Getting in on the Act:

The Review of the Private Sector Provisions of the Privacy Act 1988

March 2005


Copyright © Office of the Privacy Commissioner 2005

ISBN 1-877079-46-4

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Office of the Privacy Commissioner.

Requests and enquiries concerning reproduction, rights and content should be addressed to:

Copyright Officer
Corporate and Public Affairs
Office of the Privacy Commissioner
GPO Box 5218
SYDNEY NSW 2001

E-mail: privacy@privacy.gov.au



The Hon Philip Ruddock MP
Attorney-General
Parliament House
CANBERRA ACT 2600

Dear Attorney-General

I refer to your request of 13 August 2004 asking me to undertake a review of the private sector provisions of the Privacy Act 1988. I have pleasure in presenting to you the report: Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988.

Yours sincerely

Karen Curtis
Privacy Commissioner

31 March 2005


Table of Contents

Foreword

Overview and Executive Summary

Approach to the review
Terms of reference
Participants in the review
Timing of the review
Provisions work well on balance
A single national scheme
Main recommendations
Recommendations:
Recommendation: Wider review of Privacy Act
Recommendations: National consistency
Recommendations: Telecommunications consistency
Recommendations: Health consistency
Recommendations: Residential tenancy databases
Recommendation: EU ‘adequacy’ and APEC
Recommendation: NPP 9
Recommendations: Control over personal information
Recommendations: Direct marketing
Recommendations: Consumer education
Recommendations: Access generally
Recommendations: Transfer of health records
Recommendations: Health service ceases to operate
Recommendations: Complaints handling and compliance
Recommendation: Approved privacy codes
Recommendations: Business awareness
Recommendations: Small business exemption
Recommendations: Private sector contracting
Recommendation: Due diligence
Recommendations: Media exemption
Recommendations: Research
Recommendations: Decision-making where capacity is impaired
Recommendation: Law enforcement
Recommendation: Private investigations
Recommendations: Alternative dispute resolution schemes
Recommendations: Large scale emergencies
Recommendations: New technologies
Recommendation: NPP 1.3(d)
Recommendation: Reasonable steps for NPP 1.3 and 1.5
Recommendation: NPP 1.5 – ‘Someone’
Recommendations: Primary purpose and health information
Recommendation: NPP 3 – Data quality
Recommendation: NPP 7 – Identifiers
Recommendations: NPP 10 – Public Interest Determinations
Recommendations: NPP 10.2(b)
Recommendations: Deceased persons

1 Background

1.1 This Inquiry

Background to the review
Terms of Reference
Matters not included in the review
Other relevant privacy related reviews and processes
Research
Framework for assessing issues
Conduct of the review – overview of consultation
Issues Paper
Consultation Meetings
Written Submissions
Structure of report

1.2 Private Sector Provisions of the Privacy Act

History of Commonwealth Privacy Legislation
What do the Private Sector Provisions cover?

2 National Consistency

2.1 National consistency overall

National consistency was goal of legislation
Issues
Other law impacting on privacy
Submissions favour national consistency
What submissions say - issues
What submissions say – addressing the issues
Options for reform

2.2 Recommendations: National consistency

2.3 Consistency in telecommunications

Law and policy
Complaints and enquiries
What the submissions say - issues
What submissions say – addressing the issues
Options for reform

2.4 Recommendations: Telecommunications consistency

2.5 Consistency in protection of health information

Law and policy
What the submissions say - issues
Options for reform

2.6 Recommendations: Health Consistency

2.7 Residential tenancy databases

What are residential tenancy databases?
Application of the Privacy Act
Issues
Options for reform

2.8 Recommendations: Residential tenancy databases

3 International issues and obligations

3.1 EU Adequacy and APEC

Law and Policy
Issues
What submissions say - issues

3.2 Recommendation: EU ‘adequacy’ and APEC

3.3 NPP 9

Law and policy
Issues
What submissions say – issues
What submissions say – addressing the issues
Options for reform

3.4 Recommendation: NPP 9

4 Protecting individual’s right to privacy

4.1 Control over personal information

Law and policy
Issues
Community attitudes survey
What submissions say - issues
What submissions say – addressing the issues
Options for reform

4.2 Recommendations: Control over personal information

4.3 Direct marketing

What is direct marketing?
Law and policy
Rationale
Community attitudes survey
Issues
What submissions say – the issues
What submissions say – addressing the issues
Options for reform

4.4 Recommendations: Direct marketing

4.5 Awareness of, confidence in and capacity to exercise rights

Law and policy
Issues
Role of the Office
Role of organisations
Community awareness survey
Demographic information about complainants
What submissions say - issues
What submissions say – addressing the issues
Options for reform

4.6 Recommendations: Consumer education

4.7 Access generally

Law and policy
Issues
What submissions say - issues
What submissions say – addressing the issues
Options for reform

4.8 Recommendations: Access generally

4.9 Transfer of health records to another health service provider

Law and policy
What submissions say
Options for reform

4.10 Recommendations: Transfer of health records

4.11 Access to health records when health service ceases to operate

Law and policy
Health services ceasing to operate
What submissions say
Options for reform

4.12 Recommendations: Health service ceases to operate

5 Enforcing individual rights and ensuring compliance

5.1 Introduction

5.2 Law and policy

Approach to compliance
Complaints process
Review rights

5.3 Issues

5.4 What submissions say – issues

Approach to compliance
Level of compliance
Office does not use existing powers
Systemic issues not being addressed
Complaints process

5.5 What submissions say – addressing issues

Transparency
Fairness
More help to complainants – streamline process
Improving levels of compliance
Are levels of compliance adequate?

5.6 Options for reform

More education and awareness
Increase transparency in complaints process
More external review
Fairer process
Make better use of existing powers
Power to enforce own motion investigations
Power to audit private sector
Other power to address systemic problems in complaints
Improve liaison with overlapping complaint handlers
Advice about complaint rights
Address delay in handling complaints
Review practices

5.7 Recommendations: Complaints handling and compliance

6 Balancing individual privacy interests with business efficiency

6.1 Introduction

Law and policy
Issues
Striking the balance
Principles or rules
Principles may need some illumination

6.2 Approved Privacy Codes

Law and policy
Issues
What submissions say - issues
What submissions say – addressing the issues
Options for reform

6.3 Recommendation: Approved Privacy Codes

6.4 Compliance costs

Law and policy
Issues paper
What submissions say

6.5 Business awareness

Issues
What submissions say
Options for reform

6.6 Recommendations: Business awareness

6.7 Small business exemption

Law and policy
Issues
What submissions say
Options for reform

6.8 Recommendations: Small business exemption

6.9 Private sector contracting

Law and policy
What submissions say
Options for reform

6.10 Recommendations: Private sector contracting

6.11 Due diligence on sale or purchase of business

What is due diligence?
Information Sheet 16
Issues
What submissions say
Options for reform

6.12 Recommendation: Due diligence

7 Balancing individual rights and other social interests

7.1 Media exemption

Introduction
Law and policy
Issues
What submissions say – issues
Options for reform

7.2 Recommendations: Media exemption

7.3 Medical research

Law and Policy
What submissions say - issues
What submissions say – addressing the issues
Options for reform

7.4 Recommendations: Research

7.5 Decision-making where capacity is impaired

Introduction
Relevant privacy principles
What submissions say - issues
Options for reform

7.6 Recommendations: Decision-making where capacity is impaired

7.7 Law enforcement

Law and policy
Issues paper
What submissions say - issues
Options for reform

7.8 Recommendation: Law enforcement

7.9 Private investigation

Introduction
What submissions say – issues
Private detectives and other jurisdictions
Options for Reform

7.10 Recommendation: Private investigations

7.11 Alternative Dispute Resolution

Alternative Dispute Resolution
What submissions say – issues
What submissions say – addressing the issues
Options for Reform

7.12 Recommendations: Alternative dispute resolution schemes

7.13 Responding to large scale emergencies

Introduction
Law and policy
Issues
What submissions say – addressing the issues
Options for reform

7.14 Recommendations: Large scale emergencies

8 New technologies

8.1 Developments

Telecommunications and internet
Data aggregation and mining
Biometrics
Electronic health records
Role of technology in protecting privacy
Issues

8.2 What submissions say – the issues

8.3 What submissions say – addressing the issues

8.4 Options for reform

8.5 Recommendations: New technologies

9 Clarifying how the National Privacy Principles work

9.1 NPP 1.3(d)

Law and Policy
The issue
Options for Reform

9.2 Recommendation: NPP 1.3(d)

9.3 NPP 1.3 and 1.5 – ‘reasonable steps’

Law and Policy
The issue
Options for Reform

9.4 Recommendation: Reasonable steps for NPP 1.3 and 1.5

9.5 NPP 1.5 – collection from ‘someone’ else

Law and Policy
Options for Reform

9.6 Recommendation: NPP 1.5 – ‘Someone’

9.7 NPP 2 – primary purpose and the collection of health information

Background
Options for Reform

9.8 Recommendations: Primary purpose and health information

9.9 NPP 3

Law and Policy
What submissions say – issues
Options for Reform

9.10 Recommendation: NPP 3 – Data quality

9.11 NPP 4

9.12 NPP 5

9.13 NPP 6

9.14 NPP 7

Law and policy
Issues
What the submissions say – issues
Options for reform

9.15 Recommendation: NPP 7 – Identifiers

9.16 NPP 8

9.17 NPP 9

9.18 NPP 10 – Collection of Family History Information – PID 9 and 9A

Law and Policy
What the submissions say – issues
Options for Reform

9.19 Recommendations: NPP 10 – Public Interest Determinations

9.20 NPP 10.2 – Collecting health information without consent

Law and Policy
Scope of the exception
Options for Reform

9.21 Recommendations: NPP 10.2(b)

10 Other issues with the private sector provisions of the Privacy Act

10.1 Information of deceased persons

Law and Policy
What submissions say – issues
Options for Reform

10.2 Recommendations: Deceased persons

10.3 Employee Records Exemption

Law and Policy
What submissions say

10.4 Political Exemption

Law and Policy
What submissions say

Appendix 1

Terms of Reference

Appendix 2

Review Reference Group

Appendix 3

Submissions Received

Appendix 4

National Privacy Principles

Appendix 5

Information Privacy Principles

Appendix 6

Community Attitudes towards Privacy 2004

Appendix 7

Information Sheet 13: 2001 Privacy Commissioner’s Approach to Promoting Compliance

Appendix 8

Summary of complaint handling provisions, including powers to investigate

Appendix 9

Complaints Statistics

Appendix 10

Own Motion (section 40 (2)) power

Appendix 11

Current Powers to enforce determinations

Appendix 12

Decision Appeal Processes in comparable legislation

Appendix 13

Demographic information about complainants

Appendix 14

Complainant and respondent satisfaction survey


Foreword

This report is the first major examination of how the laws governing the use of personal information by the private sector in Australia have worked in their first years of operation.

It has been a significant project for the Office and leadership team since last August. The project team was headed by Robin McKenzie.

The report has drawn on information and views from a wide range of sources including individuals, businesses, industry organisations, interest groups, and government agencies across the Commonwealth, and states and territories.

The review has benefited from discussions, consultations and material contained in submissions. I thank all those involved for contributing their ideas and views, and for the constructive way in which those views were conveyed.

I particularly thank the members of the Steering Committee and the Reference Group for their advice and guidance.

Many members of staff contributed in various ways – preparation of the Issues Paper, organising meetings for the Steering Committee and Reference Group, organising public consultations, analysing submissions, developing policy options, putting submissions on the website, undertaking surveys, writing sections of the report, editing and formatting. The Corporate and Public Affairs Section of the Office was involved in all aspects of the review process.

While I hesitate to single out individuals, it would be remiss if I did not acknowledge the major contributions of Robin McKenzie, Pauline Kearney, Paul Armstrong, Chris Cowper and Timothy Pilgrim. Suzanne Christian was responsible for the report compilation, formatting and editing.

To my staff, I express my gratitude for their contribution to this important review and I look forward to further improving the operation of the private sector provisions for the benefit of the community and business.

Karen Curtis
Privacy Commissioner


March 2005


Overview and Executive Summary

Approach to the review

Terms of reference

The Office has undertaken a review of the operation of the private sector provisions of the Privacy Act to see whether they meet their objectives. The objects are outlined in the terms of reference from the Attorney-General which are at Appendix 1.

Participants

In the course of the review, information has been considered from a wide range of sources.

A wide range of stakeholders have participated in the review. They include major business and industry sectors, including banking, insurance, finance, private detectives and debt collection, credit reporting, marketing, fundraising, health and allied care, manufacturing, retail, small business, housing, real estate, superannuation, internet, hospitality and welfare. There has also been input from consumer and privacy advocacy groups, including consumer, credit, health and academic groups. In addition, the Office has received input from state and federal government agencies, including health agencies, law enforcement agencies and other regulators, and also from dispute resolution bodies.

Timing of the review

The private sector provisions have been in operation since 21 December 2001, or just over three years for non-small business operators, and since 21 December 2002, or just over two years for small businesses that do not qualify for the small business exemption. Given that implementing a privacy scheme, particularly for some sectors, involves complex attitude change and understanding rather than simply complying with clear, black letter law, this is a relatively short period of time to be assessing the operation of the provisions.

In addition, it was not possible to conduct the kind of detailed quantitative research that might give a clearer indication of the actual level of business compliance with its obligations under the scheme. Further, because the scheme is complaint based and the Office has only limited powers to investigate practices on its own initiative, it is possible that there are areas of non-compliance of which the Office is not aware. As a result, although the Office has sought to gain and draw upon quantitative evidence to the extent it is possible and available, it is in the end relying to a considerable extent on anecdotal evidence as well as its own complaint statistics for its conclusions.

Provisions work well on balance

Overview

The review process shows that the private sector provisions have met their objectives in some areas and not in others. In some areas they have failed to meet an objective, but in practice the impact may not have been significant. In others, objectives were met in a way quite different from that envisaged at the time the legislation was implemented. In some, the provisions have not met the objective at all.

Indeed, it could be argued for example that the private sector provisions have not met the two objectives of ‘a national scheme’ or ‘international concerns’. But this does not take away from the overall effect that the National Privacy Principles (NPPs) have worked well and delivered to individuals protection of personal and sensitive information in Australia in those areas covered by the Act.

No fundamental flaw

Although 85 recommendations have been made, this does not equate to dissatisfaction with the provisions. Rather, it means that with the benefit of three years’ experience it has become apparent there are ways to improve existing elements of the regime, and that there are external influences which have impacted on the efficacy of the legislation.

Although there were a few calls from privacy advocates for the Government to ‘go back to the drawing board’ entirely on the provisions, the Office has no substantive evidence to suggest that the private sector scheme has any significant flaws that would warrant dramatic changes.

Provisions have generally worked well for business

The overall view from the business sector is that the scheme has worked well for them, and that there is considerable support for it as it currently stands. Generally speaking, it appears that in most areas, the scheme has met its objective of not unduly impeding the free flow of information, or the right of business to achieve their objectives in an efficient way.

Consumers are less satisfied

Generally speaking however, those representing the consumer and privacy advocate groups were less satisfied that the private sector provisions had met their objectives of adequately providing for the privacy rights of individuals.

International concerns

One area where the private sector provisions have not met their objectives in the way that was anticipated is the objective of meeting international concerns and Australia’s international obligations relating to privacy. It appears that this has been less of a concern to many stakeholders than might have been expected at the time the provisions were enacted. A particular example of this is achieving European Union (EU) adequacy to enable businesses to engage in trade involving personal information with European businesses.

Despite the fact that the private sector provisions have not yet been found adequate by the EU, in general, business does not report a major impediment to trade. In addition, the issue of global trade beyond the EU has meant that the need to address consistency in privacy regulation at a global level has become important. The APEC initiatives on privacy are evidence of this shift.

Approved NPP Codes

Another area where the objectives of the private sector provisions have not been achieved in the way that was anticipated is the adoption of industry and organisation codes by the private sector to regulate their collection, use and disclosure of personal information. There are only three approved codes under the Privacy Act. However, there is no call for the repeal of the code provisions of the Act despite the very low level of take-up. Most businesses appear content to be regulated by the NPPs and to have the Office as their external complaints handling body.

A single national scheme

There is significant inconsistency

There is evidence that the failure of the private sector provisions to meet their objective of achieving national consistency in privacy regulation has had consequences for business efficiency. There is also some evidence that this has posed some impediments in the way of individuals seeking to be aware of, and have respected, their privacy rights. The inconsistency operates at a number of levels, including within the Privacy Act itself, within Commonwealth regulation impacting on privacy, and between state and Commonwealth legislation. The area of privacy involving health information, including health research, has been clearly identified as being greatly affected by all these levels of inconsistency. Other areas affected include employee privacy and tenancy databases.

Reasons for the inconsistency

These inconsistencies have emerged for a number of reasons, some of which relate directly to the formulation of the private sector provisions. Others are a consequence of the rapidly changing environment in which the provisions are operating, and in particular, the heightened security concerns following September 11, and the developments in new technology.

One factor contributing to inconsistency is that within the Privacy Act there are two sets of slightly different privacy principles, one for the Australian public sector and one for the private sector. As the Government has increasingly drawn upon the private sector – for example, welfare organisations – to carry out activities that were once performed by its agencies, this has become more of an issue.

Another factor appears to be the presence of exemptions in the Act. Submissions and consultations suggest that areas of inconsistency are arising because states and territories are legislating in areas covered by the exemptions. A key example of concern to business is the area of surveillance in the workplace. In the absence of privacy protection in this area in the federal Privacy Act, states and territories are legislating and each in a slightly different way.

There are also problem areas such as the regulation of tenancy databases by states and territories. As the NPPs do not totally regulate tenancy databases, states and territories are legislating in this area, once again, each in a slightly different way.

The desire for more detailed and binding guidance for health care providers together with inconsistency between private sector provisions and state public sector privacy principles, could also be considered reasons for states to legislate in the health area. Submissions from business and consumers, and consultations indicate overwhelmingly that this has created a range of different rules that is confusing for health care providers, other businesses holding health information and consumers.

The Office’s complaints caseload, which is larger than expected as a result of the private sector provisions, has meant that the Office has not clarified the application of the NPPs in some of these areas (for example, tenancy databases) as speedily as it would like. In the meantime, states have moved to address what was emerging as a community need to ensure that tenants were not denied housing as a result of inaccurate and unfair listings.

Finally, rapidly changing technology has resulted in Commonwealth legislation that is outside of, but overlaps with, the Privacy Act. The Spam Act 2003 is an example. Spam was less of a concern in 1999 when the private sector provisions were formulated, and the private sector provisions did not address this issue. This situation may arise again with the future development of new pervasive technologies. Businesses are concerned to ensure that when it does, any new legislation fits well with the private sector provisions.

Approach to recommendations

This report makes a range of recommendations including strategies to address these inconsistencies. But as indicated by the complex factors contributing to these, there is no easy or single fix, especially in a federal system of government. Resolving the issues will involve commitment from all levels of government and a willingness to focus on the big picture.

One thing that became clear in conducting the review is that many of the issues that arise in relation to the operation of the private sector provisions are inter-related. This inter-relation has to be taken into account in recommendations. Recommendations on one aspect of operation will also have the potential to address issues on other aspects of operation.

It is also the case that there are a number of ways that issues arising out of the review could be addressed. Which approach is taken in one area may affect what approach is best taken in other areas. For this reason, in a number of areas this report has made recommendations as options that could be taken up depending on the approach taken in addressing other issues.

Resourcing implications of reform

In developing recommendations as part of this review, the Office has been aware of the resource implications of reform. Since the implementation of the private sector provisions, the Office has shifted resources from its guidance and advice role to its compliance role to try to better manage and resolve the complaints received. Even so, there is an unacceptably long waiting list of complaints to be handled. This satisfies neither business, who have invested in compliance and in whose interest it is to have complaints against them settled quickly, nor consumers.

Submissions from all sectors discuss funding for the Office.[1] A number of submissions expressly support an increase in resources being granted to the Office.[2] Many of these submissions are particularly concerned by the backlog of complaints and subsequent delay in resolving complaints.[3]

There was also a general call for more resources to ensure consumers and businesses are educated about their rights and obligations under privacy laws.[4]

In this review recommendations are made that, if implemented, will impact upon the operation of the Office. This has implications in terms of resources, for both staff and program delivery.

Main recommendations

This report makes recommendations about how the operation of the private sector provisions could be improved. Recommendations are primarily written as either actions that the Australian Government should consider doing, or as measures that the Office could or intends to undertake. A small number of recommendations involve measures that could be taken by state and territory governments.

Some recommendations involve broad high level principles around the operation of the private sector provisions, for example, recommendations to improve national consistency in privacy regulation, including health privacy regulation, and to ensure that the private sector provisions adequately protect privacy in the face of rapidly developing new technologies.

Recommendations for measures to raise awareness of both consumers and business on a range of topics are found in a number of places in the report.

These particular recommendations could be regarded as forming the ‘lynchpin’ for a scheme that is intended to operate in a way that benefits individuals while recognising the right of businesses to achieve their objectives in an efficient way.

Other recommendations aim to increase the control that individuals have over their personal information, particularly in relation to information collected about them indirectly or used or disclosed for other purposes such as direct marketing. These include measures to promote short form privacy notices, and a general opt-out right for direct marketing.

The report makes recommendations about the small business exemption aimed at simplifying its application while suggesting that some sectors that have higher privacy risks should be covered by the private sector provisions.

The report also makes recommendations aimed at improving the transparency and fairness of the Office's complaints process, and to enable it to better identify and address systemic issues.

Some issues raised are complex and need further consideration by the Australian community. The Office identified the application of the private sector provisions to research, in particular medical research, and to new technologies as warranting further debate. The main recommendations on these issues are that they should be considered in the context of a wider review of the Privacy Act.

In response to concerns that organisations need more guidance, or that the NPPs may need amending to ensure that they are applied in a commonsense way, recommendations are made on such matters as alternative dispute resolution schemes, access to health records and major national emergencies.

The report makes a number of more technical recommendations that aim to increase certainty about the application of the NPPs, which in many cases clarify what is already existing practice.

Throughout the report, but particularly in the recommendations, there has been careful consideration of the balance between protecting individual rights while recognising the collective needs of the community including the business community.

Finally, it became apparent that while the private sector provisions work well, it may be appropriate for the Government to undertake a wider review of privacy for Australians in the 21st century.

The NPPs are based on principles developed in the 1970s and it may be fitting to consider how the operating environment has changed over the last 30 years. For example: Is our definition of personal information still appropriate given technological advances? Do we need different sets of privacy principles covering the private and public sectors? Should the legislation make a distinction between data controllers and data operators? Should the legislation only cover protection of data about living persons? In a changed security environment what are people's expectations about their personal information?

In some of the 85 recommendations there is a reference to this wider review of privacy. Given that it is a recurring theme throughout the report to give more considered thought to ‘bigger picture’ issues, a recommendation has been made here in the Overview Section. It is the first recommendation listed below, and is followed by the recommendations as identified in each chapter.

Recommendations:

Recommendation: Wider review of Privacy Act

  1. The Australian Government should consider undertaking a wider review of privacy laws in Australia to ensure that in the 21st century the legislation best serves the needs of Australia.

Recommendations: National consistency

The Privacy Act has not achieved its object of establishing a ‘single comprehensive national scheme’ for the protection of personal information. As submissions reveal, national consistency is important to business, to charities and to individuals. The lack of national consistency contributes significantly to the costs imposed on business.

  2. The Australian Government should consider amending section 3 of the Privacy Act to remove any ambiguity as to the regulatory intent of the private sector provisions.

  3. The Australian Government should consider asking the Council of Australian Governments (COAG) to endorse national consistency in all privacy related legislation.

  4. The Australian Government should consider setting in place mechanisms to address inconsistencies that have come about, or will come about, as a result of exemptions in the Privacy Act, for example, in the area of workplace surveillance.

  5. The Australian Government should consider commissioning a systematic examination of both the IPPs and the NPPs with a view to developing a single set of principles that would apply to both Australian Government agencies and private sector organisations. This would address the issues surrounding Australian Government contractors.

  6. The Australian Government should consider changing, by legislative amendment, the name of the Office of the Privacy Commissioner to the Australian Privacy Commission.

  7. The Australian Government should consider amending the Privacy Act to provide for a power to make binding codes.

Recommendations: Telecommunications consistency

  8. The Australian Government should consider amending the Privacy Act and the Telecommunications Act to clarify what constitutes authorised uses and disclosures under the two Acts, and to ensure that the Privacy Act cannot be used to lower the standard of privacy protection in the Telecommunications Act.

  9. The Australian Government should consider making regulations under section 6E of the Privacy Act to ensure that the Privacy Act applies to all small businesses in the telecommunications sector, including Internet Service Providers and Public Number Directory Producers.

  10. The Office will discuss with the Australian Communications Authority the development of guidance to clarify the relationship between the private sector provisions of the Privacy Act and Part 13 of the Telecommunications Act.

  11. The Office will discuss with the Australian Communications Authority the development of guidance to clarify the relationship between the private sector provisions of the Privacy Act and the Spam Act.

Recommendations: Health consistency

  12. The Office urges the National Health Ministers' Council to finalise the National Health Privacy Code. This should include agreement by all jurisdictions on the contents of the code and on its consistent implementation in each jurisdiction.

  13. The Australian Government should consider adopting the National Health Privacy Code as a schedule to the Privacy Act. This would recognise the Australian Government's part in the consistent enabling of the Code. Should agreement not be reached by all jurisdictions about implementing the Code, the Australian Government should still consider adopting the code as a schedule to the Act to provide greater consistency of regulation for the handling of health information by Australian Government agencies and the private sector. (See also recommendations 29, 33 and 35.)

Recommendations: Residential tenancy databases

  14. The Australian Government should advance as a high priority the work currently being undertaken by the Working Group on Residential Tenancy Databases of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General.

  15. The Australian Government should consider, depending on the outcome of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General, making the Privacy Act apply to all residential tenancy databases. This could be done by using the existing power under section 6E to prescribe them by regulation, or by amending the consent provisions (section 6D(7) and section 6D(8)) that apply to the small business exemption. (See recommendation 53.)

  16. If the Privacy Act is amended to provide for a power to make a binding code (see recommendation 7), and depending on the outcome of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General, the Privacy Commissioner could make a binding code that applies to tenancy databases.

Recommendation: EU ‘adequacy’ and APEC

  17. There is no evidence of a broad business push for ‘adequacy’. Given the increasing globalisation of information, however, there may be long term benefits for Australia in achieving EU ‘adequacy’. Certainly the globalisation of information makes the implementation of frameworks such as APEC important. The Australian Government should continue to work with the European Union on the ‘adequacy’ of the Privacy Act and to continue work within APEC to implement the APEC Privacy Framework.

Recommendation: NPP 9

  18. The Office will provide further guidance to assist organisations to comply with NPP 9 by issuing an information sheet outlining the issues that should be addressed as part of a contractual agreement and how to more easily assess whether a privacy regime is substantially similar.

Recommendations: Control over personal information

  19. The Australian Government should consider amending NPP 5.1 to provide for short form privacy notices. This could also clarify the obligations on organisations to provide notice, and clarify the links between NPP 1.3 and NPP 5.1.

  20. The Office will encourage the development of short form privacy notices. It will also play a more active role in assisting businesses to develop their notices by developing template notices for different sectors, in consultation with them, and by issuing examples of both satisfactory and unsatisfactory notices.

  21. The Office will develop guidance to the effect that privacy notices should be dated.

  22. The Office will develop guidance on bundled consent, noting the possible tension between the desirability of short form privacy notices and the desirability of lessening the incidence of bundled consent.

Recommendations: Direct marketing

  23. The Australian Government should consider amending the Privacy Act to provide that consumers have a general right to opt out of direct marketing approaches at any time. Organisations should be required to comply with the request within a specified time after receiving the request.

  24. The Australian Government should consider amending the Privacy Act to require organisations to take reasonable steps, on request, to advise an individual where it acquired the individual's personal information.

  25. The Australian Government should consider exploring options for establishing a national ‘Do Not Contact’ register.

Recommendations: Consumer education

  26. The Australian Government should consider specifically funding the Office to undertake a systematic and comprehensive education program to raise community awareness of privacy rights and obligations.

  27. The Office will continue to collect demographic information about complainants. It will seek to identify and then remove any barriers that prevent sectors of the community from knowing about and exercising their privacy rights.

Recommendations: Access generally

  28. The Australian Government should consider amending NPP 6 to provide that when an individual's personal information is corrected in response to a request from the individual, the organisation should be obliged to notify third parties, where practicable, that they have received the inaccurate information.

  29. The Australian Government should consider adopting the Australian Health Ministers' Advisory Council (AHMAC) Code as a schedule to the Privacy Act (see recommendation 13). This will address the issue of intermediaries, and the issue of fees for access. (See also recommendations 13, 33 and 35.)

  30. The Office will develop further guidance on the operation of NPP 6.1 on ‘serious threat to life or health’, explaining that a serious threat to a therapeutic relationship could be a serious threat to a person's health. This will go some way towards addressing what appears to be a too narrow interpretation of NPP 6.1(b) by some practitioners.

  31. The Office will develop guidance on fees for access to personal information.

  32. The Office will develop guidance on the meaning of NPP 6.5, which requires that an individual ‘establish’ that information is not accurate before the organisation needs to take reasonable steps to correct it.

Recommendations: Transfer of health records

  33. The Australian Government should consider adopting the Australian Health Ministers' Advisory Council (AHMAC) code as a schedule to the Privacy Act. This will address the issue of the transfer of health records to another health service provider. (See also recommendations 13, 29 and 35.)

  34. The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 11 in the AHMAC Code.

Recommendations: Health service ceases to operate

  35. The Australian Government should consider adopting the AHMAC code as a schedule to the Privacy Act. This will address the issue of access to health records when a health service ceases to operate. (See also recommendations 13, 29 and 33.)

  36. The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 10 in the AHMAC Code.

Recommendations: Complaints handling and compliance

Approach to compliance

  37. The Office will maintain its current approach to compliance including the focus on attempting to conciliate complaints in the first instance as set out in Information Sheet 13. However, the Office will consider whether it might be appropriate in some circumstances to use its other powers earlier, such as the determination making power.

  38. The Office will consider options for providing more feedback on systemic issues either in advice or guidance or in some form of regular update to stakeholders.

  39. The Office will consider promoting privacy audits by private sector organisations, including by providing information on the value of auditing as evidence of compliance in the event of complaints and by developing and providing privacy audit training for organisations.

Review rights for complaint decisions

  40. The Australian Government should consider amending the Privacy Act to give complainants and respondents a right to have the merits of complaints decisions made by the Privacy Commissioner reviewed.

Fair and transparent complaint processes and resolution

  41. The Australian Government should consider amending National Privacy Principle 1.3 to require organisations to tell individuals how they can complain to the organisation; and that, if the complaint is not resolved, they can also complain to the Privacy Commissioner or (where relevant) the code adjudicator.

  42. The Office will review its complaints handling processes and will consider the circumstances in which it might be appropriate to make greater use of the Commissioner's power to make determinations under section 52 of the Privacy Act.

  43. The Office will also consider measures to increase the transparency of its complaints processes and complaint outcomes.

Additional powers

  44. The Australian Government should consider amending the Privacy Act to:

    • expand the remedies available following a determination under section 52 to include giving the Privacy Commissioner power to require a respondent to take steps to prevent future harm arising from systemic issues

    • provide for enforceable remedies following own motion investigations where the Commissioner finds a breach of the NPPs

    • provide a power for the development of binding codes and/or binding guidelines in cases where there is a strong public interest, where more detailed guidance is warranted or complaints reveal recurrent breaches (see recommendation 7).

Resourcing implications and complaint handling

  45. The Australian Government should consider the strong calls by a wide range of stakeholders for the Office to be adequately resourced to meet its complaint handling functions.

  46. The Australian Government should consider amending the Privacy Act to give the Commissioner a further discretion not to investigate complaints where the harm to individuals is minimal and there is no public interest in pursuing the matter.

Recommendation: Approved privacy codes

  47. The Office will review the Code Development Guidelines dealing with the processes relating to code approval with a view to simplifying them.

Recommendations: Business awareness

  48. The Australian Government should consider the benefits of greater business and community awareness of privacy and specifically fund the Office to undertake a systematic and comprehensive education program to raise business awareness.

  49. The Office will review existing information sheets and develop information sheets on key issues identified in submissions.

  50. The Office will develop strategies for communication with stakeholders, including establishing a privacy contact officer network for private sector organisations.

Recommendations: Small business exemption

  51. The Australian Government should consider retaining but modifying the small business exemption by amending the Privacy Act so that the definition of small business is to be expressed in terms of the ABS definition, currently 20 employees or fewer, rather than annual turnover.

  52. The Attorney-General should consider using the power under section 6E of the Privacy Act to prescribe the tenancy database and telecommunications sectors, including Internet Service Providers and Public Number Directory Producers, as businesses to be covered by the Act. (See recommendations 9 and 15.)

  53. The Australian Government should consider amending the Privacy Act to remove the consent provisions (sections 6D(7) and 6D(8)).

Recommendations: Private sector contracting

  54. The Australian Government should consider amending NPP 4 to impose an obligation on an organisation to ensure personal information it discloses to a contractor is protected.

  55. The Australian Government should consider, in the context of the wider review of the Privacy Act (see recommendation 1), whether there should be a distinction between data controllers and data operators.

  56. The Office will amend the Guidelines to the National Privacy Principles to clarify that businesses that give personal information to contractors for the purpose of performing a function on their behalf should impose contractual obligations on the contractor to take reasonable steps to protect the information.

Recommendation: Due diligence

  57. The Australian Government should consider amending the NPPs to take into account the practice of due diligence.

Recommendations: Media exemption

  58. The Australian Government should consider amending the Privacy Act so that:

  59. The Office will, in conjunction with the ABA, provide greater guidance to media organisations as to appropriate levels of privacy protection, especially in relation to health issues, and make organisations aware that the media exemption is not a blanket exemption.

Recommendations: Research

  60. As part of a broader inquiry into the Privacy Act (see recommendation 1), the Australian Government should consider:

    • how to achieve greater consistency in regulating research activities under the Privacy Act

    • whether regulatory reform is needed to address the issue of de-identification in the context of research and the handling of health information

    • where the balance lies between the public interest in comprehensive research that provides overall benefits to the community, and the public interest in protecting individuals' privacy (including individuals having choices about the use of their information for such research purposes)

    • whether there is a need to amend NPP 2 to permit the use and disclosure of personal information for research that does not involve health information

    • undertaking further research and education work with the broader community to ensure that the balance between research and privacy accords with what the community expects and understands.

  61. The Office will issue guidance in relation to NPP 2 to clarify that organisations can disclose health information for the management, funding and monitoring of a health service.

  62. The Office will work with the National Health and Medical Research Council to simplify the reporting process for human research ethics committees under the section 95A guidelines.

Recommendations: Decision-making where capacity is impaired

  63. The Australian Government should consider, in order to ensure that the Privacy Act does not prevent individuals with a decision-making disability from receiving a range of utilities and other services, amending NPP 2 to permit the disclosure of non-health information to a class of persons the same, or similar, to that described in NPP 2.5, where an organisation considers the disclosure to be necessary for the management of the person's affairs in a way that their financial or other interests are secured or safeguarded.

It would be appropriate to consider developing such an amendment in consultation with the Australian Guardianship and Administration Committee.

  64. The Office will, in recognition that disclosures of health information under NPP 2 are appropriately permitted in law but may not occur in practice, develop further and more practical guidance.

Recommendation: Law enforcement

  65. The Office will work with the law enforcement community, private sector bodies and community representatives to develop more practical guidance to assist private sector organisations to better understand their obligations under the Privacy Act in the context of law enforcement activities.

