The Tasmanian Law Reform Institute has released its Final Report on the Review of Privacy Law in Tasmania, following the Issues Paper
of March 2023.
The Report makes 63 recommendations for reforms.
The Institute comments that the Final Report
adopts a broad working definition of privacy ([2.2]) which
covers the overlapping categories of information privacy, privacy of communications, bodily privacy,
and territorial privacy. Bodily and territorial privacy are collectively known as ‘rights to seclusion’,
which is the right to have one’s physical self and one’s environment free from intrusion.
Currently, there is no comprehensive privacy regulation in Tasmania. Rather, privacy protection is
fragmented across different laws that protect different types of privacy in different specific
circumstances ([2.5]). Different legislation may interact to affect privacy protections (Part 2). The
applicability of regulations at the Australian federal level under the Privacy Act and the international
level creates further complexity in the landscape of privacy protection. Accordingly, in answer to the
overarching question guiding this project, the TLRI’s view is that existing privacy laws in Tasmania
are not adequately protective.
In contemplating appropriate reforms, the TLRI considers that consistency of the Tasmanian
information privacy legislation with the Commonwealth and other State and Territory legislation is
desirable. This is a key issue identified in reviews elsewhere in Australia, and in submissions to this
Final Report. Consistency reduces confusion, promotes information sharing and enables Tasmania to
learn from the experiences in other jurisdictions.
A statutory tort for serious invasions of privacy
In addressing the gaps in privacy protection, together with the fragmented landscape of protection under
both legislation and general law, the TLRI considers that there is a case for creating a civil statutory
cause of action (and remedy) for certain interferences with privacy. The TLRI considers that the
introduction of a statutory tort for serious invasions of privacy would address a significant gap in
privacy protection in Tasmania that appears unlikely to be addressed in common law in the immediate
term. This view is consistent with recommendations of multiple national and State-based reviews in
recent years.
A statutory tort to be enacted in a standalone Commonwealth Act, with cross-vesting of federal
jurisdiction, would be the most appropriate way to introduce such a protection. However, the TLRI
considers that, if the Commonwealth does not adopt the proposal of the ALRC and the Privacy Act
Review in the near future, further consideration should be given to the introduction of Tasmanian
legislation to create a statutory civil cause of action, or statutory tort, of privacy.
Personal Information Protection Act 2004 (Tas)
The primary privacy framework in Tasmania is the Personal Information Protection Act 2004 (Tas)
(‘PIPA’), which binds government agencies and their contractors. It protects government-held
information, primarily through prescribing 10 ‘Personal Information Protection Principles’ (‘PIPPs’)
by which the entities must abide. While a detailed piece of legislation, there are multiple gaps in its
scope, operation, and enforcement that can jeopardise privacy. To address these gaps, the TLRI makes
recommendations relating to the scope of the information protected by:
• amending the definition of personal information;
• inserting into the PIPA a non-exhaustive list of circumstances to which PIPA personal
information custodians will be expected to have regard in assessing whether identity is
‘reasonably identifiable’;
• inserting a definition of ‘de-identified’; and
• aligning the definition of ‘sensitive information’ by adding biometric information and genetic
information about an individual that is not otherwise health information to the PIPA definition.
The TLRI also makes recommendations about removing exemptions or exceptions under the PIPA
relating to employee information and public information. Currently, these types of information receive
less than the general level of legislative privacy protection (see [4.12]).
The TLRI also considers that a definition of law enforcement information should be included in the
PIPA and that the Ministerial exemption mechanism based on a public benefit assessment in the PIPA
should be amended. Further, it is the TLRI’s view that exemptions for information handling in
emergency situations should be provided for in the PIPA (see [4.15]).
In addressing the alignment of the Tasmanian privacy principles with the Commonwealth Act, the TLRI
recommends a number of changes to the PIPPs and other provisions of the PIPA to enhance consistency
and clarity for both individuals and personal information custodians and to respond more
comprehensively to privacy risks associated with the increasing proliferation and sophistication of
digital technology (see Parts 5–7). These reforms are in the areas of the collection, use and disclosure
of personal information, data quality, security, access and correction, and complaints, monitoring, and
enforcement (see Parts 5 and 6).
