Australian Privacy Charter Council
Version of May 2000
© Australian Privacy Charter Council, 2000
This document is at http://www.privacy.org.au/apcc/Submns/HoR0005.html
The Australian Privacy Charter Council was formed in 1992 to promote observance of best practice privacy standards throughout the Australian community. Under the chairmanship of Justice Michael Kirby, then of the NSW Court of Appeal, the Council brought together privacy, consumer and civil liberties experts with representatives of the business community.
In 1994, the Charter Council launched the Australian Privacy Charter, which is attached to this submission. The Charter sets out 18 principles, reflecting international best practice, which provide a benchmark against which specific proposals for privacy laws and guidelines can be measured. The Charter and its principles are appended to this submission.
The Charter Council continues in existence to promote the Charter and its principles, to comment on privacy initiatives, or the lack of them, in particular sectors and jurisdictions, and to provide a forum for discussion of privacy which brings together representatives from a wide range of interests - non-government organisations, business and government.
This submission is largely based on the one made to the Attorney-General's Department in January on its December 1999 'key provisions' paper. Unfortunately, the Bill as introduced has not addressed most of the criticisms that we made in January of the government's proposals.
We have no doubt that statutory privacy protection in the private sector is urgently required. Regrettably the Bill provides only partial and imperfect 'safeguards' as to how personal information can be used. The proposed regime has lost most of its other critical function, which is to give individuals more control over when and if personal information can be used. In the context of growing business convergence, e-commerce and so-called customer relationship management (often a code term for cross-selling), it is this control function which will increasingly be demanded by consumers.
Our detailed comments and criticisms of the Bill are given below. If enacted unchanged, it would provide an entirely false sense of re-assurance to the Australian public. It would also fail to achieve one of the main objects set out in Clause 3 - "meets international concerns and Australia's international obligations relating to privacy to meet our international obligations". In our view, based on the expert knowledge of several of our members, the Bill will fail to meet the standard of adequacy required by European Union member states for transfer of personal data to other jurisdictions under Articles 25 & 26 of the 1995 Data Protection Directive (95/46/EC).
As a result of the Bill's major weaknesses, it will fail to give consumers and business alike the confidence to use and invest in electronic commerce and service delivery, which we understood to be one of the government's main objectives.
The good work done over the last two years by participants in the Privacy Commissioner's consultation process, and more recently in the Attorney-General's Department's consultations, will have been largely wasted if the Bill is enacted in its current form.
The Charter Council urges the Committee to recommend the amendments we suggest in this submission. The required changes, most of which would not be opposed by the majority of business interests, could result in legislation which we could all support.
Many of our recommendations and suggestions would have the result of simplifying the legislation. By seeking to accommodate so many special interests, the government's proposed amendments would make the Privacy Act even more complex and hard to understand than it is already. The Bill fails the important test that should apply to all new legislation - that it be simple and easily understood both by those with obligations and those with rights.
We have not dealt with the many areas of the proposed legislation which we support. In focussing on criticisms and weaknesses, we do not wish to overlook the many uncontentious provisions, or the good work done by the Attorney-General's Department and Parliamentary draftsmen in dealing with issues such as outsourcing, extra-territorial operation, and temporary public interest determinations. Our silence on a particular provision should not however necessarily be taken as support, as we may have missed some adverse implication which others may detect. We will read other submissions with interest and reserve the option of commenting on other aspects of the Bill in due course.
The practical effect of the legislation will be determined by the combined operation of the principles, the exemptions and the definitions. The Committee needs to ensure that it does not take the apparent superficial meaning of a particular provision at face value, since it may be undermined either by an exemption or by the effect of a definition - some of the terms used in the Bill do not carry their normal meanings.
We remain totally mystified as to the logic of the proposed exemption for employee records - the government has produced no evidence or details of the protection that it claims is or will be provided under Workplace Relations legislation. As we have repeatedly stated, the handling of employment records is one of the areas where individuals are most in need of the safeguards provided by accepted privacy principles - given the serious consequences that can flow from inappropriate practices.
However effective the legislation is made in relation to other types of personal information, we will only have 'half a law' if employment records remain exempted.
