Australian Privacy Charter Council
© Australian Privacy Charter Council, 1999
This document is at http://www.privacy.org.au/apcc/Submns/AG9910.html
The Council welcomes the government's intention to extend privacy legislation to cover the private sector.
The proposals set out in the information paper represent an interesting and innovative approach to the regulation of information privacy which is attracting world wide attention. In particular, the prominent role given to sectoral codes of practice is potentially a sensible compromise between overly prescriptive law and self-regulation, which has been shown here and overseas to be an inadequate response.
There are however some serious flaws in the current proposals which need to be remedied. Given the acknowledged importance of the international trade context, there is no point in Australia introducing legislation which falls short of the criteria which are being promoted by the international community, and best represented in the papers from the European Union's Article 29 Working Party.
Legislation which fails to substantially meet these criteria will not give Australian businesses the confidence they need to participate in international trade involving the transfer of personal data, and will therefore not meet one of the government's declared objectives.
The other reason for remedying the flaws in the current proposals is to ensure that all Australians enjoy the same high level of privacy protection, set at international best practice standard, and are able to readily access affordable complaint processes and remedies.
It is unfortunate that the proposals do not reflect all of the good features of the Victorian Data Protection Bill, given that many of the same interested parties have been involved in devising that model. In particular, the Victorian provision for appeals from decisions of code administration bodies and of the Privacy Commissioner, and the extensive powers of the Privacy Commissioner, are essential features of an acceptable privacy regime, currently missing in whole or part from the Commonwealth proposal.
While a phased introduction is acceptable, there is no reason why the Privacy Commissioner could not be given the power to investigate complaints during Stage One, albeit without the power to find breaches of the principles or award remedies. A recommendatory ombudsman role during this stage would complement the educational and promotional roles, and would help to ensure that organisations took their responsibilities seriously as they prepared for full implementation. Without it, it will be difficult to generate public interest in the new rights.
As we have already indicated in an earlier letter, it is unacceptable to delay the re-introduction, passage and implementation of the Privacy Amendment Bill 1998. Waiting until private sector contractors are covered by the proposed new legislation will leave a further gap of nearly two years in which personal information handled by contractors will lose the existing protection of the Privacy Act. With major data processing and other functions of government due to be contracted out within this period, the delay is inexcusable. Unless the government is prepared to freeze any further contracting out until the new privacy legislation is in place and operational, the 1998 legislation should be passed as soon as possible to ensure that Australians do not lose the limited privacy protection that they currently enjoy.
This would mean that some private sector businesses would have to operate under two somewhat different sets of principles, depending on whether they were carrying out work for a Commonwealth agency client or not. But this outcome is unavoidable - even if the 'outsourcing' amendments are not passed, contractors will be required by contract to apply the IPPs.
The longer term issue of harmonising private and public sector regimes is discussed further below.
The proposed exemption for `domestic' uses is acceptable, but needs to be defined more precisely to ensure that home based activities of a `business' nature, even if not commercial, are covered by the law.
The proposed exemption for employee records is completely unacceptable. The argument that equivalent protections can apply under workplace agreements is simply unrealistic and in any case would not have the same range of investigatory, complaint an enforcement provisions, or remedies.
The area of employment record keeping is one where the consequences of breaches of the privacy principles can be most serious for individuals, and one where they most need the protection of privacy law. Any specific issues that the privacy principles raise for employers can and to a large extent have already been dealt with in the discussions leading to the National Principles.
Introducing a privacy law which did not apply to employee records would ensure that the law had severely limited credibility both domestically and in the international community.
The Council supports the government's apparent intention to take the opportunity of the new legislation to review the existing exemptions for certain government agencies and business enterprises imported from the FOI Act.
It is necessary and desirable to provide some form of exemption from some of the principles for the news media. It is however important that any such exemption is carefully crafted to respect the value of free speech and benefit the media only in its `public sphere' role. Other commercial and `infotainment' roles, although challenging to define, should remain subject to the principles. And even in the exempt areas, there is no reason why principles such as security should not apply. It is mainly in the area of fair collection practices and use and disclosure limitations that the news media need exemption, together with some modification of the access and correction rights.
We await with interest the Attorney-General's conclusions in relation the issue of personal health information. Like the Privacy Commissioner, we believe that general privacy principles can and should apply to health information, with any special needs being dealt with by appropriate modifications.
We have already previously indicated that we have some concerns about the Privacy Commissioner's National Principles, which represent the Commissioner's best efforts rather than a consensus between the parties involved in the consultations.
Go to APCC's Home-Page.
Go to the contents-page for this segment.
Send an email to the APCC Convenor
Created: 3 August 2000
Last Amended: 3 August 2000
APCC thanks its site-sponsor: