APF Submission - HoR - Private Sector Bill

Australian Privacy Foundation
Submission to the House of Representatives Standing Committee on Legal and Constitutional Affairs
Inquiry into the Privacy Amendment (Private Sector) Bill 2000

August 2000

This document is at http://www.privacy.org.au/Papers/SubmnHoR0008.html


The Australian Privacy Foundation is a non-government organisation which seeks to represent the public interest on privacy issues. The APF is the main non-governmental organisation dedicated to protecting the privacy rights of Australians. The Foundation aims to focus public attention on emerging issues which pose a threat to the freedom and privacy of Australians. The Foundation has led the fight to defend the right of individuals to control their personal information and to be free of excessive intrusions.

The Privacy Foundation plays a unique role as a non-government organisation active on a wide range of privacy issues. It works with consumer organisations, professional associations and other community groups on specific privacy issues. It gives informal assistance to individuals with complaints about privacy invasions. The Privacy Foundation is also a participant in Privacy International, the world-wide privacy protection network. Where possible, it cooperates with and supports official agencies, but it is entirely independent of the performance of agencies set up to protect our privacy.

The Privacy Foundation does not believe that privacy is an absolute right. It believes that privacy interests must be balanced against a range of other social and economic interests. However, it believes that privacy interests of the majority are too often sidelined by other interests, and aims to add balance to the public policy process.

The Privacy Foundation is an entirely voluntary organisation. It is involved in a wide range of privacy issues. During 2000, the following are regarded as the matters of highest priority:


Background

The implementation of comprehensive national privacy legislation is a major priority for Australia as we enter the information age, in which the right to control personal information will be a defining issue of individual rights and personal freedoms.

The threats to privacy have never been so extensive. Technology makes it possible for information on the most intimate detail of people's lives to be collected, used and disclosed to others without the person concerned even knowing what is going on. Changes in business and marketing practices have meant that detailed customer information is one of the most valuable assets a company can hold.

Most countries with similar democratic traditions to Australia implemented privacy laws years ago. Australia lags a long way behind. It was not until the late 1980s that Australia implemented privacy laws for the Federal Government, and more than a decade later, only one state government has a privacy law in place. Despite this, Australians are amongst the earliest adopters of new technologies - technologies which may often create greater privacy risks.

The public overwhelmingly supports privacy legislation in the private sector. Surveys show that more than 4 out of every 5 people say that governments should implement laws to safeguard their personal information.

The Privacy Foundation believes that the proposed law is flawed in many respects, and while lifting the overall level of privacy protection would lead to privacy standards in some areas. The current Bill reflects too heavily the influence of special interests and does not adequately reflect the public interest or public expectations. As one of the last industrialised democracies to implement privacy legislation, Australia has the opportunity to learn from overseas and enact a better privacy law. Instead, in its current construction the Bill appears to ignore much overseas experience and create wide and sometimes clumsy exemptions which experience overseas has shown are not necessary.


The opportunity

Although Australia is late in introducing privacy legislation, it still has the opportunity to establish an effective framework of privacy safeguards as we move into the information society of the 21st century. The Privacy Foundation believes, however, that time is limited, as the standards established now in the emerging information society are likely to endure for many years. It is essential for public policy to have foresight and create a stable and lasting policy framework which gives individuals an appropriate level of control over their personal information.

The rapid development of new technologies makes the task of creating consistent national privacy legislation urgent. For example, a Forrester Research report in March 2000 predicted that more than 200 billion marketing e-mails will be sent by 2004, with each American household receiving 9 marketing e-mails per day. A similar trend will occur in Australia. Increasingly, business and standard transactions between individuals and organisations will be done online. Without adequate protection, privacy abuses will become more common - such as the CrimeNet website recently launched in Australia, or the incidents involving major internet businesses such as DoubleClick, Yahoo and RealNetworks in the United States over the past six months.


The aims of a privacy law

As a general guide, the Privacy Foundation believes that the interests of Australians are best served by legislation which achieves the following aims.


1. It should give you the right to control your personal information

Everywhere we go, and in everything we do, we are now creating a trail of personal data that someone, somewhere can later use in ways that we can hardly imagine. When we make a phone call, when we e-mail someone, when we go to the supermarket, when we travel on a motorway, when we go to the doctor, when we sit an exam - we are creating records of personal information.

The information society is forming around us. And in this information society, your right to control your personal information is crucial if you are going to have control over your life. Without this right, other organisations can make decisions about you, without your knowledge or consent, based on information which you don't even know they have (and which may not even be accurate). And if you do something wrong or embarrassing, it can follow you like a shadow which never leaves.

That's why privacy legislation is so important. It's the foundational human right in an information society. It's what lies behind fundamental freedoms, like the freedom of speech, freedom of movement and the freedom to make your own choices about your life.


2. It should give you control over when your personal information is collected

Privacy law should give you control of the flow of your personal information. When someone wants to obtain personal information from you, you have a right to know who they are, what they are collecting, how they will use it, and what will happen to the information. You should not be unfairly discriminated against just because you are not comfortable to hand over your personal information.


