act in relation to complaint handling and investigation.
Where possible, my Office has a facilitative approach to its regulatory functions. We seek to work with agencies and organisations to encourage compliance with the Privacy Act. In resolving the 1,200 or so complaints received annually, we attempt to conciliate an acceptable outcome to both parties.
Where such an outcome is not possible the Commissioner may make a determination that can, if necessary, be enforced by the Federal Court or Federal Magistrates Court. The relatively small number of determinations that have been made is an indication of the success my Office has had in resolving complaints through conciliation.
Importantly though, the Privacy Commissioner has an educative role - to encourage the adoption of privacy standards more broadly across our community, and an advising role - to give advice to federal and ACT Government agencies, as well as the private sector as to how privacy can be promoted in their functions and activities.
I have placed great emphasis on the policy development and policy advising role of the Office. My firm view is that it is much easier and more productive to influence the development of policies and initiatives in the formative stage rather than trying to add privacy considerations on at the end.
Considering privacy at the conclusion of a process may often require a combative approach rather than constructive and does not result in better privacy outcomes for Australians. It is a much better public policy outcome to have privacy 'built in' rather than 'bolted on'.
My Office encourages agencies and organisations to meet their minimum compliance obligations and indeed work towards implementing best privacy practice.
At the same time, it was Parliament's clear intent, consistent with international instruments, when enacting the Privacy Act that the Privacy Commissioner recognise that the right to privacy is not absolute, but must be pursued with regard to other important and sometimes competing rights and interests such as the right to free speech and the right of business to achieve its objectives efficiently.
In pursuing our functions, whether they be promoting, educating, advising or regulating, my approach in my 3½ years as Commissioner has been not to overcomplicate privacy. Privacy law should be about commonsense, courtesy and respect.
It should be an enabler and enhancer and not seen as a burden for either business or government. Indeed, for all those with obligations, 'good privacy is good business'.
Overview of the Privacy Act
Coverage
The Privacy Act in some way covers all of us within Australia. Very few of us wouldn't interact with the health sector, the financial sector or the ATO or Medicare!
The legislation gives protection for personal information that is handled by federal and most ACT Government agencies, private sector organisations which have an annual turnover of more than $3 million, and all health service providers (regardless of turnover).
The Act also regulates the reporting of individuals' credit information and tax file numbers.
Significantly, with some exceptions in the ACT, the Privacy Act does not cover State or Northern Territory agencies (including universities). In some cases, these jurisdictions have their own privacy laws.
As I shall discuss later, addressing the complexities and overlaps between Federal, state and territory privacy laws is a key issue for privacy law reform.
Meaning of 'personal information'
Privacy in Australian law is primarily about information or data protection.
The focus of federal privacy regulation is information privacy as opposed to other notions of privacy, such as bodily or territorial. [1]
In turn, the boundaries of 'information privacy' are determined by the meaning of 'personal information'.
The Privacy Act does not list what is personal information. The definition of personal information refers to information or opinion about an individual whose identity is apparent or can be reasonably ascertained.
This notion of what can be 'reasonably ascertained' is significant. Clearly, whether an individual's identity can be ascertained depends on the context in which the information is held.
With newer, smarter technologies it becomes more difficult to assume that the identity of an individual cannot be ascertained from particular types of information that superficially may appear to be de-identified.
Indeed, in the digital age information about individuals can now be much more easily captured, aggregated and much more widely distributed than ever before.
Across the internet, in electronic databases, through mobile telephones, by email, credit cards, and even via interaction with toll roads and global positioning systems, we leave a trail of information about ourselves like never before.
Principle-based and technology neutral regulation
Coupled with the key concept of personal information, the underlying framework of the Privacy Act is that the Act provides for principle-based, technology-neutral regulation.
Principle based law rather than prescriptive black letter law is about shifting the regulatory focus from process to outcomes[2].
Principle based law seeks to encourage agencies and organisations to understand the policy underpinning the law and adapt their practices accordingly.
Principle based law allows organisations and agencies the flexibility to develop their own solutions according to their own circumstances, and encourages them to recognise the importance of good privacy practice, including as a potentially valuable source of competitive advantage. My Office provides guidance materials on a range of topics to support them in applying the law.
Our principles are based on the OECD Guidelines for the Fair Handling of Information which were written in the late 1970s and adopted by the OECD in 1980. They were written in a technologically neutral way, and have remained remarkably relevant since then.
The technological neutrality of the Act overcomes the challenge of constantly seeking to update the statute base as new technologies emerge, or as new uses are found for existing technologies.