The TLRI notes the concerns raised in multiple submissions about the privacy risks associated with
emerging technology, such as facial recognition and automated decision-making. The TLRI agrees with
the findings of the Commonwealth Privacy Act Review and other recent projects (such as the AHRC’s
Human Rights and Technology project) that the risks associated with these technologies justify reforms
to privacy legislation. There is considerable scope to strengthen the PIPA complaints process, and to
make provision for remedies for breaches of the PIPA, in order to enhance privacy protections for
individuals and foster personal information custodians’ compliance with the PIPA. The TLRI considers
that strengthened data breach notification measures should be implemented in Tasmania; this is
discussed in more detail in Part 8. Additional resources would need to be made available to assist
personal information custodians to comply with data breach notification requirements.
Other legislative provisions outside the Personal Information Protection Act 2004 (Tas) (‘PIPA’)
that impact the privacy of government-held information
Rights relating to the handling of personal information and the right to information held by government agencies are closely related. Yet, unlike in other jurisdictions, there is a lack of clarity as to the
relationship between the privacy protections in the PIPA and freedom of information rights in the Right
to Information Act 2009 (Tas) (‘RTI Act’). There is also uncertainty regarding the interaction of the
PIPA with other legislative schemes that have provisions restricting the sharing of government-held
information or providing for access to information. Accordingly, it is the TLRI’s view that there should
be a close examination of the relationship between the provisions of the PIPA and other Tasmanian
legislation with a view to obtaining greater harmonisation and consistency between them (see Part 9).
Other legislation provides protection against multiple forms of harm to privacy interests but these are
generally limited to activities or circumstances in which specific interferences with privacy might occur.
These include stalking, harassment, image-based abuse (previously called ‘revenge pornography’),
governmental or workplace surveillance, and handling of health information.
In relation to the issue of the adequacy of the surveillance legislation applying in Tasmania ([10.2]–
[10.11]), the TLRI notes that generally the approach under the Listening Devices Act 1991 (Tas) and
the Police Offences Act 1935 (Tas) provides a broad safeguard for individual privacy. Nevertheless, the
TLRI considers that there is scope to expand existing surveillance protections contained in the Listening
Devices Act 1991 (Tas) to cover a broader range of technologies, such as visual and tracking devices,
as exists in most other jurisdictions.
Stalking, harassment, and bullying may in some circumstances involve interference with privacy—
whether through intrusion upon seclusion (also referred to as physical privacy, meaning a person’s
bodily or territorial privacy) or through the malicious use of private information against the person
concerned (for example, to intimidate, blackmail, or otherwise coerce that person). As with other
egregious interferences with privacy, these behaviours may cause humiliation, psychological distress,
or intimidation.
After reviewing the legislation that exists in other jurisdictions, and taking into account the submissions
received, the TLRI’s view is that there are areas in which the laws that apply in relation to stalking and
bullying could be strengthened in Tasmania to provide greater clarity around, and better protection for,
physical privacy. There is also a need to enact State-based offences relating to distributing an intimate
image without consent or threatening to distribute an intimate image. This is consistent with the
National Statement of Principles relating to the Criminalisation of the Non-consensual Sharing of
Intimate Images, which sets out principles for nationally consistent criminal offences.
The Recommendations are:
Recommendation 1: The definition of ‘personal information’ in the PIPA should be amended to:
• replace ‘about’ with ‘relating to’; and
• introduce a non-exhaustive list of information that may fall within the definition of personal
information.
Recommendation 2: Further consideration should be given to:
• amending the definition of ‘personal information’ by replacing ‘reasonably ascertainable’ with
‘reasonably identifiable’; and
• providing further guidance for personal information custodians by inserting a non-exhaustive
list of circumstances to which PIPA personal information custodians will be expected to have
regard in assessing whether identity is ‘reasonably identifiable’.
Recommendation 3: The PIPA should be amended to insert a definition of ‘de-identified’ that is consistent with the definition in the Privacy Act 1988 (Cth) and that clarifies that ‘de-identification is a
process, informed by best available practice, applied to personal information which involves treating it
in such a way such that no individual is identified or reasonably identifiable in the current context’.
Recommendation 4: Further consideration should be given to whether the PIPA should be amended
to:
• introduce a criminal offence for ‘malicious re-identification’ of de-identified information where
there is an intention to harm or obtain an illegitimate benefit; and/or
• introduce a prohibition on PIPA personal information custodians from re-identifying
information obtained from a source other than the individual to whom the information relates.
Recommendation 5: The definition of ‘sensitive information’ in the PIPA should be amended to
include:
• biometric information used for the purpose of automated biometric verification or biometric
identification;
• biometric templates; and
• genetic information about an individual that is not otherwise health information.
