Submission to the Australian Law Reform Commission's
Review of Privacy - Issues Paper 31
February 2007
CHAPTER 1 - INTRODUCTION TO THE INQUIRY
CHAPTER 2 - PRIVACY REGULATION IN AUSTRALIA
CHAPTER 3 - THE PRIVACY ACT 1988 (Cth)
CHAPTER 4 - EXAMINATION OF THE PRIVACY PRINCIPLES
- Introduction
- 4-1 Are the obligations imposed on organisations at
the time of collection of personal information adequate and appropriate?
For example, should an organisation also be required to make an
individual aware of (a) the types of people, bodies or agencies to whom
the organisation usually discloses information of that kind; (b) the
various avenues of complaint available; and (c) the source of the
information, where it has not been collected directly from the
individual?
- 4-2 Should NPP 1 be amended to clarify that there may
be circumstances in which it is reasonable for organisations to take no
steps to ensure that an individual is aware of specified matters relating
to the collection of personal information?
- 4-3 Are the obligations imposed on agencies at the
time of collection of personal information adequate and appropriate? In
particular, should agencies be subject to a general requirement that
where reasonable and practicable, they should collect information about
an individual only from the individual concerned? Should agencies also be
required to notify an individual of his or her rights of access to the
information, the consequences of not providing the information, the
various avenues of complaint available, and the source of the
information, where it has not been directly collected from the
individual?
- 4-4 Should any obligations attach to an agency or
organisation which receives unsolicited personal information that it
intends to include in a record or generally available publication? If so,
what obligations should be imposed?
- 4-5 Should the obligations imposed on an organisation
or agency at or soon after collection apply irrespective of the source of
personal information?
- 4-6 Is it desirable for the IPPs to deal separately
with the principles relating to the use and disclosure of personal
information or should use and disclosure be provided for in one
principle?
- 4-7 Are the circumstances in which agencies and
organisations are permitted to use and disclose personal information
under IPPs 10 and 11, and NPP 2, adequate and appropriate? In particular,
should agencies and organisations be permitted expressly to disclose
personal information: (a) to assist in the investigation of missing
persons; (b) where there is a reasonable belief that disclosure is
necessary to prevent a serious and/or imminent threat to an individual's
safety or welfare, or a serious threat to public health, public safety or
public welfare; and (c) in times of emergency? What mechanism should be
adopted to establish the existence of an emergency?
- 4-8 Are the criteria in NPP 2.1(a) for using personal
sensitive and non-sensitive information for a secondary purpose adequate
and appropriate? For example, is it necessary or desirable that there
also be a 'direct' relationship between the secondary and primary purpose
of collection before non-sensitive personal information can be used or
disclosed for a secondary purpose?
- 4-9 Is the scope of IPP 10(e) (which allows agencies
to use personal information for a purpose other than the primary purpose
of collection, if the purpose for which the information is used is
directly related to the purpose of collection) adequate and appropriate?
For example, should there be an additional requirement that the
individual concerned would reasonably expect an agency to use the
information for that other purpose?
- 4-10 In what circumstances should agencies or
organisations be required to record their use or disclosure of personal
information when it is used or disclosed for a purpose other than the
primary purpose?
- 4-11 Are there particular issues or concerns arising
from the practice of organisations seeking bundled consent to a number of
uses and disclosures of personal information? If so, how are these
concerns best addressed?
- 4-12 Is it appropriate that NPP 2 allows for personal
non-sensitive information to be used for the secondary purpose of direct
marketing? If so, are the criteria that an organisation needs to satisfy
in order to use personal information for direct marketing purposes
adequate and appropriate?
- 4-13 Should use and disclosure of personal
information be allowed for research that does not involve health
information, for example social science research? If so, in what
circumstances or upon what conditions might this be appropriate?
