AUSTRALIAN PRIVACY CHARTER COUNCIL
Submission to an Inquiry by the House of Representatives Committee on Legal and Constitutional Affairs
Re: The Privacy Amendment (Private Sector) Bill 2000

Convenor

Australian Privacy Charter Council

Version of May 2000

© Australian Privacy Charter Council, 2000

This document is at http://www.privacy.org.au/apcc/Submns/HoR0005.html


The Australian Privacy Charter Council

The Australian Privacy Charter Council was formed in 1992 to promote observance of best practice privacy standards throughout the Australian community. Under the chairmanship of Justice Michael Kirby, then of the NSW Court of Appeal, the Council brought together privacy, consumer and civil liberties experts with representatives of the business community.

In 1994, the Charter Council launched the Australian Privacy Charter, which is attached to this submission. The Charter sets out 18 principles, reflecting international best practice, which provide a benchmark against which specific proposals for privacy laws and guidelines can be measured. The Charter and its principles are appended to this submission.

The Charter Council continues in existence to promote the Charter and its principles, to comment on privacy initiatives, or the lack of them, in particular sectors and jurisdictions, and to provide a forum for discussion of privacy which brings together representatives from a wide range of interests - non-government organisations, business and government.


Introduction

This submission is largely based on the one made to the Attorney-General's Department in January on its December 1999 `key provisions' paper. Unfortunately, the Bill as introduced has not addressed most of the criticisms that we made in January of the government's proposals.

We have no doubt that statutory privacy protection in the private sector is urgently required. Regrettably the Bill provides only partial and imperfect 'safeguards' as to how personal information can be used. The proposed regime has lost most of its other critical function, which is to give individuals more control over when and if personal information can be used. In the context of growing business convergence, e-commerce and so-called customer relationship management (often a code term for cross-selling), it is this control function which will increasingly be demanded by consumers.

Our detailed comments and criticisms of the Bill are given below. If enacted unchanged, it would provide an entirely false sense of re-assurance to the Australian public. It would also fail to achieve one of the main objects set out in Clause 3 - "meets international concerns and Australia's international obligations relating to privacy to meet our international obligations". In our view, based on the expert knowledge of several of our members, the Bill will fail to meet the standard of adequacy required by European Union member states for transfer of personal data to other jurisdictions under Articles 25 & 26 of the 1995 Data Protection Directive (95/46/EC).

As a result of the Bill's major weaknesses, it will fail to give consumers and business alike the confidence to use and invest in electronic commerce and service delivery, which we understood to be one of the government's main objectives.

The good work done over the last two years by participants in the Privacy Commissioner's consultation process, and more recently in the Attorney-General's Department's consultations, will have been largely wasted if the Bill is enacted in its current form.

The Charter Council urges the Committee to recommend the amendments we suggest in this submission. The required changes, most of which would not be opposed by the majority of business interests, could result in legislation which we could all support.

Many of our recommendations and suggestions would have the result of simplifying the legislation. By seeking to accommodate so many special interests, the government's proposed amendments would make the Privacy Act even more complex and hard to understand than it is already. The Bill fails the important test that should apply to all new legislation - that it be simple and easily understood both by those with obligations and those with rights.

We have not dealt with the many areas of the proposed legislation which we support. In focussing on criticisms and weaknesses, we do not wish to overlook the many uncontentious provisions, or the good work done by the Attorney-General's Department and Parliamentary draftsmen in dealing with issues such as outsourcing, extra-territorial operation, and temporary public interest determinations. Our silence on a particular provision should not however necessarily be taken as support, as we may have missed some adverse implication which others may detect. We will read other submissions with interest and reserve the option of commenting on other aspects of the Bill in due course.


Comments on key features

The practical effect of the legislation will be determined by the combined operation of the principles, the exemptions and the definitions. The Committee needs to ensure that it does not take the apparent superficial meaning of a particular provision at face value, since it may be undermined either by an exemption or by the effect of a definition - some of the terms used in the Bill do not carry their normal meanings.


Employee record exemption

We remain totally mystified as to the logic of the proposed exemption for employee records - the government has produced no evidence or details of the protection that it claims is or will be provided under Workplace Relations legislation. As we have repeatedly stated, the handling of employment records is one of the areas where individuals are most in need of the safeguards provided by accepted privacy principles - given the serious consequences that can flow from inappropriate practices.