The Privacy Principles
Within this framework of principle-based, technology neutral law, the Privacy Act has two sets of general principles.
Since its enactment in 1988 the Privacy Act has set out 11 Information Privacy Principles (IPPs) for Federal and ACT Government agencies that govern how those agencies handle personal information including its collection, use and disclosure, security and destruction.
Since 2001, the Act has included ten National Privacy Principles (NPPs), which also regulate the way private sector organisations collect, use, disclose and store personal information.
The NPPs are similar, though not identical, to the IPPs.
For example, they include obligations about transborder dataflows, data retention, and provide specific regulation of sensitive information, such as health information. The NPPs also give individuals rights to access personal information and where necessary to have it corrected.
Having two sets of principles is not ideal and the time has come for them to be merged into one set.
II. The future of privacy regulation
I will now share with you some thoughts on the future of privacy regulation in Australia.
2008 is an auspicious year for privacy regulation and for my Office. This year marks the 20th anniversary of the Privacy Act. It is a platinum year!
It seems fitting that it is also the year that the Australian Law Reform Commission (ALRC) will deliver its report on its review of privacy laws in Australia.
The past 20 years has been witness to much change, from technological developments and the increased interconnectedness of the global economy, through to changing social attitudes and ever better informed consumers. The ALRC's review offers a timely opportunity to assess the effectiveness of our privacy regime.
Together with similar reviews being conducted in NSW, Victoria and New Zealand, the review is a clear signal that governments recognise privacy as a valuable and necessary right. Laws must be kept up to date and relevant to ensure that proper protections are afforded to the privacy of personal information in the 21st century.
These inquiries come at a time of renewed public interest in privacy issues, and renewed concerns about how personal information should be handled in an age of developing technology, globalised information exchange, ease of travel, increased public surveillance and a more prominent role for national security matters.
In 2007, my Office released the findings of a study of community attitudes towards privacy as a follow-up to similar studies we have conducted in 2001 and 2004. The responses to the survey confirm that privacy is an issue of increasing concern to the community.[3]
For example, the research found that 50% of respondents have become more concerned about providing information online than they were three years ago. There were also increased levels of concern relating to identity theft; and, notably, 67% of respondents said that they provide false information over the internet in order to protect their privacy. An overwhelming 96% of respondents considered that organisations monitoring activity on the internet (that is recording information on the sites you visit without your knowledge) is a misuse of personal information.
The review process
So how does an ALRC process work?
I note that Professor David Weisbrot, President of the ALRC spoke to you last October on genetic privacy and ethics. I'm sure he spoke about the ALRC - its role and its processes. So I'll only say a few words on the ALRC's privacy review process.
In January 2006 in response to a recommendation made by me in our March 2005 review of the private sector provisions, the ALRC received terms of reference from the then Australian Attorney-General for an inquiry into the extent to which the Privacy Act 1988 and related laws continue to provide an effective framework for the protection of privacy in Australia.
The ALRC consulted in writing in two stages:
- firstly, by publishing two issues papers in late 2006[4]; and
- secondly, by publishing a more detailed three-volume 1976 page discussion paper in September 2007[5], which set out 301 proposals and 46 questions relating to privacy law reform.
The ALRC also has an advisory committee that has met twice during the life of the review, with a further meeting to be held later in March. I am a member of that committee. The ALRC has also held public meetings and targeted consultations with key stakeholders.
In December 2007, my Office made the last of three submissions to the Inquiry. This submission, of almost 800 pages, addressed each of the ALRC's proposals and questions and provides a coherent and comprehensive statement of my Office's views on what privacy regulation should look like in the future.
Following the ALRC's final report of its findings, which is now due to be presented to the Attorney-General by 30 May, any subsequent legislative changes will be determined by the Government's response to the ALRC proposals.
My Office looks forward to assisting the Government in forming this response. While I am pleased to discuss and promote my views on opportunities and challenges for privacy law reform, it is important to recognise that any changes to the privacy regulation are ultimately a matter for the Government and, then, Parliament.
Having said this, I would now like to outline what I believe are some of the key issues for privacy law reform. In raising these issues with the ALRC, I have sought to highlight the importance of ensuring that regulation is pursued that is, to the greatest degree possible, defined by its consistency, simplicity and clarity.
As I said at the outset, privacy law should be about commonsense, courtesy and respect. Laws are more likely to be obeyed and rights are more likely to be exercised if they are easily understood and able to be applied consistently and simply.