Recommendation: Private investigations

  66. The Australian Government, through the Attorney-General, should consider requesting that the Standing Committee of Attorneys-General (SCAG) consider the issues raised by the Australian Institute of Privacy Detectives, as they are broader than the Privacy Act.

Recommendations: Alternative dispute resolution schemes

  67. The Australian Government, in recognising the important role played by Alternative Dispute Resolution (ADR) schemes, and in an attempt to formalise advice already given by the Office, should consider:

    • amending NPP 2 to enable use and disclosure of personal information to ADR schemes in the course of handling disputes

    • amending NPP 10 to enable collection of sensitive information where it is necessary for the investigation and resolution of claims under an ADR scheme

    • defining the term ‘Alternative Dispute Resolution Scheme’ for these purposes in the Act.

Recommendations: Large scale emergencies

  68. Privacy laws should take a common sense approach. There needs to be an appropriate balance between the desirability of having a flow of information and protecting individuals' right to privacy. In developing an exception to disclosure for cases of national emergencies, consideration should be given to the seriousness of the privacy breach versus that of protecting privacy.

In large scale emergencies, the consequences of disclosure should be compared to the consequences of non-disclosure. Consideration also needs to be given to the potential identity fraud that may occur during such a time, especially if disclosure is allowed to the media.

The Australian Government should consider:

Recommendations: New technologies

  69. The Australian Government should consider, in the context of a wider review of the Privacy Act (see recommendation 1), reviewing the National Privacy Principles and the definition of personal information to assess whether they remain relevant in the light of technological developments since the OECD principles were developed. This should ensure that the private sector provisions remain technologically neutral and relevant to protect data privacy in the main contexts in which information about people is currently collected, used and disclosed.

  70. The Australian Government should consider initiating discussions through appropriate international forums about how to deal with major international jurisdictional issues arising from the global reach of new technologies such as Voice over Internet Protocol (VoIP).

  71. The Australian Government should consider developing specific enabling legislation to underpin any national electronic health records system. The legislation should be consistent with the National Health Privacy Code, but also include enhanced protections for matters such as the voluntariness of the system and limitations upon the uses of people's health records.

  72. The Office will issue further guidance, consistent with the current law, on what constitutes personal information, taking into account the fact that in the current environment it is more difficult to assume that any information about people cannot be connected.

  73. The Office could use, if necessary, any new powers to develop binding codes (see recommendation 7) to deal with technologically specific situations.

Recommendation: NPP 1.3(d)

  74. The Australian Government should consider amending NPP 1.3(d) to make clear that an organisation collecting personal information from an individual must take reasonable steps to notify them of likely disclosures generally, including to public sector agencies of the Australian Government, state or local governments, other bodies and private individuals.

Recommendation: Reasonable steps for NPP 1.3 and 1.5

  75. The Australian Government should consider amending NPP 1.3 and NPP 1.5 to make clear that there are situations in which the reasonable steps an organisation might take to provide notice to an individual may equate to no steps.

Recommendation: NPP 1.5 – ‘Someone’

  76. The Australian Government should consider amending NPP 1.5 to remove the term ‘someone’, and to make clear that an organisation has an obligation to take reasonable steps to provide notice to an individual when collecting their personal information indirectly, from any source.

Recommendations: Primary purpose and health information

  77. The Office will work with the health sector to develop further guidance about the operation of NPP 2 as it specifically relates to the issue of primary and secondary purpose in health care.

  78. The Office will provide clearer guidance on the operation of NPP 2 to give more effective and practical assistance to demonstrate how the principle operates. This will take into account the range of relationships between health services and individuals, particularly where individuals agree to a holistic approach to the delivery of a health service.

Recommendation: NPP 3 – Data quality

  79. The Office will provide further guidance to organisations about their obligations under NPP 3, particularly to ensure they take a proportional approach to complying with the principle. This will include guidance about organisations taking into account whether or not there are good privacy reasons for seeking to update an individual's personal information.

Recommendation: NPP 7 – Identifiers

  80. The Australian Government should consider using the existing regulation-making mechanism under NPP 7 to address circumstances such as those identified by Centrelink regarding concessional entitlements.

Recommendations: NPP 10 – Public Interest Determinations

  81. The Australian Government should consider amending NPP 10 to include an exception that mirrors the operation of Public Interest Determinations 9 and 9A.

  82. The Australian Government should consider undertaking consultation on limited exceptions or variations to the collection of family, social and medical history information, particularly with regard to genetic information and the collection practices of the insurance industry.

Recommendations: NPP 10.2(b)

  83. The Australian Government should consider amending NPP 10.2 to permit the collection of health information (under NPP 10.2(b)(i)) ‘as authorised by law’ in addition to ‘as required by law’.

  84. The Australian Government should consider amending NPP 10.2(b)(ii) to clarify the nature of the binding rules intended to be covered by this provision, particularly with regard to the substantive content of such rules.

Recommendations: Deceased persons

  85. If the National Health Privacy Code is adopted into the Privacy Act (see recommendation 13), then protection for health information under these provisions would extend to deceased persons. Also, the Australian Government's response to the Australian Law Reform Commission and the Australian Health Ethics Committee's inquiry into the protection of human genetic information in Australia may have implications for the Privacy Act. In addition, the Australian Government should consider as part of a wider review (recommendation 1) whether the jurisdiction of the Privacy Act should be extended to cover the personal information of deceased persons.


1 Background

1.1 This Inquiry

Background to the review

The Review of the Privacy Act was foreshadowed by the former Attorney-General the Hon Daryl Williams AM QC MP in his second reading speech for the Privacy Amendment (Private Sector) Act 2000. The Commissioner was asked to review the operation of the private sector provisions of the Act by the Attorney-General, the Hon Philip Ruddock MP, on 13 August 2004.

Terms of Reference

The Office conducted the review within the terms of reference outlined by the Attorney-General. They are included in full at Appendix 1 of this report. They provide for an assessment of the operation of the private sector provisions and a consideration of the extent to which the private sector provisions meet their objects. These objects include creating a single comprehensive national scheme for the appropriate handling of an individual's personal information by organisations, in a way that:

Matters not included in the review

The terms of reference exclude aspects of the private sector provisions from the review including:

The terms of reference state that these areas are currently, or have recently been, subject to processes of review.

The terms also mean that Part IIIA of the Privacy Act, which deals with credit reporting, has not been reviewed. However, the credit reporting provisions have been considered where they are relevant to the operation of the private sector provisions.

Other relevant privacy related reviews and processes

There are a number of processes underway that touch on privacy in some way, for example, initiatives to develop a national health code (the Australian Health Ministers' Advisory Council (AHMAC) process) and the review of privacy protection for employee records. In developing the recommendations in this report, the Office has taken into account, where appropriate, the work being done in these areas.

Research

To help inform the review work, including submissions to the review, the Office conducted research into community attitudes towards privacy in April 2004. This complements research it conducted in July 2001 into attitudes towards privacy in the spheres of government, business and the community. This Community Attitudes Research can be found on the Office's website. The results of the 2004 research are summarised at Appendix 6 and the full report is to be found on the Office's website.

Framework for assessing issues

The terms of reference ask the Privacy Commissioner to consider the degree to which the private sector provisions meet their objects. The Office used this framework for assessing the provisions. This involved considering the following issues.

  1. Do the provisions provide a comprehensive, national, consistent set of standards for privacy? Do they fit seamlessly into the Privacy Act? Do they relate effectively with other federal privacy provisions, the privacy laws of the States and Territories and other relevant federal law?

  2. Do the provisions operate in a way that assists Australian businesses to operate internationally? Are they adequate to ensure Australia fulfils its international obligations relating to privacy?

  3. Are individuals confident that their interests in protecting their privacy are recognised and that personal information that is collected, used, stored and disclosed by organisations is adequately protected? Are individuals aware of, and able to exercise, their rights?

  4. Do the provisions strike an appropriate balance between privacy and competing human rights and social interests, including free speech, medical research, national security, law enforcement and property rights? Is there a free flow of information? Is business aware of its obligations and able to comply with them while still achieving its objectives efficiently?

Conduct of the review – overview of consultation

The Privacy Commissioner received the terms of reference from the Attorney-General on 13 August 2004. The review of the private sector provisions was completed by 31 March 2005. The Privacy Commissioner encouraged widespread public participation in the review through a number of measures. The Office:

The Commissioner appointed a steering committee to assist with and advise on the conduct of the review. The Steering Committee members were:

The Steering Committee met on five separate occasions throughout the process to discuss the conduct of the review.

The Commissioner also reconvened the core consultative group which had been formed by the Attorney-General in 1998 to advise on the development of the private sector provisions. The group, reconvened by the Commissioner and renamed the Review Reference Group, consisted of approximately 40 representatives from consumer groups, industry and government who have been affected by the operation of the Act. Approximately half of the reconvened group were part of the original group that advised on the introduction of the private sector provisions. The Review Reference Group was consulted regarding the conduct of the review, the issues contained in the issues paper, and the options for reform. The list of members is available at Appendix 2.

Issues Paper

To assist stakeholders to make submissions the Commissioner released an issues paper on 27 October 2004.

The issues paper sought to provide a framework for assessing the extent to which the private sector provisions met their objectives as defined in the terms of reference. The issues paper closely followed the terms of reference and sought to help stakeholders assess whether the provisions meet international concerns and Australia's obligations relating to privacy. It raised issues about whether the legislation provides appropriate protection of individuals' privacy while allowing a balance to be struck with competing human rights and social interests, including the desirability of a free flow of information and the right of business to achieve its objectives efficiently.

Consultation Meetings

The Office organised consultation meetings in all of the capital cities during 2004. Meetings were held in:

There were also health forums held in Perth on 11 November, Melbourne on 18 November and Darwin on 25 November. In addition, a telecommunications forum was convened in Melbourne on 19 November 2004.

At each meeting the Commissioner or a representative of the Office led the discussion using a presentation which can be found on the Office's website.

The consultation forums were attended by a wide range of participants from diverse industry sectors including the finance sector, direct marketing, credit reporting, debt collection, law firms, law societies, telecommunications, retail, real estate, fundraising and the health sector (including doctors, researchers and pharmacists), and the community sector, including consumer and public interest advocates, community legal and tenancy advice centres and union representatives.

Issues raised in these forums have been incorporated throughout this report.

Written Submissions

The Commissioner encouraged stakeholders to make written submissions to aid the Review. In all, the Review received 136 written submissions (see Appendix 3), ranging in length and style, from individuals, organisations, industry bodies, advocacy groups and government agencies. Of these, 20 submissions requested to remain confidential. The non-confidential submissions can be found on the Office's website.

Structure of report

The structure of this Report reflects the Terms of Reference received from the Attorney-General.

Chapter 1 gives background to the inquiry and an overview of the private sector provisions of the Privacy Act.

Chapter 2 examines the degree to which the private sector provisions establish national consistency in the way private sector organisations collect, hold, use, correct, disclose and transfer personal information.

Chapter 3 considers how adequately the private sector provisions meet international concerns and Australia's international obligations relating to privacy.

Chapter 4 considers the effectiveness of the private sector provisions in protecting individuals' rights to privacy.

Chapter 5 considers the effectiveness of the private sector provisions in enforcing individual rights to privacy.

Chapter 6 considers how effectively the private sector provisions balance an individual's right to privacy with other competing social interests such as business efficiency and the desirability of a free flow of information.

Chapter 7 considers other social interests that compete with privacy and whether the private sector provisions have achieved the appropriate balance.

Chapter 8 looks at developments in new technologies.

Chapter 9 looks at whether any NPPs not addressed elsewhere in the report may need to be amended to create greater certainty in their interpretation.

Chapter 10 covers other issues that arise in relation to the private sector provisions.

1.2 Private Sector Provisions of the Privacy Act

History of Commonwealth Privacy Legislation

Commonwealth agencies

The Privacy Act was enacted in 1988. It provides for the Office of the Privacy Commissioner and a Privacy Commissioner and lists 11 principles governing the collection, use, storage, access to, maintenance and disclosure of an individual's personal information. These Information Privacy Principles (IPPs) apply to personal information held by Australian Government agencies. Since 1994, the IPPs have also applied to Australian Capital Territory (ACT) agencies.

Tax file numbers and credit reporting

The Privacy Act also provides for the Commissioner to issue tax file number guidelines and to investigate acts or practices of tax file number recipients that breach these guidelines.

In 1990, the Privacy Act was amended to regulate the handling of credit reports and other credit worthiness information about individuals held by credit reporting agencies and credit providers 5.

Private sector

Voluntary principles

In February 1998, following extensive consultation, the Privacy Commissioner issued the National Principles for the Fair Handling of Personal Information (the National Principles), compliance with which was voluntary. This was partly in response to a directive on information privacy adopted in October 1995 by the European Parliament and the Council of the European Union (EU) which included a provision that personal data could not be transferred from an EU country to a non-EU country unless there was an adequate level of information privacy.

Privacy Amendment (Private Sector) Act 2000

In late 1998, the Government announced its intention to legislate to support and strengthen privacy protection in the private sector. After widespread consultation the Privacy Amendment (Private Sector) Act 2000 was passed in December 2000 with a commencement date of 21 December 2001. It aimed to establish a single comprehensive national scheme governing the collection, holding, use, correction, disclosure and transfer of personal information by private sector organisations. It did so by means of the National Privacy Principles (NPPs) and provisions allowing organisations to adopt approved privacy codes.

Co-regulation

The approach adopted by the legislation was one of co-regulation. This refers to a legislative framework within which self regulatory codes of practice can be given official recognition 6. The aim of the legislation was ‘to encourage private sector organisations and industries which handle personal information to develop privacy codes of practice' 7. In the absence of a code, the NPPs would apply. This co-regulation aimed to ensure consistency and standardisation of personal information handling 8.

Balancing rights and obligations

The legislation acknowledges that privacy is not an absolute right and that an individual's right to protect his or her privacy must be balanced against a range of other community and business interests. These include the general desirability of a free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently. The legislation seeks to achieve the appropriate balance by providing for, among other things, a number of exemptions from the legislative requirements, including most small businesses.

Key drivers for private sector provisions

The Explanatory Memorandum for the private sector provisions outlined concerns raised in consultations on the absence of privacy protection that self-regulation had not resolved. It said:

‘These concerns include

Another factor underpinning the legislation was the International Covenant on Civil and Political Rights (ICCPR) that Australia had ratified. This provides that individuals shall not be subjected to arbitrary or unlawful interference with their privacy and that they have the right to the protection of the law against such interference or attacks 10.

2004 amendments to the legislation

Amendments to the legislation in April 2004 11 make it clear that the protection provided by NPP 9, which regulates transborder data flows, applies equally to the personal information of individuals who are Australian and those who are not. They remove the nationality and residency limitations on the power of the Privacy Commissioner to investigate complaints relating to the correction of personal information. They also give businesses and industries more flexibility in developing privacy codes by allowing the codes to cover otherwise exempt acts and practices where the authors of the code wish to do so.

What do the Private Sector Provisions cover?

Purpose

The private sector provisions of the Privacy Act give individuals control over the way personal information about them is handled by private sector organisations. They regulate the way many private sector organisations collect, use, keep secure and disclose personal information. They also give individuals a right to know what information an organisation holds about them and a right to correct it if it is wrong.

Who is covered?

The provisions apply to organisations, including corporations and unincorporated associations, with an annual turnover of more than $3 million.

They also apply, regardless of annual turnover, to all private sector health service providers, to organisations that buy and sell information without the individual's consent, and to contracted Commonwealth service providers in relation to their contractual activities 12. Specified acts and practices of organisations are exempt from the operation of the Privacy Act. These include, in general terms, acts or practices:

What obligations are imposed?

In general terms, a private sector organisation covered by the Act must not do anything that breaches an approved code binding on it. If not bound by an approved code, it must not do anything that breaches an NPP.

National Privacy Principles

The NPPs govern the collection, use and disclosure, security, quality and access to and correction of personal information. They include principles applicable to the use and disclosure of personal information for specific purposes, including:

The general principle that a person should have access to information organisations hold about them includes exceptions, such as exceptions based on health and safety, law enforcement and national security. Special provisions apply to sensitive information, including information about an individual's racial or ethnic origin, membership of political or professional or trade associations, religious beliefs and so on. Generally speaking, a higher level of protection is afforded sensitive information than personal information.

Advice and guidance

The Office plays an active role in raising awareness about individuals' privacy rights and in providing advice to business about its obligations. It provides information by way of its information hotline and its web site. The web site contains all the Office's publications, answers to Frequently Asked Questions, media comments, media releases, speeches, case notes, an online complaint checker, multi-lingual web pages, guidelines, information sheets, brochures and the annual report. Members of the Office also make speeches and presentations at a range of events.

Approved Codes

The Act provides for the approval of privacy codes by the Commissioner. To be approved a code must:

In addition, members of the public must have been given adequate opportunity to comment on a draft of the code 17. The Commissioner must keep a register of approved privacy codes 18.

Complaints

An individual may complain to the Commissioner about an interference with his or her privacy, unless an approved code applies and the code has its own code adjudicator. The Commissioner is required to investigate complaints, unless it is appropriate to exercise one of the discretions not to investigate, including for example, if the individual has not first complained to the organisation in question. If the complaint is upheld, the Commissioner may make a determination that the organisation should not repeat the conduct complained about.


2 National Consistency

2.1 National consistency overall

National consistency was a goal of the legislation

In introducing the private sector provisions of the Privacy Act, the then Attorney-General, the Hon Daryl Williams AM QC MP, noted that although some Australian businesses had already established privacy codes of practice this was not being done consistently. By contrast, the private sector amendments provide ‘a national, consistent and clear set of standards to encourage and support good privacy practices'. It was the Government's intention:

‘to establish a single national comprehensive scheme for the protection of personal information by the private sector. However, state and territory laws would continue to operate to the extent that they are not directly inconsistent with the terms of the bill' 19.

Issues

The issues paper suggested a number of topics for submissions related to national consistency. It asked:

The issues paper also suggested a number of topics for submission focussed on the Privacy Act itself. It asked about:

Finally, the issues paper addressed the issue of new developments in technology. This is addressed in Chapter 8.

Other law impacting on privacy

Other provisions of the Privacy Act

Public and private sector provisions integrated

The private sector provisions were enacted as an amendment to the existing Privacy Act 1988. It was intended that the NPPs would operate alongside the pre-existing provisions of the Act, including the IPPs, which apply to public sector agencies, and the provisions regulating credit reporting (largely contained in Part IIIA of the Act). Although the NPPs are similar to the IPPs, there are differences. Unlike the IPPs, the NPPs include specific provisions about the transfer of data overseas (NPP 9), and the NPPs provide more protection to defined types of ‘sensitive personal information', including health information. The NPPs and the IPPs are included at Appendices 4 and 5 respectively.

Interaction of private sector provisions with other provisions

There are circumstances when an organisation might be subject to both the NPPs and the IPPs. An Australian Government contractor, for example, may be bound to comply with the NPPs, and will also be bound by contract to comply with the IPPs. Some government enterprises are, for the purposes of the Privacy Act, both an ‘agency' (in relation to their non-commercial activities) and an ‘organisation' (in relation to their commercial activities). Similarly, credit providers and credit reporting agencies will generally be an ‘organisation' for the purposes of the private sector provisions and will be bound by the NPPs as well as the provisions of Part IIIA of the Act which impose specific obligations on them.

Other Commonwealth legislation

Overview

A number of pieces of Commonwealth legislation impose obligations on organisations that may have an impact on how those organisations comply with their obligations under the Privacy Act. This legislation is administered by various Australian Government agencies.

Misleading and deceptive conduct

Section 52 of the Trade Practices Act 1974, administered by the Australian Competition and Consumer Commission (ACCC), provides that a corporation shall not, in trade or commerce, engage in conduct that is misleading or deceptive, or is likely to mislead or deceive. This may influence the way in which an organisation complies with NPP obligations such as making people aware it has collected their personal information, openness and giving reasons for denying access or refusing to correct personal information. A similar provision in the Australian Securities and Investments Commission Act 2001 (ASIC Act), administered by the Australian Securities and Investments Commission (ASIC), section 12D, applies to financial services.

Telecommunications

The Telecommunications Act 1997, administered by the Australian Communications Authority (ACA), includes provisions relating to privacy. The Telecommunications (Interception) Act 1979 makes it an offence to intercept communications and specifies the circumstances in which interception may lawfully take place. The Spam Act 2003 establishes a scheme for regulating commercial email and other types of commercial electronic messages. This is discussed in more detail later in this chapter at 2.3.

Other

Other relevant Commonwealth legislation includes the Corporations Act 2001, which limits use or disclosure of information on company shareholder registers (section 177), and the Commonwealth Electoral Act 1918, which regulates access to, and use and disclosure of, electoral roll information. The Australian Broadcasting Authority (ABA) may investigate complaints alleging a breach of broadcasting industry codes of practice, some of which include provisions intended to protect individual privacy 20.

State and territory legislation

New South Wales, Victoria, the Australian Capital Territory and the Northern Territory have privacy legislation that covers all or part of their own public sectors. In Tasmania, similar legislation commences on 1 July 2005. Other jurisdictions have administrative arrangements which seek to establish appropriate information handling practices. Queensland has established two standards for privacy regulation in its public sector on an administrative basis. In South Australia, an administrative instruction applies to government agencies and a Code of Fair Information Practice, based on the NPPs, applies to all personal information handled by the Department of Human Services and its agencies. The Western Australian public sector does not currently have a legislative privacy regime.

Each jurisdiction's scheme is slightly different and so are the principles on which they are based. In addition, New South Wales and Victoria have health privacy legislation that regulates the handling of personal information in their public sectors and the private sector. They contain similar, though not identical, principles to the NPPs. The Australian Capital Territory has legislation that predated the NPPs covering health service providers in the public and private sector. The Australian Health Ministers' Advisory Council (AHMAC) is currently working towards a National Health Privacy Code, which may be one way of achieving national consistency for the handling of personal health information.

Other law

Other obligations overlap with responsibilities imposed on organisations by the Privacy Act. They include:

Self regulatory mechanisms

A number of industry organisations developed their own codes.

Telecommunications. The Australian Communications Industry Forum (ACIF) has developed a number of industry codes and guidelines, some of which deal with matters relating to the handling of personal information.

Direct Marketing. The Australian Direct Marketing Association (ADMA) has developed a model code, which includes the NPPs and a reference to the NPP Guidelines. It enforces the code against its members.

E-marketing. Following passage of the Spam Act, the Australian eMarketing Code of Practice was registered under Part 6 of the Telecommunications Act.

Submissions favour national consistency

Submissions overwhelmingly support the goal of national consistency. Business generally, and the finance and retail industries in particular, think that national consistency is important.

Members of the Australian Finance Conference (63) support the Government's object of achieving a single comprehensive scheme for handling personal information and it continues to remain important for them. It remains relevant and important to the Australian Bankers' Association (70). It is ‘essential' for the financial planning industry says the Financial Planning Association (85). In the view of the Australian Association of Permanent Building Societies (91), it is ‘imperative' for there to be a single nationally consistent scheme.

The charity sector agrees. Fundraising Institute Australia Ltd (52) argues that national consistency is important in ensuring compliance and reports that its members advise that consistency would improve their capacity to undertake their work as fundraisers.

Consumers also agree. The Consumers' Federation of Australia (65), for example, says national consistency is essential for privacy protection for consumers in Australia. The Australian Consumers' Association (15):

‘endorses the goal of a single, comprehensive, nationally consistent scheme for privacy protection in Australia. Such consistency makes the task of compliance by industry easier and cheaper. It facilitates education.'

On the other hand, in stakeholder forums, consumer groups made the point that they do not want national consistency at the cost of reducing privacy protection to the lowest common denominator.

The health sector, including the private hospital sector, professional organisations and public sector bodies like the Health Services Commissioner, Victoria (27), say there should be nationally consistent health standards. The Royal District Nursing Service (78) says national consistency is ‘vital'.

Objective has not been achieved

Despite the almost universal support for consistency, the objective has not been achieved in the view of very many submissions. Business and consumers agree that the objective has not been met. The Australian Consumers' Association (15), the National Health and Medical Research Council (32), Promina (34), the Consumers' Federation of Australia (65) and the Australian Health Insurance Association Ltd (76), for example, all agree the objective has not been achieved.

The Australian Chamber of Commerce and Industry (22) says there is a general trend towards ‘fragmentation', which has ‘adverse consequences in terms of magnified compliance burdens, administrative duplication and overlap between the separate regimes'.

Submissions from business and consumer organisations describe an emergence of a ‘patchwork' of federal and state and territory legislation, driven by, according to the Consumers Federation of Australia (65):

‘divisions by public and private sectors of the economy, state and federal levels of government, specific economic sectors (such as health), emerging technologies [and] gaps embodied in the federal legislation'.

Telstra (110) identifies state and territory legislation which contracted service providers must comply with and says that:

‘the proliferation of State-based legislation and inconsistency between State-based and Commonwealth legislation has the potential to add costs to conducting business with Government agencies'.

The Australian Retailers Association (111) describes recently introduced (or about to be introduced) state legislation as ‘designed to subvert the authority of the Federal Privacy Commissioner and create a complicated compliance regime for business.'

ANZ (40) is concerned that Australia will end up with differing laws among states that will confuse customers and increase compliance costs. The Insurance Council of Australia (59) describes privacy law as a ‘patchwork', as does the Australian Bankers' Association (70). The Australian Communications Authority (94) says there are gaps, overlap and jurisdictional confusion.

Coles Myer (60), concerned about the introduction of workplace surveillance legislation by the states, says that:

‘as with any other area of regulation (eg tax) any exemptions or possible inconsistencies provide an opportunity for the States and Territories to impose their own requirements'.

What submissions say - issues

State and territory laws are inconsistent with the Privacy Act

Overview

One of the consequences of the lack of national consistency in the way privacy is regulated is that organisations may be subject to inconsistent laws. There are inconsistencies between the Privacy Act and some state and territory legislation. Submissions identify a number of examples of this.

Health services

Health services provided by the private sector are subject to the Privacy Act. They may also be subject to state and territory health records legislation which may not be consistent with the Privacy Act. This is discussed in detail later in this chapter at 2.5.

Welfare organisations

Welfare organisations administer programs that are government funded. They may be funded by both the Australian Government and a state or territory. A charitable organisation (11) points out that in administering its Employment Services and Community Services programs it may have to comply with the NPPs, the IPPs, department procedural requirements and state or territory law. Furthermore, as their Community Services contracts are often negotiated on an individual program basis, the responsibility for interpreting the contractual provisions will fall on local management. The issue is further complicated by the fact that the organisation may need to collect health information as well, which is subject to state or territory health records legislation.

Tenancy databases

The Real Estate Institute of Australia (13) identifies legislation relating to tenancy databases as an example of lack of consistency between federal and state and territory legislation. Its submission to the working group of the Ministerial Council of Consumer Affairs advocated that a nationally consistent framework should be developed for the operation of tenancy databases. In the meantime, Queensland and New South Wales have their own legislation and the Australian Capital Territory is considering it.

Occupational health and safety

St John Ambulance Australia (97) identifies an inconsistency between the Privacy Act and occupational health and safety legislation in the context of reporting casualties at events.

Commonwealth laws are complex

Telecommunications

Submissions have drawn attention to inconsistencies between the Privacy Act and other Commonwealth legislation, for example, between Part 13 of the Telecommunications Act and the Privacy Act in relation to disclosure of customer information. Telecommunications companies may be subject to both. This is discussed in detail later in this chapter at 2.3.

Credit unions

There are other difficulties in the relationship between the Privacy Act and other Commonwealth legislation. The Credit Union Services Corporation (CUSCAL) (64) is concerned that the Corporations Law provides that credit unions must give anyone access to their share register which contains personal information about their shareholders who are also their customers.

Private health insurance

The Private Health Insurance Ombudsman (10) draws attention to difficulties caused by the notion of ‘contributor' and ‘dependents' in relation to a private health insurance contract in the National Health Act.

Inconsistency between the NPPs and IPPs

Organisation may be subject to both

There are inconsistencies between the NPPs and the IPPs. Some organisations may be subject to both. Australia Post (109) points out that the IPPs apply to its ‘non-commercial activities' but the NPPs apply to its commercial activities. In addition, its employees must comply with further, and more specific, obligations of privacy and confidence in the Australian Postal Corporation Act 1989.

Commonwealth contractors

An organisation contracted by the Australian Government (or subcontracted by an Australian Government contractor) to perform outsourced functions for the Australian Government must comply with the IPPs and the NPPs. The contract will require the contractor to comply with the IPPs. Where there is no provision in the contract equivalent to one or more of the NPPs, the NPPs apply.

The Chamber of Commerce and Industry WA (Inc) (77) says that there are aspects of the IPPs which may be problematic or confusing. The Tenants' Union of Queensland Inc (69), which is funded through the Community Legal Centres funding program, notes that having to comply with both the IPPs and the NPPs is unreasonably cumbersome on community sector organisations.

In the view of Telstra (110), the differences between the IPPs and the NPPs may lead to uncertainty about the obligations that apply when a contracted service provider collects (or otherwise handles) personal information on behalf of an Australian Government agency.

Finally, the Australian Government Department of Health and Ageing (99) identifies inconsistencies that have arisen in the context of Australian Government funded Aboriginal health services. It draws attention to circumstances when compliance with the NPPs alone would, in the appropriate circumstances, allow a doctor to discuss the care of a patient with a relative without the patient's consent but compliance with the IPPs would not.

An organisation may be subject to several privacy regimes

A number of submissions describe the difficulties they face complying with several privacy regimes at the same time. Promina (34), whose operations are national, is ‘subject to a complex matrix of federal and state legislation'. A confidential submission notes that each business activity is subject to different privacy legislation according to the state or territory the business operates in; the type of business; the type of personal information collected (personal information or health information); and whether the business unit is considered a government agency or a private sector organisation.

The Department of Health and Ageing (99) gives an example of the effect of several layers of privacy regulation. In giving advice to ACT pathologists who were changing their forms in a way that gave rise to privacy implications, the Department had to refer to the Privacy Act (the IPPs and NPPs), the Health Records (Privacy and Access) Act 1997 (ACT) and other ACT legislation, applying to pathologists operating as a private sector organisation.

Single piece of information may be subject to different laws

A number of submissions, particularly those from financial services organisations, have pointed out that one consequence of the plethora of legislation is that a single item of personal information may have several pieces of legislation, possibly inconsistent, applying to it. Promina (34), a group of insurance and financial services companies that operates nationally, notes that:

‘a single piece of personal information may be subject to two or more . . . legislative regimes at one time, creating conflicting obligations, different obligations or more onerous obligations in respect of the whole or parts of that same piece of information.'

Suncorp-Metway Ltd (35), another banking, insurance, investment and superannuation conglomerate, notes that the:

‘same piece of personal information may have multiple pieces of legislation applying to it, some of these obligations may compete with others and we may have to quarantine particular parts of that information and apply federal or state laws as applicable.'

There are jurisdictional problems

The plethora of legislation gives rise to jurisdictional problems. This affects both organisations and consumers. Telecommunications companies, for example, are subject to multiple regulators, including the Privacy Commissioner, the Australian Communications Authority (ACA) and the Telecommunications Industry Ombudsman (TIO). However, Optus (98), which deals with the ACA, the Office and other government bodies on various aspects of privacy, says that dealing with different regulators has not caused it any difficulties. The ACA (94) says that even the regulator may not know if it has jurisdiction until the investigation has begun.

The Private Health Insurance Ombudsman (10) notes that there is no clear jurisdiction in relation to privacy complaints between the federal and New South Wales Privacy Commissioners. Consequently, a person in New South Wales may complain to both.

ANZ (40) notes that banking customers with a privacy complaint may choose to go to the Banking and Financial Services Ombudsman (BFSO) or to the Privacy Commissioner. In a recent case a customer took part of a complaint to the BFSO and the privacy aspect of it to the Privacy Commissioner. (The whole complaint was ultimately resolved at a conciliation conference between the customer, the bank and the BFSO).

Telecommunications customers may also choose between the TIO and the Privacy Commissioner.

Compliance is more difficult

The lack of a single, national and comprehensive regime increases the administrative and cost burden of compliance on organisations. Submissions from a number of industries have drawn attention to this.

Suncorp-Metway Ltd (35) notes that its staff need to deal with various pieces of legislation and to deal with a number of regulators, ranging from the Privacy Commissioner to the Health Care Complaints Commissions of the states. It notes:

‘this makes the practice of providing information, adhering to the correct legislation and reference to a Regulator difficult for our staff and may result in the incorrect information being provided, incorrect principles or guidelines being applied or information not being fully provided.'

ANZ (40) is particularly concerned that if New South Wales or Victoria introduce their own workplace privacy legislation, which seems likely, the prospect of non-uniform laws throughout Australia would be opened again. Organisations that operate nationally would be subject to contradictory laws affecting the national workforce.

‘This would be likely to create significant additional compliance costs due to systems modifications, altered practices and staff training in order to manage the differences and ensure compliance.'

Comcare (12), which deals with health professionals, says that they are often unsure as to which privacy regime they are subject to when dealing with information relating to people in the Commonwealth jurisdiction.

The Australian Compliance Institute (16) notes that many national health services comply with what they consider to be the more onerous Victorian and New South Wales provisions across all jurisdictions to ensure they need to deal with only one compliance system 21.

Difficult to advise

The Australian Physiotherapy Association (37) notes that inconsistent legislation creates confusion for its members. Furthermore, it creates difficulties for the association itself in keeping abreast of the legislation and putting out a consistent message to its members about their privacy obligations.

Lack of consistency is getting worse

Many submissions say that the problem of inconsistency is getting worse. They cite, for example, the proliferation of state and territory health records Acts and the Australian Government's recently enacted Spam Act. Financial institutions in particular express concern about the developments in workplace surveillance legislation at a state and territory level, and the Real Estate Institute of Australia (13) is concerned that legislation regulating tenancy databases is being introduced in a piecemeal fashion. The Credit Union Services Corporation (CUSCAL) (64) is concerned about proposed anti-money laundering laws that will force credit unions to collect more, not less, personal information about their members. CUSCAL:

‘is particularly concerned about the need to educate consumers about these obligations and the reasons why privacy rights must yield to security concerns.’

What submissions say – addressing the issues

Australian Government should exercise its constitutional power

Some submissions suggest that the Australian Government should exercise its constitutional power to ensure that Commonwealth law prevails. A charitable organisation (11) says that the Australian Government should enforce its overriding constitutional power to the extent that all formal complaints about privacy should go to the Privacy Commissioner. The Salvation Army Australia Southern Territory (74) argues that Commonwealth law should prevail over state and territory law to provide consistency.

Review and simplify

The complex nature of privacy law in Australia leads a charitable organisation (11) to suggest that the legal requirements imposed by privacy law should be reviewed and simplified. The National Health and Medical Research Council (32) says that there should be a single, simplified national health privacy regulatory scheme.

Greater co-operation among governments

Submissions from health services raise the lack of consistency between the Privacy Act and state and territory legislation regulating health records as a problem, and a problem that will become worse as electronic medical records become commonplace.

Banks and other financial institutions are concerned that at least two states are developing workplace surveillance legislation independently of each other.

A participant in a stakeholder forum hopes that at least the various bodies might consider a consistent interpretation of terms such as ‘related’ and ‘reasonable’ because currently they are interpreted differently across jurisdictions.

There clearly needs to be greater co-operation between the Australian and state and territory governments in developing legislation that has privacy implications if national consistency is to be achieved. In the view of the Australian Information Industry Association (43), the Australian Government needs to take the lead to ensure that disparate policies do not emerge. The Insurance Council of Australia (ICA) (59) recommends that

‘Federal and State Ministers should work together to ensure that privacy regulation is developed in a coherent and consistent manner. Health ministers should promote co-ordination between the States in the development of privacy legislation.’

