According to Weisbrot credit lenders currently can keep on record that a customer has applied for credit, a card or an overdraft, but cannot keep on record whether the customer's application was approved, for how much, or how many accounts they might have.

"We've recommended opening it up a bit...so if you're applying for a $100,000 loan to buy a boat the lenders and credit agencies should know that you've got a $500,000 mortgage, a $20,000 loan for a car, four credit cards with $50,000 limit, for example. That will enable better risk management practices because it's hard to know how they make those assessments with the limited amount of information they [currently] have."

The recommendations also called for consultation with young people to improve their control of personal information on social networking sites. However, Walls said he was surprised at the assumption that social networks were exclusive to young people, and believes the ALRC missed a crucial component regarding the flow of corporate and personal data over professional social networking sites.

"Many Australians are attached to things like LinkedIn, Myspace, Beebo, Facebook etc which are multi-national entities based in the US, Europe and elsewhere, but the recommendations make no comment about what we should be doing there.

"Westpac is experimenting with Facebook as a collaboration and productivity enhancer, and I know of other Australian organisations using virtual worlds like Second Life to do team collaboration. They are all using off shore resources so what is the status of law there...I think they missed an opportunity to grapple with this issue," he said.

Weisbrot said he doesn't expect the reforms, once they are legislated, to require significant hardware or software infrastructure expenditure for enterprises to comply, as any organisation engaging in responsible security practices would already have adequate measures in place. For small businesses that file data on customers and employees, he said an econometrician predicted several hundred dollars in security software would be required.

In order to ensure the new Privacy Act remains future-proof, an expert sub-committee of IT-related professors and industry representatives advised the ALRC on new and emerging technologies. But Weisbrot said the new Act would be "technology-neutral but technology-aware" with general principles rather than specific regulation on technologies that will become outdated, "so that even if the technology changes, we will still have the eleven commandments as I call them," he said.

Walls said the real fight will start once parliament gets a hold of the recommendations and starts trying to trim them into real laws.

"Then we'll see whether enforcement actually occurs. But that is several years out, I think we're probably looking at three years in terms of real impact," he said.

The report For Your Information: Australian Privacy Law and Practice can be viewed in full here.