Recommendation 6: If Recommendation 1 is implemented, the definition of ‘sensitive information’
should also be amended to replace ‘about’ with ‘relating to’.
Recommendation 7: The definition of ‘health information’ in the PIPA should be amended to align
with the definition of ‘personal information’.
Recommendation 8: In line with developments at the Commonwealth level and the desirability of
consistency with the approach in other jurisdictions, further consideration should be given to amending
the PIPA to expand the definition of ‘sensitive information’ to:
• include genomic information; and
• include inferences about sensitive information.
Recommendation 9: Pending the outcome of the Commonwealth Privacy Act Review, further
consideration should be given to amending the PIPA to:
• insert a definition of geolocation tracking data; and
• specify that such geolocation tracking data can only be collected, used, disclosed, and stored
with consent.
Recommendation 10: Section 12 of the PIPA should be subject to further consultation with public
authorities, to clarify whether the provision is necessary in light of other information-sharing provisions
in the PIPA.
Recommendation 11: The employee information exemptions in the PIPA should be removed.
Recommendation 12: The public information exemption in the PIPA should be removed.
Consideration should be given to ensuring that appropriate resources, guidance and transition periods
are set to enable public authorities to comply with this amendment.
Recommendation 13: A definition of ‘law enforcement information’ should be included in the PIPA.
Recommendation 14: The public benefit exemption mechanism should be amended to either:
(a) introduce a mechanism making Ministerial public benefit determinations subject to
disallowance by the Parliament; or
(b) if Recommendation 47 is adopted and an independent office-holder (such as an information
commissioner or a privacy commissioner) is established, confer the power to make public
benefit determinations on that office-holder, subject to disallowance by the Parliament.
Recommendation 15: There should be appropriate exemptions for information handling in emergency
situations in the PIPA.
Recommendation 16: The term ‘collects’ should be defined in the PIPA, and the definition should
include inferred and generated information.
Recommendation 17: PIPP 1(3) should be amended to require personal information custodians to
disclose who else may have access to the information once collected.
Recommendation 18: PIPP 1 should be amended to require personal information custodians to take
reasonable steps to give notice of collection at or before the time of collection or, if that is not
practicable, as soon as practicable after collection.
Recommendation 19: Further consideration should be given to the recommendations of the
Commonwealth Privacy Act Review in relation to whether the PIPA requirements relating to collection
notices should be amended to:
• require that collection notices should be clear and understandable (including where addressed
to a child) and accessible; and
• require that collection notices contain additional details, such as details of the circumstances of
handling where a high-risk activity is involved, information about the privacy policy and what
it contains, and information about individual rights and types of information that may be
disclosed to cross-border recipients.
Recommendation 20: PIPP 1 should be amended to enable personal information custodians to collect
personal information about an individual from a person other than the individual, where the individual
has consented or the custodian is required by law to collect the information.
Recommendation 21: The PIPA should be amended to insert a definition of ‘consent’ consistent with
the definition of valid consent in the OAIC Guidelines on the Australian Privacy Principles.
Recommendation 22: Guidance on the design of consent requests for online services should be
available to personal information custodians.
Recommendation 23: PIPP 1 should be amended to specify how personal information custodians
should respond to receiving unsolicited information.
Recommendation 24: Further consideration should be given to aligning the PIPA with the Privacy Act
in relation to cross-border in terms of:
• whether personal information custodians should be required to hold a reasonable belief that
there are mechanisms for the individual to enforce existing privacy protections prior to cross-
border disclosure;
• whether personal information custodians should be required to expressly inform individuals
that, if the individual consents to cross-border disclosure, the custodian will not be obliged to
take reasonable steps to ensure the recipient does not breach the PIPP (and, per the Privacy Act
Review’s further proposal, that privacy protections may not apply to the recipient); and
• whether personal information custodians retain responsibility for breaches of the PIPPs after
they have taken reasonable steps to ensure the recipient deals with the information consistently
with the PIPPs.
Recommendation 25: The PIPA should be amended to include a definition of ‘disclosure’ consistent
with the current definition in the OAIC Guidelines on the Australian Privacy Principles.
Recommendation 26: The PIPA should be amended to require that collection, use and disclosure of
personal information must be fair and reasonable in the circumstances, in line with the recommendation
of the Privacy Act Review.
Recommendation 27: The PIPA (PIPP 1) should be amended to require personal information
custodians to determine and record the purposes of collection, use, and disclosure of personal
information, including any secondary uses or disclosures.