Telstra (110) wants to see more co-operation between the Office and other regulators to ensure a national and consistent approach to enforcement.

There needs to be a process for ensuring ongoing Australian and state and territory government co-operation. This has already happened in the area of health privacy. A National Health Privacy Working Group of the Australian Health Ministers' Advisory Council (AHMAC) is developing a national privacy code. Applauding the commitments of the health ministers, the ICA encourages AHMAC to finalise the health code.

Enhance the Privacy Commissioner's role

Given the need for a national approach it is appropriate that the Australian Government should take the lead in any process that is established to ensure consistency.

In the view of Telstra (110), the Australian Government should liaise with State and Territory governments to encourage a consistent approach. The Salvation Army Australia Southern Territory (74) urges the Office to take a role in ensuring consistency.

A number of possible mechanisms for doing this are identified in submissions. The Association of Market Research Organisations (AMRO) and the Australian Market and Social Research Society (AMSRS) (61) suggest that there should be a clearing house for ensuring that proposed legislation is consistent with the Privacy Act and that there should be a Privacy Impact Statement made for each new law. In the view of the Australian Bankers' Association (70), the clearing house should be the Office.

‘The ABA would support the Privacy Commissioner taking a lead role in the oversight and co-ordination of developments in other legislation that have implications for privacy regulation acting as a clearing house to ensure national consistency with the Act wherever possible’.

Other submissions recommend an enhanced role for the Office. The Australian Direct Marketing Association (67) suggests that the Office should be given increased authority to ensure there are appropriate mechanisms to ensure legislation that is inconsistent with the private sector provisions is not passed.

The Australian Nursing Federation (127) suggests that the Office should initiate a process to consult with all stakeholders to develop a single piece of national health privacy legislation.

Coles Myer Ltd (60) suggests the Office should be adequately funded to be involved in proposed laws. In the view of the Credit Union Services Corporation (64), it should also be well enough funded to participate actively in the development of new anti-money laundering laws.

Combine the NPPs and the IPPs

A number of submissions recommend that the NPPs and IPPs be combined into a single set of privacy principles that would apply to both Australian Government agencies and private sector organisations. In the view of a charitable organisation (11), the NPPs should prevail. Electronic Frontiers (51) says that the harmonisation of the two sets of principles should be done so as to provide the highest level of privacy protection from each of them.

Remove exemptions from the Privacy Act

One of the ways to ensure greater national consistency could be to remove the existing exemptions from the Privacy Act. In the view of a number of participants in the stakeholder forums, the exemptions provide gaps in protection that states and territories need to fill with their own legislation. Among the drivers of the development of privacy law in other jurisdictions are the gaps in the protection provided by the federal law. The exemptions in the Privacy Act are undermining the goal of national consistency.

Options for reform

Clarify constitutional issue

The failure of the Privacy Act to achieve its object of establishing a ‘single comprehensive national scheme’ for the protection of personal information is an issue for the private sector. As submissions reveal, national consistency is important to business, to charities and to individuals. The lack of national consistency contributes significantly to the costs imposed on business. It is not clear whether section 3 of the Privacy Act, which provides that the operation of state and territory laws that are ‘capable of operating concurrently with’ the Act is not to be affected, covers the field or not. This provision determines whether a state or territory privacy law, or part of it, is constitutional.

This lack of clarity leaves the way open to a state or territory to pass its own laws on the ground that there is no constitutional barrier to doing so. It certainly may be that state and territory legislation purporting to regulate health records is inconsistent at least to the extent that it imposes obligations on organisations covered by the Privacy Act. If so, it may be unconstitutional. Section 3 could be amended to make it clear that the Privacy Act was intended to cover the field.

Australian Government to promote national consistency

All stakeholders regard national consistency as very important and claim that it has not been achieved. Because of the exemptions in the Privacy Act, some hold the Australian Government at least partly responsible for not achieving the ‘single comprehensive national’ scheme it promoted. It is also a consequence of our federal system. It is clearly the role of the Australian Government, rather than the states and territories, to play the leadership role in promoting national consistency. To succeed it has to be done at the highest level. The Australian Government could ask the Council of Australian Governments (COAG) to endorse national consistency in all privacy related legislation.

Consult Privacy Commissioner about all privacy related legislation

There would be more consistency in privacy related legislation if a centralised body had oversight of all proposed legislation. One possibility is that the Privacy Commissioner plays that role. The Privacy Commissioner is already consulted when Australian Government policy affecting privacy is being developed. Even if desirable, it may not be practical to nominate a federal body to play such a role in relation to the states and territories.

Examine IPPs and NPPs

The lack of consistency between the IPPs and the NPPs causes considerable compliance difficulties for organisations that are public sector organisations that undertake commercial activities and for some private sector organisations, especially those who are funded by Australian Government agencies or are contracted to Australian Government agencies. Although both sets of principles draw on the 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines for the Protection of Privacy and Transborder Flows of Personal Data, each set of principles reflects the time in which it was developed.

Similar functions are performed by both public and private sector bodies, and both public sector and private sector bodies may be characterised as both an agency and an organisation for the purposes of the Privacy Act. There seems no clear rationale for applying similar, but slightly different, privacy principles to public sector agencies and private sector organisations and certainly no clear rationale for applying both to an organisation at the same time. There is no clear policy reason why they are not consistent. The time may have come for a systematic examination of both the IPPs and the NPPs with a view to developing a single set of principles that would apply to both Australian Government agencies and private sector organisations.

Consider Australian Government contractors

As part of the suggested examination of the IPPs and NPPs the application of both the IPPs and the NPPs to Australian Government contractors could be considered.

Power to make a binding code

When state and territory governments pass legislation regulating activities that businesses engage in on a national basis that is not uniform, there is a negative impact on business.

Having to comply with similar but different legislation in the states and territories adds to the costs and complexity of compliance.

One way of overcoming the problems caused by inconsistent state and territory legislation regulating a particular activity is to provide for a power within the Privacy Act to develop binding codes. There are a number of ways in which this could be achieved. For example, the Attorney-General, after identifying the need for a code in a specific sector, could ask the Privacy Commissioner to commence a process to develop a code in consultation with key stakeholders. The Privacy Act would need to be amended to provide a power for the Privacy Commissioner to develop a code following a request from the Attorney-General.

A model that is worth considering is that set out in the Trade Practices Act 1974. The Act provides by regulation for the Minister to declare a code mandatory for the industry in question.

Alternatively, the Privacy Act could be amended to provide for the Privacy Commissioner, at his or her own initiative, to make a binding code in appropriate circumstances, again drawing on strong stakeholder consultation.

A model that may be worth considering is that set out in the Telecommunications Act. The Act provides for the telecommunications industry to develop self-regulatory codes on a range of matters including privacy. Section 125 of the Act provides a mechanism for the regulator, the Australian Communications Authority, to issue a binding industry standard where a self-regulatory code is failing or where no code has been developed. The process places strong emphasis on stakeholder consultation.

Change the name of the Office to the Australian Privacy Commission

Section 19 of the Privacy Act established the Office of the Privacy Commissioner, also known as the Office of the Federal Privacy Commissioner. The NSW Office is known as the Office of the NSW Privacy Commissioner or Privacy NSW; the Victorian Office is the Office of the Victorian Privacy Commissioner or Privacy Victoria.

The similarity of these names causes confusion, especially for consumers who are trying to work out to whom they should make a complaint. Changing the name of the Office would avoid unnecessary confusion. It would also be more consistent with other Australian Government regulatory bodies, such as the Australian Competition and Consumer Commission and the Australian Securities and Investments Commission.

2.2 Recommendations: National consistency

The Privacy Act has not achieved its object of establishing a ‘single comprehensive national scheme’ for the protection of personal information. As submissions reveal, national consistency is important to business, to charities and to individuals. The lack of national consistency contributes significantly to the costs imposed on business.

  1. The Australian Government should consider amending section 3 of the Privacy Act to remove any ambiguity as to the regulatory intent of the private sector provisions.

  2. The Australian Government should consider asking the Council of Australian Governments (COAG) to endorse national consistency in all privacy related legislation.

  3. The Australian Government should consider setting in place mechanisms to address inconsistencies that have come about, or will come about, as a result of exemptions in the Privacy Act, for example, in the area of workplace surveillance.

  4. The Australian Government should consider commissioning a systematic examination of both the IPPs and the NPPs with a view to developing a single set of principles that would apply to both Australian Government agencies and private sector organisations. This would address the issues surrounding Australian Government contractors.

  5. The Australian Government should consider changing, by legislative amendment, the name of the Office of the Privacy Commissioner to the Australian Privacy Commission.

  6. The Australian Government should consider amending the Privacy Act to provide for a power to make binding codes.
2.3 Consistency in telecommunications

Law and policy

Businesses in the telecommunications sector handle a large range of personal information, including customer details, telephone or internet service details, as well as carrying the contents of telecommunications such as voice calls, SMS and MMS messages, and emails.

Telecommunications carriers, as a group, collect personal information about all telephone and internet subscribers, amounting to a very large proportion of the population. There are 11.7 million fixed telephone lines in Australia, 16.5 million mobile phone services, and 5.2 million internet subscribers 22. Some of this information is routinely transferred between telecommunications carriers as an integral part of the operation of the telecommunications network. Telecommunications carriers also hold information of interest to emergency services and law enforcement agencies.

In addition to information about subscription to telephone, internet and other telecommunications services (e.g. name, address, phone number etc.), the contents of voicemails, emails, SMS and MMS messages can include some of the most sensitive and personal information we have. Such messages are often stored, for varying lengths of time, by telecommunications companies.

The community's interest in protecting the privacy of telephone calls and other telecommunications is reflected in a range of legislation that pre-dates the private sector provisions of the Privacy Act. The Office's community attitude research shows that individuals are more reluctant to give organisations their home phone number than all other sorts of information, with the exception of bank account details and income. The Office's research also shows that this sensitivity has increased over recent years 23.

The private sector provisions of the Privacy Act regulate organisations that operate within the telecommunications sector. These provisions do not, however, include specific references to the telecommunications sector. Telecommunications-related businesses with a turnover less than $3 million may not be covered by the Privacy Act.

In the telecommunications sector, privacy is also regulated through the Telecommunications Act 1997 (Telecommunications Act), the Telecommunications (Interception) Act 1979 (Interception Act), and the Spam Act 2003 (Spam Act).

A number of submissions focused on the regulation of telecommunications privacy in considering the question of national consistency. Many of these submissions referred in particular to the operation of the Privacy Act with the Telecommunications Act, in some cases analysing in detail the interaction of specific provisions of both Acts.

Telecommunications Act

Part 13 of the Telecommunications Act provides for the confidentiality of personal information and the contents of communications, including restrictions on how telecommunications carriers and carriage service providers may use and disclose information that relates to the affairs of other persons, the contents of communications, and the services they provide. The Privacy Commissioner has the function of monitoring compliance with the record-keeping requirements in Division 5 of Part 13 of the Telecommunications Act.

Part 6 of the Telecommunications Act provides for industry to develop binding codes, for example codes developed by the Australian Communications Industry Forum, which are registered with the Australian Communications Authority. The private sector provisions of the Privacy Amendment (Private Sector) Act 2000 include amendments to Part 6 of the Telecommunications Act, and were intended to recognise and promote the pre-eminence of the Privacy Act and the role of the Privacy Commissioner within the telecommunications environment without diminishing the integrity of the telecommunications self-regulatory regime.

Industry codes provide a mechanism that permits the inclusion of privacy provisions beyond those in the Privacy Act, where the telecommunications industry considers that the NPPs do not readily address some specific industry or service related privacy concern. The Privacy Commissioner has a statutory role during the development phase of industry codes that relate to privacy, which involves the telecommunications sector consulting the Privacy Commissioner about such codes.

Telecommunications (Interception) Act

The Telecommunications (Interception) Act 1979 (Interception Act) has two key purposes. Its primary object is to protect the privacy of individuals who use the Australian telecommunications system by making it an offence to intercept communications. The second purpose of the Interception Act is to specify the circumstances in which it is lawful for interception to take place.

Following amendments to the Interception Act in 2004, stored communications such as emails, SMS and MMS messages are not protected by the prohibition on interception and the associated penalties in the Interception Act. Submissions made no substantial comment on the Interception Act or its interaction with the Privacy Act.

Spam Act

The Spam Act 2003 (Spam Act) sets up a scheme for regulating commercial email and other types of commercial electronic messages. Under the Spam Act, unsolicited commercial electronic messages must not be sent, and there are restrictions on the use of address-harvesting software.

Telecommunications regulators

There is more than one regulator with an interest in privacy in the telecommunications sector. The Australian Communications Authority (ACA) monitors the performance of telecommunications carriers and carriage service providers. The Telecommunications Industry Ombudsman (TIO), set up by the industry, investigates complaints about a range of telecommunications issues, including printed and electronic White Pages, privacy and breaches of the Customer Service Guarantee, and industry Codes of Practice.

Complaints and enquiries

During the review reporting period (21 December 2001-31 January 2005), approximately 9% of all NPP complaints received by the Office (223 complaints) related to the telecommunications sector, positioning it as the third most complained about sector behind the finance and health sectors. The Office also received 1725 telecommunications enquiries over the period, or approximately 4% of NPP enquiries.

The Telecommunications Industry Ombudsman, which also deals with some privacy-related complaints in the telecommunications sector, reports that in the 2003-2004 year, it dealt with 1271 telecommunications complaints that related directly to issues concerning privacy. This suggests that the Office's NPP complaints represent approximately 6% of the privacy complaints in the telecommunications industry. 24

Compared to all NPP complaints received in the reporting period, complaints against telecommunications sector organisations were much more likely to concern use and disclosure issues and much less likely to concern access issues. 25

The following graph shows the NPP complaints received by the Office against telecommunications sector organisations according to the issues raised in the complaint. 26

[Graph: NPP complaints received against telecommunications sector organisations, by issue raised]

Disclosure of silent numbers

The disclosure of silent numbers by telecommunications carriers was possibly the most recurrent single issue in NPP complaints received against telecommunications sector organisations. Similarly, the disclosure of silent numbers was a recurrent issue in the ten own motion investigations into organisations in the telecommunications sector commenced by the Privacy Commissioner under section 40(2) of the Act during the reporting period. These figures reinforce the results in the Office's community attitude survey about the sensitivity of telephone numbers in the community.

Some of the own motion investigations in the telecommunications sector related to the personal information of many hundreds, and even thousands, of individuals.

Complaints closed

A total of 181 NPP complaints against telecommunications sector organisations were closed in this period, of which 34 were closed as adequately dealt with under section 41(2)(a) of the Privacy Act following investigation or preliminary enquiries by the Office. An analysis of the number of complaints closed under this provision provides an indication of the number of complaints that were substantiated by the Office.

The following graph indicates the issues raised in NPP complaints against telecommunications sector organisations that were closed under section 41(2)(a) 27. As with complaints received against this sector, over half of the 34 complaints closed under this provision concerned use and disclosure issues.

[Graph: issues raised in NPP complaints against telecommunications sector organisations closed under section 41(2)(a)]

The operation of other laws

Some use and disclosure complaints against telecommunications sector organisations may have been closed where it was assessed that the use or disclosure was required or authorised by or under another law. In addition, seven of the 181 NPP complaints against telecommunications organisations closed in the reporting period were declined, having been assessed as being more appropriately or currently dealt with under another law, including the Telecommunications Act.

Small business exemption

The Office recently contacted a wide range of Internet Service Providers (ISPs) in the course of its enquiries into an industry-wide practice. At least 25% of the ISPs that responded advised that they could claim the small business exemption. Between 10 and 15% of telecommunications sector respondents to NPP complaints received by the Office were ISPs.

What the submissions say – issues

Overlap of privacy and telecommunications legislation

Electronic Frontiers Australia (51) argues that the telecommunications sector has, of necessity, access to a great deal more information about individuals than do most private sector organisations. This information not only relates to customers, but also to the public in general, and includes the contents of their communications.

To illustrate the scope and importance of the personal information at issue in this sector, Electronic Frontiers Australia (51) quotes at length from an internet service provider executive who said, in 2000, that:

‘we have the username and password for every one of our users, we have their credit card details, we have a lot of information about their liquidity, we can know about every purchase they make online, with whom, when and for how much. We can know every site they visit on the web – every page, every newsgroup, every picture they look at. We could read all of their e-mail and know all about their romances and the jobs they're applying for. The commercial opportunities arising from this are endless …’.

Telstra (110) says that there is an over-regulation of privacy and information-handling practices, causing regulatory uncertainty and additional compliance costs. Telstra also submits, however, that the private sector provisions of the Privacy Act are working well, and that industry-specific regulation such as Part 13 of the Telecommunications Act is working well.

Electronic Frontiers Australia (51) expresses concern that, in the online environment, individuals have almost no privacy rights, and the obligations that do exist may be difficult to have enforced. It argues that this arises from factors such as uncertainty regarding the definition of ‘personal information’, the ability of organisations to collect personal information without an individual's consent, the use of ‘bundled’ consents, the small business exemption and technological developments.

Protections on use and disclosure

Sensis (84), the Australian Communications Authority (94), and Electronic Frontiers Australia (51) note that Part 13 of the Telecommunications Act contains different standards for the use and disclosure of personal information than does NPP 2.

Uses and disclosures permitted by the Telecommunications Act

Section 303B of the Telecommunications Act provides that uses and disclosures of personal information that are permitted by Divisions 3 and 4 of Part 13 of that Act, are ‘authorised by law' for the purposes of the Privacy Act. The Telecommunications Act also allows legal proceedings or administrative action to be taken under both the Telecommunications Act and the Privacy Act, in relation to uses and disclosures of personal information. 28

Telstra (110) suggests that despite the provisions of section 303B of the Telecommunications Act, there may still be uncertainty regarding whether a disclosure of customer information that falls within one of the exceptions in Division 3 or 4 of Part 13 of the Telecommunications Act may nonetheless breach the NPPs or the credit reporting provisions in Part IIIA of the Privacy Act.

Uses and disclosures permitted by NPP 2

Electronic Frontiers Australia (51) raises a further question about the interaction between the Privacy Act and the Telecommunications Act in that section 280(1)(b) of the Telecommunications Act provides that uses and disclosures that are required or authorised by another law are not prohibited by Part 13 of the Telecommunications Act. One possible interpretation of this provision is that the uses and disclosures permitted by the secondary purpose exceptions to NPP 2.1 (for example, for direct marketing) may be available to telecommunications companies, in addition to the exceptions in Part 13 of the Telecommunications Act.

Different standards of protection

Section 289 of the Telecommunications Act permits the use or disclosure of personal information if the person to whom the information relates is either reasonably likely to be aware of the use or disclosure, or has consented to it. Electronic Frontiers Australia (51) argues that section 289 of the Telecommunications Act offers greater privacy protection in relation to use or disclosure for the primary purpose of collection than does NPP 2. For secondary purposes, however, that section is significantly less protective. Unlike NPP 2, section 289 of the Telecommunications Act does not require the use or disclosure to be related to the purpose of collection. As a consequence, a disclosure for a secondary purpose may be permitted by section 289, but not by NPP 2.

Electronic Frontiers Australia (51) also argues that section 291 of the Telecommunications Act is less privacy protective than NPP 2, for example, allowing disclosures for the unrelated secondary purpose of direct marketing by other organisations. Electronic Frontiers Australia also identified section 290 as requiring attention in relation to the disclosure of personal information about third parties.

Section 285 of the Telecommunications Act relates to the use and disclosure of customer information to produce public number directories, and includes a prohibition on the use or disclosure of customer information in connection with a directory with a reverse search capability (that is, where searching on a number provides a person's name and address). Sensis (84) suggests that the NPPs, rather than industry specific regulation, would be adequate regulation in relation to reverse search functionality.

Small business exemption

A number of submissions noted that the small business exemption may leave unregulated some organisations operating in, or close to, the telecommunications sector.

The Australian Communications Authority (94) notes that Part 13 of the Telecommunications Act does not apply to producers of public number directories (including list brokers). Where a public number directory producer falls within the small business exemption of the Privacy Act, then there may be few or no privacy protections in place.

Electronic Frontiers Australia noted that a range of smaller businesses could fall under the small business exemption, including internet service providers (ISPs), resellers of carrier and/or ISP services; carriage service intermediaries and telecommunications contractors. This is confirmed by the Office's experience, which suggests that approximately 25% of ISPs may claim the small business exemption.

After the private sector provisions of the Privacy Act commenced in December 2001, the Australian Communications Authority decided to de-register the code ACIF 523 - Protection of personal information of customers of telecommunications providers (October 2001) (CPI Code), to avoid a duplication in the telecommunications privacy jurisdiction 29.

The CPI Code applied to large telecommunications companies, as well as small businesses including ISPs, resellers of carrier and/or ISP services, carriage service intermediaries and telecommunications contractors.

Electronic Frontiers Australia (51) says that a net result of the introduction of the private sector provisions and the removal of the CPI Code may be that individuals currently have less protection, overall, in relation to the handling of their personal information by small businesses in the telecommunications sector, than they did prior to 2001. Given the nature and scope of the personal information that is collected, used and disclosed by the telecommunications sector, there would appear to be a notable gap in privacy regulation.

These considerations are also relevant to the broader consideration of the small business exemption in Chapter 6.

Telecommunication regulators

Submissions generally do not indicate that regulatory overlap is a major problem in the telecommunications sector; however, there are issues deserving attention according to the Australian Communications Authority (94), Optus (98), and Telstra (110). For example, the Australian Communications Authority says that in the handling of complaints, while regulatory overlap may not have been a significant barrier to resolving complaints, it may have led to some delays, frustration and waste (94).

Spam

Submissions highlighted the recent Spam Act as an example of appropriately specific legislation to deal with a particular challenge posed by new technology.

What submissions say – addressing the issues

Overlap of privacy and telecommunications legislation

No change required

Telecommunications companies Virgin Mobile (26), Optus (98), Telstra (110) and Vodafone (112) are generally opposed to further regulation; however, some call for further clarification of specific issues (see below). Virgin Mobile (26) considers the current level of regulation applying to telecommunications companies to be very significant and that further regulation is not warranted, noting that the current set of legislative requirements impose significant compliance costs.

Protections on use and disclosure

Uses and disclosures permitted by the Telecommunications Act

Telstra submitted that Part 13 of the Telecommunications Act should be amended to clarify that a disclosure that fits an exception to Part 13 of the Telecommunications Act is not a breach of the Privacy Act, or that the Office should publish an information sheet outlining its views in relation to privacy complaints in the telecommunications sector.

Uses and disclosures permitted by NPP 2

Electronic Frontiers Australia (51) recommends that the law be clarified to ensure that NPP 2.1 does not authorise uses or disclosures that would otherwise be in breach of the Telecommunications Act.

Different standards of protection

A range of submissions from consumer and industry perspectives feel that the relationship between the Telecommunications Act and the Privacy Act could be further clarified, either through additional guidance or through legislative change 30. Electronic Frontiers Australia (51) argues that privacy protections should be at least maintained, and in some cases strengthened, in the course of that clarification.

Optus (98), Telstra (110) and Electronic Frontiers Australia (51) saw merit in considering the appropriateness of the privacy protections in Part 13 of the Telecommunications Act. Optus argues that, notwithstanding the usefulness of Part 13 of the Telecommunications Act, it would be beneficial to review it with the aim of making it easier to interpret.

Small business exemption

Electronic Frontiers Australia (51) recommends that the small business exemption be deleted from the Privacy Act.

Telecommunications regulators

Telstra (110) suggests that in the first instance complaints should be investigated by the appropriate industry body, for example the TIO.

Spam

A range of submissions suggest that the relationship between the Spam Act and the Privacy Act could be further clarified, for example through guidance issued jointly by the Office and the Australian Communications Authority 31. In particular, the different approach to ‘opting out' between NPP 2.1(c) and the Spam Act was noted by both industry (for example the Australian Bankers Association 70) and consumers (for example, Electronic Frontiers Australia 51). For more discussion on direct marketing see Chapter 4.

Options for reform

Overall it appears from the submissions that the combination of general privacy regulation through the Privacy Act, with technology and sector-specific regulation, is working reasonably well in many areas relating to the telecommunications sector.

Overlap of Privacy and Telecommunications legislation

Exclude telecommunications from the Privacy Act

While excluding telecommunications companies from the Privacy Act may simplify the regulatory arrangements for companies that operate solely in the telecommunications sector, the additional protections offered by NPPs, particularly relating to collection, data quality, data security and access, would be foregone. There does not appear to be sufficient reason to support this option, particularly considering the special nature and broad scope of personal information handled in the telecommunications sector.

As telecommunications is the third most complained about sector under the NPPs, it appears that the Privacy Act provides an important contribution to protecting privacy in this sector.

Repeal Part 13 of the Telecommunications Act

While repealing Part 13 of the Telecommunications Act may simplify the regulatory arrangements for companies that operate in the telecommunications sector, the relatively strong protections on use and disclosure of telecommunications-related personal information offered by Part 13 of the Telecommunications Act would be foregone. There does not appear to be sufficient reason to support this option, particularly considering the special nature and broad scope of personal information handled in the telecommunications sector.

The relatively large number of privacy-related complaints handled by the Telecommunications Industry Ombudsman may suggest that the regulatory scheme provided by the Telecommunications Act is critically important to protecting privacy in this sector.

Transfer Part 13 of the Telecommunications Act to the Privacy Act

The intention of this option would be to retain the protections of both the NPPs and Part 13 of the Telecommunications Act, but to do so under the one Act. In doing so, careful consideration would have to be given to the relationship between the definition of ‘personal information' in the Privacy Act, and ‘information' as used in Part 13 of the Telecommunications Act. Similarly, careful consideration would have to be given to whether the requirement in section 16B of the Privacy Act that the Privacy Act applies only to the collection of personal information for inclusion in a record (or a generally available publication) would narrow the application of the provisions of Part 13 of the Telecommunications Act, were they to be transferred to the Privacy Act.

Guidance

Detailed guidance, issued jointly by the Office and the ACA, may assist in increasing understanding of the interaction of the Privacy Act and the Telecommunications Act. This guidance could concentrate on the issues raised in the submissions, such as the operation of section 303B of the Telecommunications Act. Detailed guidance could also assist in clarifying that the exceptions to NPP 2 do not provide an ‘authorisation' under law, for the purposes of other Acts such as the Telecommunications Act.

However, where there is genuine legal uncertainty about the joint operation of the two acts, guidance would not assist.

Amendments to the Privacy Act and the Telecommunications Act

Changes to the Privacy Act alone are unlikely to resolve concerns about the potential for inadequate or inconsistent use and disclosure protections. The overall standard of protection for personal information, set by the combination of Part 13 of the Telecommunications Act and the Privacy Act, could be addressed through coordinated amendments to those Acts which clarify their relationship, particularly in terms of the respective provisions concerning what constitutes authorised uses and disclosures under the two Acts.

At a minimum, amendments could clearly specify that the Privacy Act cannot be used to lower the overall standard of privacy protection, so that an exception under NPP 2.1 cannot ‘authorise' a use or disclosure under section 280(1)(b) of the Telecommunications Act. For example, it should be clear that a disclosure permitted by NPP 2.1(c), for a secondary purpose of direct marketing, would not, through appealing to NPP 2.1(c), also be permitted by section 280(1)(b) of the Telecommunications Act. Amendments should clarify that if a use or disclosure of personal information is not permitted by Part 13 of the Telecommunications Act considered in the absence of the Privacy Act, then it is not permitted even when considered in the context of the Privacy Act.

Amendments to ensure that the higher privacy standard always operates

Recognising the significant quantity, scope and sensitivity of the personal information that is held by, and that flows through, organisations in the telecommunications sector, a further step could be to amend both the Privacy Act and the Telecommunications Act to ensure that the higher privacy standard always operates. This would require amending or repealing section 303B of the Telecommunications Act to ensure that uses or disclosures prohibited by NPPs 2, 7 and 9 are not permitted by the Telecommunications Act, unless there is a clear, sector-specific requirement that meets the public policy goals of the private sector privacy regulatory scheme.

Small Business Exemption

Public number directory producers are authorised under the Telecommunications Act to access the Integrated Public Number Database (IPND). The IPND is a database of all listed and unlisted telephone numbers. It is a repository of personal information (including names and addresses) relating to the end-users of telephone numbers. According to the Australian Communications Authority:

‘In addition to the publication of public number directories, Public Number Directory Producers (PNDPs) are understood to use telecommunications customer information for a variety of other purposes. These uses are referred to by the industry as ‘database enhancement', ‘data cleansing', ‘data verification', ‘list management' services or ‘information management tools' 32.'

Some of the significance of IPND data is that it provides a means for directly contacting a large proportion of the Australian population. The use of telephone numbers to direct market is discussed in Direct Marketing, Chapter 4, including evidence from submissions both that there is a level of irritation in the community about the intrusiveness of phone marketing, and that some customers like direct marketing. The option of establishing a ‘Do Not Contact' register is also discussed there.

The Australian Communications Authority has decided to determine an industry standard to regulate the use of telecommunications customer information. The Office understands that this standard, in conjunction with the NPPs, will aim to regulate the appropriate use of IPND data.

Producers of public number directories clearly handle personal information, and typically in quantity. In the case of any public number directory producer that has an annual turnover of less than $3 million, there may then be some uncertainty about whether or not the small business exemption applies.

Subsections 6D(4)(c) and (d) provide that a business is not eligible for the small business exemption if it trades in personal information. Subsections 6D(7) and (8), however, permit a business that has an annual turnover of less than $3 million, and trades in personal information, to nonetheless benefit from the small business exemption if the trading in personal information is conducted with the consent of the individuals whose information is traded, or if another law requires or authorises the trading of the information.

Regulate-in small telecommunications businesses

The small business exemption could be removed for a nominated class of telecommunications-related small businesses and public number directory producers, by way of a regulation under section 6E of the Privacy Act. This option is less likely to lead to the kind of regulatory confusion that may arise under other options (outlined below). However, it has the disadvantage of further complicating the nature of the small business exemption.

Telecommunications businesses not eligible for the small business exemption

An alternative to regulation would be to amend the Privacy Act to provide that telecommunications businesses and public number directory producers are not eligible for the small business exemption. This may have the disadvantage of further complicating the structure of the small business exemption.

Self-regulatory privacy code registered with the ACA

Making use of the self-regulatory scheme for the telecommunications sector, under the Telecommunications Act, a new telecommunications industry privacy code could be registered with the Australian Communications Authority, so that all telecommunications organisations and public number directory producers will have NPP obligations through that means.

Disadvantages with this approach include the duplication of privacy regulation for the great majority of telecommunications companies who are already bound by the Privacy Act, and are also bound by registered industry codes, and the confusion and uncertainty that may arise as a result; and a further splintering of privacy regulation, because the Privacy Commissioner may not be the complaint handler for all privacy complaints in the sector.

Commissioner to issue mandatory code

If the Commissioner had a power to issue a mandatory code which covered a certain group of businesses (see recommendation 7), this power could be used to develop and issue a telecommunications sector privacy code.

Remove the consent provisions from the small business exception

This would ensure that all organisations that ‘trade' in personal information (as described by subsections 6D(4)(c) and (d) of the Privacy Act) would be regulated by the Privacy Act. This would assist in ensuring that public number directory producers cannot make use of the small business operator exemption. This option is also discussed in Chapter 6, Small Business Exemption.

Overlapping regulators

See Chapter 5, Complaint Handling, for further discussion of options for minimising problems arising from overlapping regulators.

Spam

The issue of different standards for opting out of direct marketing is taken up in Chapter 4, Direct Marketing. Beyond the recommendations there, the Office and the Australian Communications Authority could work together to issue joint guidance on the operation of the Privacy Act and the Spam Act.

2.4 Recommendations: Telecommunications consistency

  1. The Australian Government should consider amending the Privacy Act and the Telecommunications Act to clarify what constitutes authorised uses and disclosures under the two Acts, and to ensure that the Privacy Act cannot be used to lower the standard of privacy protection in the Telecommunications Act.

  2. The Australian Government should consider making regulations under section 6E of the Privacy Act to ensure that the Privacy Act applies to all small businesses in the telecommunications sector, including Internet Service Providers and Public Number Directory Producers.

  3. The Office will discuss with the Australian Communications Authority the development of guidance to clarify the relationship between the private sector provisions of the Privacy Act and Part 13 of the Telecommunications Act.

  4. The Office will discuss with the Australian Communications Authority the development of guidance to clarify the relationship between the private sector provisions of the Privacy Act and the Spam Act.


2.5 Consistency in protection of health information

Research on community attitudes towards privacy, conducted by the Office 33, shows the importance that Australians place on the protection of their health information. There are risks of serious harm arising from a failure to adequately protect an individual's health information, for example when handling genetic information that indicates an individual's susceptibility to a serious disease or information about an individual's sexual health. Some individuals may be stigmatised or discriminated against if their health information is mishandled.

While a health service provider's principal concern is for the health care of their patient, the individual's right to have their health information protected, and to retain control over it, is also important.

Law and policy

Privacy regulation for health information across Australia consists of a set of overlapping, incomplete and sometimes inconsistent federal, state and territory legislation. The shared intent is to regulate the handling of this sensitive information, and to ensure its protection. However, the multiplicity of laws and provisions, many very similar but not the same, results in confusion and undue complexity.

Commonwealth, state and territory privacy legislation

At the Commonwealth level, the handling of health information is regulated in the private sector and Australian Government public sector through the Privacy Act by the National Privacy Principles (NPPs), the Information Privacy Principles (IPPs) and Public Interests Determinations 34.

Some state and territory jurisdictions 35 have developed privacy legislation for their public sectors. Others have administrative arrangements for this purpose. For example, Queensland has established two administrative standards for privacy in its public sector (one scheme for health sector agencies, and one scheme for other government agencies) 36. Each jurisdiction's scheme is slightly different, as are the principles on which they are based.

For privacy in the private sector, two states (in addition to the ACT, which in 2001 already had law covering health services in the private sector) have enacted law seeking to regulate the handling of health information in the private sector. Victoria has enacted the Health Records Act 2001 and in NSW, the Health Records Information Privacy Act 2002 came into force on 1 September 2004 37. These Acts contain similar, though not identical, principles to the NPPs. For example, the Victorian legislation has certain provisions regarding access to ‘old' personal health information; there are no equivalent provisions in the NPPs 38.

Other forms of regulation

Additionally, there are other forms of protection for an individual's health information. These include ethical and professional codes of conduct adhered to by health professionals, common law obligations of confidence that health professionals must abide by, as well as federal, state and territory statutes about matters such as public health. Also, the enabling legislation of many health agencies often contains secrecy provisions.

Proposed National Health Privacy Code

At the request of Health Ministers, the National Health Privacy Working Group of the Australian Health Ministers' Advisory Council was set up in 2000 to develop a national framework for health privacy. This proposed framework has become known as the National Health Privacy Code.

After public consultation on the draft code in 2003, a revised version, as well as draft mandatory guidelines for research, and draft explanatory notes for the use or disclosure of genetic information, were developed 39. These documents are yet to be considered by Health Ministers. The Department of Health & Ageing (99) states this will occur in 2005.

What the submissions say - issues

Problems for health privacy

Submissions overwhelmingly support the conclusion that the existing state of health privacy laws in Australia is unsatisfactory for health service providers and individuals.

Submissions from health services (and organisations representing them) and from insurers identify problems raised by this lack of consistency. A confidential submission says that health insurers, for example, have gone to the expense of setting up systems consistent with the private sector provisions and then have had to look at separate state and territory legislation, regulations and guidelines, involving them in more expense. The Investment and Financial Services Association Ltd (89) says that the inconsistencies cause a significant compliance burden, resulting in increased compliance costs for many of their member organisations. Furthermore, inconsistencies make it difficult for consumers to understand their rights.