While arguing for consistency, simplicity and clarity I want to make it clear that this in no way means any weakening of existing protections. To the contrary, our suggestions for reform all seek to enhance existing protections and are also consistent with our strategic vision of an Australian community in which privacy is valued and respected.
I propose to address nine key specific areas of reform.
1. Keep it principles-based and technology neutral
My Office believes that it is important that the Privacy Act continue to be principles-based. As I have mentioned, this approach avoids inflexible and burdensome regulation that can often result from more prescriptive law.
In addition to a principles-based approach, my Office has argued for the continuing technological neutrality of the Privacy Act, and the ALRC has supported this notion to date.[6]
Technological neutrality is intended to recognise the inherent tensions in keeping statute law up to date with and able to respond to dynamic technological development; accordingly, the Privacy Act does not generally specify distinct types of technology to which it applies.
Technological neutrality does not however mean ignoring or being unresponsive to technological change. It is my view that we can have technological neutrality of privacy laws while still having laws that are technologically relevant.
I will return to this shortly to discuss the idea of empowering the Commissioner to make binding codes which are specific to certain technologies.
2. Create one set of principles
One way that regulatory complexity can be reduced is through the creation of a single set of privacy principles in the Privacy Act.
As I have noted, we currently have two sets of privacy principles - the IPPs and NPPs. I repeat my earlier suggestion - the value of having two sets of principles has long passed and there are real potential benefits to be gained by merging these into a single set of obligations.
One example of the difficulties arising from having two sets of principles is where an agency undertakes commercial activities. The agency could find it has obligations under both the public and private sector principles and may need to invest significant time and effort in ensuring that its activities meet the requirements of the appropriate set of principles depending on which activity it is engaging in.
Likewise, where a private sector organisation is contracted to undertake work for an agency, it needs to comply with both sets of principles.
Accordingly, having initially made the call for one set of principles in March 2005, I strongly support the ALRC's proposal that the IPPs and NPPs should be brought together into a single set of 11 principles, tentatively called the 'Unified Privacy Principles' that would generally apply to both agencies and organisations. [7]
The creation of a single set of privacy principles will reduce compliance difficulties, particularly for those businesses contracting to agencies. Consistency and simplicity of regulation will also empower individuals to understand and exercise their privacy rights.
3. Have national consistency in privacy laws
A third key issue for privacy law reform is how best to promote national consistency between the Privacy Act and other laws, including those of the states and territories.
National consistency with other Commonwealth and State laws would minimise government and private sector compliance burdens while maximising privacy outcomes, and allow individuals to exercise their privacy rights without confusion or difficulty.
I note that the ALRC has not proposed that state government agencies should be covered by the Privacy Act. What the ALRC has proposed, and what I support, is a cooperative federal-state approach in which the amended Privacy Act would form the basis for privacy legislation at the state and territory level.[8]
The ALRC has proposed that this model be given effect through dialogue held within the Standing Committee of Attorneys-General.
4. Improve clarity in the private health sector
Health information handling and the confusion resulting from regulatory overlap has been a significant focus of the ALRC review process.
At the national level, the handling of health information is regulated by the Privacy Act.
However, some states and territories have developed privacy legislation for their public sectors, with Victoria, NSW, and the ACT also enacting laws to regulate the handling of health information in the private sector.
Since 2005 I have argued for the removal of potential confusion for health service providers and consumers arising from overlapping legislation. Consequently I agree with the ALRC's proposal that federal privacy law should override state and territory legislation in relation to private sector health providers.[9]
5. Powers of the Commissioner
In relation to the powers of the Commissioner, my Office generally considers that the Privacy Act contains appropriate provisions to support the Commissioner's role in promoting and protecting privacy.
However, we believe that the strong focus in the current Act on individual complaints should be balanced with improved provisions for dealing with systemic privacy issues - this could be achieved through amendments to the existing powers available regarding privacy codes and privacy audits.
Creating codes where specific privacy concerns emerge
The ALRC has proposed, and my Office agrees, that the Commissioner should be empowered to make binding codes that go to certain industries, practices or technologies that may heighten privacy risks.
At present, the Privacy Act allows the Privacy Commissioner to approve privacy codes that are specific to an organisation, industry or type of activity. These codes must be at least the equivalent of the statutory privacy principles, and replace the NPPs in regard to the regulated organisation or activity.
The ALRC has proposed a different model to this, whereby privacy codes would be in addition to the proposed single set of principles, which have the interim title of the "Unified Privacy Principles", and go to matters of detail relating to specific technologies or practices.
