SYDNEY – The Australian Law Reform Commission has concluded its largest ever research and public consultation exercise by recommending a re-write of the nation’s 20-year-old privacy laws to keep pace with the information age.
The three-volume, 2,700-page report recommends 295 changes to privacy laws and practices, to be implemented in two stages over the next three years.
Commission president Professor David Weisbrot told Computerworld that Australia’s current Privacy Act, legislated in 1988, was created in a completely different environment before technologies like the Internet, e-commerce and social networking greatly augmented the challenge of safeguarding the flow of personal information.
“The commissioners who were in charge of the report at that time wouldn’t have had a mobile phone or a PC on their desk, no digital cameras, no e-tags, e-mail, no e-anything. There were no high-speed computers for individuals or private industry with which they could do data matching and data mining, and no high-tech surveillance cameras,” he said.
Since then, the information we gather has stayed the same, but technology has made it far easier to access, control and manipulate that information. Electronic medical records and health information, online banking, finance and credit history, personal information on public and corporate databases, and social networking sites are just a few examples of technologies revolutionizing the relationship between public databases, individual privacy and third-party users.
Weisbrot said the most significant recommendation for reform is a complete restructuring and simplification of the statutory framework of the Privacy Act, so that it is focused around 11 uniform principles rather than separate principles for the government and private sectors, an arrangement that left many individuals and businesses wading through massive amounts of complex material to find which laws apply to them.
“We’re saying let’s flip it around – let’s make it general with higher-order principles that will cover most situations most of the time. Then if you’re dealing with some specialized area like health information or credit reporting, you supplement that area with rules that are dedicated specifically to regulate that area,” he said.
The first stage of reforms, set to be implemented within a year’s time, will address this process of simplifying and streamlining the Privacy Act, while the second stage, which will include a statutory cause of action for data and privacy breaches, will be looked at in 12 to 18 months’ time.
One area of IT that will feel the impact is human resources, where employee data will no longer be exempt from the law under the ALRC’s recommendations.
Another key principle the ALRC proposed covers the regulation of cross border data flows, with the basic principle that an agency or organization that transfers personal information outside the country remains accountable for it, except in certain specified circumstances.
Government agencies and business organizations will also be required to notify individuals and the Privacy Commissioner where there is a real risk of serious harm occurring as a result of a data breach.