The experience of the Office also indicates that this issue represents one of the biggest obstacles to effective and consistent national developments in the health sector, such as electronic health records systems.

The Australian Law Reform Commission (ALRC) and Australian Health Ethics Committee (AHEC) considered the need for harmonisation of privacy regulation in the context of protecting genetic information. Their report recommended ‘as a matter of high priority', the development of nationally consistent rules for the handling of all health information 40. This has also been acknowledged in regard to other national initiatives, such as Health Connect 41.

Obstacles to national consistency

The obstacles to national consistency in health privacy protection are summarised by the Insurance Council of Australia (59):

Submissions identify a number of recurring issues which are discussed below.

Compliance issues

A number of submissions noted the additional compliance costs which are incurred by having multiple layers of privacy legislation.

The Australian Compliance Institute (16) submits, in regard to privacy regulation generally, that ‘as each State introduces new legislation, legal costs are incurred in understanding any potential impact'.

In regard to health privacy specifically, the Law Council of Australia (36) states that:

'…increased compliance costs are incurred, particularly by organisations operating in more than one state or territory, which costs will be passed on to the consumer'.

The Pharmacy Guild of Australia's (93) submission concurs with this view, noting also that many pharmacies may be small businesses (though they are still regulated by the Privacy Act because they handle health information and provide a health service).

A practical problem was identified in a stakeholder forum. A national medication service operating via a call centre must read different statements to obtain consent depending on the location of the individual (and the law that applies in that jurisdiction).

The Insurance Council of Australia (59) notes that these compliance costs may be incurred by any organisation which handles health information.

Forum shopping

A submission from a not-for-profit organisation (11) notes that ‘…potential complainants/plaintiffs [may] ‘shop around', to select the most suitable legislation to further their case or grievance'.

This view is supported by the Mental Health Privacy Coalition (58) which states that:

'…small differences also allow legal practitioners the avenue towards arguing different aspects of privacy law in different jurisdictional legal settings, thus creating unnecessary headaches for healthcare providers'.

Confusion about which law to apply

A number of submissions contend that multiple privacy regimes create confusion for providers and consumers. Comcare (12) submits that:

‘our assessment is that some health professionals are unsure as to which privacy regime they are subject to when dealing with information relating to people in the Commonwealth jurisdiction'.

However, it also notes that ‘having said that, the incidence of this issue does seem very low.'

The Mental Health Privacy Coalition (58) submits that ‘a plethora of different laws or guidelines tends to confuse the health sector'. The AMA (29) states that ‘the mish-mash of privacy and health specific privacy legislation is confusing to both doctors and their patients'. A number of other submissions concur that the current arrangements create confusion 42.

Individuals uncertain about enforcing rights

The Insurance Council of Australia (59) notes that multiple privacy regimes affect the ability of individuals to exercise their rights, as individuals need to be aware of the range of bodies to which they may seek recourse.

The Law Council of Australia (36) has expressed the view that “consumers are less likely to be able to clearly understand their rights in any particular situation and are likely to experience increased difficulty and frustration in enforcing those rights”.

The Australian Nursing Federation (ANF) (127) has submitted that there is consumer uncertainty about their rights, at least partly due to the exemptions in the Privacy Act, particularly the small business exemption, the employee records exemption and the journalism exemption.

In addition, the ANF (127) also holds that ‘general confusion exists regarding complaints processes'. Other submissions concluded also that multiple privacy regimes contribute to consumer uncertainty, as consumers may be unsure which regulator to complain to, and which law applies to their matter 43.

A confidential submission refers to the ‘inequitable' situation where individuals in some states can access their health information regardless of its collection date, but others can access only information collected after 21 December 2001 (the commencement date of the private sector provisions).

The Royal District Nursing Service of Melbourne (78) submits that while there appears to be adequate awareness of privacy rights in the general community, there ‘…is some difficulty in the awareness or understanding of the elderly'.

Options for reform

Adoption of the proposed National Health Privacy Code

Submissions support the work of the National Health Privacy Working Group in developing the proposed National Health Privacy Code. Adoption of the code by all jurisdictions would promote national consistency in the handling of health information.

The success of a national code will depend critically upon how it is implemented. Achieving consistency would involve all jurisdictions implementing the code unamended and in the same manner.

Therefore, one option is for each jurisdiction to incorporate the agreed code, as is, within its laws. The manner for legislatively enabling the code would also need to be the same in each jurisdiction.

Code to be adopted as a Schedule to the Privacy Act

For the Australian Government jurisdiction, the code could become a Schedule to the Privacy Act. The Schedule would apply the code to those bodies already within the jurisdiction of this legislation and that handle health information; that is, many Australian Government agencies and a range of private sector organisations.

This step could occur whether or not all jurisdictions adopt the proposed code. However, it is preferable that this step by the Australian Government is mirrored by each jurisdiction.

The need to ensure that the code is reflected in the Privacy Act is noted by the Victorian Health Services Commissioner (27). Similarly, the National Health and Medical Research Council (32) recommends that ‘a single, simplified national health privacy regulatory scheme' (that is, the code) should replace and not supplement existing regulatory arrangements. The Australian Nursing Federation (127) highlights the importance of consistency between the Privacy Act and the code, and looks forward to a national regulatory framework that incorporates ‘a national process for [addressing] complaints and breaches'.

Once the code is adopted into the Privacy Act (particularly if as a schedule), the Australian Government could seek agreement from all jurisdictions for any subsequent regulatory measures in this area by them to be consistent with these provisions.

The code, as established through the Privacy Act, could become the de facto national standard for health privacy. If agreed, all other jurisdictions would be expected to adhere to this standard. Through this approach, the Australian Government would provide national leadership in this complex area. Success, however, again depends upon agreement by all jurisdictions.

Code to be adopted by amending the NPPs

Similar to the previous option, whether or not all jurisdictions adopt the code in the same way, the NPPs in the Privacy Act could be amended to ensure consistent privacy protection for Australian Government agencies and private sector organisations that handle health information. The NPPs would be amended to incorporate the provisions of the code.

This approach would entail one set of privacy principles to regulate the handling of health information. These principles would be based on the NPPs, and include the provisions of the code. This would go some way toward addressing broader national consistency issues identified in this report; such as the differences between the IPPs and the NPPs.

However, the resulting principles would be longer and more complex. This option would require the insertion of multiple sub-principles and exceptions to the NPPs to take account of the code.

This approach would run counter to the intent of delivering general, high-level principles for all business and government sectors. For instance, the approach would mean that non-health organisations and agencies would need to deal with a more complex set of privacy principles, where much of the content may not apply to them. This would not improve, and may even increase, regulatory complexity overall.

Stakeholder awareness and education

If national consistency is pursued by legislative or regulatory intervention, and whether or not it is fully achieved, substantial awareness and education programmes could be developed to explain how the various privacy regimes interact.

This approach would involve providing awareness and education for consumers, providers and other stakeholders about the roles of the various schemes, the differences between them, and how to assert rights or to comply with obligations. The approach could reduce perceived uncertainties surrounding which laws apply to various organisations and agencies, including which complaint handling arrangements would operate. It would seek to assist stakeholders to work their way through the multiple and interacting privacy schemes.

This is likely to be resource intensive, not only for the Office and those in the Australian Government jurisdiction, but for state and territory agencies with regulatory and education/awareness responsibilities, and for private sector professional entities. It would not resolve national consistency issues (or the lack thereof) at law, nor would it create assurances about how health privacy laws interact.

2.6 Recommendations: Health Consistency

  1. The Office urges the National Health Ministers' Council to finalise the National Health Privacy Code. This should include agreement by all jurisdictions on the contents of the code and on its consistent implementation in each jurisdiction.

  2. The Australian Government should consider adopting the National Health Privacy Code as a schedule to the Privacy Act. This would recognise the Australian Government's part in the consistent enabling of the Code. Should agreement not be reached by all jurisdictions about implementing the Code, the Australian Government should still consider adopting the code as a schedule to the Act to provide greater consistency of regulation for the handling of health information by Australian Government agencies and the private sector. (See also recommendations 29, 33 and 35.)

2.7 Residential tenancy databases

What are residential tenancy databases?

Residential tenancy databases are privately owned electronic databases that contain information on the tenancy history of tenants. Property managers and landlords use them to assist in assessing risk and identifying potential problem tenants during the rental application process. Most property managers and real estate agents routinely subscribe to at least one tenancy database to screen prospective tenants. There do not appear to be industry standards or codes of practice which apply to them.

Application of the Privacy Act

The Privacy Act applies to tenancy databases with an annual turnover of more than $3 million. It also applies to tenancy databases with a turnover of $3 million or less, despite the small business exemption, because they trade in personal information. If, however, a tenancy database that is a small business gains consent for the collection or disclosure of an individual's personal information, then the Privacy Act does not apply.

Issues

There is a wide range of concerns about how tenancy databases operate. This section of the report is not concerned with the substantive issues. It is concerned only with the national consistency issues.

Tenancy databases are regulated by the Privacy Act and state and territory privacy legislation, including specific legislation regulating tenancy databases in some jurisdictions. Queensland and New South Wales have introduced legislation to prescribe listing and notification practices, and dispute resolution frameworks, and the ACT has foreshadowed similar legislation.

The Real Estate Institute Australia (13) draws attention to the lack of consistency in the various legislation, federal and state and territory, relating to tenancy databases. As this impacts negatively on consumers and business, the Institute suggests that a nationally consistent framework, with guidelines, should be developed for the operation of tenancy databases.

Options for reform

Australian Government could regulate tenancy databases

Tenancy databases operate nationally. The issues addressed by state and territory legislation are not confined to those states and territories, but are national. A patchwork of legislation is emerging and adding to the lack of national consistency in privacy protection. The Australian Government could regulate residential tenancy databases.

Commissioner could make a binding code

Earlier in this chapter, the Report recommends that the Australian Government should consider amending the Privacy Act to give the Privacy Commissioner a power to make binding codes. One of the policy reasons for doing so is that there may be some business activities that give rise to issues that demand a regulatory response on a national basis. In the absence of federal legislation or uniform, or at least consistent, state and territory legislation, and assuming that the Australian Government amends the Act in accordance with the recommendation, the Privacy Commissioner could make a binding code to apply to residential tenancy databases.

MCCA/SCAG process

In August 2003, the Ministerial Council on Consumer Affairs (MCCA) and the Standing Committee of Attorneys-General (SCAG) agreed to establish a joint working party to consider residential tenancy databases. The Office is represented on the working party, which is chaired by the Attorney-General's Department of the Australian Government. The working party intends to report to MCCA and SCAG by the middle of 2005. The Australian Government could make this process a matter of high priority.

2.8 Recommendations: Residential tenancy databases

  1. The Australian Government should advance as a high priority the work currently being undertaken by the Working Group on Residential Tenancy Databases of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General.

  2. The Australian Government should consider, depending on the outcome of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General, making the Privacy Act apply to all residential tenancy databases. This could be done by using the existing power under section 6E to prescribe them by regulation, or by amending the consent provisions (section 6D(7) and section 6D(8)) that apply to the small business exemption. (See recommendation 53.)

  3. If the Privacy Act is amended to provide for a power to make a binding code (see recommendation 7), and depending on the outcome of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General, the Privacy Commissioner could make a binding code that applies to tenancy databases.



3 International issues and obligations

3.1 EU Adequacy and APEC

Law and Policy

EU adequacy a driver of the legislation

An object of the private sector provisions was to ensure that Australia would be able to meet international obligations and not be disadvantaged in the global information market. The provisions aimed to provide adequate privacy safeguards to facilitate further trade with the European Union (EU). In the absence of the new provisions, the Explanatory Memorandum stated:

‘there are serious questions surrounding the ability of Australia to meet the requirements for continued trade with EU members under the European Union Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data' 44.

Privacy Act is not yet EU ‘adequate'

Negotiations with the European Commission regarding the adequacy of the Privacy Act in meeting the EU Directive have been continuing. The amendments to the Privacy Act in April 2004 were a result of these discussions 45. These amendments to the legislation make it clear that the protection provided by NPP 9, which regulates transborder data flows, applies equally to the personal information of individuals who are Australian and those who are not. They remove the nationality and residency limitations on the power of the Privacy Commissioner to investigate complaints relating to the correction of personal information. They also give businesses and industries greater flexibility in developing privacy codes by allowing the codes to cover otherwise exempt acts and practices where the authors of the code wish to do so. However, there are ongoing discussions with the European Commission regarding the small business and employee records exemptions from the Privacy Act.

The EU has not granted Australia ‘adequacy status' regarding the EU Directive nor has it stated that Australia's privacy regime is inadequate. At this stage, the EU has declared Switzerland, Canada, Argentina, Guernsey, Isle of Man, the US Department of Commerce's Safe Harbour Privacy Principles, and the transfer of Air Passenger Name Record to the United States' Bureau of Customs and Border Protection as providing ‘adequate' privacy protection.

Asia-Pacific Economic Cooperation (APEC) framework

The endorsement of the APEC Privacy Framework by APEC Ministers in November 2004 means that APEC countries, including Australia, need to make sure that their privacy regimes meet a new set of international obligations. The APEC privacy framework has a number of aims including promoting electronic commerce, providing guidance to APEC economies and helping to address common privacy issues for business and consumers in the region. The initiative has the potential to accelerate the development of information privacy schemes in the APEC region and to assist in the harmonisation of standards across national jurisdictions.

The APEC framework, like the NPPs, was designed to be consistent with the core values of the Organisation for Economic Cooperation and Development's (OECD) 1980 Privacy Guidelines 46. The APEC Principles cover areas such as notice, collection, use and disclosure, choice, integrity of personal information, security safeguards, access and correction and accountability. APEC will continue making decisions about the implementation of the APEC principles during 2005.

Issues

The issues paper noted that it was not clear whether organisations are finding that their commercial activities are impeded by the private sector provisions in their current form. It raised issues such as whether the private sector provisions are working for businesses in relation to their global operations, whether they will work in the future, and what strategies businesses are using to deal with any issues that are arising, for example, using contractual provisions.

What submissions say - issues

Lack of EU adequacy has not inhibited trade

One submission (confidential) says the Privacy Act does not seem to resolve the question of whether privacy laws meet the standards of international obligations. Nevertheless, only a very small proportion of the submissions that the Office received from stakeholders 47 and few of the comments made in consultation meetings indicate that the failure to achieve EU adequacy has impaired business and trade with European organisations. One confidential submission, for example, raised concerns that Australian organisations are unable to state that their privacy policies actually meet contractual obligations of international agreements. On the other hand, the Australian Direct Marketing Association (67) states:

‘it is clear that although Australia's privacy regime has not been recognised as ‘adequate' for the purposes of the EU this has not hindered organisations' ability to conduct business with European counterparts' 48.

The Australian Bankers Association (70) and the Investment and Financial Services Association Ltd (89) call for the Privacy Commissioner to press for EU adequacy.

3.2 Recommendation: EU ‘adequacy' and APEC

  1. There is no evidence of a broad business push for ‘adequacy'. Given the increasing globalisation of information, however, there may be long term benefits for Australia in achieving EU ‘adequacy'. Certainly the globalisation of information makes the implementation of frameworks such as APEC important. The Australian Government should continue to work with the European Union on the ‘adequacy' of the Privacy Act and continue to work within APEC to implement the APEC Privacy Framework.


3.3 NPP 9

Law and policy

The operation of NPP 9 is an important aspect of the global operation of the private sector provisions. NPP 9 outlines the circumstances in which an organisation can transfer personal information it holds to other countries. This principle is based on the restrictions on international transfers of personal information set out in the European Union Directive 95/46.

In its simplest terms, NPP 9 prevents an organisation from disclosing personal information to someone in a foreign country that is not subject to a comparable information privacy scheme, except where it has the individual's consent or some other circumstances apply including where:

NPP 9 does not prevent transfers of personal information outside Australia by an organisation to another part of the same organisation, or to the individual concerned. On the other hand, a company transferring personal information overseas to a related company must comply with NPP 9.

Issues

The issues paper noted that it is not clear how easy or otherwise organisations are finding it to work with the provisions of NPP 9 when transferring information, or the extent to which organisations are complying with NPP 9.

What submissions say – issues

Related companies

The Law Council of Australia (36) and the Investment and Financial Services Association Ltd (89) call for clarification in the way NPP 9 and section 13B(1) operate together. These submissions argue that it is not clear whether section 13B(1) enables a body corporate in Australia to transfer personal information to a related body corporate located outside of Australia without reference to NPP 9. One confidential submission states that transfer between related companies should not require additional consent.

Establishing a law is substantially similar

Comments made during the consultation process indicate that there are a number of problems faced by organisations in respect of NPP 9. Many stakeholders express frustration at the fact that there is a lack of guidance regarding the countries whose regimes provide adequate protection equivalent to the NPPs 49. In this situation the onus is on the organisation to assess the regime of the country in which their trading partner resides. Many stakeholders, especially small businesses, have criticised the efficiency of this system, arguing that they have neither the expertise nor the resources to assess a foreign country's privacy laws.

Contract

From submissions and the comments received during stakeholder workshops, it appears that organisations are fulfilling their NPP 9 obligations of ensuring that personal information is protected when it is transferred to regions without privacy regimes through contractual arrangements with their trading partners 50. While some submissions find this to be an effective solution 51, others are concerned about the costs associated with monitoring the compliance of their trading partners 52.

Other Issues

During stakeholder consultations, many consumers expressed concerns about overseas call centres 53. The recent growth of international call centres has also attracted some attention in the media. The transfer of personal information overseas brings with it a perceived loss of privacy and control.

What submissions say – addressing the issues

Publish a list of countries with adequate privacy regimes

It has been suggested during consultations that the Privacy Commissioner should publish a list of countries found to have adequate privacy regimes 54. Coles Myer Ltd (60) argues that publishing such a list would require the Commissioner to review and rate laws and governmental directives beyond privacy legislation which would need to be constantly updated. Coles Myer Ltd (60) does not recommend the Commissioner's resources be used on NPP 9.

Greater guidance

Some submissions suggest that the Office could provide greater guidance through publishing approved standard contracts to be signed by Australian companies and international trading partners which include provisions that protect information collected in Australia when it is transferred to organisations overseas 55. The Australian Direct Marketing Association (67) states that an information sheet outlining the issues that should be addressed as part of a contractual agreement would also be beneficial.

Require notice that information sent overseas

Electronic Frontiers Australia (51) argues that the NPPs should be amended to require organisations to give individuals notice that their information will be sent to a foreign country and that the individual will be required to deal with call centres located in a foreign country. Electronic Frontiers Australia (51) also supports requiring organisations to notify individuals of the means by which the Australian organisation has ensured their personal information will be adequately protected, unless the overseas organisation is subject to substantially similar privacy laws or the individual has consented to the transfer.

Options for reform

Exclude related companies from complying with NPP 9

Disclosure of personal information about an individual by a body corporate to a related body corporate is not ‘an interference with the privacy of an individual' under section 13B(1)(b). Section 13B relates to the purposes for which information can be disclosed. NPP 9 on the other hand relates to whether or not information can be sent overseas. As section 13B(1)(b) enables disclosure of information, compliance with NPP 9 for transfers of information to a foreign country is still required.

If a company has an organisational link with Australia under section 5B, the extra-territorial provisions in the Privacy Act will apply. Therefore, if personal information is sent overseas to the same company, it will continue to be protected by the Privacy Act because the extra-territorial provisions apply. Section 5B does not appear to apply to related entities outside of Australia. As such, if information is sent to a related company, it may not be protected by the Privacy Act.

Where information is transferred outside of Australia and the extraterritorial provisions do not apply, it is in the public interest that NPP 9 applies. NPP 9 ensures that once the information is transferred, it will be treated in a way that is consistent with Australian privacy laws, or in a way in which the individual consents. The Office does not recommend excluding related corporations from NPP 9.

Publish a list of countries with substantially similar laws

Publishing a list of countries with substantially similar privacy laws would give organisations that transfer information overseas certainty about the countries to which they can safely transfer information. Establishing whether laws are substantially similar is, however, a very complex task. It would require considerable resources and would have implications for our relationships with other countries. It is not clear that this is an appropriate role for the Office.

Publish standard contractual provisions

The Office could provide greater guidance through publishing approved standard contractual provisions for use by Australian companies and international trading partners. These contractual provisions could provide for how the international company must protect information when the information collected in Australia is transferred to organisations overseas. The EU has issued contract provisions. Developing standard contractual provisions would have resource implications for the Office.

Provide greater guidance through information sheet

The Office could provide greater guidance through publishing an information sheet that outlines the types of issues that should be addressed as part of a contractual agreement and how to more easily assess whether a privacy regime is substantially similar. Although still resource intensive, this may be a more practical approach to take than issuing standard contractual provisions.

3.4 Recommendation: NPP 9

  1. The Office will provide further guidance to assist organisations to comply with NPP 9 by issuing an information sheet outlining the issues that should be addressed as part of a contractual agreement and how to more easily assess whether a privacy regime is substantially similar.



4 Protecting individual's right to privacy

4.1 Control over personal information

Law and policy

The NPPs reflect the policy that an individual should generally know what personal information an organisation has about him or her and how it intends to use it. The organisation must not collect information unless it is necessary for one or more of its functions or activities (NPP 1). Whether the information is collected directly from the individual or indirectly from a third party, the organisation should ‘take reasonable steps' to tell the individual, among other things, the purposes for which the information was collected, to whom the organisation usually discloses such information and the consequences of not providing it (NPP 1.3 and NPP 1.5).

Generally speaking, the organisation cannot use or disclose the information for a purpose other than that for which it was collected (a secondary purpose) unless:

The NPPs apply to the collection of personal information for inclusion in a generally available publication, such as a telephone directory. They do not apply, however, once the information has been collected.

Issues

Possible topics for submissions

The issues paper suggested possible topics for submissions. They are:

Information collected indirectly

The issues paper noted that it may be more difficult to ensure the individual is aware of the matters listed in NPP 1.3 and NPP 1.5 when the organisation collects personal information indirectly. It acknowledged that in some cases it may be ‘reasonable' to make less effort to give people NPP 1.3 information than it would otherwise be, or even to do nothing at all.

If the individual is not informed, however, he or she may have lost the control over personal information that the NPPs intended individuals should generally have. Information given to one organisation (compulsorily in the case of some publicly available information) may be used by another organisation for a completely different purpose without the individual's knowledge.

Bundled consent

The issues paper noted that the NPPs do not specifically require organisations to get an individual's consent to collect personal information (except sensitive information). An organisation can use and disclose personal information without consent as long as the use or disclosure is for the main purpose of collection, or a related (or directly related in the case of sensitive information) purpose and is within the individual's reasonable expectations. Generally speaking, an organisation need only get an individual's consent for uses and disclosures of personal information that are for unrelated secondary purposes 56.

The issues paper focussed on bundled consent, that is, the bundling together of consent to a wide range of uses and disclosures of personal information without giving the individual an opportunity to choose which uses and disclosures they agree to and which they do not, often sought as part of the terms and conditions of a service.

Community attitudes survey

The Office commissioned research into community attitudes towards privacy in 2001 and 2004 57. Community Attitudes Towards Privacy 2004 reports that while the quality of a product or service was rated as the most important element of customer service by respondents, respect for and protection of personal information was rated almost as highly.

The survey also reports that privacy policies are not necessarily being read, partly due to the length and complexity of the information. Respondents were asked what aspects of privacy policy are most important to be included in a short privacy notice. The order of importance is:

What submissions say - issues

Collection practices

Submissions raise a number of issues arising from the collection of personal information. In the view of the Australian Privacy Foundation (90), there is widespread non-compliance with the requirements of NPP 1.3 and NPP 1.5, which will not be likely to be exposed by complaints. Nevertheless, it is satisfied with the qualification that an organisation take ‘reasonable steps' to ensure that the individual is aware of the matters listed in NPP 1.3.

An organisation's functions or activities

NPP 1.1 limits the collection of personal information by an organisation to that necessary for its ‘functions or activities'. The organisation itself, however, determines what its functions and activities are and the limitation on the collection of information may be seen to be illusory.

A number of participants in stakeholder forums raised the issue of the collection of unnecessary personal information. It was said, for example:

Privacy notices

It was suggested that some NPP 1.3 and 1.5 notices are unhelpful and confusing and probably do more harm than good in terms of public awareness and understanding. The Law Council of Australia (36) notes that a practice has emerged of organisations providing lengthy privacy collection notices. It believes organisations are trying to address the criteria required by NPP 1.3 and to put individuals on notice as to what uses and disclosures they might reasonably expect. As a result, it says, consumers are confused.

Electronic Frontiers Australia Inc (51) expresses concern about the practice of including NPP 1.3 information in privacy policies that are subject to change without notice and often are not dated. It provides examples of such notices, including:

[Mobile phone company] reserves the right to change this Privacy Policy at any time and notify you by posting an updated version of the Policy on its web site. The amended Privacy Policy will apply between us whether or not we have given you specific notice of any change. We encourage you to review this Privacy Policy periodically because it may change from time to time.

Confusion about who should notify

Another issue is the question of who should be responsible for notifying the individual when personal information is rented or sold by one organisation to another: the organisation that collected the information in the first place, or the organisation to whom it has been sold for use. Australia Post (109) and two confidential submissions address this issue.

Indirect collection

Finally, the Australian Consumers Association (15) raises the issue of indirect collection. It is concerned that an individual has no control when personal information is collected indirectly. The collector may collect the information for a primary purpose quite unrelated to the individual's expectations when he or she handed over the information in the first place:

‘Many of the ‘protections' in the Act revolve around the control of secondary uses of personal information. However indirect collection can have a primary purpose unrelated to the consumers' expectations when the data was originally given up – and hence the data is magically transmuted into information the use and possession of which at best the consumer can expect to be informed in retrospect.'

Bundled consent – consumer viewpoint

Most submissions that address the issue of consent discuss bundled consent. ‘Bundled consent' refers to the practice of bundling together consent to a wide range of uses and disclosures of personal information without giving individuals an opportunity to choose which uses and disclosures they agree to and which they do not. The submissions fall into two categories. Submissions from consumer groups are highly critical of the practice of bundling consent. Submissions from business organisations say why it is necessary.

The Australian Consumers' Association (15) describes it as ‘where consent is sought too broadly for the consent to have any real controlling influence on the relationship the consumer has with the business.' Xamax Consultancy Pty Ltd (3) says that it totally undermines the requirement that consent be meaningful, informed and freely given.

In the view of Electronic Frontiers Australia Inc. (51), individuals cannot give free and informed consent when they are presented only with broad and/or vague statements concerning possible uses and disclosures, and/or told that services will not be provided if they do not ‘consent' to the bundle.

The Consumer Credit Legal Centre's (62) submission includes a case study highlighting a credit contract which included the statement:

‘I hereby authorise [Finance Corp] or their agents or employees to discuss any information about my account with anyone (emphasis added).'

Some insurers insist members sign a release form allowing the insurer to access any of their records at any time for any reason. The Australian Physiotherapy Association (37) says that this is inappropriate for sensitive health information. It also identifies another unacceptable practice, namely the use of bundled consent by third party insurers to obtain information, sometimes years after the treatment.

The Australian Communications Authority (94) is concerned that individuals are not given the opportunity to consent to some uses and not to others. It says that denial of service is common and that organisations also bundle the receipt of commercial electronic messages from the organisation itself or others with delivery of service or membership arrangements. It is not, in its view, good practice to make provision of a service or other benefits conditional on consent to receive commercial electronic messages.

The Australian Privacy Foundation (90) distinguishes between bundling consent to use or disclosure for a variety of purposes, which may be reasonable in some circumstances, and making consent for a non-essential secondary purpose a condition of doing business, which is not.

Bundled consent – business viewpoint

Many submissions from business, in particular the finance and telecommunications industries, outline the reasons why it is often necessary to bundle consent. Submissions from the health sector also address this issue.

Telecommunications

Both Virgin Mobile (Australia) Pty Ltd (26) and Vodafone Australia Ltd (112) state that obtaining consent for each specific use of an individual's personal information would significantly increase the complexity and the costs of compliance. Virgin says that these costs would inevitably be passed on to consumers. Furthermore, says Vodafone, unbundling consent would result in an undesirable customer experience for both consumers and suppliers because of the increased volume and frequency of communications that would be necessary to achieve the same result that bundled consent achieves more efficiently.

Finance

Submissions from the finance industry explain why, in the industry's view, bundling consent is necessary. The Australian Finance Conference (AFC) (63) states that bundled consents have arisen because the meaning of ‘primary purpose' is uncertain. ‘Primary purpose' can be interpreted narrowly or broadly. When a customer submits an application for finance, the AFC asks, is the primary purpose of collection the processing of the application, or is it, more broadly, the provision of finance? If the latter, it would include, in addition to processing the application, managing the account, administering insurance claims, recovering money owed and maintaining the value of the asset. The Investment and Financial Services Association Ltd (89) makes a similar point. Both submissions state that to require individual consents for each process would be very costly. In the view of the AFC (63):

‘It was not Parliament's intention that a financier should be obliged to separately identify each of these uses and provide the individual with the option of selecting which of them he or she consents to. While a computer program could be designed to implement this the cost would be prohibitive and the daily management of customer choices virtually impossible.'

The AFC (63), the Australian Bankers Association (70) and Suncorp Metway Ltd (35) identify other reasons relevant to the issue of bundled consent in the finance industry. For example, the banker's duty of confidentiality and motor vehicle licensing and registration may require a disclosure notification beyond that required by the Privacy Act. Banks outsource many of their functions to service providers, many of whom are offshore, and if a customer failed to consent to the disclosure of their information to the service provider it would be unlikely that the organisation could provide a service to the customer. Finally, they say customers have extensive freedom and choice of product and provider in the finance sector.

Doctors

The Australian Medical Association Ltd (29) states that doctors will continue to bundle consent as long as the primary purpose for collecting personal information in NPP 2 is taken to relate to an episode of care. If, on the other hand, the primary purpose were the health and well-being of the patient, then there would be no need for doctors to bundle a series of consents. In addition, in the view of the Department of Health, South Australia (53), it is impractical not to have bundled consent in the context of existing electronic architecture and general medical practices, and it is impractical to make a decision in one sector (for example, the private health sector) because, given the interconnectedness of the public and private medical sectors, it will inevitably affect the other.

Residential tenancy databases

Residential tenancy databases are a particular case. Many real estate agents use tenancy databases to help them decide whether or not to let a property to a particular person. When applying to rent a property a prospective tenant will be expected to provide personal information for disclosure to a tenancy database. He or she has little choice but to consent. The Tenants' Union of Queensland (69) says:

‘Through one signature, individuals' consent is gained for a range of matters, and without this they will be denied the tenancy. By gaining this consent, the collecting organisation has a greater ability to use and disclose the information. The uneven bargaining power means consumers have little or no power to resist the invasion of privacy and are pressured to consent to a range of things they may not really agree with'.

The Tenants' Union ACT (87) agrees. It believes that, because of this practice, a prospective tenant has no real choice about handing over their personal information, so the protection that would otherwise be provided by the NPPs is lost to them, that is, the NPPs do not work.

At recommendation 7, this report suggests that the Australian Government should consider amending the Privacy Act to provide for a power to make a binding code. It also recommends that, assuming the Act is amended, the Commissioner could make a binding code that applies to tenancy databases. (See recommendation 16 in Residential Tenancy Databases section.)

Publicly available information

Many people are uncomfortable with the notion that publicly available information, including the electoral roll and the white pages, can be used for purposes other than those for which the information was collected. In the survey Community Attitudes towards Privacy 2004, commissioned by the Office, for example, 77% of respondents thought that the electoral roll should not be used for direct marketing and 46% thought that the white pages should not be. The issue is becoming more critical as technological developments make it easier to manipulate the material, for example, by reverse sorting it to identify a person's address from their telephone number.

Submissions are divided as to whether or not publicly available personal information should be subject to the NPPs. Some, for example, Xamax (3) say that publicly available information should be used only for the purpose for which it was collected. The Australian Privacy Foundation (APF) (90) urges the reconsideration of the breadth of the exemption of publicly available information from the operation of the NPPs, other than the collection principles.

The Australian Communications Authority (94) states that the use of publicly available information should be conditional so that ‘it is not automatically assumed an individual agrees to it being used for a myriad of purposes simply as a result of it being readily available’.

Charities are of the opinion that access to generally available information is necessary in order to raise funds. According to the Cerebral Palsy League of Queensland (44), ‘access to publicly listed information is the key to the survival of many organisations’. Not having access would limit its ability to raise funds and to assist in providing services to people with cerebral palsy 58.

Some businesses use publicly available personal information to cleanse their data. Coles Myer (60) is concerned that access to public registers is diminishing as they are ‘a valuable tool to ensure data quality and accuracy obligations under the Privacy Act are met.’ 59 In the view of the Australian Direct Marketing Association (ADMA) (67), the industry would struggle to maintain current levels of accuracy without publicly available information, which it regards as an ‘essential updating and validation tool’.

For members of the Australian Finance Conference (63), it is imperative to be able to continue to collect personal information from public sources to verify objectively the identity of an applicant for finance and his or her asset holdings, and to confirm capacity to repay. They believe also that access to public sources is essential to meet their obligations under NPP 3.

The Australian Institute of Private Detectives (38) and the Institute of Mercantile Agents, the Australian Collectors Association and the Australian Institute of Credit Management (115) argue in favour of the continued availability of publicly available information to enable them to carry out their investigative and debt collecting functions.

Finally, some submissions want no change to the existing law. Australia Post (109), for example, believes that any proposal to review the collection and use of publicly available personal information is unnecessary. Similarly, the Victorian Automobile Chamber of Commerce (113), whose members use publicly available personal information, among other sources, to identify potential customers, would oppose any proposal to prohibit or limit its use.

What submissions say – addressing the issues

Short form privacy notices

One of the consequences of the requirements of NPP 5 (Openness) and NPPs 1.3 and 1.5 is that privacy notices are often very long. In the view of Australia Post (109), the obligations imposed on organisations by NPP 5, particularly NPP 5.1 have had the positive effect of creating privacy awareness in the community.

The Law Council of Australia (36) supports the move by the Data Protection and Privacy Authorities internationally to develop a condensed or short privacy notice. Furthermore, it considers that organisations should not be required to include information which is obvious to the ordinary consumer in a privacy collection notice. The need for short privacy notices was also raised in consultations. On the other hand the Investment and Financial Services Association (89) says that although disclosure documents issued by its members may appear lengthy they contain detailed information assisting consumers to understand their rights.

Office should give more guidance

The Australian Privacy Foundation (90) suggests that further guidance from the Office as to what constitutes an acceptable NPP 1.3 or NPP 1.5 notice, or what does not, would be helpful. It also suggests the Office could play a role in improving the intelligibility and clarity of notices. It suggests the Office should become much more proactive in issuing template notices for different sectors and that these should be developed in consultation with industry bodies and relevant non government organisations.

Stricter regulation of privacy notices

Electronic Frontiers (51) suggests that privacy policies containing NPP 1.3 and NPP 1.5 information should have to include the date of issue and changes made since the earlier version should have to be highlighted or noted. It also suggests that changes to NPP 1.3 and NPP 1.5 information involving new uses or disclosures should not be able to apply to previously collected information, unless the organisation has directly notified the individual concerned of the changes and provided an opportunity to opt-out of the new uses or disclosures, or to terminate the relationship with the organisation without detriment.

Finally, Electronic Frontiers (51) suggests an organisation should not be able to rely on NPP 2.1 to use or disclose an individual's personal information unless the information in the NPP 1.3 or NPP 1.5 notice is specific enough to enable the individual to give free and informed consent, or to make an informed choice about whether to provide the information. A confidential submission also states that the notification requirements should be strengthened in the context of the transfer of health information within multidisciplinary teams.