Giving the Privacy Commissioner the power to make binding codes would provide an effective means of proactively responding to recurrent privacy issues within a particular sector.
Binding codes might, for example, be appropriate for specific issues such as where face recognition technology is combined with CCTV, or where Radio Frequency Identification is used to collect personal information.
These codes would be subject to mandatory consultation periods and to the scrutiny and disallowance of Parliament.
Audits
Currently, as the Privacy Commissioner I have powers to conduct audits of federal and ACT government agencies, credit providers and credit reporting agencies under the Privacy Act. The ALRC has proposed that the Commissioner be empowered to also conduct audits of private sector organisations.[10]
My Office supports this proposal in part, but has suggested the introduction of a qualified audit power for the private sector whereby the Commissioner may conduct an audit.
This would allow the Office to conduct audits of organisations where there are reasonable grounds to believe that the organisation is engaging in practices that contravene the privacy principles in the Act or pose new and significant risks to personal information they hold.
6. Introduce data breach notification
The mishandling of personal information is not a problem to be taken lightly. In the wake of recent major data breaches in the United Kingdom, I have again called for mandatory notification of significant data breaches by organisations or agencies.
As you may be aware from media reports, in November of last year, two CDs containing twenty-five million records of people claiming or receiving child benefits were lost in transit. The personal information lost included national insurance numbers and bank account details.
This incident led the British Prime Minister to promise additional powers for the United Kingdom Information Commissioner - the importance of which was possibly underscored by the more recent loss of two UK Defence Department CDs containing the details of 600,000 defence force applicants.[11]
These are perhaps two of the highest profile data breaches that have occurred throughout the world in recent years.
The ALRC has also supported the idea of a data breach notification requirement.[12]
By notifying people of a significant breach in a timely manner, organisations give people an opportunity to take any necessary steps to protect their personal information. A requirement to notify significant data breaches would also encourage organisations and agencies to take steps in the first place to secure the personal data they hold.
However, as with all things, it is the detail of how such a requirement is established that will be crucial, so as to ensure that it neither imposes an unreasonable burden for agencies and organisations, nor results in unnecessary or alarmist notifications to individuals.
My Office considers that notification should be limited to circumstances where a breach is assessed as giving rise to a real potential for serious harm to an individual. Determining what constitutes 'serious harm' will be a key issue for any mandatory notification requirement.
I flag with you that, in advance of the ALRC delivering its final report, the Government responding and the Parliament legislating any changes to privacy laws, I am developing a voluntary information security breach notification guide to assist agencies and organisations.
This is partly in response to what has been occurring internationally but also in response to requests from agencies and organisations for advice as to what they should do in particular circumstances.
We will be releasing a draft guide for consultation within the next month and I would welcome any comments.
7. Minimise exemptions
Exemptions to the Privacy Act are another key issue for possible law reform.
The list of organisations and agencies currently exempt from the Act includes small businesses that are not health service providers or trade in personal information, media organisations in the performance of journalism, and employee records held by organisations. A range of national security, intelligence and other bodies are also exempt from the Act.
My Office believes that to achieve uniformity and consistency of application of the privacy legislation, exemptions to the Privacy Act should be minimised, and only established where there are clear and compelling public policy reasons for doing so.
Employee Records
One area where there seems the potential to remove an exemption is in the case of employee records.
Employers can often hold significant amounts of personal information about their staff, which may include sensitive information. The absence of protection for employees' sensitive information seems particularly inconsistent with the recognition and protection that is given to sensitive information throughout the Privacy Act.
In the Office's 2007 Community Attitudes survey, 86% of those surveyed thought employees should have access to information employers keep about them.[13] The removal of this exemption is likely to be consistent with good employee relations practices as it accords with the community's expectations of how this information should be handled.
Small Business
After careful consideration, on balance my Office believes that the small business exemption should be retained.
In our view, removing this exemption may impose a regulatory burden that is not proportionate to the privacy risks. Many small businesses do not hold significant amounts of personal information.
At the same time, it should be noted that the small business exemption is not absolute. Small businesses can fall within jurisdiction if they trade in personal information or are contractors to federal government agencies.[14]
There is also a regulation making power in the Act which permits small businesses to be treated as if they were organisations.
This has most recently been used to prescribe residential database operators as organisations. In our submission we have raised the prospect of other sectors dealing with a lot of personal information such as childcare centres and ISPs being brought into the coverage of the Act.
In general though, it is our view that on balance for the majority of small (particularly micro) businesses not already covered by the NPPs it would be a disproportionate response to any privacy risks to impose a compliance burden.
Indeed imposing a regulatory burden on them may be counter-productive.
8. Simplify Credit Reporting
The Privacy Act regulates the reporting of individuals' credit information by credit reporting agencies and credit providers.
Although credit reporting provisions were introduced almost 20 years ago, the community continues to have strong concerns about the privacy of their financial information. The handling of individuals' personal credit information can have significant effects on whether they can access credit, not just for large items like home loans, but also for smaller transactions like personal loans or where credit is advanced to receive domestic utilities such as water, electricity and phone.
Our community attitudes research consistently shows that people are more reluctant to divulge details about their finances than any other type of information.[15]
My Office's key objective in promoting reform of credit reporting regulation is to promote consistency and simplicity and our most recent submission outlines in great detail measures which we think would achieve this. I won't go through each of these with you today.
Expansion of credit reporting process?
However, one issue that has been a primary concern in regard to credit reporting is the question of more comprehensive credit reporting, or what is sometimes called 'positive credit reporting'.
Currently, the Act mainly permits the collection and disclosure of personal information that detracts from an individual's credit worthiness - such as the fact that an individual has defaulted on a loan.
There has been a push by some stakeholders to expand the types of information that may be collected and disclosed in the credit reporting process to permit the reporting of information relating to an individual's current credit commitments or repayment performance including where you haven't defaulted on a loan.
In our view, at this stage, the available information about the effects of comprehensive credit reporting systems does not provide clear evidence of social or economic advantages significant enough to justify the resulting loss of individuals' privacy, choice and control.
My Office has suggested that independent research is required to determine what if any model of more comprehensive credit reporting would be appropriate to the Australian context.
9. Introduce Statutory Cause of Action
The final key issue that I will discuss today is the proposal for a statutory cause of action for invasions of privacy. This issue is discussed in some depth in the ALRC's discussion paper and was also a topic examined in the recent examination by the NSW Law Reform Commission.
I anticipate that this may be of particular interest to this audience, and so I will spend some time examining the details of this proposal.
As I have noted, the focus of the Privacy Act is on how agencies and organisations collect and use personal information. It does not deal with other aspects of privacy, such as a right to enjoyment of home or family life, or a right to freedom from surveillance. Nor does it cover actions taken by individuals (as opposed to organisations or agencies).
Currently, individuals must rely on a patchwork of common law and statutory measures to provide some protection to their sense of personal space, including, for example, defamation, nuisance and trespass to land. This may mean that individuals have to rely on elements of other actions which may be ill-suited to the circumstances of their grievance.
My Office supports the ALRC's proposal to introduce a statutory cause of action into the Privacy Act, which would give individuals the right to bring actions in court for a breach of privacy. The cause of action would not be limited to information privacy as is currently the case with the Privacy Act.
This would be consistent with Australia's obligations under article 17 of the International Covenant on Civil and Political Rights (ICCPR)[16]. It would clearly establish privacy as an important human right that warrants specific recognition and protection, in a way that meets the community's expectations and what is frequently its broader understanding of the term 'privacy'.
As the ALRC has noted, the proposed statutory cause of action would avoid an incremental introduction of such a right, as is arguably currently occurring through the common law.[17]
Over time a tort of privacy could be developed by the courts determined by the particular facts of the cases that come before them. Obviously this incremental development of law is not as systematic or as able to take into account all of the public policy considerations that a legislative proposal does as it goes through Parliament.
Coverage of the statutory cause of action
The ALRC has proposed that the statutory cause of action should cover federal government agencies, organisations, and individuals. State and territory public sector agencies would be covered, until such time as the states and territories enact uniform privacy legislation.
My Office agrees with this approach. Clearly, it would be preferable to introduce a statutory cause of action in a uniform manner across Australia to avoid fragmentation, inconsistencies and 'forum shopping'. I note that this was the impetus behind the recent introduction of uniform state and territory defamation laws. [18]
Types of invasion of privacy to be covered
As I have noted, the proposed cause of action is broader than simply information privacy.
The ALRC has proposed that the Privacy Act should contain a non-exhaustive list of the types of invasion of privacy that fall within the cause of action.
My Office supports this approach. It allows for flexibility in the development of the law and its application to different contexts. At the same time it would provide some guidance as to the scope that such an action would cover.
The examples listed by the ALRC include: interference with an individual's home or family life; unauthorised surveillance; interference, misuse or disclosure of sensitive information; and disclosure of sensitive facts about an individual's private life.