- 4-14 Is the scope of the data quality principle in
NPP 3 (which requires an organisation to take reasonable steps to make
sure that the personal information that it collects, uses or discloses is
accurate, complete and up-to-date) adequate and appropriate? For example,
should the principle expressly apply to information that an organisation
controls?
- 4-15 Is there a need to amend NPP 3 to clarify the
extent of an organisation's obligations under the data quality principle
or is this best dealt with by way of guidance issued by the Office of the
Privacy Commissioner?
- 4-16 Should agencies also be subject to a stand-alone
data quality principle that extends to collection, use and disclosure of
personal information?
- 4-17 Is the scope of NPP 4 relating to the
obligations of an organisation to secure data adequate and appropriate?
For example, should NPP 4 be amended to impose an obligation on
organisations to take reasonable steps to ensure that personal
information they disclose to contractors is protected?
- 4-18 Are there any circumstances in which agencies
should be under an obligation to destroy or permanently de-identify
personal information when it is no longer needed?
- 4-19 Should the IPPs and the NPPs regulate the
deletion of personal information by organisations and agencies? In what
circumstances might this be appropriate? Should an individual have the
right to request that an agency or organisation destroy personal
information that it holds or controls concerning the individual? If so,
in what circumstances or upon what conditions should this be
permitted?
- 4-20 Is the scope of NPP 5 relating to openness
adequate and appropriate? For example, is it necessary or desirable for
organisations to be given greater legislative guidance about their
obligations under the principle? Does the more prescriptive approach to
the openness principle in IPP 5 provide a suitable model?
- 4-21 Is it appropriate that certain obligations under
the NPPs relating to openness are triggered only upon an individual's
request?
- 4-22 Is there a need to clarify the relationship
between the obligation of an organisation under NPP 1.3 (which imposes an
obligation on organisations to take reasonable steps to ensure that an
individual is aware of specified matter at or before the time of
collection) and NPP 5.1 (which imposes an obligation on organisations to
set out in a document clearly expressed policies on its management of
personal information)? If so, how is this best achieved?
- 4-23 Are the circumstances in which organisations can
deny an individual access to his or her personal information under NPP 6
of the Privacy Act adequate and appropriate? If the circumstances are
inadequate, should this be addressed by legislative amendment to the
principle or by guidance issued by the Office of the Privacy
Commissioner?
- 4-24 Should IPP 6 more clearly set out the
circumstances in which agencies can deny an individual access to his or
her personal information? If so, what circumstances should be
included?
- 4-25 Should the Privacy Act be amended to impose an
obligation on both agencies and organisations to notify third parties,
where practicable, that they have received inaccurate information and to
pass on any corrected information? Should an obligation to notify third
parties apply where agencies or organisations have refused to make a
correction?
- 4-26 Is there a need for a separate privacy principle
regulating the adoption, collection, use and disclosure of identifiers by
organisations? Should the principle regulating identifiers be redrafted
to deal more generally with the issue of data-matching?
- 4-27 Is the definition of identifier adequate and
appropriate? Are the exceptions to the use and disclosure of identifiers
referred to in NPP 7 adequate and appropriate? Should an individual be
permitted to consent to the use of his or her unique identifier? If so,
in what circumstances and by what means should this exception be given
effect?
- 4-28 Should the Privacy Act be amended to regulate
the assignment, adoption, collection, use and disclosure of identifiers
by agencies?
- 4-29 Should the anonymity principle be redrafted to
impose expressly an obligation on organisations to give an individual the
option of remaining anonymous when entering into transactions with those
organisations?
- 4-30 Is it appropriate or desirable for agencies to
be subject to an anonymity principle? In what circumstances, if any,
might this be appropriate?
- 4-31 Should the transfer of personal information
offshore by agencies also be regulated by privacy principles?
- 4-32 Should federal privacy principles allow agencies
and organisations to collect non-health related sensitive information for
purposes, including research and statistical purposes? If so, in what
circumstances should it be permitted?