We acknowledge concerns in the business community about a requirement to give employees access to sensitive human resources information, and some categories of commercial in confidence information. We believe that these concerns have been adequately addressed - to the satisfaction of business representatives - by the Privacy Commissioner in drawing up exemptions to NPP 6. If there are outstanding concerns, we would like to see these spelt out with a view to addressing them by partial exemptions from particular principles.
There can be no justification for exempting employers from unarguable principles such as those relating to data quality (NPP 3) and security (NPP 4). The notice requirements of Principle 1 should also apply - it is difficult to see what possible reason there could be for not telling employees about the extent of monitoring - whether by video or of emails or phones.
Again, while we acknowledge the need for exemptions from some of the principles for the news media, the proposed media exemption (proposed s.7B(4)) is far too broad.
Firstly, it is a serious mistake to try to define the exemption via a definition of journalism that rightly includes reporting etc of 'other information' (definition of journalism and media organisation - items 18 & 19). This correctly characterises the profession of journalism broadly, but results in the exemption applying to virtually anything that any publisher does. The important issues of freedom of speech and the public interest role of the media are confined to news and current affairs - there is no justification for the exemption extending to so-called 'infotainment' or other forms of publication and broadcasting.
Another danger in the current approach is that any organisation could seek to legitimate a breach of the collection or use and disclosure principles simply by publishing the information, thereby compounding the breach. As an example, the recently launched Crimenet web site - a private sector venture which publishes apparently unverified information about alleged offenders - would be likely to fall within the media exemption as currently drafted, thereby escaping from any controls or accountability. So too would the publication last year by a gun lobby magazine of the names and home addresses of politicians favouring gun controls.
While a suitable definition of exempt media activity may be difficult to agree, it is vitally necessary if some of the most scurrilous and intrusive privacy invasive practices 'hiding' behind a media exemption are to be avoided.
One possible partial solution would be to introduce a public interest test whereby news and current affairs providers would have to demonstrate a genuine public interest in the practice concerned in order to take advantage of the exemption.
It is difficult to see the justification for this exemption other than as a blatant political expedient. Many of the most highly privacy intrusive activities are undertaken by businesses which would almost exclusively fall under any size threshold, let alone the arbitrary and generous $3 million turnover figure used in the Bill. Debt collectors, private investigators, and direct marketers are almost all 'small businesses' and while some of these may be picked up by the 'transfer of personal information' condition (see below) others may not, particularly if they structure their services to deliver 'outcomes' rather than information.
The size threshold is also an open invitation for larger organizations to re-structure their organizations into separate business entities all of which fall under the threshold. The effect of this would be not only to exempt the individual businesses but also to remove any controls over the transfer of personal information between them - for example, a retailer could avoid the application of NPP 2 to direct marketing by splitting its operations into separate 'under $3 million turnover' businesses. In this case, even the 'transfer of personal information' condition would not help, as there would be no transfer - the information would still be within the single 'small business operator' as defined in the proposed section 6D.
The proposed operation of this exemption is also somewhat unclear. "Small business" is defined to exclude organisations holding sensitive data, which seems obtuse, as some small businesses (as the term is normally used) will legitimately hold sensitive data. The exemption then also requires that the small business not "transfer personal information ... to anyone else for a benefit, service or advantage." This would seem to ensure that only innocuous activities are exempt, although it should be recognised that the effect will be (rightly) to keep many small businesses under the coverage of the law.
The introduction of the term 'transfer' in this provision (with a different meaning from its use in the transborder data flow principle) is potentially confusing. It may be helpful to clarify that the exemption would not be lost simply as a result of a small business 'disclosing' personal information incidentally as a result of a legitimate activity - eg to contractors or agents.
The complexity of the formula for the small business threshold (s.6D), with its many conditions, is a recipe for confusion - both for businesses themselves, and also amongst consumers - who cannot realistically be expected to know if a business they are dealing with is covered by the Act or not. Nothing will bring the law into disrepute faster than the many cases in which individuals will make a complaint about an interference with their privacy only to be told that there is nothing that can be done simply because the business concerned arbitrarily qualifies for the small business exemption. For small businesses, the cost of working out whether they are exempt, and of constant monitoring to ensure they stay within the conditions, will surely outweigh the marginal costs of full compliance.