My Office has suggested that consideration be given to whether the statutory cause of action should also cover bodily and territorial privacy. We remain open to considering the full implication of such a step.
Limitations on the statutory cause of action
As might be expected, there is not universal support for the proposed statutory cause of action.
Media organisations, in particular, are concerned that a statutory cause of action for breach of privacy would stifle the free flow of information. Significantly, the existing media exemption would not apply to the proposed cause of action.
This is a legitimate point of view. However, there are a number of safeguards built into the ALRC's proposals which, I believe, should allay such concerns.
Firstly, the plaintiff would need to show that in all the circumstances:
- the plaintiff had a reasonable expectation of privacy; and
- the defendant's conduct was sufficiently serious to cause substantial offence to a person of ordinary sensibilities; and
- the defendant's act was either intentional or reckless.
Secondly, the ALRC proposes that there would be a number of defences, including that the information disclosed was a matter of public interest or was a fair comment on a matter of public interest.
The proposed defence of fair comment or public interest is an important one, which reflects the fact that privacy is not an absolute right and should be balanced with other human rights and social interests including freedom of expression.
Conclusion
I have only been able to touch on some of the areas that the Office believes are most important in privacy law reform. Indeed, it is hard to condense 786 pages into a 30-minute presentation!
I encourage you to have a look at the full submissions made by the Office, which are available on our website at www.privacy.gov.au/.
I would also encourage you to review the material on the ALRC's website at www.alrc.gov.au.
As I noted previously, my Office looks forward to assisting the Government in forming its response to the ALRC's recommendations, and then to assisting in any parliamentary processes that may occur with the introduction of new legislation.
The inquiry presents a once-in-a-generation opportunity to influence the shape of privacy law in Australia, and it is my hope that we will achieve world's best privacy law.
[1] A well-established typology of different forms of 'privacy' is:
- Information privacy - involving rules for the handling of personal data
- Bodily privacy - protection of our physical selves against invasive procedures
- Privacy of communications - security and privacy of mail, telephones etc
- Territorial privacy - setting limits on intrusions into domestic and other environments.
See Banisar D, 2000, Privacy and Human rights: an international survey of privacy laws and developments, Electronic Privacy Information Center, Washington DC. Available at www.privacyinternational.org/survey/.
[2] Discussion Paper 72, ALRC, p550
[3] Available at http://www.privacy.gov.au/materials/types/download/8820/6616
[4] Issues Paper 31 - Review of Privacy in October 2006 and Issues Paper 32 - Review of Privacy: Credit Reporting Provisions
[5] Discussion Paper 72, Australian Law Reform Commission, Review of Australian Privacy Law, 2007.
[6] Proposal 7-1, Discussion Paper 72, Australian Law Reform Commission, Review of Australian Privacy Law, 2007.
[7] Proposal 3-2, Discussion Paper 72, Australian Law Reform Commission, Review of Australian Privacy Law, 2007.
[8] Proposal 4-4, Discussion Paper 72, Australian Law Reform Commission, Review of Australian Privacy Law, 2007.
[9] Proposal 4-1, Discussion Paper 72, Australian Law Reform Commission, Review of Australian Privacy Law, 2007.
[10] Proposal 44-6, Discussion Paper 72, Australian Law Reform Commission, Review of Australian Privacy Law, 2007.
[11] It has been reported that "The stolen data includes passport details, national insurance numbers, family details and doctors' addresses for people who submitted an application to the forces, the ministry said. The laptop also contained bank details for at least 3,500 people." See, ComputerworldUK, 20 January 2008 available at http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=7088.
[12] Proposal 47-1, Discussion Paper 72, Australian Law Reform Commission, Review of Australian Privacy Law, 2007.
[13] Available at: http://www.privacy.gov.au/materials/types/download/8820/6616
[14] See section 95B of the Privacy Act.
[15] Available at: http://www.privacy.gov.au/materials/types/download/8820/6616
[16] Article 17 of the ICCPR states:
- 1. No one person shall be subjected to arbitrary or unlawful interferences with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation
- 2. Everyone has the right to the protection of the law against such interference or attacks.
[17] The door to the development of a tort of privacy through the common law system has been left open by the High Court's decision in Australian Broadcasting Corporation v Lenah Game Meats Pty Limited. To date, two lower courts have also held that such a cause of action is part of the common law of Australia.
[18] See SCAG Working Group of State and Territory Offices (2004) Proposal for Uniform Defamation Laws,