Recommendation 28: The scope of PIPA information handling exceptions relating to requirement or
authorisation under law should be clarified.
Recommendation 29: The PIPA should be amended to state that consent to personal information
handling must be ‘voluntary, informed, current, specific, and unambiguous’, in line with the proposal
of the Privacy Act Review.
Recommendation 30: The Tasmanian Government should participate in cross-jurisdictional work on
the scope and harmonisation of research exceptions in privacy legislation (as proposed by the Privacy
Act Review), including in relation to the introduction of a ‘broad consent’ option for research-related
personal information handling.
Recommendation 31: Further consultation with stakeholders, including children and young people and
their parents and carers, should be undertaken to ensure that privacy protections under the PIPA are
appropriate for children and young people and are consistent with contemporary understandings of
children’s decision-making capacity. Matters for consultation may include:
• whether the PIPA should be amended to specify that consent to information handling will only
be valid where the individual has capacity to consent;
• whether the PIPA should be amended to establish exceptions to consent requirements where
seeking consent from a parent or guardian would be inappropriate or harmful for the child or
young person; and
• whether guidance should be developed to assist personal information custodians to assess the
capacity of children and young people on a case-by-case basis.
Recommendation 32: Guidance on capacity and consent, including guidance on recognising and
facilitating supported decision-making, should be available to personal information custodians.
Recommendation 33: An individual ‘right to object’, with the same features as the right proposed by
the Commonwealth Privacy Act Review, should be introduced in the PIPA.
Recommendation 34: PIPP 4 should be amended, in line with the corresponding proposals of the
Commonwealth Privacy Act Review, to:
• provide further guidance to personal information custodians on the ‘reasonable steps’ they must
take to protect personal information;
• set baseline privacy outcomes personal information custodians must meet to fulfil their data
security obligations; and
• require personal information custodians to set and periodically review retention periods for
personal information.
Recommendation 35: Consideration should be given to whether further guidance on PIPA-compliant
destruction and de-identification of personal information by personal information custodians, similar to
the revised guidance proposed by the Commonwealth Privacy Act Review, is necessary.
Recommendation 36: An individual ‘right to erasure’, with the same features as the right proposed by
the Commonwealth Privacy Act Review, should be introduced in the PIPA.
Recommendation 37: There should be a review of all Tasmanian legislation that requires retention of
personal information to ensure it appropriately balances policy objectives and privacy and cyber-
security risks.
Recommendation 38: PIPP 6 should be amended to require a personal information custodian to:
• provide individuals with access to their personal information upon request;
• provide access to personal information in the manner requested by the individual, as long as
this is reasonable and practicable, without charge;
• give written notice of the reasons for a refusal to give access and the mechanisms available to
complain about the refusal (which are discussed further in Part 8 of this Report); and
• adopt a presumption in favour of disclosure.
Recommendation 39: PIPP 6 should be amended to simplify the process for requesting access to
personal information. These amendments should clarify the interaction of the PIPA and the RTI Act.
Recommendation 40: PIPP 6 should be amended to confer an individual right to explanation about
personal information, including a right to explanation of the source of personal information collected
indirectly, and a right to an explanation or summary of what a personal information custodian has done
with the personal information.
Recommendation 41: Part 3A of the PIPA should be amended to:
• modify the operation of Section 17G to enable a person to request (rather than require) the
personal information custodian to add information to a notation;
• require a personal information custodian to provide a written notice of a refusal of a request to
add information to a notation; and
• extend the right to correction in Section 17A to enable persons to request amendment of
incorrect, incomplete, out-of-date or misleading information in generally available publications
online over which a personal information custodian maintains control.
Recommendation 42: Individual rights to access and explanation, to object, to erasure, and to
correction in the PIPA should be subject to the exceptions proposed by the Commonwealth Privacy Act
Review; namely, where:
• there are competing public interests;
• required or authorised by law or legal relationships; and
• technically infeasible or an abuse of process.
Recommendation 43: Personal information custodians should be required to provide ‘reasonable
assistance’ to individuals in exercising a right, take ‘reasonable steps’ to respond to an exercise of a
right, and respond within a prescribed timeframe, unless a longer period is justified.
Recommendation 44: There should be greater clarity around how personal information custodians
should meet the requirements of PIPP 5. This should include:
• specifying the type of information that must be included in privacy policies made under PIPP 5;
and
• requiring personal information custodians to designate a senior employee as privacy officer
responsible for compliance with the PIPA.