We are sympathetic to the concerns of small businesses about compliance costs, and it is unfortunate that the government's delay in bringing forward legislation means that implementation will overlap the GST introduction. However, overseas experience shows that the compliance 'burden' associated with the introduction of privacy laws is much less than feared and anticipated.
If the privacy interests of Australians deserve legislative protection, then that protection must apply irrespective of the size of the organisation handling personal information.
This exemption has been introduced at the last minute and has not been subject to any discussion or consultation in the development of the legislation. We challenge the government to disclose the detailed advice it claims to be relying on for its claim that subjecting political activity to the privacy principles would infringe an implied constitutional right to freedom of political communication.
Even if there is an overriding public interest in exempting political parties and representatives from some of the principles - such as the collection, use and disclosure principles (which we refute), there can be no good reason for exempting them from the need to comply with the other principles, such as those requiring data quality, openness, security etc. There can also be no objection to the right of access, which becomes all the more important as a safeguard if the effect of some of the principles is limited.
We invite the Committee to consider most seriously the message that the legislation will send to the community if it says, in effect, that most organisations cannot use unfair or deceptive collection practices, or use or disclose personal information in unexpected ways, or keep their opinions about individuals secret; but that it is perfectly in order for political parties and politicians to do all of these things!
The National Privacy Principles (NPPs) already had a serious weakness in the wide definition of 'organisation'. This has now been compounded and magnified by the inclusion of a provision (proposed s.13(B)) that expressly allows collection and disclosure between organisations that are 'related bodies corporate' as defined under the Corporations Law.
It is not entirely clear what the effect of this exemption will be - the Explanatory Memorandum and the Attorney-General's Department Fact Sheet suggest that uses and disclosures will still be subject to all the provisions of NPP 2. But if so, it is difficult to see why the related bodies corporate exemption is required and what it achieves (what value is there in sharing without an end-use in mind?). Proposed new NPP 2.3 suggests that the effect of the provision will be to ease the limits that NPP 2 might otherwise place on secondary uses such as marketing. We suggest that the Committee might like to explore the intention behind this provision, and its practical effect, in detail.
There is in our view no justification for a broad exemption from the application of any aspect of the collection and use & disclosure principles to transfers of information between organisations simply on the basis of an arbitrary company law association. The structure of corporate groups is usually quite opaque to consumers and often bears no relation to functions, activities or lines of business.
The basis of the use and disclosure principle is to ensure that only those uses and disclosures that are within the reasonable expectation of individuals are permitted without consent (unless they meet one of the other defined exceptions). To override this presumption in favour of corporate groups being able to internally exchange data at will would fatally undermine the principle.
The use and disclosure principle (NPP 2) should apply unaltered to transfers between different legal entities. If owners choose to take advantage of complex corporate structures for other reasons, they should not gain the incidental benefit of being able to ignore individuals' legitimate and reasonable expectations about privacy.
To give a practical example, many people are concerned about the use of personal information for the purposes of marketing of goods or services that are unrelated to an earlier transaction during which their details were originally captured. The effect of this provision (proposed s.13(B) together with NPP 2.3) may be that many such marketing uses will not even have to pass the (already inadequate) tests included in NPP 2.
The provisions relating to transitions in partnerships (proposed s.13(C)) seem adequate to deal with changes in ownership, but similar provisions should also apply to changes in ownership of corporations. We had assumed that the normal application of business law would apply to such transitions and that special provisions would not be necessary in the Privacy Act. But if such provisions are included, it should be made clear that successor 'owners' inherit the obligations about use and disclosure that applied to their predecessors, and that they would not be free to redefine the boundaries of use and disclosure without reference to the individuals concerned.
The Bill proposes to leave coverage of State owned corporations to the discretion of State governments, who can choose to have the federal Act apply to their businesses (proposed s.6F). (The combined effect of proposed sections 6C(4) and 6F is confusing.)
Currently, only NSW has privacy legislation and that law exempts state owned corporations - presumably on the basis of putting them on an equal footing with privately owned competitors. Now that those competitors are to be covered by the federal law, we hope that the NSW government will close the gap, either by extending their own law (the Privacy and Personal Information Protection Act 1998) or by taking up the option of having their own businesses subjected to the federal Act.
