The Australian Law Reform Commission was asked by the Federal Government to review the current privacy law.
In 2000, the federal Privacy Act 1988 was extended to apply to the private sector. From this time, privacy statements and policies appeared on websites, and banks often cited ‘privacy law’ as a reason not to provide you with information (often misconceived). This extension of the law from government and banks to the private sector was introduced to bring Australia into line with the OECD Guidelines on privacy, without which cross-border flows of information would be restricted.
The legislation is heavily criticised as overly complicated but, from an enforcement point of view, toothless. The ALRC has now published its report For your information: Australian Privacy Law and Practice. Perhaps the most significant proposed changes are:
- Simplification of the legislation
- Introducing national consistency, principally by overriding state legislation that duplicates regulation and confuses the end result
- Reducing the complexity and number of exceptions including those exceptions for political parties, employee records and small business.
- Stronger civil penalties for repeated breaches.
- More comprehensive credit reporting including ‘positive’ credit reporting but only when there is an “adequate framework imposing responsible lending obligations in all jurisdictions”
- New special purpose legislation dealing with health-related privacy information
- Obligation to notify an individual if there is a real risk of serious harm occurring as a result of a data breach.
So, if adopted, small businesses (turnover < $3M) will no longer be exempt from compliance. Also, employee records will no longer be exempt.
So, if your business was previously exempt or you relied on the exemption in relation to employee records, watch this space.