This could be implemented by amendment to legislation or regulation, or the development of guidelines.
Recommendation 45: The PIPA should be amended to:
• require personal information custodians to specify the types of personal information that will
be used in automated decision-making; and
• establish a right to request meaningful information about how such decisions are made.
Recommendation 46: Guidance should be developed to support personal information custodians to
meet new requirements relating to automated decision-making.
Recommendation 47: Consideration should be given to:
• the most appropriate form that a body responsible for broadened enforcement and compliance
functions under the PIPA should take; and
• ensuring adequate resourcing for that body.
Recommendation 48: Consideration should be given to the introduction of a requirement for the
Ombudsman (or other complaints-handling body) to consider the appropriateness of conciliation when
dealing with a complaint. There should also be jurisdiction for TasCAT to hear a complaint if the
Ombudsman (or other complaints-handling body) decides that it is not reasonably possible that a
complaint be conciliated successfully.
Recommendation 49: Community consultation should be undertaken to ensure that changes to
complaints and review processes under the PIPA are available and accessible to all in the community.
Recommendation 50: Decisions of the Ombudsman (or other complaints-handling body) in relation to
PIPA complaints should be reviewable by TasCAT.
Recommendation 51: TasCAT should be empowered to make appropriate orders against personal
information custodians, where all or part of a PIPA complaint has been proven.
Recommendation 52: Consideration should be given to strengthening the enforcement regime through:
• the creation of offences for certain conduct;
• a civil penalty regime; and/or
• the creation of additional enforcement mechanisms such as injunctions and enforceable
undertakings.
Guidance can be sought from the provision in other Australian jurisdictions as to the scope of the
regimes.
Recommendation 53: The power of the Ombudsman (or other complaints-handling body) to conduct
investigations into breaches of the PIPPs, regardless of whether a complaint has been received, should
be clarified.
Recommendation 54: The PIPA should be amended to enable the creation of privacy codes.
Recommendation 55: The TLRI recommends that Tasmania introduce a data breach notification
scheme based on the Commonwealth model.
Recommendation 56: There should be a close examination of the relationship between the provisions
of the PIPA and other Tasmanian legislation with a view to obtaining greater harmonisation and
consistency between them. In this review, there is a need to ensure privacy protection is maximised to
the extent that is possible in balance with other policy interests.
Recommendation 57: The Tasmanian Government should undertake a review of provisions that
present legislative barriers to the sharing of information within government and with relevant non-
government organisations in the interests of protecting the safety and wellbeing of children and young
people, people in family violence situations, abuse of elder persons and people with disabilities.
Recommendation 58: Consideration should be given to reform of the listening devices legislation to
strengthen protections for individuals against surveillance by optical surveillance devices, tracking
devices, and data surveillance devices.
Recommendation 59: Consideration should be given to improving the resources made available to
allow for independent monitoring of police use of surveillance devices by the Ombudsman.
Recommendation 60: A review should be conducted that examines the adequacy of the existing laws
relating to stalking and intimidation in Tasmania and that considers whether there is a need to amend
these laws to take better account of technological advances. The following could be considered in the
review:
• whether the crime of stalking and bullying in the Criminal Code (Tas) Section 192 should be
amended to include intimidation based on the New South Wales approach—with intimidation
being defined separately from stalking—and the provision should be changed to recognise that
a single act, or a pattern of behaviour, may be taken into account in the determination of stalking
or intimidation;
• the extent to which behaviour that amounts to harassment is adequately protected for the
purposes of the Family Violence Act 2003 (Tas); and
• whether the crime of stalking and bullying in the Criminal Code (Tas) Section 192 should be
amended to more clearly criminalise surveillance conducted by technology; for example, by installing tracking and spyware applications on mobile phones, electronic devices, and vehicles,
as well as installing covert cameras and the use of drones.
Recommendation 61: Tasmania should, in line with other jurisdictions, enact state-based legislation
to create offences of distributing an intimate image without consent or threatening to distribute an
intimate image. In the creation of such an offence, the law should make it clear that the prohibition
extends to the distribution (or threat to distribute) images created or modified by the use of artificial
intelligence.
Recommendation 62: There should be further consideration of necessary reforms to the PIPA, or the
creation of standalone legislation, to align Tasmanian regulation with the National Health
Interoperability Plan.
Recommendation 63: If a national statutory tort is not adopted by the Commonwealth in the near
future, consideration should be given to the introduction of Tasmanian legislation to create a statutory
tort of privacy.