However effective the legislation is made in relation to other types of personal information, we will only have 'half a law' if employment records remain exempted.

We acknowledge concerns in the business community about a requirement to give employees access to sensitive human resources information, and some categories of commercial in confidence information. We believe that these concerns have been adequately addressed - to the satisfaction of business representatives - by the Privacy Commissioner in drawing up exemptions to NPP 6. If there are outstanding concerns, we would like to see these spelt out with a view to addressing them by partial exemptions from particular principles.

There can be no justification for exempting employers from unarguable principles such as those relating to data quality (NPP 3) and security (NPP 4). The notice requirements of Principle 1 should also apply - it is difficult to see what possible reason there could be for not telling employees about the extent of monitoring - whether by video or of emails or phones.


Media exemption

Again, while we acknowledge the need for exemptions from some of the principles for the news media, the proposed media exemption (proposed s.7B(4)) is far too broad.

Firstly, it is a serious mistake to try to define the exemption via a definition of journalism that rightly includes reporting etc of 'other information' (definition of journalism and media organisation - items 18 & 19). This correctly characterises the profession of journalism broadly, but results in the exemption applying to virtually anything that any publisher does. The important issues of freedom of speech and the public interest role of the media are confined to news and current affairs - there is no justification for the exemption extending to so-called 'infotainment' or other forms of publication and broadcasting.

Another danger in the current approach is that any organisation could seek to legitimate a breach of the collection or use and disclosure principles simply by publishing the information, thereby compounding the breach. As an example, the recently launched Crimenet web site - a private sector venture which publishes apparently unverified information about alleged offenders - would be likely to fall within the media exemption as currently drafted, thereby escaping from any controls or accountability. So too would the publication last year by a gun lobby magazine of the names and home addresses of politicians favouring gun controls.

While a suitable definition of exempt media activity may be difficult to agree, it is vitally necessary if some of the most scurrilous and intrusive privacy invasive practices 'hiding' behind a media exemption are to be avoided.

One possible partial solution would be to introduce a public interest test whereby news and current affairs providers would have to demonstrate a genuine public interest in the practice concerned in order to take advantage of the exemption.


Small business exemption

It is difficult to see the justification for this exemption other than as a blatant political expedient. Many of the most highly privacy intrusive activities are undertaken by businesses which would almost exclusively fall under any size threshold, let alone the arbitrary and generous $3 million turnover figure used in the Bill. Debt collectors, private investigators, and direct marketers are almost all `small businesses' and while some of these may be picked up by the `transfer of personal information' condition (see below) others may not, particularly if they structure their services to deliver `outcomes' rather than information.

The size threshold is also an open invitation for larger organizations to re-structure their organizations into separate business entities all of which fall under the threshold. The effect of this would be not only to exempt the individual businesses but also to remove any controls over the transfer of personal information between them - for example, a retailer could avoid the application of NPP 2 to direct marketing by splitting its operations into separate `under $3 million turnover' businesses. In this case, even the `transfer of personal information' condition would not help, as there would be no transfer - the information would still be within the single 'small business operator' as defined in the proposed section 6D.

The proposed operation of this exemption is also somewhat unclear. "Small business" is defined to exclude organisations holding sensitive data, which seems obtuse, as some small businesses (as the term is normally used) will legitimately hold sensitive data. The exemption then also requires that the small business not "transfer personal information ... to anyone else for a benefit, service or advantage." This would seem to ensure that only innocuous activities are exempt, although it should be recognised that the effect will be (rightly) to keep many small businesses under the coverage of the law.

The introduction of the term 'transfer' in this provision (with a different meaning from its use in the transborder data flow principle) is potentially confusing. It may be helpful to clarify that the exemption would not be lost simply as a result of a small business 'disclosing' personal information incidentally as a result of a legitimate activity - eg: to contractors or agents.

The complexity of the formula for the small business threshold (s.6D) with its many conditions, is a recipe for confusion - both for businesses themselves, and also amongst consumers - who cannot realistically be expected to know if a business they are dealing with is covered by the Act or not. Nothing will bring the law into disrepute faster than the many cases in which individuals will make a complaint about an interference with their privacy only to be told that there is nothing that can be done simply because the business concerned arbitrarily qualifies for the small business exemption. For small businesses, the cost of working out whether they are exempt, and of constant monitoring to ensure they stay within the conditions, will surely outweigh the marginal costs of full compliance.