Given the slow progress in other States, we would like to see the federal law apply to State owned corporations as the default position, with an option for States and Territories to subject them instead to their own law.
We do not disagree with the need for special attention to personal health information, but the provisions in the Bill are too generous in relation to management and research uses without consent. We share the serious concerns of the Health Issues Centre and the Consumers Health Forum, who have analysed the health provisions in more detail, with expert knowledge, and support their submissions. We have not been able to give these provisions as much attention, but do have the following specific concerns.
The interaction of the various provisions concerning sensitive and health information is quite complex and not easy to fully understand.
In the definitions, it should be expressly stated that health information includes information about an individual's genetic make-up - this is potentially one of the most sensitive pieces of information about someone, and the public will rightly demand that the most stringent privacy principles apply to genetic information.
The definition of health service includes activities "claimed" by the provider to be in the defined categories. If the only use of the definition was to apply more stringent standards, the breadth of this definition would not matter too much, but as the effect is in some cases to give access to more generous use and disclosure rules, extreme care needs to be taken to ensure that only recognised health professionals can take advantage of them.
Principle 2.4 seems extraordinarily complicated to deal with the admittedly important issue of disclosure of health information to carers and relatives. Including such elaborate and prescriptive text in the principles defeats the objective of keeping them concise and easily understood. It should not be difficult to devise a simple 'humanitarian' exemption and leave the detailed interpretation to Commissioner's Guidelines and practical common sense.
We remain concerned that the sensitive information principle (NPP 10) applies only to collection. The more restrictive conditions of this principle should apply not only to collection but also to 'secondary' use and disclosure of sensitive information collected initially for a bona fide purpose.
The government has accepted the Privacy Commissioner's advice to vary the wording of Principle 2.1(a) for sensitive (including health) information, which will be required to be 'directly related' to the purpose of collection to take advantage of this exception. While we support the intention of this amendment, we are concerned that it might have the unintended effect of lessening the protection offered to all other personal information, which can be used under exception (a) if the purpose is merely 'related'. Our concerns in this respect are heightened by the suggestion in the Privacy Commissioner's advice on health information that such uses as management and planning of health care may be regarded as 'directly related'.
While this is intended to be the subject of further guidelines, we are disturbed by this interpretation. We would argue that many of the 'administrative' uses of health information being discussed are not only not 'directly related', they are not even 'related' - at least not closely enough to gain the benefit of exception (a). It is essential that the statutory regime retains the integrity of the fundamental 'purpose limitation' principle and does not allow too many self-serving uses to be 'authorised' by the necessary related purpose exception.
Fortunately, the other part of the test in exception (a) - that the use be within the reasonable expectation of the individual - should ensure that there is not too much 'creep' towards excessively broad interpretations. But constant vigilance will be required to ensure that the natural tendency of data users to regard most intended uses as 'related' is held in check.
While we do not object to the principle of providing an option for Codes of Practice to 'customise' the regime for particular sectors, we have strong reservations about the way in which the Bill provides for Codes as an alternative to the default statutory scheme.
It remains to be seen what demand there is for Codes - it may well be that, as in New Zealand, very few sectors see the value in developing a Code, and are happy to live with the default regime. The Explanatory Memorandum itself points out one of the weaknesses of the approach: "For example, different codes nominate various dispute resolution bodies, creating jurisdictional problems and administrative burdens for business." And yet the Bill expressly provides for such different bodies (Code adjudicators).
The Bill appears generally to envisage that a Code will either include self contained complaint handling machinery, or leave complaint handling entirely to the Commissioner, either under the default statutory scheme, or by appointing the Commissioner as the Code adjudicator, presumably to handle all stages of complaints. However, proposed s.40(1B) (Item 80) appears to envisage a hybrid system, which would allow sectors to initially deal with complaints through an industry body (Code adjudicator), but to refer complex or difficult complaints to the Privacy Commissioner. Such a hybrid arrangement may be very attractive to some sectors and we seek confirmation that this is the effect of Item 80.