- 4-33 Should federal privacy principles establish a
separate regime for the public and private sectors regulating sensitive
information aspects of the information cycle, including collection, use,
disclosure, access, retention and disposal? If so, what should that
regime include?
- 4-34 Should the Privacy Act provide a uniform set of
privacy principles that are to apply to both the public (currently
covered by the IPPs) and private (currently covered by the NPPs) sectors?
If so, what model should be used? Are there any particular principles or
exceptions to principles that should apply only to either the public or
private sector?
- 4-35 Apart from the principles contained in the IPPs
and NPPs, are there any other principles to which agencies and
organisations should be subject? For example, should the IPPs and NPPs
include expressly an 'accountability' principle, a 'prevention of harm'
principle, a 'consent' principle, or a requirement that agencies and
organisations notify persons whose personal information has been, or is
reasonably believed to have been, accessed without authorisation? If so,
what should be the content of these principles?
- 4-36 Should federal privacy principles be
prescriptive or should they provide high-level guidance only? Should they
aim for a minimum or maximum level of protection of personal information
or aim to adopt a best practice approach?
CHAPTER 5 - EXEMPTIONS FROM THE PRIVACY ACT 1988
- Introduction
- 5-1 Is it appropriate for certain entities to be
exempt, either completely or partially, from the operation of the
Privacy Act? If so, where should the exemptions be located?
- 5-2 Should the following defence and intelligence
agencies be exempt, either completely or partially, from the Privacy
Act:
- Defence Imagery and Geospatial Organisation;
- Defence Intelligence Organisation;
- Defence Signals Directorate;
- Australian Security Intelligence
Organisation;
- Australian Secret Intelligence Service;
and
- Office of National Assessments?
- If so, what is the policy justification for the
exemption? Are there any other defence and intelligence agencies that
should be exempt, either completely or partially, from the Privacy
Act?
- 5-3 Should the following agencies be exempt, either
completely or partially, from the Privacy Act:
- Australian Government ministers;
- federal courts;
- agencies specified in Schedule 1 to the Freedom
of Information Act 1982 (Cth), namely the Australian Industrial
Relations Commission, the Australian Fair Pay Commission, the Industrial
Registrar and Deputy Industrial Registrars;
- Australian Crime Commission;
- royal commissions;
- Integrity Commissioner;
- agencies specified in Schedule 2 Part I Division 1
of the Freedom of Information Act 1982 (Cth) other than the
intelligence agencies, the Australian Government Solicitor and the
Australian Industry Development Corporation; and
- agencies specified in Schedule 2 Part II Division
1 of the Freedom of Information Act 1982 (Cth)?
- If so, what is the policy justification for the
exemption? Are there any other agencies that should be exempt, either
completely or partially, from the Privacy Act?
- 5-4 Should state and territory authorities be exempt
from the privacy principles in the Privacy Act?
- 5-5 In addition to the energy distributors owned by
the New South Wales Government, which are the only state authorities
prescribed under the Privacy (Private Sector) Regulations 2001 (Cth), are
there any other state or territory authorities that should be covered by
the privacy principles in the Privacy Act? If so, to what extent should
they be covered?
- 5-6 Should the small business exemption remain? If
so: (a) what should be its extent; and (b) should an opt-in procedure
continue to be available?
- 5-7 Should registered political parties be exempt
from the operation of the privacy principles in the Privacy Act?
- 5-8 Should political acts and practices be exempt
from the operation of the Privacy Act? If so, does the current exemption
under s 7C of the Privacy Act strike an appropriate balance between the
protection of personal information and the implied freedom of political
communication?
- 5-9 Should the employee records exemption remain? If
so: (a) what should be the scope of the exemption; and (b) should it be
located in the Privacy Act, workplace relations legislation or
elsewhere?
- 5-10 Should acts and practices of media organisations
in the course of journalism be exempt from the operation of the Privacy
Act? If so: (a) what should be the scope of the exemption; and (b) does s
7B(4) of the Privacy Act strike an appropriate balance between the free
flow of information to the public and the protection of personal
information?