We are sympathetic to the concerns of small businesses about compliance costs, and it is unfortunate that the government's delay in bringing forward legislation means that implementation will overlap the GST introduction. However, overseas experience shows that the compliance 'burden' associated with the introduction of privacy laws is much less than feared and anticipated.

If the privacy interests of Australians deserve legislative protection, then that protection must apply irrespective of the size of the organisation handling personal information.


Exemption for political activity

This exemption has been introduced at the last minute and has not been subject to any discussion or consultation in the development of the legislation. We challenge the government to disclose the detailed advice it claims to be relying on for its claim that subjecting political activity to the privacy principles would infringe an implied constitutional right to freedom of political communication.

Even if there is an overriding public interest in exempting political parties and representatives from some of the principles - such as the collection, use and disclosure principles (which we refute), there can be no good reason for exempting them from the need to comply with the other principles, such as those requiring data quality, openness, security etc. There can also be no objection to the right of access, which becomes all the more important as a safeguard if the effect of some of the principles is limited.

We invite the Committee to consider most seriously the message that the legislation will send to the community if it says, in effect, that most organisations cannot use unfair or deceptive collection practices, or use or disclose personal information in unexpected ways, or keep their opinions about individuals secret; but that it is perfectly in order for political parties and politicians to do all of these things!


Use by related bodies corporate

The National Privacy Principles (NPPs) already had a serious weakness in the wide definition of 'organisation'. This has now been compounded and magnified by the inclusion of a provision (proposed s.13(B)) that expressly allows collection and disclosure between organisations that are 'related bodies corporate' as defined under the Corporations Law.

It is not entirely clear what the effect of this exemption will be - the Explanatory Memorandum and the Attorney-General's Department Fact Sheet suggest that uses and disclosures will still be subject to all the provisions of NPP 2. But if so, it is difficult to see why the related bodies corporate exemption is required and what it achieves (what value is there in sharing without an end-use in mind?). Proposed new NPP 2.3 suggests that the effect of the provision will be to ease the limits that NPP 2 might otherwise place on secondary uses such as marketing. We suggest that the Committee might like to explore the intention behind this provision, and its practical effect, in detail.

There is in our view no justification for a broad exemption from the application of any aspect of the collection and use & disclosure principles to transfers of information between organisations simply on the basis of an arbitrary company law association. The structure of corporate groups is usually quite opaque to consumers and often bears no relation to functions, activities or lines of business.

The basis of the use and disclosure principle is to ensure that only those uses and disclosures that are within the reasonable expectation of individuals are permitted without consent (unless they meet one of the other defined exceptions). To override this presumption in favour of corporate groups being able to internally exchange data at will would fatally undermine the principle.

The use and disclosure principle (NPP 2) should apply unaltered to transfers between different legal entities. If owners choose to take advantage of complex corporate structures for other reasons, they should not gain the incidental benefit of being able to ignore individuals' legitimate and reasonable expectations about privacy.

To give a practical example, many people are concerned about the use of personal information for the purposes of marketing of goods or services that are unrelated to an earlier transaction during which their details were originally captured. The effect of this provision (proposed s.13(B) together with NPP 2.3) may be that many such marketing uses will not even have to pass the (already inadequate) tests included in NPP 2.


Ownership changes

The provisions relating to transitions in partnerships (proposed s.13(C)) seem adequate to deal with changes in ownership, but similar provisions should also apply to changes in ownership of corporations. We had assumed that the normal application of business law would apply to such transitions and that special provisions would not be necessary in the Privacy Act. But if such provisions are included, it should be made clear that successor 'owners' inherit the obligations about use and disclosure that applied to their predecessors, and that they would not be free to redefine the boundaries of use and disclosure without reference to the individuals concerned.


State owned businesses

The Bill proposes to leave coverage of State owned corporations to the discretion of State governments, who can choose to have the federal Act apply to their businesses (proposed s.6F). (The combined effect of proposed sections 6C(4) and 6F is confusing.)

