11 December 2020
66. Should there continue to be separate privacy protections to address specific privacy risks and concerns?
67. Is there a need for greater harmonisation of privacy protections under Commonwealth law?
a. If so, is this need specific to certain types of personal information?
Privacy protections in other legislation
13.1 The Privacy Act is well-established as the primary Commonwealth privacy regulatory regime. The APPs are central to this framework and are the cornerstone of the regulation of privacy in Australia.
13.2 As noted in the Issues Paper, several Australian laws other than the Privacy Act also relate to privacy. The Commissioner has a range of regulatory responsibilities under various Commonwealth laws, which include the:
- Telecommunications Act 1997: this has several provisions that deal with personal information held by carriers, carriage service providers and others.
- Telecommunications (Interception and Access) Act 1979: this prohibits the interception of communications passing over a telecommunications system.
- National Health Act 1953 and legally binding privacy guidelines issued under that Act. These regulate the handling of Medicare and pharmaceutical benefits information.
- Data-matching Program (Assistance and Tax) Act 1990 and legally binding guidelines issued under that Act. These regulate the use of tax file numbers in matching personal information held by the Australian Taxation Office and assistance agencies such as the Department of Human Services and the Department of Veterans' Affairs.
- Part VIIC of the Crimes Act 1914: this relates to criminal records covered by the Commonwealth Spent Convictions Scheme, which provides protection for individuals with old minor convictions in certain circumstances.
- Anti-Money Laundering and Counter-Terrorism Financing Act 2006: this imposes a number of obligations on the financial sector, gambling sector, bullion dealers and other professionals or businesses that provide particular 'designated services'.
- Healthcare Identifiers Act 2010: this establishes the Healthcare Identifiers Service and prescribes how healthcare identifiers will be assigned and how they can be used and disclosed.
- My Health Records Act 2012: this creates the legislative framework for the My Health Record system.
- Student Identifiers Act 2014: this establishes a national online record of students’ education and training attainments and qualifications, as part of the Unique Student Identifier scheme.
13.3These laws generally require the Commissioner to perform certain duties or activities or require certain agencies to consult with the Commissioner on privacy matters.
13.4 In addition, the OAIC has specific monitoring and advice related functions under the Privacy Act, which include, but are not limited to:
- examining proposed enactments that would require or authorise acts or practices that might otherwise interfere with privacy and ensuring that any adverse effects of a proposed enactment on the privacy of individuals are minimised, and
- providing reports and recommendations to the Minister in relation to any matter concerning the need for, or desirability of, legislative or administrative action in the interests of the privacy of individuals.
13.5 The OAIC regularly exercises these functions by providing privacy advice to government and other organisations on a wide range of issues and proposals. The OAIC publishes submissions made on various issues on its website.
13.6 The OAIC acknowledges that there are policy considerations that will justify separate Commonwealth privacy regimes and stronger privacy protections in certain circumstances. As outlined above, the OAIC actively performs various regulatory responsibilities under these regimes or has otherwise engaged in the development of the regime through its monitoring and advice functions. If privacy protections are included in other legislative regimes, it is critical that the Commissioner has full jurisdiction over enforcing those protections to ensure that privacy regulation is clear, consistent and effective.
13.7 In addition, where different regulators exercise different functions under various laws, it is important for regulators to work together to avoid any unnecessary or inadvertent overlap and uncertainty for consumers and industry. To this end, the OAIC has entered into memorandums of understanding (MOU) with other regulators including the ACCC, ACMA, ADHA and IGIS. The OAIC has also entered into MOUs with international counterparts, including the UK ICO, the Data Protection Commissioner of Ireland and the Personal Data Protection Commission of Singapore.
13.8To ensure that the OAIC can efficiently and effectively cooperate with other regulators and entities (such as other government agencies) during investigative and regulatory activities, it is critical that relevant information can be shared where necessary. Currently, the Commissioner must consider obligations under s 29 of the Australian Information Commissioner Act 2010 (Cth) (AIC Act), to ensure that disclosing information acquired in the course of exercising powers and functions is not a criminal offence. Under that provision, the only exemptions to disclosure are:
- disclosure is for exercising the same function/powers for which it was acquired
- the disclosure is for another lawful purpose, or
- with consent.
13.9 This limits the ability of the Commissioner to share information and cooperate with other regulators or law enforcement bodies during the course of exercising functions. Accordingly, the OAIC considers that the Privacy Act should be amended to provide an express power for the Commissioner to share information with other bodies where necessary, including other regulators, law enforcement and complaint handling bodies (including State or Territory or foreign bodies if they have functions to protect the privacy of individuals).
13.10More broadly, in order to permit effective information sharing, amendments to s 29 of the AIC Act are required to introduce additional exemptions to the broad prohibition on the disclosure of information by the Commissioner and OAIC staff to maximise the discretion of the Commissioner to disclose information where appropriate. Such exemptions could include where the Commissioner considers that the disclosure is in the public interest.