- 5-11 Should the terms 'in the course of journalism',
'news', 'current affairs' and 'documentary' be defined in the Privacy
Act? If so, how should they be defined? Are there other terms that would
be more appropriate?
- 5-12 If the media exemption is retained, how should
journalistic acts and practices be regulated?
- 5-13 Do any issues arise concerning related bodies
corporate, changes in partnership and overseas acts required by foreign
law in Part III Division 1 of the Privacy Act? If so, how should they be
dealt with?
- 5-14 Are there any other entities or types of
activities that should be exempt from the operation of the Privacy Act?
If so, what are those entities or types of activities, and what should be
the scope of the exemption?
CHAPTER 6 - POWERS OF THE OFFICE OF THE PRIVACY
COMMISSIONER
- Introduction
- 6-1 Is the legislative structure pertaining to the
Office of the Privacy Commissioner established under the Privacy Act
appropriately meeting the needs of the community?
- 6-2 Are the constraints imposed in the Privacy Act on
the exercise by the Privacy Commissioner of powers conferred by the Act
appropriate?
- 6-3 Does the Privacy Advisory Committee perform a
useful role and have appropriate powers and functions? Are the fields of
expertise represented on the Advisory Committee appropriate? Does the
Advisory Committee, and the fields of expertise of Advisory Committee
members, need to be set out in the Privacy Act?
- 6-4 Is the scope of immunities conferred on: (a) the
Privacy Commissioner and his or her delegates; (b) an adjudicator
appointed under a privacy code and his or her delegates; and (c) other
persons, appropriate?
- 6-5 Are the Privacy Commissioner's powers to oversee
the Privacy Act appropriate and effectively exercised? For example, are
the Commissioner's powers: (a) to furnish advice; (b) to research and
monitor developments in data processing and computer technology; (c) to
promote understanding of the IPPs and of the objects of the IPPs and the
NPPs; (d) to undertake education programs to promote individual privacy
protection; (e) relating to tax file numbers; (f) arising under other
Acts, appropriate and effectively exercised?
- 6-6 Should the Privacy Act require a privacy
impact assessment to be prepared for: (a) all proposed Commonwealth
legislation; (b) other proposed projects or developments of agencies; or
(c) other proposed projects or developments of organisations?
- 6-7 If privacy impact assessments are required: (a)
who should be involved in preparing the assessments; (b) who should be
entitled to view the results of the assessments; (c) who should bear the
costs of the assessments; and (d) what role should the Privacy
Commissioner play in overseeing any requirements placed on agencies or
organisations in this regard?
- 6-8 Is the Personal Information Digest published in a
useful manner? If not, how might it be improved? Is the record itself
useful?
- 6-9 What powers should the Privacy Commissioner have
to audit agencies and organisations?
- 6-10 Should organisations and agencies be required to
self-audit periodically to ensure and to demonstrate compliance with the
Privacy Act?
- 6-11 Should all the Privacy Commissioner's functions
be consolidated in the Privacy Act?
- 6-12 Are the procedures under the Privacy Act
appropriate for making and pursuing a complaint, including a
representative complaint, appropriate? Are the Privacy Commissioner's
powers to make preliminary inquiries and investigate complaints
appropriate and effective?
- Making a Representative Complaint
- S 40(1A) - mandatory requirement that the complainant
first complain to the respondent unless inappropriate
- 6-13 Is the obligation of the Privacy Commissioner to
investigate a complaint about an act or practice that may interfere with
the privacy of an individual appropriate, and is it administered
effectively?
- 6-14 Is the power of the Privacy Commissioner to
investigate an act or practice that may interfere with the privacy of an
individual appropriate, and is it used effectively?
- 6-15 Are the Privacy Commissioner's powers relating
to the conduct of investigations appropriate and effectively exercised?