Currently, only NSW has privacy legislation and that law exempts state owned corporations - presumably on the basis of putting them on an equal footing with privately owned competitors. Now that those competitors are to be covered by the federal law, we hope that the NSW government will close the gap, either by extending their own law (the Privacy and Personal Information Protection Act 1998) or by taking up the option of having their own businesses subjected to the federal Act.

Given the slow progress in other States, we would like to see the federal law apply to State owned corporations as the default position, with an option for States and Territories to subject them instead to their own law.


Health information

We do not disagree with the need for special attention to personal health information, but the provisions in the Bill are too generous in relation to management and research uses without consent. We share the serious concerns of the Health Issues Centre and the Consumers Health Forum who have analysed the health provisions in more detail, with expert knowledge, and support their submissions. We have not been able to give these provisions as much attention, but do have the following specific concerns.

The interaction of the various provisions concerning sensitive and health information is quite complex and not easy to fully understand.

In the definitions, it should be expressly stated that health information includes information about an individual's genetic make-up - this is potentially one of the most sensitive pieces of information about someone, and the public will rightly demand that the most stringent privacy principles apply to genetic information.

The definition of health service includes activities "claimed" by the provider to be in the defined categories. If the only use of the definition was to apply more stringent standards the breadth of this definition would not matter too much, but as the effect is in some cases to give access to more generous use and disclosure rules, extreme care needs to be taken to ensure that only recognised health professionals can take advantage of them.

Principle 2.4 seems extraordinarily complicated to deal with the admittedly important issue of disclosure of health information to carers and relatives. Including such elaborate and prescriptive text in the principles defeats the objective of keeping them concise and easily understood. It should not be difficult to devise a simple 'humanitarian' exemption and leave the detailed interpretation to Commissioner's Guidelines and practical common sense.

We remain concerned that the sensitive information principle (NPP 10) applies only to collection. The more restrictive conditions of this principle should apply not only to collection but also to `secondary' use and disclosure of sensitive information collected initially for a bona fide purpose.


Note about `related purpose'

The government has accepted the Privacy Commissioner's advice to vary the wording of Principle 2.1(a) for sensitive (including health) information, which will be required to be `directly related' to the purpose of collection to take advantage of this exception. While we support the intention of this amendment, we are concerned that it might have the unintended effect of lessening the protection offered to all other personal information, which can be used under exception (a) if the purpose is merely `related'. Our concerns in this respect are heightened by the suggestion in the Privacy Commissioner's advice on health information that such uses as management and planning of health care may be regarded as `directly related'.

While this is intended to be the subject of further guidelines, we are disturbed by this interpretation. We would argue that many of the `administrative' uses of health information being discussed are not only not `directly related', they are not even `related' - at least closely enough to gain the benefit of exception (a). It is essential that the statutory regime retains the integrity of the fundamental `purpose limitation' principle and does not allow too many self-serving uses to be `authorised' by the necessary related purpose exception.

Fortunately, the other part of the test in exception (a) - that the use be within the reasonable expectation of the individual - should ensure that there is not too much `creep' towards excessively broad interpretations. But constant vigilance will be required to ensure that the natural tendency of data users to regard most intended uses as `related' is held in check.


Relationship of Codes to the default statutory regime

While we do not object to the principle of providing an option for Codes of Practice to 'customise' the regime for particular sectors, we have strong reservations about the way in which the Bill provides for Codes as an alternative to the default statutory scheme.

It remains to be seen what demand there is for Codes - it may well be that, as in New Zealand, very few sectors see the value in developing a Code, and are happy to live with the default regime. The Explanatory Memorandum itself points out one of the weaknesses of the approach: "For example, different codes nominate various dispute resolution bodies, creating jurisdictional problems and administrative burdens for business." And yet the Bill expressly provides for such different bodies (Code adjudicators).


Codes and Complaint-handling

The Bill appears generally to envisage that a Code will either include self contained complaint handling machinery, or leave complaint handling entirely to the Commissioner, either under the default statutory scheme, or by appointing the Commissioner as the Code adjudicator, presumably to handle all stages of complaints. However, proposed s.40(1B) (Item 80) appears to envisage a hybrid system, which would allow sectors to initially deal with complaints through an industry body (Code adjudicator), but to refer complex or difficult complaints to the Privacy Commissioner. Such a hybrid arrangement may be very attractive to some sectors and we seek confirmation that this is the effect of Item 80.