The Bill fails to provide adequate arrangements for the enforcement of codes, and for ensuring consistency of interpretation. As we have argued in earlier submissions, it is essential that there be some formal link between an approved Code and the statutory enforcement mechanisms. Proposed s.18BB(3)(d) (item 58) suggests that a Code adjudicator's decisions will have the same status as those of the Privacy Commissioner in the default scheme. This is given effect by proposed s.55A (item 99) which provides that adjudicators' determinations will be enforceable in the federal court (or magistracy), and we welcome this as a significant improvement over earlier proposals. However, private sector Code adjudicators are (rightly) not given the same powers as the Privacy Commissioner (such as requiring witnesses and information, entering premises and inspecting records), and their effectiveness in investigating complaints may therefore be hindered.
The proposed regime appears to assume that most complaints will be resolved through 'friendly' and co-operative discussion. While it is true that the Privacy Commissioner has rarely had to exercise his or her formal powers, the importance of having such powers 'in reserve' should not be underestimated. It should also be borne in mind that to date, the Commissioner has been dealing primarily with Commonwealth agencies and larger credit providers - sectors where a high level of 'voluntary' compliance and co-operation can be expected. Under the wider jurisdiction, the Commissioner, and Code adjudicators to a lesser extent, will face many organisations which are much less inclined to co-operate.
The Bill also fails to provide a right of appeal against decisions of Code adjudicators. The ability to enforce a favourable determination in the federal court (or magistracy) is of no value to a complainant whose complaint has not been upheld by a Code adjudicator. Given the unavoidable tendency for industry appointed adjudicators to be influenced by sectoral interests (this after all being the rationale for their existence), it is essential that complainants are able to appeal to a genuinely disinterested person or body if they are dissatisfied with the decision of an adjudicator.
Our other related concern is about consistency of interpretation. Very few privacy complaints can be expected to reach the federal court (magistracy) and this will not therefore be an effective way of ensuring consistency. This is another reason why it is essential in our view that the Privacy Commissioner be given some role in reviewing decisions of Code adjudicators - not necessarily an automatic right of appeal, but at least the ability (discretion) to intervene in significant cases, either as a result of a complainant's request or on his or her own initiative.
Even with the requirement in proposed s.18BB(3)(a)(i) that a Code complaint handling scheme must meet prescribed standards (envisaged as the 1997 Consumer Affairs Benchmarks[1]), we have no confidence, on the basis of self-regulation to date in various sectors, that Code adjudicators left entirely to their own devices will provide individuals with impartial, fair and consistent judgements on privacy issues, particularly given the necessarily broad nature of the principles.
Ultimate authority to set the privacy standards expected of the private and public sectors alike should reside with one or more independent statutory officers - sectoral bodies appointed by and responsible to businesses in that sector run the constant risk of adopting convenient interpretations which favour industry practices over a robust defence of individuals' rights.
Ideally, the decisions of the Privacy Commissioner in the default jurisdiction should also be able to be appealed on their merits (not just on points of law).
Paragraph 166 of the Explanatory Memorandum confirms that Codes approved by the Privacy Commissioner will not be disallowable instruments. Given the Commissioner's ability to approve not only initial Codes, but also variations, and to revoke Codes, which amount to the law for the relevant sector, the safeguard of potential disallowance is essential. Judicial review is no substitute for the ability of Parliament to control the specification of legal obligations.
We strongly urge that the definition of personal information be modified to include 'potentially identifiable' information (as the current Privacy Act definition does), and that it should not continue to exclude information in a generally available publication.
Many of the recent privacy controversies, concerning collection of information on-line, have revolved around the collection of e-mail addresses or IP addresses, which can either be used to communicate directly with a person or can be subsequently matched with other information to add to a profile of a particular individual.
However, it is arguable that an email address or IP address is not 'personal information' as defined in the legislation, as they do not unambiguously identify an individual. The same applies to telephone numbers, even though these are routinely used as a surrogate identifier for either the subscriber to the line, or a regular user.
It is essential that the definition of personal information is clarified, to put beyond doubt that it applies to such 'indirect identifiers' and to the information collected and held in association with them. One way of doing this would be to adopt the definition in the UK Data Protection Act, which includes "identified from the information itself or from other information in the possession of the data user".