3. It should give you control over how your personal information is used

Privacy law should restrict how organisations use your personal information. Other than in very special circumstances (such as a life threatening situation) information should not be used for purposes beyond the purpose of its original collection.


4. It should stop your personal details being traded without your consent

Your information should not be passed on to other organisations without your consent. This is an abuse of the trust you place in an organisation when you give them information about you. And organisations should not be able to get away with requiring your consent to whatever they want to do with your information, just because you have signed a wordy agreement that doesn't even explain itself. Privacy law should give you real choices about how your information is used.


5. It should give you a right to check out what information companies have about you, and to change it if it is wrong

If a business is keeping information about you, you have a right to see that information - to know what it says, and if it is not accurate, to correct it or have it removed. This includes your medical records and records of your employment. An organisation which holds your personal information should be open about what it holds and what it plans to do with the information.


6. It should not be full of exemptions

Every exemption in a privacy law shoots a hole through the safeguards provided to consumers. Exemptions should not be granted just because self-interested lobby groups demand a special deal or they will oppose a privacy law. Rather, exemptions should deal with unintended consequences of privacy legislation where privacy competes with other public interests. Exemptions should be cast narrowly, to ensure that they do not undermine the overall framework of privacy protection and cause other unintended results.


7. It should protect you from being forced to disclose personal information if it is not necessary

You should not be forced to disclose your personal information when it is not necessary. Privacy law should protect your right to remain anonymous when it is not necessary to be identified - for example, companies offering services like phone cards, travel tickets and motorway passes should give consumers an option of buying a prepaid, anonymous card.


8. It should be easy to enforce

When your privacy is invaded or your personal information abused, it should be simple and straightforward for you to get the problem resolved. If you can't get the problem resolved directly with the company, you should be able to go to the Privacy Commissioner and know that your complaint will be dealt with quickly and with a minimum of fuss. You should not be forced to run from one organisation to another trying to work out who is responsible for resolving the problem.


9. It should be overseen by an independent Privacy Commissioner

The Privacy Commissioner should be independent of government. He or she should be appointed for a single, non-renewable term, and should be accountable to Parliament and not to a minister. The Privacy Commissioner should be free to comment on any government or business issues that affect privacy. Government ministers and staffers should not intimidate the Privacy Commissioner by calling up and complaining whenever the Commissioner is critical of government policies.


The Privacy Amendment (Private Sector) Bill 2000

The Privacy Foundation applauds the Government on its decision to extend the Privacy Act to the private sector, but has serious reservations about the legislation in its current form. Our main concerns with the Privacy Amendment (Private Sector) Bill are:

The net result of these weaknesses is that in its current form, the legislation will not be able to satisfy consumer concerns about the inadequacy of privacy safeguards. As the Australian Treasury recently argued, people are simply opting not to transact online because they are not confident that their privacy will be protected (Summer 2000 Economic RoundUp article on "Drivers and Inhibitors to Consumer Uptake of Electronic Commerce"). Without government leadership on this issue, Australia will continue to lag in the development of e-commerce. Without amendment, the Bill will not achieve the objective of improving consumer confidence in e-commerce, and the growth of the new economy industries will continue to be thwarted.

More broadly, the legislation risks entrenching the cynicism and alienation of many Australian voters, who feel that Parliament does not listen to their concerns. Privacy issues arouse deep emotions because personal information goes to the centre of the dignity, personality and reputation of individuals. It is a serious failure if a Parliament does not give adequate protection to these rights, allowing people to control the handling of their personal information.


Specific issues in the Bill
1. Small business exemption

The proposed exemption for businesses with a turnover under $3 million would remove the majority of Australian businesses from coverage of the privacy legislation unless they were covered by an exception, such as because they deal in personal information for some kind of gain or benefit.

The Privacy Foundation believes this provision has the potential to severely undermine the legislation. It will not be possible to establish an environment of consumer confidence if individuals cannot realistically know whether or not businesses are covered by the privacy law. Are they expected to ask for a business's annual turnover when they create a relationship with a business? We believe the current proposal is a recipe for confusion.


2. Employee records will be exempt

The Privacy Foundation believes that the proposed exemption for employee records is against the public interest. Employers and employees have a special trust relationship, allowing the employer to collect and use a significant amount of sensitive personal information. When employers abuse that trust, employers can suffer serious adverse consequences. By exempting employment records from the legislation, at a time when privacy legislation is being extended to the private sector, the Bill communicates to employers that their use or misuse of this personal information is not a matter of public concern - that employee privacy takes a low priority. It risks giving a nod and a wink to the minority of employers who abuse their position of power over their employees or former employees.

The Government has argued that workplace privacy is best dealt with under workplace relations legislation. The Privacy Foundation disagrees, and instead supports the global norm of including employment records within the scope of privacy legislation.

The Privacy Foundation supports the alternative approach of covering employment records in the general legislation, and allowing the exceptions within individual principles to provide a balance for issues of concern to employers. Equally, matters specific to the workplace relations context, such as trade unions' rights of access to employee records (which may operate as an exception authorised by law) should remain within the workplace relations legislation context.