Enforcement of Codes

The Bill fails to provide adequate arrangements for the enforcement of codes, and for ensuring consistency of interpretation. As we have argued in earlier submissions, it is essential that there be some formal link between an approved Code and the statutory enforcement mechanisms. Proposed s.18BB(3)(d) (item 58) suggests that a Code adjudicator's decisions will have the same status as those of the Privacy Commissioner in the default scheme. This is given effect by proposed s.55A (item 99) which provides that adjudicators' determinations will be enforceable in the federal court (or magistracy), and we welcome this as a significant improvement over earlier proposals. However, private sector Code adjudicators are (rightly) not given the same powers as the Privacy Commissioner (such as requiring witnesses and information, entering premises and inspecting records), and their effectiveness in investigating complaints may therefore be hindered.

The proposed regime appears to assume that most complaints will be resolved through 'friendly' and co-operative discussion. While it is true that the Privacy Commissioner has rarely had to exercise his or her formal powers, the importance of having such powers 'in reserve' should not be underestimated. It should also be borne in mind that to date, the Commissioner has been dealing primarily with Commonwealth agencies and larger credit providers - sectors where a high level of 'voluntary' compliance and co-operation can be expected. Under the wider jurisdiction, the Commissioner, and Code adjudicators to a lesser extent, will face many organisations which are much less inclined to co-operate.


Lack of Appeal rights

The Bill also fails to provide a right of appeal against decisions of Code adjudicators. The ability to enforce a favourable determination in the federal court (or magistracy) is of no value to a complainant whose complaint has not been upheld by a Code adjudicator. Given the unavoidable tendency for industry appointed adjudicators to be influenced by sectoral interests (this after all being the rationale for their existence), it is essential that complainants are able to appeal to a genuinely disinterested person or body if they are dissatisfied with the decision of an adjudicator.

Our other related concern is about consistency of interpretation. Very few privacy complaints can be expected to reach the federal court (magistracy) and this will not therefore be an effective way of ensuring consistency. This is another reason why it is essential in our view that the Privacy Commissioner be given some role in reviewing decisions of Code adjudicators - not necessarily an automatic right of appeal, but at least the ability (discretion) to intervene in significant cases, either as a result of a complainant's request or on his or her own initiative.

Even with the requirement in proposed s.18BB(3)(a)(i) that a Code complaint handling scheme must meet prescribed standards (envisaged as the 1997 Consumer Affairs Benchmarks[1]), we have no confidence, on the basis of self-regulation to date in various sectors, that Code adjudicators left entirely to their own devices will provide individuals with impartial, fair and consistent judgements on privacy issues, particularly given the necessarily broad nature of the principles.

Ultimate authority to set the privacy standards expected of the private and public sectors alike should reside with one or more independent statutory officers - sectoral bodies appointed by and responsible to businesses in that sector run the constant risk of adopting convenient interpretations which favour industry practices over a robust defence of individuals' rights.

Ideally, the decisions of the Privacy Commissioner in the default jurisdiction should also be able to be appealed on their merits (not just on points of law).


Modification of the law should be subject to Parliamentary scrutiny

Paragraph 166 of the Explanatory Memorandum confirms that Codes approved by the Privacy Commissioner will not be disallowable instruments. Given the Commissioner's ability to approve not only initial Codes, but also variations and to revoke Codes, which amount to the law for the relevant sector, the safeguard of potential disallowance is essential. Judicial review is no substitute for the ability of Parliament to control the specification of legal obligations.


Other comments

Definition of personal information

We strongly urge that the definition of personal information be modified to include `potentially identifiable' information (as the current Privacy Act definition does), but should not continue to exclude information in a generally available publication.

Many of the recent privacy controversies, concerning collection of information on-line, have revolved around the collection of e-mail addresses or IP addresses, which can either be used to communicate directly with a person or can be subsequently matched with other information to add to a profile of a particular individual.

However, it is arguable that an email address or IP address is not 'personal information' as defined in the legislation, as they do not unambiguously identify an individual. The same applies to telephone numbers, even though these are routinely used as a surrogate identifier for either the subscriber to the line, or a regular user.