13.11 The amendments proposed above would ensure that duplicative investigation and regulatory responses – both domestically and globally – are avoided and limited resources are directed appropriately.
13.12It should also be noted that the Privacy Act contains existing mechanisms that may be used to address specific privacy risks and concerns, meaning a separate legislative regime may not always be necessary. As noted in Part 3 of this submission, Part IIIB of the Privacy Act allows for the creation of APP codes, which must set out how one or more of the APPs are to be applied or complied with, and the APP entities that are bound by the code. Codes do not replace the relevant provisions of the Privacy Act but operate in addition to the requirements of the Act. A code cannot reduce the privacy rights of an individual provided for the in the Privacy Act. Importantly, an APP code may be expressed to apply to any one or more of the following:
- all personal information or a specified type of personal information
- a specified activity, or a specified class of activities, of an APP entity
- a specified industry sector or profession, or a specified class of industry sectors or professions
- APP entities that use technology of a specified kind.
13.13 However, while the existing code-making framework can be utilised to provide more specificity and certainty around the application of certain APPs, the OAIC considers that it should be amended to provide the Commissioner with greater flexibility and discretion to develop APP codes as recommended at Recommendation 14.
13.14 In addition, as per the OAIC’s recommendation 15, a general power to make legally-binding rules would provide the Commissioner with the ability to provide the regulated community with additional certainty in how to address certain privacy risks and concerns, by providing greater specificity and particularisation around the application of the APPs where necessary.
Recommendation 67 Ensure that the Commissioner has full jurisdiction over enforcing any privacy protections that are included in other legislative regimes.
Recommendation 68 Amend the Privacy Act to provide an express power for the Commissioner to share information with other bodies where necessary, including other regulators and government agencies, law enforcement and complaint handling bodies (including State or Territory or foreign bodies if they have functions to protect the privacy of individuals).
Harmonisation of privacy laws
13.15 One of the objects of the Privacy Act is to provide the basis for nationally consistent regulation of privacy and the handling of personal information.
13.16 The APPs promote national consistency of regulation by providing a minimum set of standards that are applicable to both Australian Government agencies and private sector organisations covered by the Act. As noted above, the APPs are principles-based and technologically neutral, giving entities flexibility to tailor their personal information handling practices to their business models and the diverse needs of individuals.
13.17 The Privacy Act also contains important rights, obligations and enforcement mechanisms to protect the personal information provided to the Australian Government agencies and private sector organisations that are subject to its jurisdiction, including access to redress mechanisms, monitoring and oversight by an appropriate regulator and data breach notification requirements.
13.18 The OAIC considers that harmonisation of privacy protections should generally be a key goal in the design of any federal, state or territory laws that purport to address privacy issues. Consistency in regulation across jurisdictions will also reduce compliance burdens and cost and provide clarity and simplicity for regulated entities and the community.
13.19 More broadly, Commonwealth, State and Territory governments are increasingly working together on national initiatives that involve sharing information across jurisdictions. In many instances, these initiatives rely on jurisdictions across Australia having privacy frameworks that are equivalent to the protections afforded by the Commonwealth Privacy Act.
13.20; As noted in Part 1, above, we suggest that national consistency of privacy regulation should be a key goal of Council of Attorneys-General (CAG). Alignment of rights and obligations with the Privacy Act would ensure that Australians’ personal information is subject to similar requirements whether that personal information is handled by an Australian Government agency, a state or territory government agency, or private sector organisations.
Recommendation 69 Ensure that harmonisation of privacy protections is a key goal in the design of any federal, state or territory laws that purport to address privacy issues.
Recommendation 70 Ensure that the privacy protections in any laws that purport to address privacy issues are commensurate with those under the Privacy Act.
 Privacy Act 1988 (Cth), s 28A(2)
 Privacy Act 1988 (Cth), s 28A(2)(c)
 Privacy Act 1988 (Cth), s 28B(1)(c)
 This would align with the secrecy provisions of other international privacy regulators such as the UK Information Commissioner’s Office and the New Zealand Privacy Commissioner. For example, the United Kingdom’s Data Protection Act 2018 (DPA) is similar to the AIC Act in its prohibition on the disclosure of information by the UK Information Commissioner and staff of the Information Commissioner’s Office. However, the DPA contains an exception to this prohibition where, having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest. Similarly, s 206-208 of the Privacy Act 2020 (NZ) enable the Commissioner to disclose information in a wide range of circumstances including where information ‘in the Commissioner’s opinion ought to be disclosed for the purposes of giving effect to this Act.’
 OAIC (2013), Guidelines for developing codes (accessed 17 November 2020).
 Privacy Act, s 26C(4).