The definition of health information relies on the definition of personal information and is therefore subject to the same limitation. This weakness is especially worrying in the health context, in that it would potentially exclude information from which names or dates of birth had been removed, even if other information in the possession of, or easily obtained by, the data user could, in combination with the 'de-identified' data, readily identify individuals.
The existing Privacy Act regime already contains the weakness of an unjustifiable exclusion for information in a 'generally available publication'. This occurs because of the interaction of the definitions of "personal information" and of "record". The Bill fails to take the opportunity to simplify the way the Act works by removing the intervening concept of 'record' - we have long argued that 'Plain English' legislation would simply subject any handling of personal information to the Principles.
The Bill compounds the exemption by adding 'however published' to the definition of a generally available publication. It has never been clear if the effect of the exclusion is to exempt only a generally available publication itself, or the information contained in a generally available publication. The Attorney-General's Department argued for the latter view in relation to Telstra's application for a public interest determination in 1990-91, but the then Commissioner took the former view in his Determination.
We agree that published information (including public register information) needs some special rules, but there is no need or rationale for excluding information from the application of the principles simply because the same information is also published - in the private sector context there is also the possibility that an organisation might seek to legitimise a clearly undesirable practice by publishing the personal information concerned, thereby gaining the benefit of this exemption (and also perhaps the media exemption - see above).
These are fundamental issues and it is a major weakness of the Bill that it stands by the narrow definition of personal information, and does not deal at all with the related issue of protection for public register information.
The Bill generally deals well with the issue of outsourcing. But the further delay of 12 months before the provisions take effect is unacceptable. We have consistently argued for the re-introduction, passage and implementation of the Privacy Amendment Bill 1998 which would have had the same effect. With major data processing and other functions of government due to be contracted out over the next year, further delay is inexcusable. Unless the government is prepared to freeze any further contracting out until the new legislation is in place and operational, the 1998 Bill should be passed as soon as possible to ensure that Australians do not continue to lose the limited privacy protection that they currently enjoy. Alternatively, the new Bill could provide for the law to apply to contractors to Commonwealth government agencies immediately.
The longer term issue of harmonising private and public sector regimes is discussed further below.
There is one particular issue relating to contracting which we do not fully understand. Proposed s.6A(2) (and Item 37) appear to allow Commonwealth agencies by contract to authorise acts and practices which would otherwise be a breach of the NPPs - we assume that this is only to ensure that the IPPs in the existing Act continue to prevail. We would like to see this confirmed. (See also comments below about harmonisation.)
We welcome the provisions in Item 42 for reviewing the existing exemptions for certain government agencies and business enterprises imported from the FOI Act. We would however like to see the agencies and activities to be brought under the NPPs specified in the Act rather than left to regulations. There will no doubt be vigorous rearguard actions fought by currently exempt government entities in an attempt to avoid prescription.
We are not sure if the effect of Item 42 is confined to commercial activities. If so, then there should also be a review of some of the other exemptions in the FOI Act schedules, which appear to have been the arbitrary outcome of successful lobbying rather than of any reasoned justification.
We note that the legislation re-affirms the limitation on correction rights
only to Australian citizens and permanent residents (item 87, amending
s.41(4)). This is a major flaw that will clearly contribute to the Bill
failing to meet the European Union's 'adequacy' test. The whole point of the
EU 'overseas transfer' provisions is to try to ensure that EU citizens can take
advantage of similar privacy protection wherever in the world their information
is transferred. Limiting the jurisdiction of the law, in respect of
correction rights, to Australians does not make sense in this context and there
are no apparent benefits.
We note that the New Zealand Privacy Commissioner, in his recent review of the
New Zealand Privacy Act 1993, recommended extending all of the rights under
that Act to non-residents as one essential amendment to ensure the law is
acceptable to the EU and other jurisdictions (such as Hong Kong) with overseas
transfer provisions.
We have some significant concerns about the Privacy Commissioner's National
Principles, as incorporated into the legislation. The Principles represent the
Commissioner's best efforts rather than a consensus between the parties
involved in the consultations. Apart from the matter of Principle 10 already
mentioned above, we have concerns about the following:
Since 1994, the Australian Privacy Charter, devised and now promoted by the
Council, has espoused several principles which go beyond the limited, though
valuable framework of the OECD guidelines. Some of these principles deal with
aspects of privacy other than information privacy. Since the current proposal
only purports to deal with information privacy, we will reserve our position on
these other aspects of privacy for other forums.