It is essential that the definition of personal information is clarified, to put beyond doubt that it applies to such 'indirect identifiers' and to the information collected and held in association with them. One way of doing this would be to adopt the definition in the UK Data Protection Act, which includes "identified from the information itself or from other information in the possession of the data user".

The definition of health information relies on the definition of personal information and is therefore subject to the same limitation. This weakness is especially worrying in the health context, in that it would potentially exclude information from which names or dates of birth had been removed, even if other information in the possession of, or easily obtained by, the data user could, in combination with the `de-identified' data, readily identify individuals.


Generally available publications

The existing Privacy Act regime already contains the weakness of an unjustifiable exclusion for information in a `generally available publication'. This occurs because of the interaction of the definitions of "personal information" and of "record". The Bill fails to take the opportunity to simplify the way the Act works by removing the intervening concept of 'record' - we have long argued that 'Plain English' legislation would simply subject any handling of personal information to the Principles.

The Bill compounds the exemption by adding 'however published' to the definition of a generally available publication. It has never been clear if the effect of the exclusion is to exempt only a generally available publication itself, or the information contained in a generally available publication. The Attorney-General's department argued for the latter view in relation to Telstra's application for a public interest determination in 1990-91, but the then Commissioner took the former view in his Determination[2]. It would be helpful to put the former view beyond doubt, and at the same time to review the intention and practical effect of the provision.

We agree that published information (including public register information) needs some special rules, but there is no need or rationale for excluding information from the application of the principle simply because the same information is also published - in the private sector context there is also the possibility that an organisation might seek to legitimise a clearly undesirable practice by publishing the personal information concerned, thereby gaining the benefit of this exemption (and also perhaps the media exemption - see above).

These are fundamental issues and it is a major weakness of the Bill that it stands by the narrow definition of personal information, and does not deal at all with the related issue of protection for public register information.


Outsourcing

The Bill generally deals well with the issue of outsourcing. But the further delay of 12 months before the provisions take effect is unacceptable. We have consistently argued for the re-introduction, passage and implementation of the Privacy Amendment Bill 1998 which would have had the same effect. With major data processing and other functions of government due to be contracted out over the next year, further delay is inexcusable. Unless the government is prepared to freeze any further contracting out until the new legislation is in place and operational, the 1998 Bill should be passed as soon as possible to ensure that Australians do not continue to lose the limited privacy protection that they currently enjoy. Alternatively, the new Bill could provide for the law to apply to contractors to Commonwealth government agencies immediately.

The longer term issue of harmonising private and public sector regimes is discussed further below.

There is one particular issue relating to contracting which we do not fully understand. Proposed s.6A(2) (and Item 37) appear to allow Commonwealth agencies by contract to authorise acts and practices which would otherwise be a breach of the NPPs. We assume that this is only to ensure that the IPPs in the existing Act continue to prevail, and we would like to see this confirmed (see also the comments below about harmonisation).


Scope

We welcome the provisions in Item 42 for reviewing the existing exemptions for certain government agencies and business enterprises imported from the FOI Act. We would however like to see the agencies and activities to be brought under the NPPs specified in the Act rather than left to regulations. There will no doubt be vigorous rearguard actions fought by currently exempt government entities in an attempt to avoid prescription.

We are not sure if the effect of Item 42 is confined to commercial activities. If so, then there should also be a review of some of the other exemptions in the FOI Act schedules, which appear to have been the arbitrary outcome of successful lobbying rather than of any reasoned justification.


Rights of non-residents

We note that the legislation re-affirms the limitation on correction rights only to Australian citizens and permanent residents (item 87, amending s.41(4)). This is a major flaw that will clearly contribute to the Bill failing to meet the European Union's 'adequacy' test. The whole point of the EU 'overseas transfer' provisions is to try to ensure that EU citizens can take advantage of similar privacy protection wherever in the world their information is transferred. Limiting the jurisdiction of the law, in respect of correction rights, to Australians does not make sense in this context and there are no apparent benefits.

We note that the New Zealand Privacy Commissioner, in his recent review of the New Zealand Privacy Act 1993, recommended extending all of the rights under that Act to non-residents as one essential amendment to ensure the law is acceptable to the EU and other jurisdictions (such as Hong Kong) with overseas transfer provisions.