Onus should be on supplier of personal information

A confidential submission states that list brokers and telecommunications companies that supply lists to other organisations should be required to ensure that their list collection and generation processes are compliant with NPP 1.3 and NPP 1.5 to reduce complaints to the organisations using the lists.

Limit collection

The Australian Privacy Foundation (APF) (90) suggests that NPP 1.1 should require an objective test of what is necessary for an organisation's functions or activities, that is, that the organisation should not be able to determine for itself whether or not information is necessary. It says NPP 1.1 should be amended to make it clear that compliance can legitimately be challenged by a third party, particularly by the person whose information is being collected.

APF (90) goes on to say that there should also be a proportionality requirement, that is, the type and amount of personal information collected should be no more than is required for the collector's primary purpose. Consideration should also be given to including a provision that collection should be allowed ‘only for purposes that a reasonable person would consider are appropriate in the circumstances’ 60.

The Australian Retailers' Association (111) recommends that the collection of personal information for the purpose of making refunds should be explicitly allowed under the Act. This is because, it says, the ability to collect personal information when making a refund provides some degree of protection against a possible fraud where the goods have been stolen and exchanged for cash.

The Privacy Law Consulting Network (66) suggests that, in the light of the judgment in a case decided in 2004 61, it would be desirable to define the phrase ‘functions or activities’ to provide more certainty for business.

Publicly available personal information

The Australian Finance Conference (63) recommends that the definition of personal information be amended to exclude information obtained from public sources and unsolicited information.

Options for reform

Amend NPP 1.1

NPP 1.1 limits the collection of personal information to that necessary for an organisation's ‘functions or activities’. This limitation could be strengthened by amending NPP 1.1 to make the test of what is necessary for an organisation's functions or activities an objective one, so that the organisation itself would not be the judge of what information is necessary. This would make it possible for an individual to challenge the collection of particular information. However, in practice it would be difficult to implement. Furthermore, it is not likely that the benefits of doing so would outweigh the costs.

Amend NPP 5.1

NPP 5.1 requires an organisation to set out in a document clearly expressed policies on its management of personal information. It is, however, somewhat vague about what it requires organisations to do. Short form notices would improve the quality of an organisation's communication with its customers. NPP 5.1 could be amended to clarify the openness obligation.

Privacy notices could be dated

Privacy notices are often not dated. This makes it difficult for consumers to establish exactly what they were told, or agreed to, at a particular time. Privacy notices could be dated as a matter of ‘best practice’, and the Office could publish advice to that effect.

Develop short form privacy notices

Privacy notices have become very long. A long privacy notice may not fulfil its purpose of informing a consumer, because a consumer faced with an overly long notice may be overwhelmed and confused. The Office's Community Attitudes Survey reports international research that shows that people do not necessarily read privacy notices, partly because they are too long and complex 62.

Longer privacy notices have come about partly as a result of organisations' uncertainty as to the distinction between the primary and secondary purposes of collection and their attempt to avoid ‘bundling’ consent to a number of purposes of collection. There are international moves to develop short form privacy notices. There could be provision for short form notices, followed by a longer notice that includes all the information required by NPPs 1.3 and 1.5. A consumer who is satisfied with the information provided in the short form notice need not read the longer notice, yet all the information is available to the consumer who wants it. This may also satisfy the Openness requirement in NPP 5.

Office could assist organisations with notices

The Office is currently working towards developing a short notice for its own personal information handling practices with a view to demonstrating how such a notice might work in a public sector agency. It acknowledges that getting notices right may be difficult for some organisations, especially smaller businesses that do not have access to extensive legal advice. Subject to the availability of resources, the Office could play a more active role in assisting businesses develop their notices by developing template notices for different sectors, in consultation with them, and by issuing examples of both satisfactory and unsatisfactory notices.

Office could publish guidance on bundled consent

Bundled consent is a practice that may confuse consumers and may derogate from their rights under the Act. It is also an issue that confuses a lot of organisations. The Office could play a role in working with stakeholders to clarify the issue. The Office could publish guidelines about bundled consent.

Publicly available personal information

It is clear that restricting the use of publicly available personal information further than has already occurred may inhibit the operations of some businesses and the fundraising activities of charities. However, as currently applied, it is consistent with the policy underlying the Privacy Act that information provided for a purpose should be used only in accordance with that purpose.

Office could play greater educative role to raise community awareness

Community awareness of individuals' privacy rights and confidence in the protection of individuals' rights is growing slowly but is not high. The greater the awareness an individual has about his or her rights, the more likely he or she will exercise control over what is done with the information. The Office could play a significant role in raising community awareness and confidence. Business and consumer groups alike agree that this should be so. An enhanced educative role would have resource implications for the Office. This is discussed in more detail later in this chapter.

4.2 Recommendations: Control over personal information

  1. The Australian Government should consider amending NPP 5.1 to provide for short form privacy notices. This could also clarify the obligations on organisations to provide notice, and clarify the links between NPP 1.3 and NPP 5.1.

  2. The Office will encourage the development of short form privacy notices. It will also play a more active role in assisting businesses develop their notices by developing template notices for different sectors, in consultation with them, and by issuing examples of both satisfactory and unsatisfactory notices.

  3. The Office will develop guidance to the effect that privacy notices should be dated.

  4. The Office will develop guidance on bundled consent, noting the possible tension between the desirability of short form privacy notices and the desirability of lessening the incidence of bundled consent.

4.3 Direct marketing

What is direct marketing?

Direct marketing refers to the promotion and sale of goods and services directly to the consumer. Direct marketers promote their goods and services by mail, telephone, email or SMS. They compile lists of consumers and their contact details from a wide variety of sources. These include public records, including the white pages, the electoral roll, registers of births, deaths and marriages and land titles registers. They also include membership lists of business, professional and trade organisations, survey returns, mail order purchase information and so on. Organisations that have their own database of consumers to whom they supply goods or services, for example, telephone companies and other utilities, may also use their database for direct marketing. Direct marketers may also acquire databases from other direct marketers.

Law and policy

When can personal information be used for direct marketing

Direct marketing is directly addressed by NPP 2.1, which governs the use and disclosure of personal information. NPP 2.1 distinguishes between the primary and the secondary purposes of collecting personal information, and limits the use and disclosure of information for a purpose other than the primary purpose of collection.

Information collected for the purpose of direct marketing

An organisation that collects information for the primary purpose of direct marketing, whether directly from the individual who owns the information or from someone else, can use and disclose it for that purpose. The same applies if direct marketing is related to the purpose for which the information was collected (directly related in the case of sensitive information) and the person from whom it was collected would reasonably expect the organisation that collected it to use or disclose it for direct marketing.

Information not collected for the purpose of direct marketing

In some circumstances an organisation can use personal information for direct marketing even if direct marketing was not the primary purpose of collection and direct marketing is unrelated to the purpose of collection and not within the reasonable expectations of the person who owns the information. The organisation may use the information if:

Individual may not know that information has been collected for the purpose of direct marketing

An individual whose information is collected by a direct marketing organisation for the purpose of direct marketing may not necessarily know that this has occurred. The organisation may, for example, purchase a list from another organisation. The purchasing organisation must then ‘take reasonable steps' to ensure the individual has been made aware of, among other things, the purposes for which the information was collected 64.

Whether or not the individual is made aware hinges therefore on what constitutes reasonable steps to make him or her aware. It may be reasonable to do very little to ensure that all the people on the list are made aware that the list has been acquired for the purposes of direct marketing. Even when the information is collected from the individual directly he or she may not understand it is being collected for direct marketing purposes. For example, an organisation may run a competition for the primary purpose of collecting information, with awarding prizes to successful entrants being a secondary purpose. The individual, on the other hand, may assume that the purpose of the competition is to provide an opportunity to consumers to win prizes. Even if he or she reads the fine print, an individual is unlikely to draw a distinction between a primary and a secondary purpose and to understand the consequences of the distinction.

Rationale

The provisions are intended to strike a balance between the business interests of organisations involved in direct marketing and the privacy interests of consumers affected by the activity. The legislation acknowledges the commercial practice of direct marketing and the related activity of acquiring personal information about individuals to enable organisations to market their products efficiently and effectively. It also recognises the privacy interests of individuals who may find themselves the unwilling recipients of direct marketing material.

Community attitudes survey

The Office commissioned research into community attitudes towards privacy in 2001 and 2004 65. Community Attitudes Towards Privacy 2004 reports that concerns about unsolicited marketing material have dropped slightly since 2001. Nevertheless, 61% of respondents feel either ‘angry and annoyed’ or ‘concerned’ when they receive marketing material. While 77% of respondents are opposed to the use of the electoral roll for marketing purposes, respondents are roughly evenly divided about the use of the White Pages (44% in favour and 46% against) 66.

Issues

The issues paper drew attention to the fact that the NPPs require organisations to give individuals the opportunity to opt-out of receiving material when direct marketing is a secondary purpose of collection of personal information but do not do so when direct marketing is the primary purpose of collection. The issues paper suggested possible topics for submission, including:

What submissions say – the issues

Overview

Most submissions that address this issue focus on whether consumers should be able:

In general terms, consumer organisations favour opt-in and businesses, business organisations and charities favour opt-out.

Consumers

In the view of the Consumer Credit Legal Centre (NSW) Inc (62) and the Consumers' Federation of Australia (65), the direct marketing provisions of the Privacy Act favour the interests of business over those of consumers. The provisions start with the assumption that personal information can be used for direct marketing. Their submissions favour opt-in because it gives consumers some control over the use or disclosure of their personal information.

The Australian Consumers' Association (15) points out that the corollary of not needing to seek consent (when the personal information has been collected for the purpose of direct marketing, whether directly or from a third party) is that the consumer has no capacity to withdraw consent. It nominates as a useful guide to contemporary thinking the eMarketing Code of Practice 67. It also suggests that it would be better to adopt the approach of the Spam Act and to refer to ‘commercial messaging', which is wider than the traditional direct marketing and avoids boundary issues about what marketing is direct and what is not.

Electronic Frontiers Australia Inc (51) notes that the direct marketing provisions of the Privacy Act are inconsistent with the Spam Act, which requires consent. (The Spam Act on the other hand exempts some senders from the requirement to provide a means of opting out.)

Finally, the Australian Privacy Foundation (90) makes the point that if NPP 2 is working well, then NPP 2.1(c) adds nothing but confusion.

Business

Submissions from businesses and business organisations strongly favour opt-out, that is, that it is sufficient that organisations give consumers an opportunity to opt-out of any further communication. Compvice Pty Ltd (48), a small business providing voice broadcast services, says:

‘Most people do want to receive telemarketing and marketing material. I see this every day. I have developed a simple way for people to opt-out of our voice broadcast campaign, pushing the number 9 on their phone. . . We have made 10 000s of calls using this system and found on average less than 5% of people opt-out’.

It goes on to say that the problem is that there is no simple and effective way for this 5% of people to opt-out of all marketing lists and that there is no ‘Do Not Contact’ list apart from ADMA's, which is ‘too expensive for some small businesses to access.’

Opt-out works well for business

Submissions from business agree that opt-out works well. Suncorp-Metway Ltd (35), for example, provides its customers with an opportunity to opt-out from direct marketing when it collects personal information in the first place. It has had no complaints. ANZ (40) says opt-out is working well – 5% of its customers opt-out. The Australian Bankers Association (70) says there is a low opt-out rate across the industry (less than 10%) and that most customers want direct marketing material.

Coles Myer (60) also says that opt-out is working well. It maintains an opt-out register and regularly washes its direct marketing list against its own register and against the ADMA register. It has more complaints from people not receiving marketing material than it has complaints about junk mail. This is consistent with the experience of Optus (98). It accepts all opt-out requests, has very few complaints and reports that customers want its marketing material.

Economic considerations

A number of submissions address the economic implications of changing the law to require opt-in instead of opt-out. Telstra Corporation Ltd (110) says that amending NPP 2.1(c) would result in additional compliance costs that would be unwarranted and not required.

Other submissions look at the broader consequences of change. The Mailing House (79) points out that the direct marketing industry is a major contributor to the economic health of Australia. It says that any change impeding it:

‘would have a serious effect upon the health of this sector and accordingly the financial wellbeing of The Mailing House and the 50 or so families who rely on its financial strength and success to establish and provide their households, educate their children, and provide all the other essentials and luxuries that help make a strong Australian economy’.

Credit Union Services Corporation (CUSCAL) (64) considers the competition implications of any change which, it says, would favour its larger competitors, in particular the major banks.

Charitable organisations

Submissions from several charitable organisations express concern about the possibility of a change to opt-in. The Royal Institute for Deaf and Blind Children (24) says that direct marketing is the most effective way of communicating to the public.

The Cerebral Palsy League of Queensland (44) says that opt-in would result in a loss of income and a loss of employment.

The Fundraising Institute (52) does not support changes to NPP 2.1(c) because, in its view, the provision provides adequate and appropriate opt-out options for individuals.

A participant in one of the stakeholder forums said that to take away the ability of charitable organisations to market directly would impose a significant burden on the community as services provided by charities would be unable to continue.

ADMA submission

In its submission, which is supported by a number of organisations 68, the Australian Direct Marketing Association (ADMA) (67) states that the most important aspect for an individual when providing personal information to an organisation is to understand how the organisation is going to use it. This is based on ADMA's own research.

It acknowledges that where an organisation indirectly collects data for the primary purpose of direct marketing the individual may, in some instances, lose control of their personal data. It would support a recommendation that organisations indirectly collecting information for unsolicited direct market purposes be obliged to ensure that at the time of collection or as soon as possible after collection (that is, at the first marketing approach) the individual is given an opportunity to opt-out of further direct marketing.

ADMA goes on to say that 80% of respondents to its research are comfortable with organisations collecting and using personal information for direct marketing purposes if, within the first marketing communications and at any time subsequently, they are given an opportunity to opt-out of future communications.

ADMA reports that 68% of respondents to its research would be comfortable with giving organisations their details for direct marketing purposes if they had a right, at any time, to ask the company to stop using it for direct marketing purposes. ADMA says it is standard practice for its member organisations to comply with any request received by an individual not to receive further marketing approaches, even when not required to do so by law.

What submissions say – addressing the issues

General right to opt-out

As discussed above, consumer groups favour opt-in as the general rule and businesses and charities opt-out. In its submission, ADMA states that it would support a recommendation that:

This is consistent with the Privacy Commissioner's submission to the Senate Legal and Constitutional Legislation Committee Inquiry into the Provisions of the Privacy Amendment (Private Sector) Bill 2000. The submission argued that all organisations using personal information for direct marketing should be required to give the individual, at the time of first contact, an express opportunity to indicate a wish not to receive any further direct marketing communications. This could possibly be qualified where the use is within the reasonable expectations of the individual or consistent with the ongoing business relationship between the direct marketer and the individual. It would overcome the current distinction in the NPPs between personal information collected from a third party for the primary purpose of direct marketing and personal information used for the secondary purpose of direct marketing. As long as the process for opting out was not difficult and the request was acted on promptly, this would give individuals a degree of control.

On the other hand, the proposal does not go beyond what ADMA says is the current practice. In the view of the Australian Privacy Foundation (APF) (90), a simple across the board requirement to offer an opt-out with every communication is justified by the level of irritation with direct marketing and general lack of awareness and understanding of marketing methods. It goes on to say:

‘This should not be taken as surrendering our position in relation to a positive consent requirement (opt-in) for direct marketing which is outside the reasonable expectations of individuals when their information was collected’.

APF says opt-in should apply to direct marketing which is outside the reasonable expectations of individuals when their information was collected. In addition, the APF supports national ‘do not market' registers.

Consent

In the view of Electronic Frontiers Australia Inc (51), a general right to opt-out of future communications is not enough. It says that the NPP 2.1(c) exception permitting secondary use of personal information for direct marketing without consent is inconsistent with the recently enacted Spam Act and is totally unacceptable and must be amended. It says personal information should only be used for marketing purposes with explicit consent, not by default.

Other submissions refer to the Spam Act, which requires an individual's consent to the use of personal information for the purpose of direct marketing. The Australian Communications Authority (94) says that an opt-out regime was found to be unworkable in relation to the sending of commercial electronic messages. The Law Council of Australia (36) recommends that consideration be given to harmonising the direct marketing provisions of the NPPs with the Spam Act.

In Canada, a note to Principle 4.3 of the Personal Information Protection and Electronic Documents Act 2000, dealing with consent, acknowledges that seeking consent may be impractical for a charity or direct marketing firm that wants to buy a mailing list from another organisation. It says that, in such cases, the organisation providing the list would be expected to obtain consent before disclosing personal information.

More effective ‘Do Not Contact’ registers

Some submissions refer to ‘Do Not Contact’ registers. ADMA maintains such a register. Individuals may register their name on a Do Not Contact list in relation to mail, telephone, direct response television, the internet and mobile phones. ADMA members and other organisations can wash their lists against the ADMA list.

However, it is not an absolute and universal ‘Do Not Contact’ list, as not all direct marketers are ADMA members, and likewise some businesses may not make the commercial decision to access the names on the list. In addition some small businesses may not be able to afford to use it. Compvice Pty Ltd (48) says there needs to be a cheaper way to access the register.

The Australian Privacy Foundation (90) and Sensis (84) favour ‘Do Not Contact’ registers. In Sensis' view, the introduction of a national ‘Do Not Contact’ register could improve privacy protection for individuals.

Inform individuals where information came from

In its submission, ADMA says its experience is that informing individuals of the source of the data being used gives them more control over their personal information and reduces the number of repeat complaints about unsolicited marketing. It goes on to say:

‘Although ADMA would support a recommendation that NPP 5.2 be amended to require an organisation, on the request from an individual, to inform the individual where the data was sourced, there is a concern that many small organisations, in particular charities, do not currently have the technical capability to comply with such a requirement’.

That being said, ADMA believes the issue is of sufficient importance that organisations should be taking appropriate steps to ensure this requirement can be met. As it is clear that some organisations will need time to make necessary adjustments, ADMA recommends that the requirement to disclose the source of data on request be introduced initially as a best practice guideline with the understanding that, after a period of 18-24 months, the requirement will become mandatory through either a Code rule or legislative amendment.

Few written submissions address this issue. In stakeholder forums, there was considerable support for the idea. In Adelaide, for example, a number of people were in favour of introducing a requirement for direct marketers to tell people from whom they got an individual's personal information. Participants representing charitable organisations argued that to do so would be too costly and difficult for many charities to implement.

Options for reform

General right to opt-out

It appears that most organisations give consumers a right to opt-out of future direct marketing approaches whether or not direct marketing is a secondary purpose of collection. This gives consumers a degree of control over the use of their personal information they would not otherwise have. It may not add unduly to compliance costs if organisations are required to give all consumers the right to opt-out of future direct marketing at any time and to comply with the request within a specified timeframe.

No direct marketing without consent

A more stringent requirement would be to require direct marketing organisations to acquire the individual's consent before using his or her personal information for the purpose of direct marketing. The Spam Act provides a precedent for this. On the other hand, requiring consent would increase costs for business and for charities that are dependent on direct marketing to raise funds.

Require organisations to tell individuals where their personal information came from

One of the aspects of unsolicited direct marketing that appears particularly to irritate consumers is that the direct marketer has acquired his or her personal information without the individual's knowledge or consent. The direct marketer is under no obligation to inform an individual where it acquired the personal information. If it were, the individual could then complain to the organisation that had released the information and, if appropriate, make a formal complaint to the Office. Organisations could be required to tell individuals, on request, the source of their personal information. The organisation would have to tell the individual only where it got the information from, not the original source.

Establish a ‘Do Not Contact' register

ADMA maintains a ‘Do Not Contact' register for the use of its members and other organisations. Its existence could be more widely known in the community. Membership of ADMA and the cost of accessing the register on a regular basis may be beyond the resources of some small businesses. A well publicised national register may reduce the level of unwelcome direct marketing. There are precedents in the United States (where 62 million phone numbers were registered in the first year of operation) and the United Kingdom. Different models exist which may exempt certain organisations.

4.4 Recommendations: Direct marketing

  1. The Australian Government should consider amending the Privacy Act to provide that consumers have a general right to opt-out of direct marketing approaches at any time. Organisations should be required to comply with the request within a specified time after receiving the request.

  2. The Australian Government should consider amending the Privacy Act to require organisations to take reasonable steps, on request, to advise an individual where it acquired the individual's personal information.

  3. The Australian Government should consider exploring options for establishing a national ‘Do Not Contact' register.

4.5 Awareness of, confidence in and capacity to exercise rights

Law and policy

One of the objects of the private sector provisions is to establish a scheme for the handling of personal information that recognises individuals' interests in protecting their privacy. The provisions recognise those interests by:

The provisions aimed to ensure that ‘Australians can be confident that information held about them by private sector organisations will be stored, used and disclosed in a fair and appropriate way' 69.

Issues

The issues paper suggested a number of topics for submissions related to individuals' capacity to exercise their right to privacy. It asked about:

Role of the Office

The Office plays an active role in raising awareness about individuals' privacy rights and in addressing their concerns about possible interference with their rights. It provides information by way of its information hotline and its web site. The web site contains all the Office's publications, answers to Frequently Asked Questions, media comments, media releases, speeches, case notes, an online complaint checker, multi-lingual web pages, guidelines, information sheets, brochures and the annual report.

To the extent that the Office's activities in raising awareness are successful, community confidence that individuals' rights are protected is likely to be increased. If an individual's privacy rights are interfered with and he or she cannot resolve the issue with the organisation concerned, the Office will investigate the complaint, conciliate it, if appropriate, or make a determination.

Role of organisations

Organisations also play a role in raising awareness and in addressing the concerns of individuals who fear their privacy may have been breached. Organisations collecting personal information are required to take reasonable steps to provide NPP 1.3 or 1.5 notices and must have a privacy policy available to anyone who asks for it (NPP 5). This kind of information may also increase confidence that individuals' rights are protected. In the event of a breach of privacy, the individual's first port of call to resolve it is the organisation.

Community awareness survey

Awareness of rights

Community awareness was one of the issues canvassed by the research into community attitudes towards privacy commissioned by the Office in 2001 and 2004 70. In general terms, it showed levels of awareness were low, although higher in 2004 than in 2001. Only about one in four respondents claimed to know an adequate amount or more about privacy. The number of respondents who were aware that federal privacy laws existed, however, increased from 43% in 2001 to 60% in 2004.

The research showed that 53% of respondents know that government agencies are covered by privacy law; 56% know that banks, insurers and other financial institutions are covered; and 47% that there are some restrictions on charities, private schools and hospitals and other non government organisations.

Confidence rights are protected

The research showed differing levels of confidence that rights are protected depending on the industry. Health service providers have the highest levels of trust (89%), followed by financial organisations (66%), government organisations (64%), charities (54%), retailers (39%), market research organisations (35%), real estate agents (26%) and mail order companies.

Only 9% of respondents trust internet companies, which were intended particularly to benefit from the introduction of the private sector provisions.

Individuals' ability to exercise their rights

The research showed that 34% of respondents were aware that the Federal Privacy Commissioner existed. (In 2001, 36% were aware.) However, 29% of respondents said they did not know to whom they would report the misuse of their personal information. Of the rest, only 7% mentioned the Federal Privacy Commissioner, the others mentioning a number of different organisations.

Demographic information about complainants

As noted in the issues paper the Office had not previously collected demographic information about complainants. To identify which sections of the community were making privacy complaints to the Office, the Office conducted a three month complainant demographic survey from December 2004 to February 2005.

The Office received a very small response to the survey – 36 responses from over 250 surveys sent. The response rate is too small to rely on as an accurate representation of total complainants; however, the Office was able to extract information from its complaint management software that suggests, at least in respect of gender, the survey results may be representative. The figures suggest that the demographic profile of complainants to the Office may not be representative of the wider community.

The results of the survey are described in Appendix 13. The Office will continue to collect complainant demographic information.

Multicultural Tasmania (4), while commending the Office on having multilingual pages on its website, recommends the Office think about other ways to distribute privacy information to people from diverse language backgrounds.

What submissions say - issues

Awareness

Most submissions that address this issue believe that community awareness of individuals' privacy rights is not high 71. In the view of the Australian Direct Marketing Association (ADMA) (67), community awareness of rights is important and is fundamental to the effective operation of the private sector provisions and the NPPs.

Business SA (92) says there is a widespread lack of understanding of privacy provisions in the community and a significant burden on the private sector to educate the general community about their privacy rights and responsibilities. The Australian Medical Association (29), for example, says that patients still complain to it about possible breaches of privacy.

The Australian Consumers' Association (15) narrows the issue. It argues that the critical issue is that the consumer is aware of his or her rights when it matters, that is, when he or she has a problem, not at the time of signing up to the service. Lack of awareness goes beyond awareness of consumer rights.

The Australian Compliance Institute (16) says that the obligations imposed on business by privacy laws may undermine consumer expectations. For example, a person may believe he or she is entitled to information about a spouse's insurance or bank accounts and may not understand why the organisation will not give it to them.

In some areas, however, submissions express a belief that there is a satisfactory level of awareness. The Australian Finance Conference (63) says that in the finance sector, for example, customers are aware of their privacy rights but few exercise them. The Royal District Nursing Service (78) believes its clients are sufficiently aware, except perhaps for its elderly clients. Sensis Pty Ltd (84) believes there is a reasonable level of understanding in the community about its activities.

Participants in stakeholder forums had a lot to say about lack of awareness. One participant, for example, said that people are unaware of their rights and are ‘mystified by multiple jurisdictions.' Further, they do not understand the differences between policies, procedures and legislation. Another said there must be more awareness raising for the NPPs to work and a better injection of the issues into the culture and that this has to be done by the federal government as the smaller states and territories do not have the money. Some participants asked if the Office was adequately resourced to do what it was supposed to do in raising awareness.

Confidence

Not many submissions address the issue of community confidence in the protection of rights. The Investment and Financial Services Association (IFSA) (89), a body representing the superannuation, investment management and life insurance industries, states that the low level of complaints received by its members, compared to the very large volume of transactions, suggests that the community is satisfied with the level of protection provided by its members. The Australian Association of Permanent Building Societies (91) says that public confidence that privacy rights are protected has been substantially increased as a result of the implementation of the private sector provisions.

The Australian Consumers' Association (15), however, links confidence that an individual's rights will be protected with the speed and effectiveness of the remedy and expresses concern with the delays and queues that characterise the Office's complaints handling. Electronic Frontiers Australia (51) goes further in relation to the protection of rights online. Referring to the finding of the Office's community attitudes survey that individuals trust internet companies less than any other sector, it says that:

‘any attempt . . . to encourage the community to believe that their privacy “rights” are protected online would be highly misleading at best . . . Individuals have almost no privacy “rights” in the online environment and even the few rights they allegedly have are not protected adequately and are difficult, sometimes impossible, to have enforced'.

The submission then goes on to report some collection and disclosure practices of some internet companies. Optus (98), on the other hand, says that the community attitudes survey indicates that a significant proportion of people do not have confidence in companies that do business online, rather than companies that provide internet services.

What submissions say – addressing the issues

Public awareness campaigns

A number of submissions suggest that there should be a campaign to increase awareness about individual privacy rights. Business and consumers alike suggest the Office is the body best placed to conduct public awareness campaigns and that it should be adequately resourced to do so. Acxiom Australia (71) says that what is needed now is a far-reaching education program about rights and responsibilities under the existing law. More specifically, the Salvation Army (74) says that the Commissioner should give special attention to providing information and education and support to social welfare groups.

Telstra (110) suggests the Office should take steps to lift its profile and should offer regular community education about its own role and the steps individuals can take to protect their privacy. On the other hand, Optus (98) suggests the campaign should be targeted to sectors of the community who have not yet become aware of privacy regulations.

In the view of the Australian Compliance Institute (16), the campaign should focus not only on consumer rights but should also educate consumers about business responsibilities. In the context of health, says the Australian Federation of AIDS Organisations Inc (54), plain English guides explaining all relevant legislation, not just the Privacy Act, are needed.

Change privacy notices

Some submissions link community awareness of rights and improved privacy notices. Australia Post (109), for example, notes that obligations imposed on it and other organisations by NPP 5 have had a positive effect of creating privacy awareness in the community. It suggests that the content, structure and placement of NPP 1.3 notices should be standardised. Privacy notices were discussed earlier in this chapter (4.1).

Office should improve community confidence

Submissions generally look to the Office to take action to improve community confidence that rights are protected. The Fundraising Institute (52) suggests a number of things the Office could do, including both promotional and compliance actions. The promotional actions include:

ADMA (67) says that with its limited resources, the Office needs to develop strategies that seek partnerships with business to encourage community confidence that privacy rights are protected.

The Australian Consumers' Association (15) says that one of the ways the Office can encourage community confidence that privacy rights are protected is by more vigorous and apparent enforcement action. The Consumers' Federation of Australia (65) agrees. It also suggests ways in which organisations can encourage community confidence.

Encouraging individuals to exercise their rights

The AMA (29) suggests that it would be helpful if the Office kept statistics of complaints against doctors to identify where the medical profession is not complying (to assist in developing education programs for doctors) and where complaints are unfounded (to inform community awareness campaigns).

Resources and educative role

Some submissions explicitly suggest that the Office should be better resourced to fulfil its educative role. ADMA (67), for example, says that the education aspect of the Office's role needs to be more adequately and suitably funded, and until this is so the effectiveness of the NPPs in protecting personal information will be compromised.

Baycorp Advantage (86) supports an increase in resources to the regulator to support its functions. Finally, the Association of Market Research Organisations and the Australian Market and Social Research Society (61) say that the Office should be resourced to assure the public that the law protects their privacy and that the Office should raise the public's confidence in what is a good system that is in place to protect their privacy.

Options for reform

Community education and awareness programs could be developed

The scheme established by the private sector provisions of the Privacy Act is complaints based, that is, the Privacy Commissioner primarily acts only in response to a complaint made by an individual. Individuals' awareness of their privacy rights and how to exercise them, and individuals' confidence that their rights will be upheld, is critical to the integrity of the scheme. Consumer organisations and business alike acknowledge the importance of community awareness of privacy rights and confidence they are protected. Businesses around Australia have invested considerable resources into ensuring they are privacy compliant and are calling for improved community awareness. The Office could form partnerships with community organisations to develop education programs to raise community awareness about privacy, individual privacy rights and enforcement of rights.

The Office could undertake the program

The functions of the Privacy Commissioner include, among other things:

‘for the purpose of promoting the protection of individual privacy, to undertake educational programs on the Commissioner's own behalf or in co-operation with other persons or authorities acting on behalf of the Commissioner' 72.

The Office of the Privacy Commissioner is best placed to undertake an education program to raise community awareness of privacy and privacy rights. Submissions support this view.

Specifically funded program

The Office would need specific funding to allow it to engage in such a program. Business and consumer organisations have both called for more resources for the Office for this purpose 73. The Government could consider funding the Office to undertake a systematic and comprehensive education program to raise community awareness of privacy and privacy rights. This will benefit both consumers and business, which will no longer have to use its resources to explain to consumers why it cannot release personal information.

Office to develop promotional strategies

One way to promote awareness of privacy, and good privacy practice would be to authorise the use of a logo to indicate an organisation's commitment to good privacy practice. Submissions did not, however, reveal particular interest in it and there is as yet no demand from consumers. Any logo scheme would need to have mechanisms to handle potential breaches of the Privacy Act by logo users. This may have implications for the role of the Office in any logo scheme, particularly in the context of its statutory complaints handling function.

Remove barriers preventing the making of privacy complaints

The complainant demographic survey undertaken by the Office, although somewhat unreliable given the low response rate, suggests that there may be barriers that are preventing certain groups within the community from making privacy complaints to the Office. The Office could take steps to ascertain if there are barriers, for example language barriers, preventing individuals from knowing about and exercising their privacy rights. The Office could then seek to implement initiatives that would remove these barriers.

4.6 Recommendations: Consumer education

  1. The Australian Government should consider specifically funding the Office to undertake a systematic and comprehensive education program to raise community awareness of privacy rights and obligations.

  2. The Office will continue to collect demographic information about complainants. It will seek to identify and then remove any barriers that prevent sectors of the community from knowing about and exercising their privacy rights.

4.7 Access generally

Law and policy

Introducing the private sector provisions, the then Attorney-General said:

‘It is a fundamental principle of fair information handling that individuals be able to access and correct information about themselves' 74.

Subject to specified exceptions, an individual has a right to access personal information an organisation holds about him or her. If one of the exceptions applies, the organisation must, if reasonable, consider using mutually agreed intermediaries. If the individual establishes that the information is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information so that it is. An organisation may charge for providing access (but not for lodging a request for access), but the charges must not be excessive (NPP 6).

NPP 6 applies to health information as well as other personal information, supporting ‘what is already good practice among many health professionals' 75.

An organisation may withhold access to health information when ‘providing access would pose a serious threat to the life or health of any individual' 76.

Issues

The Office receives a number of complaints about failure to provide access, especially in the health area 77. The issues paper suggested possible topics for submissions:

What submissions say - issues

Overview

Most of the submissions that discuss individuals' access to their personal information are concerned with health information and/or the costs of access either for individuals or for organisations providing it. Some submissions discuss access to personal information in the context of retail, tenancy, insurance and telecommunications.

Health information

Several submissions express concern that giving patients access to their medical records, especially when there are mental health issues involved, may cause harm. The Australian Medical Association Ltd (AMA) (29), for example, supports a person's right to access information held about them but states that there are occasions when that access can cause harm to the patient or interfere with the therapeutic relationship. The exception in NPP 6.1(b), that providing access would pose a serious threat to the life or health of any individual, sets too high a threshold to overcome the harm that might occur to a doctor-patient relationship or the patient.

Furthermore, says the AMA, NPP 6 does not protect a doctor's private or preliminary views in the thinking processes required for assessment, diagnosis and formulation of a treatment program. This is of particular concern for psychiatrists who take down facts as described, which may or may not be true, and record their own reactions, which may include an adverse reaction to the patient. In the AMA's view, it is not appropriate that a patient have access to such notes; even if not life threatening, it can cause disruption to the therapeutic relationship.

Other submissions agree with the AMA's views. The Mental Health Privacy Coalition (58) would want to ‘white out' the practitioner's private thoughts if a patient sought access. Similarly, members of the Australian Psychological Society (103) believe clients may misinterpret what is written.

Life insurance providers have a particular concern. They assess an applicant's risk on the basis of medical reports but have no knowledge of what the health professional who wrote the report has told the client or whether the client's life, health or safety might be at risk if they receive the information directly from the insurer 78.

On the other hand, the AMA (29) says there is not enough account taken of the need of a carer to know information about the person for whom they are responsible.

Finally, a confidential submission says consumers are often confused about access when there is an Advanced Health Directive or a Power of Attorney in place, or when seeking access to the records of a deceased person.

Health information – use of intermediaries

Some submissions state that the obligation in NPP 6.3 to ‘consider' the use of an intermediary is not strong enough. Privacy Law Consulting Australia (66), for example, says:

‘this principle is effectively meaningless as the requirement to ‘consider' the use of a mutually agreed intermediary does not place any obligation on an organisation other than to ‘turn its mind' to providing access through an intermediary' 79.

Furthermore, the principle does not state what should happen if the parties cannot agree on an intermediary.

Health information – fees

Submissions show a variety of views about the level of fees charged for access to health information.

The Private Health Insurance Ombudsman (10) has received complaints about unreasonable fees charged by a medical practice for access. On the other hand, the Royal District Nursing Service (78) is often left out of pocket when responding to a request for access to information, particularly when the records are no longer on site. In its view the maximum fee allowed under the Victorian Health Records Act is too low. Because the Privacy Act does not include a schedule of fees, a confidential submission says a wide variety of fees are charged giving rise to enquiries from consumers.