There are however three principles in the Charter which are relevant to
information privacy but which are missing from both the government's proposals
and from the existing Privacy Act. Charter Principles 1 (`prior
justification') and 18 ('no disadvantage') can often be effectively argued in
the context of particular privacy intrusive initiatives. It would however be
desirable to have both these principles enshrined in legislation to lend
support to the Privacy Commissioner's `watchdog' role.
The best way of implementing the `prior justification' principle would be
through a requirement for privacy impact statements for proposals (whether in
the private or public sectors) which met certain criteria for potential privacy
intrusion. There is already a precedent for such statements in Commonwealth
law - the program protocols required under the Data-matching Program
(Assistance and Tax) Act 1990.
Consideration should be given to including in the Bill a requirement for
privacy impact statements in appropriate circumstances.
The `no disadvantage' principle is becoming increasingly important as
individuals are faced with the offer of goods and services on favourable terms
on condition that they waive some privacy rights (usually the right to prevent
secondary uses and disclosures). In order to ensure that individuals are not
put under pressure to `sell' their privacy, this principle needs to be
enshrined in law so that it is able to be invoked against unreasonable
`contractual' waivers of privacy.
Charter Principle 7 deals with public register privacy. This is a complex
issue which deserves separate consideration, as it receives in many overseas
privacy laws. It is also related to the definition of personal information and
the inclusion or exclusion of material in 'generally available publications'
discussed above (see under Definitions).
The proposed section 16C disapplies Principles 1, 2, 6, 8 & 10 from
information collected, or transactions entered into, prior to commencement.
While this is sensible for Principles 1 and 10, there is no reason why
organisations should not be required to use best endeavours to comply with at
least the spirit of Principles 2, 6 and 8 in respect of information already
held, accepting that it would be unreasonable to enforce the same standards as
would apply to information collected subsequently. Experience overseas
suggests that many organisations will in any case find it easier to apply the
same regime to all data than to make an administrative distinction.
The twelve month delay after Royal Assent before organisations are required
to comply with any of the NPPs (cl.2), and the further twelve months grace for
small businesses in respect of some principles (proposed s.16D), are an
unnecessarily long phasing in period. The principles are well known and
understood by many larger businesses, and relatively easy for smaller
businesses to come to terms with and implement.
While a shorter phased introduction for mandatory compliance with some of the
principles is acceptable, there is no reason why the Privacy Commissioner could
not be given the power to investigate complaints during Stage One, albeit
without the power to find breaches of the principles or award remedies. A
recommendatory ombudsman role during this stage would complement the
educational and promotional roles, and would help to ensure that organisations
took their responsibilities seriously as they prepared for full implementation.
Without it, it will be difficult to generate public interest in the new
rights.
We therefore urge the Committee to recommend an earlier commencement, with only
delayed application of selective provisions where a strong case can be made.
The September information paper suggested that charges may be levied on
individuals for making and handling privacy complaints. The Council is opposed
in principle to charges for consumers, which would also undermine the existing
`free' character of many voluntary industry ombudsman schemes. Privacy
complaints do not typically involve significant financial considerations and
individuals could not often hope to recover the costs of a complaint. It is in
the general public interest for genuine complaints to be brought, so as to
improve overall compliance. Imposition of charges would be likely to deter
individuals from coming forward with complaints.
Any concerns about mischievous or malicious complaints can be dealt with by
robust grounds for declining or discontinuing cases, rather than by any `crude'
financial disincentive.
The one important function under the existing Act which is not extended to
the new private sector/NPP jurisdiction is the audit power (s.27(1)(h);
28(1)(e) and 28A(1)(g)-(j)). There is no good reason why the Commissioner
should not be empowered to conduct audits of compliance with the NPPs, and
every reason why he should. While the number of audits conducted by the
Commissioner in the tax file number and credit reporting jurisdictions has been
modest, it has over the years built up into a very useful 'sample' of
compliance.