The National Principles

We have some significant concerns about the Privacy Commissioner's National Principles, as incorporated into the legislation. The Principles represent the Commissioner's best efforts rather than a consensus between the parties involved in the consultations. Apart from the matter of Principle 10 already mentioned above, we have concerns about the following:


Other new elements to the principles

Since 1994, the Australian Privacy Charter, devised and now promoted by the Council, has espoused several principles which go beyond the limited, though valuable framework of the OECD guidelines. Some of these principles deal with aspects of privacy other than information privacy. Since the current proposal only purports to deal with information privacy, we will reserve our position on these other aspects of privacy for other forums.

There are however three principles in the Charter which are relevant to information privacy but which are missing from both the government's proposals and from the existing Privacy Act. Charter Principles 1 (`prior justification') and 18 ('no disadvantage') can often be effectively argued in the context of particular privacy intrusive initiatives. It would however be desirable to have both these principles enshrined in legislation to lend support to the Privacy Commissioner's `watchdog' role.

The best way of implementing the `prior justification' principle would be through a requirement for privacy impact statements for proposals (whether in the private or public sectors) which met certain criteria for potential privacy intrusion. There is already a precedent for such statements in Commonwealth law - the program protocols required under the Data-matching Program (Assistance and Tax) Act 1990.

Consideration should be given to including in the Bill a requirement for privacy impact statements in appropriate circumstances.

The `no disadvantage' principle is becoming increasingly important as individuals are faced with the offer of goods and services on favourable terms on condition that they waive some privacy rights (usually the right to prevent secondary uses and disclosures). In order to ensure that individuals are not put under pressure to `sell' their privacy, this principle needs to be enshrined in law so that it is able to be invoked against unreasonable `contractual' waivers of privacy.

Charter Principle 7 deals with public register privacy. This is a complex issue which deserves separate consideration, as it receives in many overseas privacy laws. It is also related to the definition of personal information and the inclusion or exclusion of material in 'generally available publications' discussed above (see under Definitions).


Retrospectivity

The proposed section 16C disapplies Principles 1, 2, 6, 8 & 10 from information collected, or transactions entered into, prior to commencement. While this is sensible for Principles 1 and 10, there is no reason why organisations should not be required to use best endeavours to comply with at least the spirit of Principles 2, 6 and 8 in respect of information already held, accepting that it would be unreasonable to enforce the same standards as would apply to information collected subsequently. Experience overseas suggests that many organisations will in any case find it easier to apply the same regime to all data than to make an administrative distinction.


Timing

The twelve-month delay after Royal Assent before organisations are required to comply with any of the NPPs (cl.2), and the further twelve months' grace for small businesses in respect of some principles (proposed s.16D), are an unnecessarily long phasing-in period. The principles are well known and understood by many larger businesses, and relatively easy for smaller businesses to come to terms with and implement.

While a shorter phased introduction for mandatory compliance with some of the principles is acceptable, there is no reason why the Privacy Commissioner could not be given the power to investigate complaints during Stage One, albeit without the power to find breaches of the principles or award remedies. A recommendatory ombudsman role during this stage would complement the educational and promotional roles, and would help to ensure that organisations took their responsibilities seriously as they prepared for full implementation. Without it, it will be difficult to generate public interest in the new rights.

We therefore urge the Committee to recommend an earlier commencement, with only delayed application of selective provisions where a strong case can be made.


Charging for complaints

The September information paper suggested that charges may be levied on individuals for making and handling privacy complaints. The Council is opposed in principle to charges for consumers, which would also undermine the existing `free' character of many voluntary industry ombudsman schemes. Privacy complaints do not typically involve significant financial considerations and individuals could not often hope to recover the costs of a complaint. It is in the general public interest for genuine complaints to be brought, so as to improve overall compliance. Imposition of charges would be likely to deter individuals from coming forward with complaints.

Any concerns about mischievous or malicious complaints can be dealt with by robust grounds for declining or discontinuing cases, rather than by any `crude' financial disincentive.


Functions of the Privacy Commissioner

The one important function under the existing Act which is not extended to the new private sector/NPP jurisdiction is the audit power (s.27(1)(h); 28(1)(e) and 28A(1)(g)-(j)). There is no good reason why the Commissioner should not be empowered to conduct audits of compliance with the NPPs, and every reason why he should. While the number of audits conducted by the Commissioner in the tax file number and credit reporting jurisdictions has been modest, it has over the years built up into a very useful 'sample' of compliance.