Finally, the Australian Physiotherapy Association (APA) (37) says that lawyers often ask for records for use in legal proceedings even though, written for the express purpose of providing treatment, they are unsuitable for use in court. The APA speculates that, as some state legislation caps the amount a practice can charge, ‘some lawyers request records in order to avoid paying reasonable costs for a medico-legal report'. Further, it contends that:

‘some legal firms in Victoria and the ACT are abusing this loop-hole and requesting records under privacy legislation so as to shift expenses to the physiotherapist'.

Access to other records

The experience of the Tenants' Union (ACT) (87) is that it remains very difficult for private housing tenants to access tenant files held by real estate agents, unlike public housing tenants who can use freedom of information legislation. On the other hand, a large retailer, Coles Myer Ltd (60) has had very few requests for access, fewer than 10 since the Act commenced.

Similarly, member organisations of the Australian Direct Marketing Association (ADMA) (67) have received very few requests for access to personal information. Some submissions, including, for example, Clubs Australia and New Zealand (75) express concern about the costs of providing access. Vodafone Australia Ltd (112) states that it is important to be able to implement cost recovery mechanisms for access to personal information.

What submissions say – addressing the issues

Considering the therapeutic relationship

Submissions suggest a number of ways to address these issues. Some submissions from health care organisations consider circumstances when access should not be given. The Australian Medical Association Ltd (AMA) (29) expresses concern that, in the health care context, there are occasions when access to records could cause harm to the patient or interfere with the therapeutic relationship. The Mental Health Privacy Coalition (58) also suggests that the Privacy Act should be clarified to indicate that the threat of destruction to a therapeutic relationship is a serious risk.

Other aspects of access to medical records

Submissions address other aspects of access to medical records. The AMA (29) says that it is necessary to disclose information about the patient's ongoing care when he or she is discharged from hospital to the patient's carer, whether or not the patient consents.

The Investment and Financial Services Association (89) says that insurers want to be able to give information to a patient not directly but via the health professional who supplied the information in the first place, or to the patient's GP, without having to rely on the NPP 6.1 exception, as is possible under the Health Records and Information Privacy Act 2002 (NSW).

Finally, a confidential submission says the Office should issue a fact sheet about access to patients' health records when there is an Advanced Health Directive or an Enduring Power of Attorney in place.

Use of intermediaries

In the view of Privacy Law Consulting Australia (66), NPP 6.3 which provides for consideration of the use of an intermediary when access is denied should be removed altogether or else amended to impose obligations on both the organisation and the individual.

Fees for access

As discussed above, a number of submissions consider the fees payable for access to health information. A confidential submission says that the Privacy Act should set a maximum fee for access that is realistic.

The Australian Privacy Foundation (APF) (90), on the other hand, is happy with the NPP 6.4 provision that charges for access must not be excessive. Its concern is that the Office considers reasonable what the APF considers manifestly excessive, and it recommends that the provision be amended to make access free or to set a reasonable cap.

Consumer perspective

The Australian Privacy Foundation (90) makes a number of suggestions for change from the point of view of consumers. These suggestions are:

Options for reform

Address concerns about access and the threat to the therapeutic relationship

There are a number of possible ways of addressing these concerns, including further limiting the circumstances in which access might be granted and providing guidance on the existing law. There is no doubt that there are circumstances when access to records may cause a breakdown in a therapeutic relationship and that the breakdown in the therapeutic relationship may constitute a serious risk to the patient's health. However, this does not justify changing the law. Rather, it indicates that there are good reasons for addressing the uncertainties through guidance.

Similarly, the issue of the privacy of the therapist's personal views may be best addressed through guidance. The NPPs allow an organisation to deny access where it would have an unreasonable impact on the privacy of someone else 80. This could include a therapist's views.

Notify others of corrections made to personal information

When inaccurate information has been passed on to others, it is of little comfort that it has been corrected at source but not elsewhere. When an individual's personal information is corrected in response to a request from the individual, the organisation, where practicable, could be obliged to notify third parties that they have received the inaccurate information.

Use of intermediaries

NPP 6.3 provides that an organisation must, ‘if reasonable, consider' the use of an intermediary where it has refused access on the grounds of one of the exceptions to access in NPP 6.1. The right is a very limited one. There is a stronger right to the use of an intermediary under the proposed National Health Privacy Code. An intermediary, a nominated health service provider, may, among other things, consider the validity of the refusal and, if he or she thinks it appropriate to do so, discuss the content of the health information with the individual. The relevant provisions are prescriptive and detailed and are not suitable for inclusion in the NPPs. The NPPs could, however, include a similar right. Alternatively, if the AHMAC code becomes a schedule to the Privacy Act 81, the matter will be dealt with by that means.

Set fees for access

There is a significant difference in the cost of providing access to records, depending on a number of variables, including whether the records are on site or not, the number of pages involved and the amount of scrutiny necessary. It is not therefore appropriate to set a single fee for access. What may be suitable in one case may be wildly unsuitable in another.

It may be appropriate for the Office to offer some guidance as to what it thinks is appropriate. Alternatively, the Australian Government could introduce a table of recommended fees in a schedule to the Privacy Act. And, if the AHMAC code becomes a schedule to the Privacy Act 82, the matter may be dealt with by that means.

Office could give guidance re ‘able to establish' in NPP 6.5

NPP 6.5 requires that an individual ‘establish' that information is not accurate before the organisation needs to take reasonable steps to correct it. This may be an unduly high standard. It is also unclear. The Office should provide guidance about ‘able to establish' in NPP 6.5.

4.8 Recommendations: Access generally

  1. The Australian Government should consider amending NPP 6 to provide that when an individual's personal information is corrected in response to a request from the individual, the organisation should be obliged to notify third parties, where practicable, that they have received the inaccurate information.

  2. The Australian Government should consider adopting the Australian Health Ministers' Advisory Council (AHMAC) Code as a schedule to the Privacy Act (see also recommendations 13, 33 and 35). This will address the issue of intermediaries, and the issue of fees for access.

  3. The Office will develop further guidance on the operation of NPP 6.1 on ‘serious threat to life or health', explaining that a serious threat to a therapeutic relationship could be a serious threat to a person's health. This will go some way towards addressing what appears to be a too narrow interpretation of NPP 6.1(b) by some practitioners.

  4. The Office will develop guidance on fees for access to personal information.

  5. The Office will develop guidance on the meaning of NPP 6.5, which requires that an individual ‘establish' that information is not accurate before the organisation needs to take reasonable steps to correct it.

4.9 Transfer of health records to another health service provider

Law and policy

The NPPs do not create specific obligations regarding the transfer of medical records in circumstances where an individual changes from one health service provider to another. In some circumstances, individuals and their providers will simply agree for the records (or copies of them) to be transferred to the new provider. If necessary, an individual may exercise their general access right (under NPP 6) to their health information. If they obtain a copy of their record they can take this to their new provider. However, there is no specific obligation in the Privacy Act requiring a provider to transfer a medical record in full to another provider.

Other regulation may require health providers to do certain things. For example, the Victorian Health Records Act 2001 requires that if an individual asks, then a health service provider must provide ‘a copy or written summary of the individual's health information' to another provider. Furthermore, some professional bodies have noted that in line with good clinical practice and relevant codes of ethics, health service providers should ensure that an individual's new provider receives adequate information to provide treatment.

What submissions say

This issue did not figure prominently in submissions. However, during consultations it was suggested that while this issue is significant, it may be better addressed at the state and territory level, rather than at the Australian Government level. A reason for taking this approach is that health service providers are registered at the state or territory level, usually by registration boards or similar bodies created under state legislation.

Moreover, the management and handling of patient records generally forms part of a health service provider's professional responsibilities for which they are registered. This could be a more appropriate mechanism for setting out, and addressing as necessary, health service providers' obligations in this area.

Options for reform

Amend the NPPs – add additional principle

The NPPs could be amended to add a principle (for example, NPP 11) similar to the relevant principles in the Victorian Health Records Act (HPP 10) and draft National Health Privacy Code (NHPP 11).

This principle would state that health service providers would have express obligations to transfer medical records, or copies of them, to a different provider at the request of the individual concerned.

However, this approach introduces a greater degree of prescription to the NPPs than is currently the case. This may not sit comfortably with the high-level, cross-sectoral intent of the NPPs. It should be noted that if the AHMAC code becomes a schedule to the Privacy Act, the matter will be dealt with by that means 83.

No amendment to the Privacy Act – encourage responses by states and territories

Accepting the view that the transfer of medical records between health service providers is a predominantly professional practice issue, the states and territories (for example, through their medical registration boards) could be asked to set out providers' obligations in this area.

Jurisdictions could determine whether to set out these obligations in statute or through other professional practice rules and mechanisms connected with provider registration. There would be a need to consider how to ensure national consistency for providers and their obligations across Australia, particularly for those operating (and sharing personal information) across jurisdictions regularly.

Adopt AHMAC code

It is anticipated that the draft AHMAC code will be considered by all Australian health ministers in 2005. Following this, the Australian Government could adopt the AHMAC code. If so, the matter will be dealt with by that means.

No change

As this was not a high-profile issue in submissions, it may be appropriate to make no regulatory change. Those responsible for health policy across all jurisdictions, as well as the Office, could monitor any emerging issues.

4.10 Recommendations: Transfer of health records

  1. The Australian Government should consider adopting the Australian Health Ministers' Advisory Council (AHMAC) code as a schedule to the Privacy Act. This will address the issue of the transfer of health records to another health service provider. (See also recommendations 13, 29 and 35.)
  2. The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 11 in the AHMAC Code.

4.11 Access to health records when health service ceases to operate

Law and policy

When introducing the private sector provisions, the Australian Government recognised that ‘Australians consider their personal health information to be particularly sensitive and that they expect that it will be handled fairly and appropriately by those who come into contact with it.' 84

One element of fair and appropriate handling of health information is that individuals have a right to access information that a health service provider holds about them. Also, individuals ought to have some control over how their information is handled and by whom.

These choices can be difficult to exercise when a health service provider ceases to operate. Under common law, a provider generally retains ownership of the medical records they create 85. However, this should not reduce an individual's right to access their health information should they wish to do so in the context of NPP 6, including the prescribed exceptions to granting access.

Health services ceasing to operate

The Office has become aware of a number of cases where individuals have not been able to gain access to their health information because their health service provider has ceased to operate. For example, a practitioner may have retired, they may have died, or their practice may have closed. Records may be left with other providers, or family members or executors of the previous practitioner, for ‘safe-keeping'. In such cases, an individual's right of access to their health record can be difficult to guarantee.

In some jurisdictions, specific legislative provision is made for ‘abandoned' records to be retained by a central body, such as a medical registration board. For example, in Queensland, section 260 of the Medical Practitioners Regulation Act 2001 says the Board may take possession of records it considers abandoned 86. In NSW, the Medical Practice Regulations 2003 impose obligations on how medical practitioners should handle health records in the event of the disposal of a practice 87.

In Victoria, the Health Records Act 2001, through Health Privacy Principle (HPP) 10, sets out obligations for health service providers when they cease to operate. These obligations include advertising the fact of ceasing operations in local newspapers 88.

When a health service ceases to operate, this also brings into question a provider's data security obligations under NPP 4. There is a risk that ‘abandoned' records may not be afforded adequate levels of storage and security.

What submissions say

Similar to the transfer of medical records, this issue did not figure prominently in submissions. During consultations, however, it was suggested that this matter also could be addressed at the state and territory level. Again, a reason for taking this approach is the registration of health service providers at the state or territory level, usually by registration boards or similar bodies created under state legislation.

The Investment and Financial Services Association (89) says that:

‘occasionally, our members encounter the situation where medical records are not available because the GP has retired, died or moved. From an underwriting perspective we would strongly support a national policy whereby an individual's medical records are retained in a central body when this situation arises'.

The inability for an individual to get access to their medical record because a health service has ceased to operate can affect not only their health care needs, but also their ability to gain other services such as insurance.

Options for reform

Amend the NPPs – add additional principle

The Privacy Act could be amended in a manner similar to the Victorian HPP 10 and the proposed National Health Privacy Code's NHPP 10, by adding a similar principle into the NPPs. Such a principle could require providers to do certain things to ensure access arrangements are in place upon the cessation of service, as well as to make individuals aware of how they can seek access to their records.

No amendment to the Privacy Act - encourage responses by states and territories

Similar to the approach suggested with the transfer of medical records, it may be reasonable to take the view that the obligations upon providers for handling health records generally is a predominantly professional practice issue. States and territories (for example, through their medical registration boards) could be asked to set out providers' obligations for securing records upon cessation of a service, and to ensure that access arrangements are maintained.

Jurisdictions could be asked to create central registers for securing and managing ‘abandoned' records, in a manner similar to that created under the Queensland Medical Registration Board Act.

Adopt AHMAC code

It is anticipated that the draft AHMAC code will be considered by all Australian health ministers in 2005. Following this, the Australian Government could adopt the AHMAC code. If so, the matter will be dealt with by that means.

No change

As this was not a high-profile issue in submissions, it may be appropriate to make no regulatory change. Those responsible for health policy across all jurisdictions, as well as the Office, could monitor any emerging issues.

4.12 Recommendations: Health service ceases to operate

  1. The Australian Government should consider adopting the AHMAC code as a schedule to the Privacy Act. This will address the issue of access to health records when a health service ceases to operate. (See also recommendations 13, 29 and 33.)

  2. The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 10 in the AHMAC Code.



5 Enforcing individual rights and ensuring compliance

5.1 Introduction

For the private sector provisions to be most effective in protecting individuals' privacy and in promoting the public interest in privacy, organisations subject to the private sector provisions should be complying with them.

The private sector provisions include a complaints process to enable individuals to complain to the Privacy Commissioner if they believe their privacy has been breached. The Act also gives the Office a power to investigate, on its own initiative, if it thinks an organisation may have breached the private sector provisions.

The scheme does not provide for strict black letter penalties or fines; nor can the Commissioner specify how a particular organisation should comply with the NPPs 89.

The Office also has a role in providing information and advice to organisations to help them to comply. This issue is discussed in Chapter 6.

5.2 Law and policy

Approach to compliance

The Office takes the approach that compliance will be best achieved by helping organisations to comply rather than seeking out and punishing the few organisations that do not. It assumes that most Australian organisations in the private sector wish to comply with their legal obligations. The Office's emphasis is therefore on providing advice, assistance and information.

This approach is set out in Information Sheet 13 – The Federal Privacy Commissioner's Approach to Promoting Compliance with the Privacy Act which is in Appendix 7.

However, the Office actively pursues cases when it identifies breaches of the Privacy Act. It seeks to ensure that organisations remedy breaches and address complainants' concerns, including by compensating them where that is warranted.

To date the Office has made limited or no use of the more formal enforcement powers, such as making complaint determinations or seeking injunctions from the court, or publicly ‘naming' and ‘shaming' 90. This is in part due to:

Complaints process

Process

The complaint handling framework set out in the Privacy Act, and reflected in the Office's approach, emphasises:

If a complaint cannot be resolved by these processes the Privacy Act gives the Commissioner a range of powers including the power to make determinations.

The Office currently receives approximately 1250 complaints per year. Approximately 66% of these are complaints under the private sector provisions.

Typical outcomes following conciliation include:

See Appendix 8 for information about the Commissioner's powers of investigation and Appendix 9 which includes statistics on how complaints are finalised.

Where the Commissioner formally determines that an organisation has interfered with the privacy of a person, there are a number of options available to address the issue 92. The options include:

Loss or damage can include injury to the person's feelings or humiliation suffered by that individual.

If the organisation does not comply with a determination it may be enforced by the Federal Court or Federal Magistrates Court 93.

Information about complaints

The Office publishes de-identified 94 case notes of some of its finalised complaints that are considered to be of interest to the general public. They illustrate the types of cases resolved by the Office and usually involve a new interpretation of legislation, illustrate systemic issues, or illustrate the application of the law to a particular industry. The case notes do not identify the parties to the complaint. The Office has published 39 case notes since the practice commenced in December 2002.

The Office publishes Commissioner's determinations in full but suppresses the names of the complainant. It also publishes a variety of complaint statistics and case studies on its website, and in its annual reports.

Powers supporting complaints process

The Privacy Act provides a range of powers and functions to support the complaint handling process and to encourage compliance with the provisions.

These include the power to:

The Commissioner also has functions to provide advice and to undertake education and awareness programs 97.

In addition, the Privacy Act also provides for the Commissioner or others to seek an injunction from the Federal Court or Magistrates Court to stop acts or practices that may be an interference with privacy or to require action to prevent an interference with privacy 98.

This enforcement framework is essentially the same as that applying to the Australian public sector since 1989, although with some variations, to reflect the intention that these provisions be ‘light touch'. For example, the Privacy Commissioner's power to audit agencies, credit providers, credit reporting agencies and tax file number recipients is not replicated in the private sector provisions. Further, the Commissioner cannot report to Parliament the failure of an organisation to respond to any recommendations following an investigation under section 40(2) of the Privacy Act (own motion investigations).

Survey of complainants and respondents

The Office recently surveyed complainants and respondents seeking feedback on the Office's complaint handling process and suggestions for improvements. The Office is now considering the responses and will feed this information into the review of its complaint handling processes. An overview of the survey responses is at Appendix 14. While to some extent responses were coloured by the outcome of the complaint (that is, whether or not it was upheld), many complainants were dissatisfied with the timeliness of the process.

Review rights

Commonwealth Ombudsman

The Office is subject to review by the Commonwealth Ombudsman with respect to 'a matter of administration'. The Ombudsman often will resolve a complaint through a process of conciliation, but when this is not possible, the Ombudsman has the capacity, through a report to the concerned agency, to request remedies, for example, where the action:

Administrative Decisions (Judicial Review) Act 1977

Complainants and respondents may apply to the Federal Court or the Federal Magistrates Court for a review of ‘administrative decisions' made about a privacy complaint under the Administrative Decisions (Judicial Review) Act 1977 (ADJR Act). The ADJR Act provides quite a broad right of review.

However, it is important to note that the ADJR Act reviews the process followed to make the decision, not the substance of the decision. The Court cannot hear the matter afresh or substitute the decision of the Commissioner with its own. Grounds for a review include a breach of the rules of natural justice, or excess of power, or error of law. If the court finds, for example, that there has been a misuse of power or error of law, the matter will be remitted back to the Commissioner for a reconsideration according to law.

Matters that could be the subject of an ADJR application include:

Administrative Appeals Tribunal

There is no right of appeal to the Administrative Appeals Tribunal (AAT) in respect of determinations about private sector organisations. The Privacy Act does provide a limited right of appeal to the AAT for a merits-based review of the Commissioner's decisions where the respondent is a federal or ACT agency and only in relation to whether or not to make a determination that a complainant is or is not entitled to compensation 100.

Review/enforcement by Federal Court or Federal Magistrates Court

In addition to the above rights of review, where the Commissioner makes a determination following an investigation of a complaint and the organisation does not comply with the determination, the Commissioner, code adjudicator or complainant, may apply to the Federal Court or Federal Magistrates Courts to have the determination enforced 101. The courts will hear the matter afresh and apply their own decision.

However, there is no recourse to the courts if the Commissioner does not make a determination or the respondent organisation has complied with a determination (although, as noted above, the ADJR Act is available if the process by which the Commissioner made these decisions is considered unfair or unlawful).

5.3 Issues

The issues paper suggested a number of topics for submissions related to enforcement and compliance. These included whether:

5.4 What submissions say – issues

Approach to compliance

Support for approach

Many of the submissions from organisations and business or industry bodies, including Restaurant and Catering Australia (5), Promina (34), Insurance Council of Australia (59), Coles Myer Ltd (60), Australian Bankers' Association (70) and Optus (98) support the Office's approach to compliance and argue that it should continue. These submissions say that the Office's approach has enabled organisations to implement flexible policies to protect the privacy of individuals without hindering business development. They generally consider that the right balance has been achieved.

In particular Restaurant and Catering Australia (5) commends the Privacy Commissioner's limited use of formal enforcement powers and its focus on the cooperative resolution of issues. The Insurance Council of Australia (59) also supports the Office's educative approach to complaint handling.

The Investment and Financial Services Association Ltd (IFSA) (89) suggests that:

‘the effectiveness of the current dispute resolution mechanism has resulted in few judicial decisions on the application and the private sector provisions… [It] strongly supports the continued resolution of complaints by negotiation'.

A number of submissions say that the approach should extend to complaint handling where the focus should emphasise information/advice and conciliation over legalistic determinations 103. One confidential business submission thought that existing enforcement powers including in relation to determinations were a ‘powerful enough incentive for organisations to comply'.

Approach ineffective

Submissions from the consumer and privacy advocacy groups, including the Consumers' Federation of Australia (65), the Australian Consumers' Association (15), Electronic Frontiers Australia (51) and the Australian Privacy Foundation (90), also note the low number of complaints. While the business sector sees this as a positive indicator (see discussion below), these submissions conclude that the educative approach deters individuals from complaining. They say this is because individuals see no strong action or consequences resulting from an organisation's poor privacy performance.

Level of compliance

Level is about right

Many submissions from organisations and business groups argue that they or their members have taken significant steps to comply with the Privacy Act. They say that the overall level of compliance is good and that the Office's approach is working well.

A number of these submissions outline the compliance steps they have taken and note the expenditure involved 104. These submissions argue for the current approach to be maintained. Some also sought more emphasis on education and/or guidance for consumers and organisations.

Many of these submissions argue that the overall low level of privacy complaints they or their members have experienced is positive evidence of a satisfactory level of privacy compliance. They say this is particularly so taking into account the number of transactions processed. Submissions noting low complaint levels include Coles Myer (60), Optus (98), Sensis (84), ABA (70), Suncorp Metway (35), the Financial Planning Association (85), Australian Association of Permanent Building Societies (91), Australian Finance Conference (63), the ANZ Bank (40) and the Insurance Council of Australia (59). Some submissions put forward statistics supporting this view. For example:

Coles Myer (60) says that given the low level of complaints it considers the current compliance approach (and powers) to be sufficient.

‘The best protection for a customer…is the organisation's desire to maintain its reputation and competitive advantage in the market'.

On the other hand the Salvation Army Australia Southern Territory (74) suggests that low levels of complaints can be attributed to lack of awareness of complaints procedure.

Level may not be adequate

In contrast, submissions from the consumer and advocacy groups, including those from the Australian Consumers' Association (15) and the Consumers' Federation of Australia (65), express some strong concerns about the Office's approach to compliance.

It was also a theme in the Office's public consultations that while many organisations are trying to comply some are not worried about implications of a breach. Some saw this as a possible indication that compliance may not be as widespread and ‘deep' as it could be. A participant at the Adelaide consultation suggested that if the Office was to ‘out' poor privacy performance this would then be a point of difference between businesses for consumers to consider; privacy would matter more to business 105. Another participant stated that it is difficult to talk some company boards into being privacy compliant when no schedule of penalties attach to the NPPs and commented that ‘if you had audit powers, we might be able to convince our boards to comply' 106.

In a similar vein, the Consumers' Federation of Australia (65) and the Australian Consumers' Association (15) assert that the Office approach to compliance and the lack of visible enforcement of privacy rights means that organisations are lax about compliance with privacy obligations.

Others support the view that there is no incentive to correct system flaws and that it is easier to simply respond when (the very few) complaints come in rather than comply in a systemic way 107.

Comments from some submissions suggest that for smaller businesses, privacy may not be a high priority in the midst of other regulations. For example (83) observes that:

‘All business in Queensland currently negotiates a raft of government (local/state/federal) regulations. For smaller enterprises these regulations are often seen as annoying diversions to the primary purpose of the business: at times they can be very daunting and costly'.

The Australian Chamber of Commerce and Industry (22) makes the similar point (in arguing against the removal of the small business exemption):

‘that privacy compliance costs would be additional to the myriad of other compliance burdens stemming from legislative or regulatory requirements, be they in relation to occupational health and safety, industrial relations or, in particular, taxation'.

In general, the perceived lack of enforcement mechanisms in the Privacy Act especially in relation to determination enforcement is a matter of strong concern amongst the advocacy and consumer groups 108.

Office does not use existing powers

Submissions from Professor Graham Greenleaf (47) and some consumer organisations note the very limited use the Office makes of the Commissioner's power to make determinations. As discussed elsewhere, submissions focus on the perceived lack of procedural fairness and transparency flowing from the lack of determinations.

Professor Graham Greenleaf argues that the limited use of determinations equates to a failure to visibly enforce the law with consequent impact on culture of compliance, compliance risk assessment and so on.

Systemic issues not being addressed

Incidence of systemic issues

Some submissions say that the Office has not paid enough attention to fixing systemic issues, which are causing a large number of complaints. These submissions suggest that the Office needs to consult more regularly with consumer groups to identify systemic issues and to formulate ways of addressing these issues with foresight, instead of merely dealing with complaints once they have arrived at the Office's door. 109

On the other hand, a few business submissions are sceptical about the incidence of systemic issues. The Australian Bankers' Association (70), referring to a member bank's analysis of privacy complaints, states that privacy complaints represented 0.0035% of its total customer base and that the complaints had no real pattern, indicating that there were no systemic problems. It states that many of the complaints involved ‘isolated instances of human error'.

Systemic issues and complaints process

A number of submissions are concerned that the Commissioner has limited ability to address broader systemic issues as a result of the Privacy Act's strong focus upon individual complaints.

The Consumer Credit Legal Centre (62) and the Consumers' Federation of Australia (65) state that reliance on individual or even representative complaints is ‘inefficient'. The Australian Consumers' Association (15) raises concerns that the complaints focus disconnects the Office from systemic issues. It argues that the Commissioner should have the power to address systemic problems outside the context of resolving an individual complaint.

The Consumer Credit Legal Centre (62) and the Consumers' Federation of Australia (65) state that there is no incentive to correct systemic flaws:

‘In most cases, the worst outcome for a respondent is to amend the records. With respect to credit reporting, the cost of dealing with a small number of complaints is apparently less than the cost of ensuring the data is accurate in the first place'.

The Australian Privacy Foundation (90) argues this as well.

While not specifically relating to the NPPs, the Consumer Credit Legal Centre (NSW) (62) raises particular concerns that the Commissioner is not effectively using powers to deal with systemic issues in the credit reporting sector.

The Australian Consumers' Association (15) argues that over time more enforcement of systemic issues may lower the number of complaints.

More information when systemic issues raised

A number of submissions 110 raise concerns about the lack of information provided when systemic issues are raised with the Office. The Consumer Credit Legal Centre states:

‘we are concerned about the lack of information provided to us when we raise issues of what we believe may be a repeated or systemic problem. While our client's problem may be resolved, we are rarely advised whether there has been any response to what might be a broader problem with a particular credit provider'.

Some also suggest that there is some failure on the part of the Commissioner to recognise the seriousness of broader systemic issues raised by consumer groups and NGOs, accompanied by the suggestion that these groups want closer interaction with the Commissioner.

Not enough powers to ensure compliance

A number of submissions put the view that at present the Privacy Act does not provide sufficient powers to ensure that businesses are aware of their obligations to protect privacy, or know how to implement them in practice and carry through on implementation. They note the lack of audit powers in the private sector provisions and they comment on what they see as a fact that the Office cannot require organisations to comply with ‘own motion investigations' the Office undertakes 111.

Ineffectiveness of determinations for compliance and systemic issues

A number of consumer and privacy advocacy groups comment on the effectiveness of determinations in addressing systemic issues in the light of the Commissioner's determinations in April 2004 following representative complaints about a series of issues arising from the operation of tenancy databases.

The Tenants Union of Victoria (23) claims that evidence suggests the determinations have failed to achieve compliance. It notes that in order to achieve compliance an application must be made to the Federal Court, which is both time and resource intensive.

In addition, it claims that determinations are unlikely to be effective in the awarding of small compensation payments and most importantly, determinations are only applicable to the individual complaint, not to industry wide practice.

Submissions from advocacy groups and representatives 112 are concerned about the implications of the Privacy Commissioner's view 113 that a determination under section 52 cannot require a respondent to do something or refrain from doing something unless the activity relates to matters raised by the complainant.

They are concerned that this view means that the Office cannot address systemic issues raised by a complaint. For example, the Tenants Union of Queensland (69) states that:

‘this can, and has in our view, result in a ‘cat and mouse' game whereby the respondent makes changes, but not those recommended, but still fails to meet the requirements of the NPPs. Aggrieved parties and their advocates are left to raise new complaints and the process is perpetuated 114.'

Professor Graham Greenleaf (47) makes similar points. He notes that respondents are free to ignore recommendations and the only remedy for individuals is to then make a further complaint and that:

‘this could end up in a continuing charade whereby the respondent is told what he cannot do, but cannot be giving binding directions as to what they must do' 115.

The overall view from consumer/privacy advocate submissions is that representative complaints, whilst useful in raising systemic issues, were not viewed as being effective in addressing broader systemic issues as the Privacy Act does not provide the Commissioner with a power to enforce systemic remedies.

However, the Investment and Financial Services Association Ltd (89) opposes any proposal to implement systemic remedies as it sees that the current approach is working effectively. Telstra (110) approves of the focus of the NPPs being on interference with the privacy of individuals and submits that the current powers of the Commissioner are sufficient.

Complaints process

Process is not transparent

Lack of transparency in the complaints process was a major focus of many submissions 116.

People don't understand the process

Professor Graham Greenleaf (47), the Consumers' Federation of Australia (65) and the Australian Privacy Foundation (90) argue that the Office's complaints process lacks transparency because the Office does not publish a manual which outlines the Office's policies and procedures when it investigates and resolves complaints. They say that, as a result, the parties to complaints can only infer these procedures and policies from the piecemeal information that is publicly available.

People don't know what decisions are made or why

A number of submissions say that people do not know enough about the outcomes of complaints. They say the consequences of this are:

Professor Graham Greenleaf (47) observes that there is no publicly available criterion which reflects how the Office selects complaints for publication.

Submissions from privacy advocates and consumers 117 observe that the lack of reported statistics on some aspects of the complaint process means that the nature of remedies that complainants achieve is not widely known, nor is it possible to assess the Office's overall performance in complaint handling. The Fundraising Institute Australia Ltd (52) makes a similar observation.

Some submissions observe that while the published statistics in the 2003-2004 Annual Report show the number of complaints received and closed and the basis for closing the complaint, there is no indication of the nature of resolutions achieved.

Fairness of process

No review power

Submissions from consumer and advocacy groups, for example, Professor Graham Greenleaf (47), Consumer Credit Legal Centre (NSW) Inc (62), and the Australian Privacy Foundation (90) note the lack of a right of review for complainants or respondents in relation to section 52 determinations made by the Commissioner.

This issue is set out in detail by Professor Graham Greenleaf (47). The submission includes the following observations.

‘In my submissions to the Government and to Parliament on the Bill leading to the private sector provisions I stressed (as did other commentators) that the lack of any right of appeal against section 52 determinations (to the Federal Court, Federal Magistrates Court, or at least to the AAT), was extremely unfair to complainants.'

The submission goes on to say that as is noted by the Office's issues paper, one of the reasons for this unfairness is that:

‘Respondents have the possibility of having a case heard afresh by refusing to comply with a determination and waiting for the Commissioner to seek to have the case enforced in court. However, this strategy is not available to an aggrieved complainant. Quite apart from the inherent bias towards respondents in the Act as it stands, it is unfair and is unnecessary that there should be no appeal from determinations by the Privacy Commissioner.'

Another common concern in the submissions is the Privacy Act's lack of a merits-based review process for decisions made under section 41. Submissions say this is particularly a concern, for example, where the Commissioner chooses not to investigate, or investigate further, a complaint on the basis that the Commissioner considers that the respondent has adequately dealt with the complaint, regardless of whether the complainant is satisfied with the respondent's response.

A few submissions, for example from the Chamber of Commerce and Industry, Western Australia (77), argue that the lack of appeal rights is not unique to the Privacy Act and that it is not clear that it is problematic.

Ending partially complete investigations

Professor Greenleaf (47) submits that there is a lack of procedural fairness in the complaints handling procedure in that the Office may complete partial investigations and then decline to investigate a matter further. In his view procedural fairness can only be ensured if the proper process is in place for the Commissioner to make a formal determination in such cases. Indeed the submission asserts that individuals should be able to insist on the Office making a final determination on a complaint.

Process is too bureaucratic

The Consumers' Federation of Australia (65) and Australian Privacy Foundation (90) say that the Office is overly bureaucratic in requiring individuals to first raise the specific issues with the respondent before the Office will handle the complaint 118. The submissions report that, in some cases, this involved writing to the respondent, or respondents, several times 119.

People are confused about who to complain to

Some submissions from business, government and consumer organisations, and from individuals in the health and telecommunications sectors, outline the difficulties experienced because a complaint could be pursued in a number of forums.

In particular, Telstra (110) notes that its customers could complain to the Telecommunications Industry Ombudsman (TIO), the Australian Communications Authority or the Privacy Commissioner. In its view the number of possible complaint bodies causes confusion and additional costs. Its preferred view is that the Privacy Commissioner should be the body of last resort and should only get involved after the TIO has considered the matter.

The Department of Health and Ageing (99) put a similar view in relation to complaints in the health sector, noting that there was a lack of clarity and definition relating to recourse when consumers feel their privacy has been breached. It sought a more consumer friendly approach for dealing with privacy complaints; for example, it encourages the Office to develop a Memorandum of Understanding with Health Complaints Commissioners.

However, submissions from regulators with overlapping jurisdiction were more comfortable with the operation of the current arrangements. For example, the Australian Competition and Consumer Commission (ACCC) (128) comments that although some complaints may fall within both jurisdictions, this has not been a barrier to resolution. It notes that the Office and the ACCC generally refer complaints to one another and the Memorandum of Understanding has assisted in this.

The Australian Communications Authority (94) says that the lack of clarity about jurisdictional responsibility has not been a barrier to resolution of complaints as parties generally liaise closely and adopt a co-operative approach. However it notes:

Delays in handling complaints

A number of submissions, including ANZ (40), Coles Myer (60), Australian Finance Conference (63), Australian Bankers Association (70) and Baycorp Advantage (86), questioned whether the Office is adequately resourced to undertake key functions, including complaint handling. For example, Coles Myer says:

‘We are aware of consumer advocate criticism of the long delays of matters raised with the Commissioner. We share these concerns. . . . we would recommend the Commissioner be sufficiently resourced to:

Likewise the Australian Finance Conference (63) says:

‘…on the more specific level of complaint handling involving our members individually, there has been concern expressed about the delay in raising the complaint with the member. . . . we recognise that the limitation on the resources of the OFPC may have impacted.'

Other submissions are also concerned about delays in complaint handling. 120

A confidential submission from an individual highlights the frustration they felt whilst waiting for their complaint to be investigated. The Australian Consumers' Association (ACA) (15) notes it is:

‘aware of and concerned by the delays and queues that have characterised complaints handling by the Office over the term of the review. These in turn may well have fed back into a public perception of the Office as being incapable of delivering a satisfactory outcome'. Further, the ACA states a belief that ‘the OFPC has a high rate of discouraged complainants, abandoned complaints and unhappy consumers'.

Tenants' Union of Queensland (69) says that the ‘resource issue needs to be addressed to allow the Office to discharge its complaint handling function and embed a ‘real respect' for individual privacy into Australian businesses.'

Respondent organisations are also aware of the problems that have arisen due to the underperformance of the complaint handling function. The ANZ (40) says, that in one case there was a period of 12 months between the time the Office had told an organisation that the complainant had written to the Commissioner and when the complaint was finally forwarded to the respondent.

The ANZ Bank (40) highlighted two problems caused by delay in its submission, in particular:

Respondents emphasise that swift resolution of complaints is essential to ensure confidence in the Office and the law.