The existence of the audit function sends a message to organisations that they
cannot just take the risk of doing nothing with the only 'threat' being the
receipt of a complaint. It is the nature of many privacy breaches that the
individuals affected may not become aware of the breach, or be able to trace an
adverse consequence back to a privacy compliance issue. The Australian Privacy
Act has been one of only a few laws, internationally, to include a significant
pro-active audit role for the Commissioner and as such it is widely admired.
We strongly urge the Committee to recommend the extension of the audit function
to the new private sector jurisdiction.
It is clearly not intended to significantly amend the existing regime of
Information Privacy Principles applying to Commonwealth agencies. Given the
increasingly blurred distinction between public and private sectors, it would
be unfortunate if the government left the Australian community with two
different regimes other than as a short term expedient. Harmonisation was one
of the recommendations of the 1998 Senate Committee report.
The Charter Council acknowledges that any change to the public sector regime
would require further consultation with Commonwealth agencies and
representatives of affected individuals and third parties. It is
understandable, and desirable, that the need for such consultation should not
hold up the implementation of a private sector scheme. The Council therefore
supports the early passage of the Bill (subject to the many amendments
suggested in this submission) to implement a private sector scheme.
The government should however also commit itself to a firm timetable for review
of the existing public sector regime, with a view to bringing the IPPs in
section 14 of the Act into line with the private sector principles. Contrary
to a commonly held belief, the National Principles developed by the Privacy
Commissioner, which are to form the basis of the private sector scheme, were
not designed exclusively with the private sector in mind. The fact that they
were adopted by the previous Victorian government for application to its State
public sector bears this out. We also disagree with the claim in the
Explanatory Memorandum that the IPPs set a higher standard than the NPPs - this
may be true in some respects but in others the NPPs were deliberately designed
to address some of the weaknesses of the IPPs (such as the exemption for
disclosures simply on the basis that individuals had been notified
(IPP 11(1)(a))).
The review of the public sector principles should also include consideration of
the relationship between the access and correction provisions of the
Commonwealth Freedom of Information Act 1982 and of the Privacy Act. A
government response to the recommendations of the joint ALRC/ARC report in 1995
on the FOI Act is long overdue. In the Charter Council's view, there is a
strong case for transferring the access to personal information provisions of
the FOI Act to the Privacy Act, leaving the FOI Act to emphasise openness and
access to government information. There would need to be close co-operation
between the Privacy Commissioner and the agency responsible for implementing
the FOI Act (an Information Commissioner?). There would also need to be
further consideration given to the definition of personal information and its
application in FOI and Privacy contexts.
We are not persuaded that the Bill adopts the right approach to providing
for national security needs. Disclosures to intelligence bodies are now dealt
with in a separate schedule - Schedule 3 - rather than, as in the National
Privacy Principles, in the use and disclosure principle. This will have the
effect of 'masking' the actual availability of the exemption, which will no
doubt only be pointed out to organisations as and when an intelligence agency
needs to seek personal information. There are strong accountability arguments
for putting the exemption 'up front' where it can be seen and widely
understood. On the other hand, the exemption will hopefully only be required
rarely and in relation to very few organisations, and it may be argued that it
is better not to 'clutter up' what should be simple and easily understood
principles (see elsewhere for our general view that the Bill has in any case
failed to meet this objective).
Our other concern about the intelligence agency exception is the failure to
provide for a record to be kept by organisations of such disclosures - similar
to the requirement applying to law enforcement exceptions (NPP 2(2)). While it
would clearly be appropriate for such records to be kept secure and
confidential, the absence of any record, reviewable by an independent officer
such as the Privacy Commissioner or Ombudsman (or perhaps the Inspector General
of Intelligence and Security) is an open invitation for abuse. While the
intelligence agencies themselves may be accountable (through the
Inspector-General) for their use of the exception, what is to stop other
organisations (such as private investigators, or police forces) from purporting
to be an intelligence agency in order to obtain personal information to which
they would not otherwise be entitled?
Nigel Waters
Convenor, Australian Privacy Charter Council
12A Kelvin Grove, Nelson Bay, NSW 2315
E-mail: nigelwaters@primus.com.au
Created: 3 August 2000
Last Amended: 3 August 2000