3. Political parties exemption

The Foundation is strongly opposed to the broad exemption for political parties for their activities in connection with an election, a referendum, or other participation in the political process. We believe the proposed exemption for political parties will be seen by the public as a breathtaking example of political hypocrisy - that there is one rule for political leaders, and another rule for the rest of the community.

Two arguments have been given in favour of this exemption. The first is that privacy law could be abused during an election campaign, with the political process obstructed when a party might be besieged by demands from a figure in an opposing party for access to all the records held about them. In reality, this can be easily avoided by reference to the exception for vexatious requests, or with a provision which explicitly prevents privacy legislation being used to disrupt the political process. A specific exemption for some aspects of a person's right to access those records during specific times might make sense. A complete exemption does not.

The second argument offered in its favour is that it is necessary to give this exemption in order to give effect to the implied constitutional freedom of political speech. When asked to produce legal advice to this effect, it's little surprise that the government has not been able to oblige. Our advice from constitutional law experts is that the limited right to free political speech which has been recognised in the Constitution does not impose any relevant limitations on governments protecting individuals from how political parties or anyone else collect, store and use personal information.

The unspoken but widely suspected reason for the exemption is that it protects the highly sophisticated campaign techniques of political parties which rely on building substantial databases to target voters. Parties have access to a computer database of the Electoral Roll, and can combine this information with census and other information to get a detailed picture of people in their area. This can allow a political organisation to use the cover of an "independent" opinion poll company to call a person at home and ask for their opinion about some current political issues. They may not tell the caller who they are, or the fact that they might be related to a political party, nor that they are going to keep this information about the voter's opinions on a database. After identifying what might change a voter's decision in the election, a party can feed back what a voter wants to hear - so that one person might get a letter from their local Member telling them how strongly he is preserving the natural environment, while another gets a different letter saying how he is pro-jobs and pro-development.

Political parties should have access to the same information collection and marketing techniques which other organisations in the community have, but under the same rules. These simply establish fair information practices so that voters know who is collecting and using their personal information. If a party wants to collect information about a voter's beliefs or concerns, they should be upfront in identifying exactly who they are and how they intend to use the information. They should state who they are disclosing information to, and give access to see whatever personal information of yours they have.

Even if political parties see great utility in being able to operate without privacy legislation, it is still a zero-sum game; any technology or practice acquired by one of the major parties is likely to be mirrored by the other. A far better outcome for the public interest would be to reduce the exemption to the only legitimate issue which has been identified. The Foundation urges the Parliament that if it wishes to rebuild some of the broken trust in the political process, it should remove this exemption from the Bill.


4. Media exemption

The Privacy Foundation accepts the need to ensure that the media is not restricted in its appropriate reporting and news gathering functions by the amendments to the privacy legislation. However, the current drafting of the exemption for the media is so broad that it goes well beyond the media to allow a wide range of other organisations to claim the exemption because they can bring activities within the exemption for acts or practices done by an organisation in the course of journalism. The definition of journalism goes beyond the collection, preparation and dissemination of news, current affairs, and documentaries to include "other information" for the purpose of making the material available to the public. The Foundation supports the Privacy Commissioner's suggested amendment to the wording of the media exemption to ensure that organisations are not able to claim illegitimately an exemption from their privacy obligations.


5. "Related corporations" exemption

The Bill allows companies to swap and use personal information with related companies (companies which share a common ownership) without restrictions other than those which apply to the organisation which collected the personal information. That means that a company which runs a bank, a supermarket, an adult internet site, a pay TV company and a health insurance organisation can swap that information between its businesses.

We believe that the transfer and exchange of personal information to related bodies should be restricted to the reasonable expectations of customers. This is a litmus test issue. A privacy law that permits the unlimited exchange of information within large and diverse business groups is not protecting people's privacy - rather, it is giving the tick to massive privacy invasion.


6. Complaints handling mechanism

A number of submissions have highlighted the imbalance of the complaints handling mechanism in the Bill. In the event that a Code establishes an industry complaints handling body to resolve complaints, consumers will effectively be denied the review process if a decision is made against them, while businesses will be given a review process through the Federal Magistracy if a decision is made against them.

While the complaints handling body must report annually and a Code is subject to revocation by the Commissioner, the Foundation believes that in the interests of consistency and fairness, individuals should have a right to take a complaint to the Commissioner after an adverse finding by a complaints handling body. This ensures that privacy principles will be interpreted consistently, and gives a fair chance to the complainant.

The opportunity for the Privacy Commissioner to establish consistent interpretation of the legislation is critical because the general nature of the wording of the principles will ultimately require careful consideration of its application. In addition, an independent body such as the Commissioner is in a better position to evaluate industry-wide practices which might breach the principles than an industry complaints handling body, which for practical reasons may not challenge industry-wide practices.


For further information, contact:

Tim Dixon, Director, (02) 9231 4949 or 0411 114411, TimDixon

Prof. Graham Greenleaf, (02) 9569 5310 or 9385-2233, Graham Greenleaf

Dr Roger Clarke, (02) 6288 1472 or 6288 6916, Roger.Clarke@anu.edu.au


Created: 15 September 2000

Last Amended: 15 September 2000

