Privacy Law and Policy Reporter
The Committee therefore recommends that a mechanism be included in the Bill to allow otherwise exempt small businesses, if they choose, to opt in to the coverage of the Bill and be subject to the jurisdiction of the Privacy Commissioner or an approved code adjudicator.
The Committee recommends that clause 16D be amended so that the delayed application of the National Privacy Principles does not apply in relation to small businesses that provide a health service.
The Committee therefore recommends that a new subclause be inserted after subclause 6D(4) of the Bill which clarifies that the small business exemption does not extend to acts or practices of a small business operator in relation to an employee record.
The Committee therefore recommends that the Government clarify that, in respect of the small business exemption, to collect or disclose personal information for any motive, including for example a malicious or altruistic motive, without the consent of the individual concerned should attract the application of the National Privacy Principles.
The Committee recommends that the current definition of ‘employee record’ (which will be given the protection of the NPPs) in section 6(1) read: ‘employee record’, in relation to an employee, means a record of personal information relating to the employment of the employee other than an exempt employee record. Examples of personal information relating to the employment of the employee are health information about the employee and personal information about all or any of the following: (a) the terms and conditions of employment of the employee; (b) the employee’s personal and emergency contact details; (c) the employee’s hours of employment; (d) the employee’s salary or wages; (e) the employee’s membership of a professional or trade association; (f) the employee’s trade union membership; (g) the employee’s recreation, long service, sick, personal, maternity, paternity or other leave; (h) the employee’s taxation, banking or superannuation affairs.
The Committee recommends that a new definition of ‘exempt employee record’ be inserted in clause 6(1) reading as follows: ‘exempt employee record’, in relation to an employee, means a record of personal information relating to the employment of the employee and consisting of the following: (a) the engagement, training, disciplining or resignation of the employee; (b) the termination of the employment of the employee; (c) the employee’s performance or conduct.
The Committee recommends that clause 7B(3) be amended as follows: ‘An act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt for the purposes of paragraph 7(1)(ee) if the act or practice is directly related to: (a) a current or former employment relationship between the employer and the individual; and (b) an exempt employee record held by the organisation and relating to the individual;
The Committee recommends that the operation of this exemption be monitored and specifically reassessed in the next review of this legislation.
The Committee therefore recommends that, in order for a journalist or media organisation to obtain the benefit of the media exemption under this legislation, he, she or it must subscribe to a code developed by a media organisation or representative body or, in the absence of such a code, a model code prepared by the Privacy Commissioner.
The Committee further recommends that the Privacy Commissioner conduct an education campaign to inform the public about the special provisions applying to the media.
The Committee recommends that clause 7C(1)(c) be amended by deleting ‘... another aspect of the political process’ and replacing it with ‘... in parliamentary or electoral matters.’
The Committee recommends that clause 7C(2)(b)(iii) be amended by deleting ‘the participation in another aspect of the political process ...’ and replacing it with ‘the participation in the parliamentary or electoral process.’
The Committee recommends that a new provision be inserted to provide that clause 7C does not allow a political party or political representative to sell or disclose personal information collected by the political party or political representative in the course of their duties to anyone not covered by the exemption.
The Committee recommends that the Government encourage all relevant parties to reach an agreed position on the major issues raised in the evidence to this inquiry, such as the harmonisation of privacy principles applicable to the public and private sectors, as a matter of urgency.
In the meantime the Committee recommends that health information be included in the Bill subject to its comments in Chapter 7.
The Committee recommends that the basis for this harmonisation be the access standards set out in the ACT Health Records (Privacy and Access) Act 1997. That is, a patient should have a right of access to his or her medical records unless:
The Committee recommends that as from the date of commencement of the legislation a further period of grace of three years be extended to holders or users of existing information in respect of information held at that time.
If, at the conclusion of three years, organisations have not used that information, the Committee recommends that they should be required either to delete it or seek explicit consent from the subject of the information to continue to hold it.
The Committee recommends that the National Privacy Principles apply to tenancy databases from the date of commencement of the Bill and the Government ensure that tenancy databases do not gain the benefit of the small business exemption.
The Committee recommends that the Bill be amended to make clear that every time personal information is used for the secondary purpose of direct marketing the organisation must provide an opportunity for the individual to opt-out of further communications. The offer to opt-out must: (a) be prominently placed on the direct marketing material; (b) be accompanied by a street address and telephone number in Australia; (c) be accompanied by an email address if the original communication was made via email; and (d) if the organisation sending the material has them, be accompanied by its ACN and ABN numbers.
The Committee recommends that the Privacy Commissioner establish guidelines for use by companies in determining the extent of information they should provide to consumers pursuant to National Privacy Principle 1 about the nature of their corporate groups and the information that will be shared with the members of that group.
The Committee recommends that clause 13B of the Bill be amended to ensure that if an organisation that is not required to comply with National Privacy Principle 1 discloses personal information to a related body corporate, the collecting organisation is required to comply with National Privacy Principle 1 prior to disclosure.
The Committee therefore recommends that clause 18BF(1)(b) be amended to require the Privacy Commissioner to consult with all affected stakeholders before making guidelines relating to making and dealing with complaints under approved privacy codes.
Source: House of Representatives Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (June 2000).