26 July 2011

Principled privacy?

I've been rereading the Senate Finance & Public Administration Legislation Committee's 308 page initial report on the Exposure Drafts of Australian Privacy Amendment Legislation.

The report follows the 128 page report by the Senate Environment & Communications References Committee, The adequacy of protections for the privacy of Australians online [PDF], noted earlier this year.

The F&PA Committee makes 29 recommendations -
R1 - that the Department of the Prime Minister & Cabinet re-assess the draft Australian Privacy Principles with a view to improving clarity through the use of simpler and more concise terms and to avoid the repetition of requirements that are substantially similar.

R2 - that reconsideration be given to the inclusion of agency specific provisions in the Australian Privacy Principles in the light of the Office of the Privacy Commissioner's suggestion that agency specific matters should, in the first instance, be dealt with in portfolio legislation.

R3 - that the Office of the Australian Information Commissioner develop guidance on the interpretation of 'personal information' as a matter of priority.

R4 - that the Office of the Australian Information Commissioner develop guidance on the meaning of 'consent' in the context of the new Privacy Act as a matter of priority.

R5 - that the Government, in consultation with the Office of the Australian Information Commissioner, give consideration to the provision of a transition period for entities to fully comply with the implementation of the new Privacy Act.

R6 - that a note be added at the end of APP 1(5) which indicates that the form of an entity's privacy policy 'as is appropriate' will usually be an online privacy policy.

R7 - that the wording of APP 2(2)(a) be reconsidered to ensure that the exception to the anonymity and pseudonymity principle cannot be applied inappropriately.

R8 - that in relation to the collection of solicited information principle (APP 3), further consideration be given to:
• whether the addition of the word 'reasonably' in the 'necessary' test weakens the principle; and
• excluding organisations from the application of the 'directly related to' test to ensure that privacy protections are not compromised.

R9 - that the term 'no longer personal information' contained in APP 4(4)(b) (ie re receiving unsolicited information) be clarified.

R10 - that the drafting of APP 7 (direct marketing) be reconsidered with the aim of improving structure and clarity to ensure that the intent of the principle is not undermined.

R11 - that the note to APP 7(1) be redrafted to better reflect the position outlined in the Government response.

R12 - that the Australian Information Commissioner develop guidance in relation to direct marketing to vulnerable people.

R13 - that the structure of APP 7(2) and APP 7(3) in relation to APP 7(3)(a)(i) be reconsidered.

R14 - that a note be added to the end of APP 8 making reference to section 20 of the new Privacy Act.

R15 - that the Department of the Prime Minister & Cabinet develop explanatory material to clarify the application of the term 'disclosure' in Australian Privacy Principle 8.

R16 - that the Office of the Australian Information Commissioner develop guidance on the types of contractual arrangements required to comply with APP 8 and that guidance be available concurrently with the new Privacy Act.

R17 - that, when the Australian Government enters into an international agreement relating to information sharing which will constitute an exception under APP 8(2)(d), the agency or the relevant minister table in the Parliament, as soon as practicable following the commencement of that agreement, a statement indicating -
• the terms under which personal information will be disclosed pursuant to the agreement; and
• the effect of the agreement on the privacy rights of individuals.

R18 - that further consideration be given to the wording of the law enforcement exception in APP 8(2)(g) to ensure that the intention of the provision is clear.

R19 - that section 19, relating to the extraterritorial application of the Act, be reconsidered to provide clarity as to the policy intent of the provision.

R20 - that the Department of the Prime Minister & Cabinet develop explanatory material in relation to the application of the accountability provisions of section 20.

R21 - that the term 'reasonably necessary' be replaced with 'necessary' in APP 9(2)(a), (b) and (f).

R22 - that the Office of the Australian Information Commissioner undertake a review of agency voluntary data-matching guidelines, including emerging issues with the use of government identifiers, and that the outcome inform further consideration of the extension of APP 9 to agencies.

R23 - that proposed APP 10(2), pertaining to the quality of personal information disclosed by an entity, be re-drafted to make clear the intended use of the term 'relevant'.

R24 - that a definition of the term 'interference' used in proposed APP 11(1)(a), pertaining to the security of personal information, be provided or a note included in the legislation to explain its meaning in this context.

R25 - that the Australian Information Commissioner provide guidance on the meaning of 'destruction' in relation to personal information no longer required and the appropriate methods of destruction of that information.

R26 - that, in relation to the proposed exceptions provided for in APP 12(3) -
• the Australian Information Commissioner provide guidance in relation to the application of the 'frivolous and vexatious' exception (APP 12(3)(c));
• clarity be provided as to the stage at which the negotiations exception in APP 12(3)(e) may be invoked; and
• further consideration be given to the exception in APP 12(3)(j) in relation to commercially sensitive decisions to ensure that the rights currently provided for in the Privacy Act 1988 are not diminished.

R27 - that a note be added to proposed APP 12(4)(a) to clarify that a reasonable period of time in which an organisation must respond to a request for access would not usually be longer than 30 days.

R28 - that APP 12(8) be amended so that it is made clear that access charges imposed by organisations should only be charged at a level reasonably necessary to recoup costs incurred by the entity.

R29 - that the decision to omit the term 'misleading' in APP 13 (correction of personal information) be reconsidered.