A number of submissions highlight the fact that prolonged delays in complaint handling reduce the success of complaint resolution and make it difficult to ‘mend' the relationship with the complainant 121.

5.5 What submissions say – addressing issues

Transparency

Publish complaints manual

A number of submissions, including Professor Graham Greenleaf (47), the Australian Privacy Foundation (90), the Consumers' Federation of Australia (65) and the Consumer Credit Legal Centre (62), say that in order to cast more light on the way that the Office handles complaints the Office should publish online a comprehensive manual of its complaint resolution policies and procedures, and keep it up-to-date.

Publish more about complaints outcomes

Submissions concerned about lack of transparency call for better reporting of the Office's processes and complaint outcomes in terms of statistical information and more detailed real life examples of closed complaints and how they were resolved.

A number of submissions state that while there has been a marked increase in the number of case notes published on the Office's website, there is still a need for more examples of real life cases which represent the range of complaints which the Office receives. In addition, these submissions seek detailed information about how complaints are resolved to assist readers to understand the legal issues involved and the Commissioner's reasoning leading to a resolution 122.

Submissions acknowledge that publication of case notes detailing a conciliated outcome may adversely affect the conciliation of a complaint. However they argue this may be overcome by de-identifying complaints or if not possible, considering publication of complaints on a case by case assessment.

To achieve a more systematic approach to the publication of case notes, Professor Graham Greenleaf (47), the Australian Privacy Foundation (90), Consumer Credit Legal Centre (62), the Consumers' Federation of Australia (65) recommend that the Office adopt a ‘Criteria of Seriousness' and confirm its adherence to this criteria in the Office's Annual Report. Professor Greenleaf (47) also recommends that the Office:

Greater use of existing powers

More proactive

The Consumer Credit Legal Centre (62) states the Office should be more proactive in addressing systemic issues. The Consumer Credit Legal Centre (62) and the Consumers' Federation of Australia (65) state that reliance on individual or even representative complaints is ‘inefficient'.

More determinations

Professor Greenleaf (47) says that there would be more transparency in the complaints process if the Office made greater use of its power to make determinations.

More own motion investigations

Many advocacy and consumer groups submit that the Commissioner should make greater use of available powers, including the own motion investigation powers, to address systemic issues. The Australian Privacy Foundation (90) states that:

‘Problems that we see constantly repeated over many years are not being adequately addressed. It should not be necessary to keep bringing individual or even representative complaints, which are a very inefficient way of addressing systemic problems. Instead, the OFPC should be more pro-active in addressing systemic issues using her own-motion investigation powers' .

Fairness

More review

Professor Greenleaf says that both the complainant and the respondent to a privacy complaint should have a right of appeal against any section 52 determinations, in the form of merits review. This could be either to the Federal Court, Federal Magistrates Court, or the Administrative Appeals Tribunal. Other submissions also support this, for example, Consumer Credit Legal Centre (62), Australian Privacy Foundation (90), Professor Graham Greenleaf (47) and the Electronic Frontiers Australia (51).

Right to ask for complaint to go to a determination

Professor Graham Greenleaf (47) argues that if the Commissioner dismisses a complaint under section 41(2)(a) of the Privacy Act on the grounds that the Commissioner is satisfied that the respondent has dealt adequately with the complaint, the complainant should be able to insist that the Commissioner make a determination under section 52 of the Privacy Act. A number of other submissions also support this. 123

Professor Greenleaf says that if compensation were involved, this would give the complainant a right to appeal the amount to the Administrative Appeals Tribunal 124. If the respondent was found in breach of the Privacy Act the complainant would have the satisfaction of having the breach publicly acknowledged, even if other remedies were not awarded. He says that the Privacy Act should be amended to clarify that the complainant has this right.

Mixed views about whether the Office should make more use of the determinations power were evident at the Darwin stakeholder forum and included that:

More help to complainants – streamline process

The Australian Privacy Foundation (90) says there should be an express power for the Office to ‘sort out' what principles have been breached and who is the appropriate respondent. The submission argues the onus should not be on the complainant as responsibilities for handling personal information can be confusing.

Improving levels of compliance

Powers to enforce own motion investigations

The Australian Consumers' Association (15) says that the Commissioner should ‘be able to enforce any directions given in relation to findings after an own motion investigation' which ensures that ‘light handed' interventions by the Commissioner have the ‘weight of possible further action attached to them'.

Power to audit private sector

The Australian Consumers Association (15), the Consumers' Federation of Australia (65), Tenants' Union of Queensland (69), Australian Privacy Foundation (90), and Xamax Consultancy Pty Ltd (3) see an extended audit power as one of a number of necessary strands to a greater level of compliance. Others also argue that an audit power is a necessary response to what they perceive as a current lack of confidence in the community in the Commissioner to protect privacy.

Power to issue binding codes

The Australian Consumers' Association (15) says that in order to be able to address systemic issues the Office should have the power to issue a standard or binding code.

The Australian Bankers' Association (70) is opposed to this idea. It states that it ‘would not support the Privacy Commissioner having an “own motion” power to initiate a Privacy Code affecting banks.' It argues that ‘from the ABA's perspective the NPPs are working well and this issue is perhaps a matter for other industry sectors to address'.

Other powers to deal with systemic issues

The Australian Consumers' Association (15) says that the Office should:

Review of resources

A number of submissions 125 identify that funding to the Office should be reviewed by the government and increased to a level that allows the Office to carry out its functions in an expedient and efficient manner.

The Australian Consumers Association (15) suggests the establishment of a resource stream:

‘to the dispute resolution activities…that is commensurate with and scales to meet the volume of complaints coming to the Office. Preferably this funding would be provided by a scheme whereby organisations complained against bear the cost'.

Are levels of compliance adequate?

Level of compliance

There are grounds for arguing that there is a satisfactory level of compliance with the private sector provisions among organisations. For example, there is evidence that many organisations have taken substantial steps to ensure that they comply. There is also evidence that businesses generally have taken some steps towards compliance; for example, many organisations provide their customers with privacy notices.

Submissions from organisations also indicate that they receive very few complaints relative to the number of transactions they process. It may also be argued that the Office receives few complaints considering the number of transactions taking place in the private sector.

The Office accepts these points. In particular it acknowledges that the number of privacy complaints received is very small given the millions of transactions involving personal information each day. It also acknowledges that many organisations are taking significant steps to comply.

However, it cannot be assumed that as a result of these factors, the level of compliance in the private sector is at an optimum level.

Complaints as an indicator of compliance

It may not be appropriate to draw definitive conclusions from the current low level of privacy complaints. There are complex reasons why people do not complain, and low complaint numbers are not necessarily indicative of high levels of compliance. Reasons why individuals may not complain may include:

Some commentators' views on this area indicate that most dissatisfied consumers never complain 126. A United States program, the Technical Assistance Research Program (TARP) has also suggested as many as 95% of dissatisfied customers do not complain to the company concerned 127. While companies may assume that a small number of complaints means that consumers are satisfied and that there are no systematic problems, TARP refers to this as the ‘tip of the iceberg' phenomenon 128. In addition, according to Hyman et al:

‘only a portion of the problems/defects that exist are actually perceived; only a portion of those perceived are voiced; only a portion of those voiced gain access to a complaint-resolving party; and only a portion at each stage are resolved successfully' 129.

Research shows that while some dissatisfied consumers will voice their complaints to the company concerned, others complain by word of mouth to friends, family members, neighbours and their community 130. Others, instead of complaining, will simply change providers 131. In that case, it could be argued that the provisions and ‘the market' are working.

Factors such as the effort required to confront the organisation and to articulate the problems as well as anxiety over what may happen when the organisation is confronted have been raised as reasons why individuals would not make a formal complaint to management 132.

Compliance may be uneven

It is clear that the banking and insurance sectors have paid considerable attention to privacy compliance. However, there is anecdotal evidence from other submissions, the consultations and the Office's own experience that suggests that the depth of privacy compliance is not uniform and that some organisations may not be following up initial compliance efforts or may not have implemented privacy requirements at all. The Office notes here the comments in some submissions about the overall compliance environment. These include the lack of incentive in the Privacy Act and the Office's approach to compliance for many organisations to implement privacy in a systemic way and the complexity of the regulating environment in general.

As some submissions pointed out earlier, smaller businesses often see the raft of government regulations at the local and federal level, including occupational health and safety and particularly taxation, as annoying, costly and expensive diversions from the primary purpose of business 133. Complying with privacy requirements, particularly if regarded as a low risk issue, is likely to be a lower priority than such matters as taxation or other more immediate regulatory concerns.

Monitoring compliance

The Office has limited ability to objectively assess current levels of compliance. This is in part because the Commissioner's monitoring powers are limited. The Office does not have the power to do random checks on organisations to see if they are complying. The currently available investigative options are the own motion power, which can be triggered where there may be an interference with privacy and the Commissioner considers it desirable to investigate, or by undertaking an audit by invitation 134. The Office could also rely on its educative functions to seek information via surveys, consultations and the like.

Also, in line with the ‘light touch' approach of the private sector provisions, organisations do not have any obligation to report to the Office on their compliance.

Is change needed?

Concerns raised in submissions and the Office's own experience suggest that there is room for improving compliance and the Office's complaints process. This can be done in a way that increases the incentive for businesses to comply while having little impact on organisations that are actively and fully complying. Measures could include greater guidance, education and awareness programs and improvements to existing processes, as well as strengthened enforcement powers.

Enforcement powers

The House of Representatives Standing Committee on Legal and Constitutional Affairs 135 noted, without making a formal recommendation, that there appeared to be some limits to the enforcement regime in the Privacy Act.

This is supported by the Office's experience that more directive powers may be desirable particularly where systemic issues arise, either in the course of a complaint, or in the context of an own motion investigation.

The Office's experience also indicates that while the vast majority of organisations comply with the Office's directions when it finds a breach, there are some that do not. Although this occurs in few cases, the failure to comply devalues the privacy scheme, reduces the incentives for others to comply, and means that organisations that do comply do not receive the full benefit of their conscientious behaviour in terms of a level playing field. Apparent lack of enforcement also discourages individuals from complaining.

A more active and transparent approach

The benefits that are likely to flow from a more transparent and active approach to compliance could include:

Systemic issues

The Office has a strong focus on individual complaints although it does also respond to systemic issues raised in complaints or identified by other means to the extent possible. The focus on individual complaints is in part because complaint investigation is a non-discretionary function. 136

There is some evidence that the Office's limited focus on systemic issues and its lack of power to deal with systemic issues is out of step with best practice for complaint handlers. For example, Louise Sylvan (then of the Australian Consumers' Association), in a presentation to the 2003 National Dispute Resolution Advisory Council Conference 137 identifying good practice in complaint handling, noted that:

‘A scheme must be underpinned by a comprehensive and efficient complaints handling mechanism. Systemic analysis is required which seeks to eliminate systemic recurrence of issues and to achieve resolution with finality….. the addressing of systemic issues to preventing recurrence, and public reporting (or name and shame)'.

A greater focus on analysing complaints, following up leads, conducting more own motion investigations to identify systemic issues and so on could also feed into education and guidance activities.

The Office has had some notable successes in encouraging organisations to make systemic changes to systems and practices 138. However, the Office has experienced difficulties in dealing with systemic issues in particular cases. For example there have been a number of cases involving the handling of old medical records both in terms of security and in ensuring that individuals can continue to access their records.

The Office has also encountered difficulty in dealing with privacy issues arising from the operation of tenancy databases. For example, the Commissioner cannot require tenancy database operators to take a particular set of compliance actions either in the course of a determination or following an own motion investigation.

5.6 Options for reform

More education and awareness

As outlined in Chapters 4 and 6 of this report, there is considerable room for greater education and awareness among organisations and consumers. Better informed consumers are likely to ask that organisations comply with their obligations. Also, if consumers demand this, businesses are more likely to see the business advantage in practising good privacy. It may also be that some smaller organisations are still unaware of their need to comply with the private sector provisions, or, even if aware, unsure how to go about complying. The recommendations in Chapters 4 and 6 relating to a new consumer and business awareness program are likely to have some impact on the level of business compliance.

Increase transparency in complaints process

Publishing more information

Good reasons for publishing more information

The submissions seeking greater transparency made a number of suggestions for reform. In general, the objective of greater transparency, short of routinely naming both parties, in complaint handling processes and outcomes, is likely to benefit both complainants and respondents. Individuals and organisations will be negotiating with greater knowledge of likely outcomes. Organisations and their advisors will have more detailed information about how to comply. The Office's decisions would be more open to scrutiny. However, it does not appear to be common practice for regulators to publish manuals which set out in great detail their complaints processes.

Publishing Outcomes of Conciliation/Complaints in other jurisdictions

Many complaints bodies publish de-identified case notes or similar. However these vary in length and number. Australian complaint-handling bodies that publish a select number of de-identified case notes include the Office of the Victorian Privacy Commissioner and the Anti-Discrimination Commission Queensland. The Office of the New South Wales Privacy Commissioner does not publish any case notes or report on conciliated complaints. The full texts of cases that have gone through the New South Wales Administrative Decisions Tribunal are publicly available.

Decisions made by the Human Rights and Equal Opportunity Commission (HREOC) between 1985 and 1999 are available on the Australian Legal Information Institute website. From 2000, the public hearing and determination process was passed to the Federal Court of Australia. These decisions are available online through the Federal Court of Australia's website and the Federal Magistrates Service website. HREOC also maintains a de-identified register on its website of all conciliated cases 139. The complaint summaries in this register provide information about the terms of settlement including the amount of compensation awarded, if any.

The New Zealand Privacy Commission and the Office of the Privacy Commissioner for Personal Data, Hong Kong publish a number of de-identified case notes on their websites. The Office of the Privacy Commissioner of Canada publishes de-identified case notes for both settled and early resolution cases. The Canadian Commissioner has also published an incident summary. This is a summary of a case which is not the subject of a complaint but has been brought to the attention of the Commissioner (similar to an own-motion investigation under the Privacy Act).

It would appear from this survey that publishing more information would bring the Office more closely into line with other complaints handling agencies. However, it does not appear to be common practice to publish in a way that includes identified information.

The Office could maintain a de-identified register of the outcomes of all the complaints it conciliates. It could provide more information about the outcome of all complaints or it could continue to produce case notes.

Review use of determination power

Making more determinations would address a number of concerns about the transparency and fairness of the current approach to complaint handling. It could particularly address concerns expressed about situations where the complaint does not seem amenable to resolution by conciliation or where there is a public interest in proceeding to a determination. This approach could also provide a solution to the expressed concern of some consumers and advocates that the enforcement of the Privacy Act is ‘soft'.

In addition to promoting confidence for consumers, there would be clear benefits for organisations in terms of certainty. There would be more published decisions on how the Privacy Act applies.

The possibility of finalising more complaints by determination could have resource implications for organisations and the Office. Determinations, particularly where they involve oral hearings, are potentially more costly for the Office to administer. The Office could focus more directly on monitoring compliance with determinations and, if organisations do not comply, on seeking enforcement through the Courts.

More external review

Providing additional appeal rights may create a fairer process for individual complainants in areas where currently there is no review. It could create greater transparency and scrutiny for the Office's decisions on the private sector provisions. Although industry based complaint handlers do not have review rights, the lack of merits review for the Office's key decisions, particularly determinations, appears to be out of step with other government based authorities.

For example, when compared to other statutes providing for a right of complaint, the Privacy Act is unusual both in containing a power to make final determinations about a complaint and in providing only limited avenues of appeal to the courts. Appendix 12 sets out the position under a number of similar statutes. The role of positions similar to the Commissioner's is more often to attempt to resolve a complaint by conciliation. Where conciliation fails or is not possible, the more usual process is a court hearing with accompanying rights of appeal.

On the other hand, it might be said that creating appeal rights might result in a more legalistic and burdensome process which is not consistent with a ‘light touch' scheme. It could be argued that the rights of appeal that do exist have not been much used, and so creating additional ones is unnecessary. It could also be argued that the Commissioner is in effect a body of appeal (from decisions made by the organisation) and that it would be unnecessary to provide additional levels of appeal, particularly given that the process the Commissioner uses is separately subject to ADJR Act review. In this regard it is worth noting that the Parliament provided for determinations by code adjudicators to be reviewable by the Commissioner 140.

The question of appeal rights was considered by the House of Representatives Standing Committee on Legal and Constitutional Affairs which inquired into the Privacy Amendment (Private Sector) Bill 2000 141. The Committee mentioned a number of issues, including concerns about a perceived lack of appeal rights in respect of the enforcement regime in the Privacy Act. It also noted that some witnesses expressed concerns about the appeal framework as framed in the Bill, including that it would impose higher compliance costs on business compared to an industry scheme with no appeal rights, and that the threat of judicial review would make complaint handling bodies more formal and legalistic.

The Committee noted both sets of concerns. While its report did not make a recommendation, and consequently the Government response to the report did not consider the issue, the report did note that the enforcement and appeal provisions in the Bill appeared to need further attention 142.

As discussed in this report, the Commissioner is reviewing the Office's complaint handling process, including the circumstances in which complaints will be finalised by determination. These circumstances could include where the complainant and respondent cannot agree on a resolution by conciliation. This change in approach would not require changes to the Privacy Act and may meet one stream of concern in the submissions about the lack of review rights.

Fairer process

Some submissions identify areas where the Office's complaint handling processes seem overly bureaucratic, for example where the complainant has not identified the correct respondent and is told they need to take this step before the Office will respond.

There would be clear value in looking at the process to ensure that it meets external standards for complaint handling and alternative dispute resolution (ADR) and to make it more user friendly for both parties where the law and resources allow.

Make better use of existing powers

Greater use of own motion powers

Existing practice

The Office undertakes own motion investigations in a range of circumstances. Typically, the Office becomes aware of these matters through reports by individuals or the organisation concerned, or through the media. In some cases, the Office also follows up matters that have been identified through complaints.

The table below shows the total number of own motion investigations logged on the Office's complaint handling system over the past five years. Not all incidents logged are investigated. The Office applies risk management criteria that include the seriousness of the incident and the number of people affected (see Appendix 10 for more details about the Office's use of the own motion power).

Table: Number of own motion investigations and complaints registered

Time period                    No of OMIs   Complaints (not including OMIs)
1 July 2000 - 30 June 2001     10           194
1 July 2001 - 30 June 2002     48           611
1 July 2002 - 30 June 2003     64           1090
1 July 2003 - 30 June 2004     69           1276
1 July 2004 - 1 Feb 2005       59           724

Value in more own motion investigations

Undertaking more own motion investigations would be a practical way of addressing systemic issues independently of complaints. However, doing this would have an impact on the Office's resources. In addition, for the investigations to be of greater benefit, the Office would need to have the power to direct organisations to address any issues found and then to enforce those directions.

It may be that if the Office carried out more own motion investigations with enforceable directions, this would be sufficient to enable it to address systemic issues.

Power to enforce own motion investigations

Problems caused by lack of enforcement power

The Office has experienced some difficulties in dealing with potential privacy breaches 143 where there is no individual complainant and where the respondent is not cooperative, or where there is a need to respond quickly to systemic poor privacy practices, for example in relation to tenancy databases. In this respect it would appear that the Office's powers may be out of step with those of other similar regulators.

Other regulatory regimes

A number of similar regulatory regimes include more directive enforcement powers. For example, under section 48 of the Information Privacy Act 2000 (Vic), an organisation must comply with a compliance notice served on it.

Under Section 44(1) of the Information Privacy Act 2000 (Vic), the Victorian Privacy Commissioner may serve a compliance notice on an organisation if the organisation has done an act or engaged in a practice in contravention of an IPP or applicable code of practice and the act or practice:

Section 44(5) enables the Victorian Privacy Commissioner to act on his or her own initiative. It is an offence under section 48 not to comply with a compliance notice. Section 66(1) of the Health Records Act 2001 (Vic) enables the Health Services Commissioner to serve a compliance notice on an organisation in the same way as the Information Privacy Act 2000. Section 66(5) enables the Health Services Commissioner to act on his or her own initiative. Failure to comply with a compliance notice is an offence under section 71 of the Health Records Act 2001 (Vic).

Under the Trade Practices Act 1974, the Australian Competition and Consumer Commission (ACCC) has the power to accept court-enforceable undertakings 144. It may use this power to resolve a possible contravention of the Act by deciding to accept formal administrative settlements or undertakings from businesses, in addition to or in lieu of taking legal proceedings. The ACCC advises that it does not accept offers of such undertakings unless the undertakings are to be made public and do not contain a denial of contravention of the Act. The ACCC may enforce such undertakings in court if they are not honoured.

Under Section 155(2) of the Anti-Discrimination Act 1991 (Qld), the Queensland Commissioner may initiate an investigation if

(a) during the course of carrying out the commission's functions, a possible case of a contravention of the Act against a group or class of people is discovered, the matter is of public concern and the Minister agrees; or

(b) an allegation is made that an offence against the Act has been committed; or

(c) during the course of carrying out the commission's functions, a possible offence against the Act is discovered.

Under Subsection 155(4), if the Queensland Commissioner investigates under subsection 155(2) and the matter cannot be resolved by conciliation, the Queensland Commissioner may refer the matter to the tribunal as if it were a complaint. In such an instance, the Queensland Commissioner acts as if they were the complainant (section 155(5)).

Power to audit private sector

Existing power

In general, the Commissioner does not have an audit power in relation to the private sector provisions 145. The Commissioner can audit an organisation if invited by the organisation to do so, however, to date there have been no audits under this function 146.

Benefits of audit power for private sector

Having a private sector audit power may increase community confidence in the efficacy of the Privacy Act and give the Office an additional power to identify systemic issues and to monitor responses.

However, if the Office were to have the power to audit the private sector, this would have resource implications. It currently carries out limited audits in those areas in which it has the power. In addition, it could be argued that this is a role that a number of private sector consultancy firms carry out, and should not be one taken on by the Office.

A more appropriate role may be for the Office to provide information on the value of auditing to organisations as evidence of compliance in the event of complaints. The Office could also develop and provide privacy audit training for organisations. Another option could be for the Office to provide privacy audit resources including auditors who have privacy expertise. In the latter case the Office could consider whether some form of privacy auditor accreditation would be useful or necessary.

Other power to address systemic problems in complaints

Extend section 52 powers

The Privacy Act could be amended to extend the Commissioner's powers under section 52 to apply specific systemic remedies to individual and representative complaints. This would enable the Commissioner to prescribe a specific course of action to eliminate acts and practices in a systemic way as part of its complaints system. This would be an efficient and effective way of addressing systemic issues that the Office comes across in the course of handling complaints. This is important as complaints are the main way that the Office becomes aware of privacy practices.

Power to issue binding guidelines

The Privacy Act could be amended to give the Commissioner the power to issue binding guidelines. This could be a useful tool in contexts where the Office becomes aware of systemic issues and wishes to issue general, but binding guidance to ensure that all organisations comply with them. This creates a more level playing field among organisations, and ensures that conscientious organisations are not commercially disadvantaged.

Such guidelines could address aspects of the NPPs as they are applied in specific contexts, for example, steps to be taken in a particular industry sector to ensure personal information is accurate, complete and up to date. They could overcome uncertainty in application of NPPs in particular situations. It would also benefit consumers to have a more specific idea of their rights.

Binding guidelines would be developed following consultation with affected stakeholders and may need to be disallowable instruments. The Commissioner could also take into account any potential negative impact in deciding whether to issue binding guidelines. Factors to consider here could include whether binding guidelines would add to the complexity of the privacy regime and whether this was warranted in the circumstances.

Power to issue binding codes

An alternative or addition to the options discussed above could be a power under the Act to be able to issue a binding code. Various options for this are discussed in Chapter 2. This may be the best solution in a narrow range of cases such as, for example, the operation of tenancy databases. While, in general, it is preferable and appropriate that the organisations are able to make their own judgments about the steps needed to comply with the NPPs, it may not be the best outcome for some sectors.

The possible value in a mechanism such as a binding code can be illustrated by looking at issues that were considered in the four determinations made in 2004 147 following representative complaints about a tenancy database operator and in the general context for these complaints. The determinations considered questions such as:

The Commissioner found breaches on a number of these issues and made a number of recommendations to prevent the problems recurring in the future. However, the Commissioner stated, for example, in Determination No. 2 of 2004 that:

‘The complainants have asked me to make a declaration requiring TICA to develop new forms to meet its obligations under NPP 1.5. I am not satisfied that I should do so. While I have declared that TICA should not repeat or continue conduct which constitutes an interference with the privacy of an individual, I do not, in my view, have the power under section 52(1)(b)(i)(B) to otherwise generally prescribe how TICA should act.'

In practice, the impact of the Commissioner's determinations on the tenancy industry appears to have been limited. The Office continues to receive complaints from individuals about tenancy database operators, and these complaints raise many of the same issues that were dealt with in the determinations, as well as new issues.

A number of database operators have called for the Commissioner to ‘rule' on a number of aspects of the NPPs, including for example, the timeframe for keeping listings and fees for access. The interest here seems to be in seeking certainty and to some extent a level playing field.

A binding code could set specific direction in relation to the accurate content of listings (NPP 3) or time limits for removal of listings from a tenancy database (NPP 2.1 and NPP 4.2). It could also address matters such as appropriate mechanisms for dispute resolution.

Improve liaison with overlapping complaint handlers

The Office could liaise closely with other bodies that handle overlapping complaints to ensure that privacy complaints are handled efficiently and to minimise confusion and costs for both individuals and organisations. It could have a memorandum of understanding with each such body to ensure that the most appropriate regulator is considering each complaint and to improve overall complaint-handling.

Care would be needed to ensure that any memorandum of understanding did not limit individuals' rights under the Privacy Act. However, this is a matter that could be addressed, for example, by agreement that bodies would provide information about rights under the Privacy Act in their publications. That said, where individuals come to the Privacy Commissioner after their complaint has been considered by another body, the Office's approach generally would be to take account of investigations by other bodies in deciding whether it should investigate a matter, and it has done so in a number of cases.

The Office has had discussions with other bodies that handle privacy or privacy related complaints, including the Telecommunications Industry Ombudsman and the Banking and Financial Services Ombudsman. There is a common interest in ensuring that as far as possible a complaint is handled by the appropriate body. This avoids the complaint ‘merry-go-round' and ‘double-dipping' (where consumers approach consecutive bodies seeking a better outcome).

Advice about complaint rights

Many organisations already tell people in their privacy notices about how to complain to the organisation and also the Office. However, the NPPs do not currently require this.

Requiring organisations to give this information could complement other measures to ensure individuals are aware of their rights and how to pursue them.

A partial model is found in paragraph 3.7 of the Credit Reporting Code of Conduct that requires credit reporting agencies to immediately inform individuals that they have recourse to the Privacy Commissioner, if the credit reporting agency establishes that it is unable to resolve the dispute.

This could be a useful tool in the overall strategy to raise awareness and identify and remedy systemic issues. It could be achieved by amending the NPPs or by the Office issuing an information sheet or other guidance.

Address delay in handling complaints

The issues paper highlighted that individuals who complain to the Office generally face a considerable delay (currently between 10 and 12 months) before the Office can handle their complaint. This is primarily due to the volume of complaints the Office has received since the private sector provisions came into effect.

The Office has given priority to its complaint handling function so as to minimise delay in complaint investigations for complainants and respondents. It has diverted resources from other areas of responsibility including auditing of Commonwealth agencies, towards complaint handling on the rationale that increasing complaint backlogs had the potential to undermine the operation of the Privacy Act.

Submissions from all quarters express dissatisfaction with the length of time it currently takes the Office to handle complaints. It complicates business relationships and consumers want outcomes.

Review practices

The Office is keen to ensure that complaints are dealt with in a timely manner and that the parties are not disadvantaged by any delay. To this end since 2001 the Office has reviewed and modified its practices by employing a number of strategies to deal with the complaint numbers. These include:

The following statistics give a brief overview of the extent of total complaints and enquiries to the Commissioner 148.

                              2000-2001   2001-2002   2002-2003   2003-2004   2004-Feb 2005
Enquiries to Hotline          8177        21033       21290       20208       13541
Written Enquiries             884         2700        2382        2206        1301
Complaints under section 36   194         632         1090        1276        839

The Office is concerned the complaint resolution process is impaired if complainants wait a long period before their matter is investigated. As time passes the quality of evidence deteriorates. The Office is also concerned that the delay may allow poor privacy practices to continue unchecked and that systemic problems are undiscovered.

Further review complaints practices

The Office could consider further streamlining its processes but it would need to consider the extent to which it could do so without undermining principles of natural justice.

Cost recovery

The Office could consider charging respondents to handle complaints about them. It could also consider charging complainants. However, the Office notes that it is not aware of any other complaints handlers, apart from the courts, that charge applicants to handle disputes.

Power to decline to investigate and other strategies

Other options for responding to the delay could include giving the Commissioner stronger powers to decline to investigate complaints where there appears to be little public interest (for example, where there is minimal apparent harm, or the matter has been considered before and the organisation has changed practice).

As discussed above, the Office could give greater emphasis to complaints or investigation into systemic issues with a view to preventing future harm (and privacy complaints). However, in the short term the latter strategy may mean that the backlog of individual complaints gets larger.

5.7 Recommendations: Complaints handling and compliance

Approach to compliance

  1. The Office will maintain its current approach to compliance including the focus on attempting to conciliate complaints in the first instance as set out in Information Sheet 13. However, the Office will consider whether it might be appropriate in some circumstances to use its other powers earlier, such as the determination making power.

  2. The Office will consider options for providing more feedback on systemic issues either in advice or guidance or in some form of regular update to stakeholders.

  3. The Office will consider promoting privacy audits by private sector organisations, including by providing information on the value of auditing as evidence of compliance in the event of complaints and by developing and providing privacy audit training for organisations.

Review rights for complaint decisions

  1. The Australian Government should consider amending the Privacy Act to give complainants and respondents a right to have the merits of complaints decisions made by the Privacy Commissioner reviewed.

Fair and transparent complaint processes and resolution

  1. The Australian Government should consider amending National Privacy Principle 1.3 to require organisations to tell individuals how they can complain to the organisation; and that, if the complaint is not resolved, they can also complain to the Privacy Commissioner or (where relevant) the code adjudicator.
  2. The Office will review its complaints handling processes and will consider the circumstances in which it might be appropriate to make greater use of the Commissioner's power to make determinations under section 52 of the Privacy Act.
  3. The Office will also consider measures to increase the transparency of its complaints processes and complaint outcomes.

Additional powers

  1. The Australian Government should consider amending the Privacy Act to:
  • expand the remedies available following a determination under section 52 to include giving the Privacy Commissioner power to require a respondent to take steps to prevent future harm arising from systemic issues
  • provide for enforceable remedies following own motion investigations where the Commissioner finds a breach of the NPPs
  • provide a power for the development of binding codes and/or binding guidelines in cases where there is a strong public interest, where more detailed guidance is warranted or complaints reveal recurrent breaches (see recommendation 7).

Resourcing implications and complaint handling

  1. The Australian Government should consider the strong calls by a wide range of stakeholders for the Office to be adequately resourced to meet its complaint handling functions.

  2. The Australian Government should consider amending the Privacy Act to give the Commissioner a further discretion not to investigate complaints where the harm to individuals is minimal and there is no public interest in pursuing the matter.

 


6 Balancing individual privacy interests with business efficiency

6.1 Introduction

Law and policy

The private sector provisions of the Privacy Act introduced what the then Attorney-General called a ‘light touch' approach to privacy protection. They established a co-regulatory regime which was intended to be responsive to both business and consumer needs 149. This was to be achieved by using high level principles rather than prescriptive rules and by encouraging organisations and industries to develop their own privacy codes.

The legislation also included a number of exemptions, including an exemption for employee records, on the ground this was better dealt with under workplace relations legislation, and an exemption for small business.

Issues

The issues paper considered the balance struck by the private sector provisions between individual privacy interests and business efficiency. It discussed, among other things, the high level principles approach, the costs of compliance, the level of compliance, industry and organisation codes and the small business exemption.

Striking the balance

Submissions are divided on the question of whether or not the private sector provisions strike the right balance between individual privacy and business efficiency. Electronic Frontiers Australia (51) and Xamax Consultancy Pty Ltd (3) suggest that the existing provisions are so inadequate that a new Act that makes a genuine attempt to protect individuals' privacy is the only solution.

On the specific issue of balance, the Communications Law Centre (72) says there is an overwhelming imbalance between the competing interests of organisations and individuals, where organisations' interests such as business efficiency clearly outweigh the privacy rights of individuals.

On the other hand, submissions from business are more likely to support the existing regime. Promina Group (34), an insurance and financial services corporation, for example, supports the regime and the approach taken by the Privacy Commissioner and says that this approach creates the right balance between commercial or business interests and the protection of an individual's privacy rights.

Similarly, Telstra Australia Ltd (110) states that the Act contains an effective balance between the rights of the individual and the interests of business. In its view, this balance could be enhanced by the Office lifting its profile and providing more information about privacy issues to the community.

Principles or rules

Submissions generally support a principles-based approach

The submissions that address the issue generally support the principles based approach of the private sector provisions. It is the approach that best allows Australian businesses to adopt practices that are tailored to individual businesses while providing consumers with an assured level of protection 150.

It allows each business the opportunity to identify its own business practices and to apply the principles to them 151. It provides adequate levels of privacy protection without imposing unnecessary compliance costs on business 152.

High level non-prescriptive principles, adequately supported by guidelines and information sheets, are the most appropriate way to meet the needs of individuals and businesses. A more prescriptive approach would increase compliance costs without necessarily delivering an improvement to the protection of individuals' privacy 153. The dangers of a more prescriptive system are that it may be inefficient and/or unworkable in the many business circumstances in which it would apply and, needing ongoing amendment to keep up with technological change, would add to the confusion and compliance costs faced by business 154.

Some submissions offer qualified support of the principles. The Australian Chamber of Commerce and Industry (22), for example, agrees with the approach but says that the NPPs themselves are reasonably prescriptive, and that their content and the obligations they impose are onerous.

Principles may need some illumination

A few submissions want more than high level principles. They are concerned with what else is in place to illuminate the principles, or to support their operation in practice.

The Tenants' Union of Queensland (69), for example, believes that more specific regulation of tenancy databases is required 155.

The members of a charitable organisation, St Vincent de Paul (117), experience a lack of certainty and need practical guidance on what is permitted and what is not.

6.2 Approved Privacy Codes

Law and policy

Codes, both industry and organisation, were intended to be a key feature of the privacy regime established by the private sector provisions. The aim of the legislation was, in the words of the then Attorney-General:

‘to encourage private sector organisations and industries which handle personal information to develop privacy codes of practice' 156.

The Privacy Commissioner may approve a code if, and only if, the Commissioner is satisfied of specific matters listed in the Privacy Act. In deciding whether to approve a privacy code, the Commissioner may consider matters specified in guidelines issued by the Commissioner, if any 157.

Among the matters the Commissioner must be satisfied of is the requirement that the code incorporates all the NPPs or sets out obligations that, ‘overall are at least the equivalent' of all the NPPs 158.

The Guidelines to the National Privacy Principles, developed by the Office, say that a code has to be reviewed every three years.

Codes are now legislative instruments under the Legislative Instruments Act 2003. They are not disallowable by the Parliament. As a legislative instrument, the decision to approve a code is not reviewable under the Administrative Decisions (Judicial Review) Act 1977. The decision not to approve one may be reviewable.

Issues

The issues paper noted that, despite the expectations at the time the legislation was passed, there have been very few applications for code approval. Only three codes have been approved, and three more are in the pipeline 159. The issues paper listed possible reasons for the apparent lack of interest in developing codes and reasons why an industry or organisation might want to develop one. It also noted perceived inadequacies in the approval process. These include a lack of transparency and the failure of the Privacy Commissioner to publish reasons for approving a code. It suggested a number of possible topics for submission, including:

What submissions say - issues

Overview

Submissions from the three industry groups that have a code throw some light on the code development and approval process. Submissions from other industry groups and organisations, which generally support codes, consider the reasons why there are so few of them. Finally, two submissions from consumer groups consider them from the point of view of consumers.