The existence of the audit function sends a message to organisations that they cannot just take the risk of doing nothing with the only 'threat' being the receipt of a complaint. It is the nature of many privacy breaches that the individuals affected may not become aware of the breach, or be able to trace an adverse consequence back to a privacy compliance issue. The Australian Privacy Act has been one of only a few laws, internationally, to include a significant pro-active audit role for the Commissioner and as such it is widely admired.

We strongly urge the Committee to recommend the extension of the audit function to the new private sector jurisdiction.


Relationship between private and public sector schemes

It is clearly not intended to significantly amend the existing regime of Information Privacy Principles applying to Commonwealth agencies. Given the increasingly blurred distinction between public and private sectors, it would be unfortunate if the government left the Australian community with two different regimes other than as a short term expedient. Harmonisation was one of the recommendations of the 1998 Senate Committee report.

The Charter Council acknowledges that any change to the public sector regime would require further consultation with Commonwealth agencies and representatives of affected individuals and third parties. It is understandable, and desirable, that the need for such consultation should not hold up the implementation of a private sector scheme. The Council therefore supports the early passage of the Bill (subject to the many amendments suggested in this submission) to implement a private sector scheme.

The government should however also commit itself to a firm timetable for review of the existing public sector regime, with a view to bringing the IPPs in section 14 of the Act into line with the private sector principles. Contrary to a commonly held belief, the National Principles developed by the Privacy Commissioner, which are to form the basis of the private sector scheme, were not designed exclusively with the private sector in mind. The fact that they were adopted by the previous Victorian government for application to its State public sector bears this out. We also disagree with the claim in the Explanatory Memorandum that the IPPs set a higher standard than the NPPs - this may be true in some respects, but in others the NPPs were deliberately designed to address some of the weaknesses of the IPPs (such as the exemption for disclosures simply on the basis that individuals had been notified (IPP 11(1)(a))).

The review of the public sector principles should also include consideration of the relationship between the access and correction provisions of the Commonwealth Freedom of Information Act 1982 and of the Privacy Act. A government response to the recommendations of the joint ALRC/ARC report in 1995 on the FOI Act is long overdue. In the Charter Council's view, there is a strong case for transferring the access to personal information provisions of the FOI Act to the Privacy Act, leaving the FOI Act to emphasise openness and access to government information. There would need to be close co-operation between the Privacy Commissioner and the agency responsible for implementing the FOI Act (an Information Commissioner?). There would also need to be further consideration given to the definition of personal information and its application in FOI and Privacy contexts.


Disclosures to intelligence bodies

We are not persuaded that the Bill adopts the right approach to providing for national security needs. Disclosures to intelligence bodies are now dealt with in a separate schedule - Schedule 3 - rather than, as in the National Privacy Principles, in the use and disclosure principle. This will have the effect of 'masking' the actual availability of the exemption, which will no doubt only be pointed out to organisations as and when an intelligence agency needs to seek personal information. There are strong accountability arguments for putting the exemption 'up front' where it can be seen and widely understood. On the other hand, the exemption will hopefully only be required rarely and in relation to very few organisations, and it may be argued that it is better not to 'clutter up' what should be simple and easily understood principles (see elsewhere for our general view that the Bill has in any case failed to meet this objective).

Our other concern about the intelligence agency exception is the failure to provide for a record to be kept by organisations of such disclosures - similar to the requirement applying to law enforcement exceptions (NPP 2(2)). While it would clearly be appropriate for such records to be kept secure and confidential, the absence of any record, reviewable by an independent officer such as the Privacy Commissioner or Ombudsman (or perhaps the Inspector-General of Intelligence and Security), is an open invitation for abuse. While the intelligence agencies themselves may be accountable (through the Inspector-General) for their use of the exception, what is to stop other organisations (such as private investigators, or police forces) from purporting to be an intelligence agency in order to obtain personal information to which they would not otherwise be entitled?


Nigel Waters

Convenor, Australian Privacy Charter Council

12A Kelvin Grove, Nelson Bay, NSW 2315

E-mail: nigelwaters@primus.com.au


Appendix: The Australian Privacy Charter



Created: 3 August 2000

Last Amended: 3 August 2000