Insurance Council of Australia

The Insurance Council of Australia (59) supports co-regulation through industry codes because it provides a desirable level of flexibility for business. It looks forward to undertaking its three yearly review of its code in 2005. However, it found the code approval process complex and highly prescriptive. This made it an expensive process, involving costs such as staff time, external legal costs for drafting, extensive consultation with industry, costs of reviewing versions of the Code, implementing compliance systems specific to the Code and, if applicable, fees to an independent code adjudicator.

Clubs Queensland

Clubs Queensland (96) sees its code as an important service to its members. It noted, however, that the code development process was extremely complex and costly because of the generic nature of the Code Development Guidelines issued by the Office. These required Clubs Queensland to consult not only members of clubs but the public generally. It fears that the review of its code will require a substantial administrative and financial commitment because of the complexity of the process and, if the cost is prohibitive, may tell its members to revert to the NPPs.

Association of Market Research Organisations and the Australian Market and Social Research Society

The Association of Market Research Organisations and the Australian Market and Social Research Society (61) state that most major research organisations operate within the framework of the approved industry code. They believe that, on the whole, the Privacy Act works well, providing research participants with appropriate privacy safeguards and helping the industry to differentiate itself from industries with less stringent protection practices.

Reasons why there are few codes

Business perspective

Most submissions from business support codes in principle. The Real Estate Institute of Australia (13), however, is ambivalent. It expresses concern about the multiplicity of government bodies seeking to use codes to regulate business, thereby shifting a heavy cost burden from government to industry. On the other hand, it believes there are benefits in industry playing a role in developing a code of conduct.

Other submissions from business suggest a variety of reasons why there are only three codes. The Australian Chamber of Commerce and Industry (22) states that the benefits to consumers of an organisation adopting a code, which it sees as a higher standard, do not outweigh the costs to the organisation. In any case, the NPPs are adequate and codes take some time to develop. Coles Myer (60) believes there are few codes because the NPPs work.

A number of submissions focus on the cost and complexity of developing a code. The Australian Direct Marketing Association (67) gives three reasons:

Several submissions say there is little point in developing a code. Privacy Law Consulting Australia (66) sees little benefit in developing and maintaining a code for the majority of organisations and industries. The Royal District Nursing Service (78) agrees, stating that:

In the view of Telstra Corporation Ltd (110), codes will generally only be attractive to industries with specific requirements.

Consumer perspective

The Australian Privacy Foundation (90), whose submission is endorsed by the Consumers' Federation of Australia (65), is not surprised there has been relatively little take up of the codes option by the private sector. In its view, there is little advantage to businesses in developing or adopting a code. The development and approval process is long and onerous and the inclusion of a complaints handling process effectively privatises costs that would otherwise be borne by government. It is concerned that a proliferation of codes would further confuse the public and detract from privacy awareness building.

The Australian Consumers' Association (ACA) (15) is also ‘not unhappy with' the lack of enthusiasm of business for developing and adopting codes having feared that a proliferation of poorly co-ordinated codes could fragment the regulatory landscape to an unacceptable degree. In its view, it would be far better to address the needs of the Office than to create a hothouse atmosphere to artificially encourage industry codes. The ACA also addresses the potential brand argument of codes. It does not see the role of regulation and regulatory processes to confer competitive advantage.

What submissions say – addressing the issues

Although codes have not proved as popular as might have been expected before the implementation of the private sector provisions, submissions show there is support for the concept. Certainly no-one suggests they should be abolished.

Most submissions that make recommendations focus on simplifying the process. The Insurance Council of Australia (59), for example, recommends that the capacity for co-regulation provided by codes should be retained; the approval process, however, should be made less complex and prescriptive. Australian Direct Marketing Association (67) agrees that there is a continued role for codes in the privacy scheme and that the approval process should be simplified. Clubs Queensland (96) recommends that the requirements in relation to the operation and review of a privacy code be simplified.

Telstra (110) recommends, among other things, that the development of codes would be encouraged if the Privacy Act were amended to give the Commissioner a discretion to approve codes with privacy protections not equivalent to those under the NPPs where it was in the public interest to do so.

There was some support for the proposition that the Office should have the power to initiate the development of a code. The Australian Privacy Foundation (APF) (90) says that the Privacy Commissioner should be able to initiate a code. The Australian Bankers' Association (70), on the other hand, specifically rejects this. The Investment and Financial Services Association Ltd (89) agrees, saying that it should rest with individual companies or the respective industry body 160.

The APF also makes a number of other suggestions:

Options for reform

Repeal code provisions

Since the implementation of the private sector provisions, there have been very few applications for approval of an industry or organisation code. This suggests that it may be appropriate to repeal the code provisions. On the other hand, as the value consumers place on their privacy increases and as industry bodies and organisations become more familiar with the notion of privacy, codes may come into their own.

Simplify the approval and review process

The legislation gives the Privacy Commissioner the power to approve a code. The processes for developing, approving and reviewing codes are in Office Guidelines. The Office has now had the experience of three years of the operation of the private sector provisions and is in a favourable position to review the Guidelines with a view to simplifying the processes without reducing code standards. Ensuring a code meets the equivalence test can be time consuming and costly both for the code proponent and the Office.

Modify equivalence requirement

The law could be amended to allow an industry or organisation, in developing its code, to provide for a lower level of protection in one area and maintain ‘equivalence' by providing for a higher standard in another. This would give more flexibility in developing a code that met the needs of the industry or organisation while at the same time protecting the interests of consumers. On the other hand, it would make the Office's oversight role more difficult and may be confusing for consumers. It could also add to the problems arising out of national consistency and undermine the technological neutrality of the NPPs.

Commissioner could give reasons for approving a code

The Privacy Commissioner's discretion to approve a code is circumscribed by the legislation. There is a broad discretion, however, not to approve one. The legislation does not impose on the Privacy Commissioner an obligation to give reasons for a decision to approve a code, or not to approve, although the Guidelines state that the Commissioner will give reasons for deciding not to. Improved accountability and transparency may require reconsideration of the issue. On the other hand, the scope of the Privacy Commissioner's discretion is limited, and giving reasons for approval may well have resource implications for the Office.

6.3 Recommendation: Approved Privacy Codes

  1. The Office will review the Code Development Guidelines dealing with the processes relating to code approval with a view to simplifying them.

6.4 Compliance costs

Law and policy

Compliance with the legislation involves a cost burden on organisations. There was the cost of implementing the legislation in the first place, including developing and reordering systems, developing policies and procedures and training staff. There are also ongoing costs. These include the costs of continuous training and the costs of complying with obligations, for example, informing individuals from whom personal information has been collected, seeking consent for use and disclosure of the information for secondary purposes and providing individuals access to their personal information.

Issues paper

The issues paper suggested possible topics for submissions, including:

•  impact on business of compliance with the provisions

•  whether the benefits of having a privacy law outweigh the costs to business and

•  ways of reducing any unreasonable costs imposed.

What submissions say

Costs are important

Not surprisingly, most submissions on the issue of costs come from business. The Australian Chamber of Commerce and Industry (22) says compliance costs are critically important to the business community and should be of concern to everyone because they are ultimately borne by the broader community. It goes on to say that there has been no significant research on the costs involved in complying with the private sector provisions and, as a result, policy formulation is done in a vacuum. It suggests that an in depth study should be commissioned.

The Investment and Financial Services Association Ltd (89) says that its members report significant disruption and cost with the original implementation but relatively small ongoing compliance costs.

The Australian Consumers' Association (15) has little sympathy for complaints about compliance costs. It goes on to say that it is difficult to conjure a vision of a more bare-bones privacy framework:

‘There is no required reporting and no mandatory recording. The [Office] has scant investigative powers and none of audit in the private sector . . . [The Act] sets out little more than reasonably sensible data management practice. The [Office] has no power to seek anything other than restitution and so has little capacity to impose direct cost on industry.'

Actual costs

Some submissions outline the steps taken by organisations to comply with the private sector provisions initially and on an ongoing basis, and the costs involved in compliance. The Insurance Council of Australia (59) lists the initial compliance steps:

The most costly aspect of implementation was the systems changes, estimated to cost $10-15 million for its members.

The steps involved in continuous compliance are:

Costs include $1-2 million per annum for telephone sales, $300 000 to $500 000 per annum for staff training and between $5 000 and $50 000 for the handling of each dispute, depending on the complexity of the dispute.

One member of the Investment and Financial Services Association Ltd (IFSA) (89) spent $430 000 on initial implementation and spends $50 000 per annum on ongoing compliance costs. The company has had eight privacy complaints in the last 3 years. Another member of IFSA (89) spent $2.248 million on initial implementation costs.

At Coles Myer Ltd (60), more than 80 people were directly involved in the implementation program across the Coles Myer group. Coles Myer says a conservative estimate of costs in the lead up to the commencement of the provisions would be more than $300 000 in resource costs and systems development.

For the Suncorp Group (35), the set up and implementation cost was approximately $1.2 million.

Commerce Queensland (83) reports that for the National (National Australia Bank and MLC) the changes, which over a three year period cost about $28 million, included

State and territory legislation increases costs

A number of submissions focus on the additional compliance costs borne by national organisations that are subject to new and inconsistent state and territory health legislation.

The Australian Compliance Institute (16) and a confidential submission both say that the introduction of legislation by the states and territories has increased the compliance burden on business. As each state or territory introduces new legislation there is a new round of costs for businesses.

In the view of the Investment and Financial Services Association Ltd (89), State and Territory health records legislation with its inconsistencies results in increased compliance costs for its member organisations. The ANZ (40) says differing state and territory (workplace surveillance) laws add to compliance costs and complexity.

Costs and benefits

Most submissions from business focus on the costs of compliance rather than the benefits; some, however, acknowledge that there are benefits. A confidential submission says that the benefits are not commercial, but intangible, for example, increased standing with customers who become confident that the business will deal ethically with their personal information. In a similar vein, Fundraising Institute Australia Ltd (52), states that the benefits, community confidence and trust in the industry, outweigh the costs. Telstra (110) agrees:

‘The significant financial cost to Telstra in taking steps to comply with the Privacy Act has been offset by the value to Telstra of the improved systems and processes and from a brand perspective.'

Coles Myer Ltd (60) says that the costs outweigh the benefits to customers, while acknowledging that a simple cost benefits analysis fails to recognise the value of brand equity or public reputation, in which major companies invest heavily.

Change will involve more costs

A number of submissions note that even minor changes at this stage would involve significant costs. A confidential submission says that there is no justification for increasing the cost of compliance for business in this area. Virgin Mobile (Australia) Pty Ltd (26) wants the costs of changes to be weighed up against any perceived benefits. For Optus (98), it is important that the privacy regime is not changed lightly. Even seemingly minor changes can result in significant additional compliance costs for industry. Finally, Telstra (110) says that any significant changes to the NPPs are likely to increase the cost of compliance and that any changes resulting from the review should be kept to a minimum. Rather, the focus of the review should be on improving the operation of the existing regime.

6.5 Business awareness

Issues

The issues paper acknowledged that high level principles are less amenable to specific direction than a more prescriptive, rule based regime would have been. It noted that the Office has not made many determinations and that there had been few judicial decisions about the private sector provisions. It identified the Office's role in promoting awareness as an issue to be considered. It suggested, among other things, as possible topics for submissions:

What submissions say

Overview

Most submissions that address the issue report a relatively high level of awareness of the private sector provisions and of compliance with them. Nevertheless, a number of submissions suggest ways of improving awareness and compliance. Some submissions identify particular contexts in which problems are caused by a misunderstanding of the provisions on the part of business.

Industry generally familiar with provisions

In the experience of Privacy Law Consulting Australia (66) there is a high level of compliance among large organisations as they have allocated resources and implemented policies, procedures and systems to ensure they meet requirements under the Act. There is a significantly lower level of compliance, however, among mid to small size organisations that are covered by the Act. Reasons for this include lack of awareness.

The Credit Union Services Corporation (64) is of the view that industry generally has become familiar with the NPPs and has developed relevant policies. Optus (98) states that Australian industry is committed to addressing privacy issues positively.

On the other hand, the Victorian Automobile Chamber of Commerce (113) found, in a survey of its members in 2002, that knowledge and understanding of information privacy laws was not as thorough as it would have liked. There was confusion as to which law (Commonwealth or State) applied to the business and whether privacy laws conflicted with other obligations, for example, occupational health and safety obligations.

Some problem areas

Bankruptcy

Submissions identify particular areas where a lack of knowledge of the provisions or a misunderstanding of the obligations they impose give rise to problems. The Insolvency and Trustee Service Australia (25) says that a review of Part X of the Bankruptcy Act conducted in 2003 revealed a substantial level of misunderstanding about privacy obligations.

Some creditors suggested that the Privacy Act prevented them from giving information to the Trustee in Bankruptcy even though it might assist the Trustee's administration of the estate. It recommends that more should be done to educate the private sector about appropriately using and disclosing personal information. In addition, public confidence in the personal insolvency system should be recognised as an important social interest to be balanced against an individual right to privacy.

Medical research

The National Health and Medical Research Council (32) also identifies misunderstanding of the provisions, rather than the provisions themselves, as a cause of confusion in the complex regulatory framework of medical research. It suggests that the Office should design and implement a structured education and communication campaign with the objective of improving stakeholder understanding.

Dealing with people with a disability

The experience of the Australian Guardianship and Administration Committee (114) is that there is significant room for improvement in how service providers interpret and apply privacy legislation, especially in relation to people with a disability and their families. It believes that frontline staff implement inflexible policies as to how the provisions should be interpreted and applied and that this gives rise to nonsensical and frustrating situations where common sense solutions should apply. The committee recommends that the Office should divert a significantly greater resource commitment to education and training and that it should publish an information sheet or good practice guide that emphasises the need for a common sense approach, particularly in situations that involve relatively minor issues.

Other

The Police Association (Victoria) (116) states that organisations are not fully conversant with the exemptions to the Act, in particular the law enforcement exemption 161.

How the Office could assist business

Some submissions suggest ways the Office could assist business in complying with its obligations. The Australian Direct Marketing Association (67), for example, suggests that the Office should review its communications strategies, particularly with key stakeholder organisations. Business would like to see, it says, effective and comprehensive reporting of rulings complete with the reasoning behind decisions 162.

The St Vincent de Paul Society (117) says that charities need clear, practical guidelines.

The Australian Privacy Foundation (90) takes a different approach. It says consideration should be given to requiring:

Options for reform

Office should conduct a community awareness campaign about business obligations

There is no doubt that there is a degree of misunderstanding and confusion about the private sector provisions among some business sectors, especially small business. It is not only businesses that are covered by the Privacy Act, but also businesses that are not, that are uncertain of their obligations. Many businesses, including those that are not covered by the Privacy Act, err on the side of caution in not disclosing personal information in circumstances where it is appropriate that it should be disclosed, for example, the amount owing on a utility bill to a carer who wants to pay the bill. The Office could address this gap in awareness.

Review Office information sheets

The Office has published a series of information sheets on a range of topics including codes, privacy obligations for Australian Government contractors and the application of the NPPs to due diligence and completion when buying and selling a business. The consultation process has identified ways in which some of them could be made more useful. There could be a thorough review of the Office's information sheets with a view to amending them.

Review strategies for communication with stakeholders

The Commissioner takes advice from the Privacy Advisory Committee 163. The Commissioner also invites people to participate in ad hoc consultative bodies for particular purposes. There is, for example, a reference group for this review. There are, however, other measures the Office could take to ensure it communicates effectively with stakeholders. One such measure could be to establish a privacy contact officer network for the private sector along the lines of the privacy contact officer network in the public sector.

Impose obligations on organisations to keep records and report

One way to ensure that organisations continue to fulfil their obligations under the NPPs is to impose obligations on them to appoint a contact officer for contact by the Office, to keep records and to report on their compliance. This could ensure more effective oversight of organisations by the Office. On the other hand, it is not consistent with the principles based approach of the private sector provisions.

6.6 Recommendations: Business awareness

  1. The Australian Government should consider the benefits of greater business and community awareness of privacy and specifically fund the Office to undertake a systematic and comprehensive education program to raise business awareness.

  2. The Office will review existing information sheets and develop information sheets on key issues identified in submissions.

  3. The Office will develop strategies for communication with stakeholders, including establishing a privacy contact officer network for private sector organisations.

6.7 Small business exemption

Law and policy

Current law

Generally speaking, a ‘small business operator', that is, a business that has an annual turnover of $3 million or less, is exempt from the operation of the private sector provisions. Some small businesses, however, must comply with the provisions. They are small businesses that:

In addition, a small business may voluntarily opt in to be covered by the provisions. Currently 130 small businesses have opted in to coverage.

Finally, the Government may prescribe small business operators, or acts or practices of small business operators, bringing them within the operation of the Act. To date this provision has not been used.

Rationale for the exemption

There are two main reasons for the small business exemption. First, many small businesses do not have significant holdings of personal information. They may have customer records used for their own business purposes; however, they do not sell or otherwise deal with customer information in a way that poses a high risk to the privacy interests of those customers 164.

Secondly, it is necessary to balance privacy protection against the need to avoid unnecessary cost on small business 165.

Issues

The issues paper considered the operation of the small business exemption and suggested possible topics for submissions:

What submissions say

Overview

Submissions are roughly evenly divided between retention of the small business exemption and repeal. Submissions favouring retention generally come from businesses and business organisations. Submissions favouring repeal come from consumer groups and also from some businesses and a charity organisation. Some submissions that favour retention suggest that the definition should be changed.

Repeal the exemption

A number of submissions that favour repealing the exemption focus on the potential for confusing consumers. The Australian Consumers' Association (15) says it raises serious practical difficulties for consumers who do not usually know what the annual turnover of a business is and therefore if they can make a complaint or not. Electronic Frontiers (51) notes that individuals are rarely in a position to know whether or not the business they are dealing with is a small business for the purposes of the Privacy Act since annual turnover is not usually published. As the Australian Privacy Foundation (90) says, there is no easy way for consumers to know the turnover of a business and therefore whether or not it is subject to the Privacy Act.

Fundraising Institute Australia Ltd (52) notes that not only is the exemption confusing it has the potential to undermine public confidence about the protection of personal information. The Australian Direct Marketing Association (67) opposes exemptions that cause confusion in the minds of consumers and undermine confidence in the effectiveness of privacy protection.

Some submissions claim that some of the most privacy intrusive activities are performed by small businesses, even sole traders, including private detectives, debt collectors, internet service providers and dating agencies. 166 They also claim some, for example internet service providers, may hold significant personal information, including sensitive information 167.

Fundraising Institute Australia Ltd (52) says the costs argument is not enough to justify retention; and, in any case, says the Australian Consumers' Association (15), the cost burden of compliance is not significant.

At the very least, in the view of the Australian Privacy Foundation (APF) (90), the core requirements should apply to all businesses, large and small:

‘The core requirements of the NPPs - being open about the use of personal information, handling it in accordance with reasonable expectations, and keeping it secure, should apply to all organisations. It would however be reasonable to exempt many smaller businesses from any formal requirements to take particular actions, in advance of enquiries'.

In the APF's view, small businesses that collect and handle personal information for a purpose that is or should be obvious should not have to give specific notices under NPPs 1.3 and 1.5. They should, however, be required to answer enquiries (NPP 5) and give access and make corrections on request (NPP6). They should be able to be held accountable after the event for their collection and use of personal information and for any data quality or security breaches.

Finally, the exemption costs the members of at least one industry organisation. The Australian Collectors Association, Institute of Mercantile Agents, Australian Institute of Credit Management (115) say that debt collectors who are contractually bound by their clients not to outsource to non-compliant companies must send city based staff to service regional areas. In their view, this forces up their costs to unreasonably high levels.

Retain the exemption

Most submissions that favour retaining the exemption do so on the basis of the costs arguments, that is, that the costs of compliance would be too great for small business to bear.

Regulatory ‘red tape' and compliance costs have a major detrimental effect on the viability of small businesses in Australia, according to the Real Estate Institute of Australia (13). The Victorian Automobile Chamber of Commerce (113) says that small businesses would be greatly disadvantaged if they had to comply with the private sector provisions as their competitiveness and profitability would be reduced. The Housing Industry Association Ltd (106) says that removing or diluting the exemption would impose unnecessary and significant costs on small businesses in the housing sector, including the more than 350 000 independent contractors that work in the residential building sector.

Certainly there should be no change in the absence of a substantial body of evidence suggesting there is a problem, in the view of the Chamber of Commerce and Industry of WA (Inc) (77).

The Australian Chamber of Commerce and Industry (22) estimates that there are about one million businesses in Australia currently exempt and that the bare minimum costs of their establishing a simple privacy regime would amount to a total of $2.4 billion, or about 0.3 per cent of gross domestic product.

Change the definition of small business

Some submissions suggest changing the definition of small business for the purpose of the exemption. The Australian Information Industry Association (43) suggests changing it to that used by all governments to describe small and medium enterprises. The Association of Market Research Organisations and the Australian Market and Social Research Society (61) notes that the current definition is at odds with that used by the Australian Bureau of Statistics and the Australian Taxation Office.

A number of submissions favour retaining turnover as the basis of the definition but say it should be increased to $5 million 168.

Other submissions consider focussing on the level of risk. The Communications Law Centre (72) suggests including within the operation of the Act industries that pose a particular risk. It identifies the internet/e-commerce as one where small internet businesses are able through the use of privacy invasive technologies to collect efficiently and easily a large amount of personal information about many individuals.

The Consumer Credit Legal Centre (NSW) Inc (62) and the Consumers' Federation of Australia (65) nominate telecommunications and finance as industries once dominated by large companies but now including many small businesses.

In the view of Electronic Frontiers Australia Inc (51), at the very least, all small businesses involved in the telecommunications and internet services sector must be required to comply with the NPPs. It says there are two reasons for this. First, the limited privacy protection provisions of the Telecommunications Act do not cover the collection of personal information at all. Secondly, individuals have less control and rights in relation to the collection, use and disclosure of their personal information by small businesses in the telecommunications sector than they did before December 2001 when the ACIF industry code, containing substantially the same provisions as the NPPs and enforceable by the Australian Communications Authority, was deregistered by the Authority. That code did not contain a small business exemption.

Other issues

Some submissions raise other issues relating to the small business exemption. The Consumer Credit Legal Centre (NSW) Inc (62) points out that a debtor who borrows money from a large financial institution that is covered by the private sector provisions may find himself or herself dealing with a debt collector who, being a small business, is not. The privacy protection he or she may have expected when entering the loan may no longer exist.

Privacy Law Consulting Australia (66) fears that small businesses that are not bound by the Act may give the impression that they are by having a privacy statement, perhaps on their website, to the effect that: ‘We comply with the Privacy Act'. To avoid confusion, it may be desirable to require such a business to state that it is not bound by the Act but that it chooses to comply with it.

In the view of Telstra Australia Ltd (110), which ensures compliance on the part of its small business contractors by contract, the voluntary opt-in for small business should be better promoted.

Options for reform

Retain the exemption as is

The main argument in favour of retaining the exemption is that the cost of compliance for small business would be too great if the exemption were abolished. It could also be argued that any change is likely to result in increased compliance costs. There does not appear to be evidence of large scale misuse of personal information by small businesses as a whole such as would warrant the removal of the exemption.

Abolish the exemption

The main reasons for abolishing the exemption are its capacity to confuse consumers and the fact that it does not differentiate adequately between those businesses that hold significant personal information and those that do not. On the other hand, as many small businesses do not hold much personal information it would in fact make little difference to them. Nevertheless, small business may find the costs of implementation and the additional red tape unduly burdensome. Finally, the exemption is a barrier to EU adequacy.

Retain the exemption and change the threshold

There is no apparent reason why the threshold should be a turnover of $3 million. Similarly, there are no compelling policy reasons why it should be increased or decreased. The turnover criterion has been criticised as being meaningless for consumers and as an irrational indicator of size. It is not commonly used as a way to define small business.

Retain the exemption and change the definition

A business's annual turnover is not generally known. The Australian Bureau of Statistics (ABS) defines small business (excluding agricultural businesses) as businesses with less than 20 employees. Although arbitrary, a definition of small business in terms of the number of employees rather than annual turnover may be more easily understood by consumers and other interested parties. If the definition refers to the ABS definition as it stands from time to time, rather than to a particular number of employees, the Act would not need to be amended each time the ABS definition changes.

Impose core requirements of NPPs on small businesses

A small business holding very little personal information is able to use or disclose it in a way that causes significant damage to an individual. The exemption could be modified to impose the core requirements of the NPPs on all businesses and to exempt them from others. They would be accountable for their actions only in the event of a complaint. This would add to the compliance burden of small businesses, but it would not be as onerous as if the exemption were to be removed completely.

Retain the exemption and include high risk sectors within the operation of the Act

It is sensible and consistent with the policy underlying the Act to include within the operation of the private sector provisions small businesses that belong to high risk sectors in that they handle a lot of personal information, including sensitive information, and give rise to a lot of complaints. To date, the evidence suggests telecommunication service providers and tenancy databases are such sectors.

There are two means by which small businesses that are in a high risk sector could be included: by amending section 6D(4), or by the Attorney-General using the power to prescribe the sectors under section 6E.

The use of the power to prescribe by regulation avoids amending the Act and sets a precedent for the inclusion of other sectors that may become high risk. The power has always existed. It has not yet been used but it was envisaged that the Attorney-General would use it in appropriate circumstances to bring into coverage under the Act industries and organisations that collect and use a lot of personal information.

Remove the consent provision

Small businesses that trade in personal information are not exempt from the operation of the Privacy Act. If, however, the individual consents to the collection or disclosure of the personal information then the business remains a small business and is exempt 169. This is clumsy and complicated. There is a considerable lack of certainty for small businesses who trade in personal information because it is not clear whether only a single failure to gain consent would change the status of the organisation. The provision could be removed.

6.8 Recommendations: Small business exemption

  1. The Australian Government should consider retaining but modifying the small business exemption by amending the Privacy Act so that the definition of small business is to be expressed in terms of the ABS definition, currently 20 employees or fewer, rather than annual turnover.

  2. The Attorney-General should consider using the power to prescribe under section 6E of the Privacy Act, the tenancy databases and telecommunications sectors including Internet Service Providers and Public Number Directory Producers as businesses to be covered by the Act. (See recommendations 9 and 15.)

  3. The Australian Government should consider amending the Privacy Act to remove the consent provisions (sections 6D(7) and 6D(8)).

6.9 Private sector contracting

Law and policy

Many organisations outsource some of their functions or activities. Some of these may involve handling personal information, including sensitive information, collected by the organisation. It might, for example, include health information. There is no clear obligation in the NPPs (unlike the IPPs) that would require the organisation to ensure that the contractor uses the personal information only for the purposes for which it is given and to keep it secure.

The contractor may not itself be bound, for example, if it is a small business. It may not be clear to consumers that they are dealing with a contractor because organisations often prefer the contractor to identify itself under the organisation's corporate name. The Privacy Act does not make any specific provision for a contractor to be regarded as acting as an agent for the organisation it is providing services for. It is generally regarded as a separate entity. This means the contractor collects personal information from the organisation, which discloses it to the contractor.

Issues

The issues paper noted that as the Privacy Act does not provide for the existence of an agency relationship between an organisation and a contractor, the contractor needs the consent of each individual to collect sensitive information, for example, health information, from the organisation. Similarly, a contractor that is collecting information for an organisation to whom it has contracted its services may need to identify itself under NPP 1.3 as being a separate organisation, and may need to get the consent of the individual from whom it is collecting sensitive information to disclose the information to the organisation on whose behalf it is collecting it. The issues paper suggested possible topics for submissions:

What submissions say

Existing regime is working

Some submissions say that the existing regime is working and that no amendment is needed. Telstra Corporation Ltd (110), for example, says that any uncertainty has been addressed through guidelines and information sheets. Vodafone Australia Ltd (112) says that potential problems are dealt with by using contracts to bind service providers to comply with privacy law. It does not want this way of ensuring privacy obligations are complied with restricted in any way.

Distinction between data controllers and data processors

A number of submissions outline the ways they use contractors. The Australian Direct Marketing Association (ADMA) (67) says, for example, that it is extremely commonplace in nearly all industry sectors for organisations to engage a third party service provider or outsource agency to conduct a business operation on its behalf. It is also commonplace for a third party contractor or outsource agency to require access to an organisation's customer records and other personal information in order to perform such operations. The outsourced activities may include:

In ADMA's view, it is unduly onerous to impose the collection and disclosure requirements on both the organisation and the service provider. It is also unnecessary because one is merely performing an operation or processing data on behalf of the other. They should not continue to be regarded as two separate entities for the purposes of the NPPs. Instead, the European Union approach, which recognises the distinction between an organisation, a ‘data controller', and a third party service provider, a ‘data processor', should be adopted.

This distinction is made by a number of submissions, including the Law Council of Australia (36) and the Australian Information Industry Association (43). A confidential submission notes that there is confusion as to whether each contractor, as well as the principal organisation, should disclose its name and function to an individual who is providing personal information. All three submissions recommend that the distinction should be recognised to allow business to achieve its objectives efficiently.

Relationship of principal and agent

Some submissions approach the issue from an agency law perspective. These include the Australian Finance Conference (63) and Optus (98). The Australian Finance Conference, for example, takes the view that the law of agency makes unjustifiable the conclusion that when an organisation discloses information to a third party contractor it is ‘disclosing' to a separate ‘organisation'. In its view the reference in the Office's Information Sheet 8 - Contractors to a ‘particularly close relationship' encompasses the principal/agent relationship. In any case, its members have established their compliance programs on this basis and would oppose moves to change this accepted understanding. On that basis, it recommends that there be no change to Information Sheet 8.

Promina (34) takes a narrow view of Information Sheet 8 – Contractors. It describes the circumstance where an insurer paying claims may decide to outsource its cheque printing process to a third party. Strict contractual provisions prohibit the contractor from using the personal information for any other purpose than to produce the cheques. In Promina's view, Information Sheet 8 – Contractors should be amended to support the position that there need be no further privacy disclosure in such a case.

Options for reform

Amend NPP 4

NPP 4 requires an organisation to take reasonable steps to protect personal information it holds. It does not deal specifically with what should happen when information is given to a contractor. IPP 4 does. It requires the organisation to ensure ‘everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure'. NPP 4 could be amended to strengthen it in line with IPP 4. This puts the obligation on the contractor. It addresses the problems that arise when a contractor subcontracts to a small business that is not covered by the Act.

Business should ensure contract imposes relevant obligations on contractors

One way an organisation can ensure that a contractor protects the personal information the organisation has given it for the purposes of performing an operation on behalf of the organisation is to impose the obligations by contract. The Office could amend its Guidelines to this effect.

Amend Information Sheet 8

There seems to be some confusion as to what exactly Information Sheet 8 – Contractors means. The Office should amend it to clarify issues relating to private sector contracting.

Distinguish data controller and data processor

The private sector provisions could be amended to distinguish between data controllers and data processors and to amend the NPPs accordingly. This would overcome the particular issue but would have an impact on the operation of the Privacy Act.

6.10 Recommendations: Private sector contracting

  1. The Australian Government should consider amending NPP 4 to impose an obligation on an organisation to ensure personal information it discloses to a contractor is protected.

  2. The Australian Government should consider, in the context of the wider review of the Privacy Act, (see recommendation 1) whether there should be a distinction between data controllers and data operators.

  3. The Office will amend the Guidelines to the National Privacy Principles to clarify that businesses that give personal information to contractors for the purpose of performing a function on their behalf should impose contractual obligations on the contractor to take reasonable steps to protect the information.


6.11 Due diligence on sale or purchase of business

What is due diligence?

‘Due diligence' is the term used to describe the process that a prospective purchaser of a business undertakes to assess the value of a business' assets and liabilities. The due diligence process may involve the disclosure and collection of a number of different types of personal information including:

Information Sheet 16

As a result of inquiries from organisations buying and selling businesses and engaging in due diligence processes, the Office published Information Sheet 16 Application of key NPPs to due diligence and completion when buying and selling a business. Information Sheet 16 advises buyers and sellers about complying with their obligations under the Privacy Act.

A vendor organisation:

A prospective purchaser organisation:

Issues

The issues paper suggested that it may be difficult to determine how the NPPs apply to the disclosure of personal information during the course of due diligence.

‘Depending upon the nature of the business being sold, due diligence may involve disclosure of personal information about key employees or even sensitive information, for example, health information, about employees or clients'.

What submissions say

Few submissions address the issue of due diligence in the buying and selling of a business. There have been no complaints to the Office about a breach of privacy during a due diligence process. Two submissions address the content of Information Sheet 16. The Insurance Council of Australia (ICA) (59) notes that the relationship between the vendor and the purchaser in the Information Sheet is somewhat artificial and that, in reality, business practice requires extensive amounts of information, including personal information, to be divulged between the parties.

The ICA suggests that Information Sheet 16 consider and address the following issues:

A confidential submission suggests that Information Sheet 16 should consider the issues one would consider when transferring (as opposed to buying) a portfolio of business, such as when a portfolio of insurance business is transferred from one insurer to another.

Options for reform

Amend NPPs to take account of due diligence

Businesses are bought and sold. Businesses that hold sensitive personal information are bought and sold. Due diligence occurs. It may be technically a breach of the NPPs. The key NPPs are NPPs 1, 2 and 10. The buying and selling of medical practices or insurance companies, for instance, which requires the transfer of sensitive health information, would require consent under NPP 10, unless one of the other exceptions in NPP 10.1 applied, for example, that the transfer is required by law. It is not practical, and may not be possible, to require an organisation in the process of due diligence to gain the consent of everyone whose personal information is transferred. The relevant NPPs could be amended to take into account the practical realities of due diligence.

Amend Information Sheet 16

Some submissions have made suggestions as to how Information Sheet 16 might be clarified. The issue is complex and the information published by the Office should be as clear and as comprehensive as possible.

6.12 Recommendation: Due diligence

  1. The Australian Government should consider amending the NPPs to take into account the practice of due diligence.

7 Balancing individual rights and other social interests

7.1 Media exemption

Introduction

One of the competing social interests identified in the private sector provisions is the free flow of information. One of the ways the legislation promotes the free flow of information is to exempt the acts and practices of media organisations in the course of journalism from the application of the provisions 170. This exemption applies where such a media organisation is publicly committed to observing published standards that deal with privacy in the context of the activities of a media organisation.

Law and policy

Privacy Act

‘Media organisation' is defined under section 6(1) of the Privacy Act. The term refers generally to organisations whose activities consist of or include the collection, preparation for dissemination or dissemination of news, current affairs, information or documentaries.

The media exemption is outlined in section 7B(4) of the Privacy Act:

(4) An act done, or practice engaged in, by a media organisation is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in:

(a) by the organisation in the course of journalism; and

(b) at a time when the organisation is publicly committed to observe standards that:

(i) deal with privacy in the context of the activities of a media organisation (whether or not the standards also deal with other matters); and

(ii) have been published in writing by the organisation or a person or body representing a class of media organisations.

Although it is not strictly part of the media exemption, it is worth noting that journalists are also exempt from revealing their confidential sources. Section 66(1A) states:

Broadcast Media

Under the Broadcasting Services Act 1992, the industry group representing licensees in each section of the broadcasting industry is responsible for developing a code of practice applicable to that section. Privacy provisions are included in these codes of practice 171. The Australian Broadcasting Authority (ABA) (19) submits:

‘while the privacy provisions vary somewhat across the various broadcasting codes, all reflec