For example, are the Commissioner's powers regarding: (a) appearances
before the Commissioner; (b) conferences; (c) obtaining information and
documents; (d) examining witnesses; (e) entering premises to gather
information; (f) discussion of complaints with a Minister or other
designated person; and (g) reports, appropriate and effectively
exercised?
- 6-16 Are the Privacy Commissioner's powers under the
Privacy Act to make determinations appropriate and administered
effectively?
- 6-17 Are the Privacy Act provisions for
enforcing determinations adequate and administered effectively?
- 6-18 Are the Privacy Commissioner's powers under the
Privacy Act to make public interest determinations, including
temporary public interest determinations, appropriate and administered
effectively?
- 6-19 Are the Privacy Act provisions for obtaining
injunctions adequate and effective?
- 6-20 Are the Privacy Act provisions for approving
privacy codes appropriate and effective? Are privacy codes an appropriate
method of regulating and complying with the Act? Why have privacy codes
been so little used? Should the Privacy Commissioner have the power, on
his or her initiative, to develop and impose a binding code on
organisations or agencies?
- 6-21 Is the current compliance model used in the
Privacy Act appropriate and effective to achieve the Act's purposes? If
not, is that because of its content, its administration, or some other
reason?
- 6-22 Does the range of remedies available to enforce
rights and obligations created by the Privacy Act require expansion? For
example, should the available remedies include any or all of the
following for particular breaches of the Act:
- (a) administrative penalties
- (c) remedies in the nature of damages
- (d) infringement notices
- (e) civil penalties
- (f) criminal sanctions
CHAPTER 7 - INTERACTION, FRAGMENTATION AND INCONSISTENCY IN
PRIVACY REGULATION
- Introduction
- 7-1 Does the multi-layered regulation of personal
information create any difficulties?
- Introductory comments on Question 7-1
- For example, does the multi-layered regulation of
personal information:
- (a) cause an unjustified compliance burden;
- (b) create problems for organisations that operate in
more than one Australian state or territory;
- (c) complicate the implementation of programs and
services at a national level;
- (d) raise any issues in relation to the existence of
multiple privacy regulators in particular industry sectors and across the
states and territories; or
- (e) act as a barrier to the sharing of information
between public sector agencies and private sector organisations?
- 7-2 Do any issues arise for organisations that
provide contracted services involving personal information to Australian
Government, state or territory agencies? For example:
- (a) are privacy provisions in Australian Government,
state or territory agency contracts contributing to inconsistency and
fragmentation in privacy regulation;
- (b) are the Privacy Act provisions relating
to Commonwealth contractors appropriate and effective;
- (c) do issues arise for Commonwealth contractors that
are subject to the NPPs and the IPPs;
- (d) do any issues arise for organisations that
provide contracted services involving personal information to both
Australian Government and state or territory agencies;
- (e) is there a concern that organisations acting
under a state or territory contract may not be required to adhere to the
same privacy standards that are applicable to private sector
organisations under the Privacy Act? If so, how should that
concern be addressed?
- 7-3 How should personal information held on
residential tenancy databases be regulated? For example, should it be
regulated under the Privacy Act, by a binding code, or in some
other way?
- 7-4 Does the inconsistent use of terms and
definitions under federal legislation that regulates the handling of
personal information create any difficulties? If so, what are some
examples of the difficulties created?
- 7-5 Do any difficulties arise as a result of the
interaction between the Privacy Act and provisions in other
federal legislation that require or authorise acts or practices that
would otherwise be regulated by the IPPs or the NPPs? If so, how should
the interaction between the Privacy Act and these provisions be
clarified?
- 7-6 Does the interaction between the Privacy
Act and other federal legislation that regulates the handling of
personal information require clarification? In particular:
- (a) does the overlap of the Privacy Act and
Freedom of Information Act 1982 (Cth) provisions relating to
access and amendment of records give rise to any difficulties;
- (b) should the Privacy Act provide for a
process of consultation prior to granting access to information that
includes personal information about a third party rather than rely on the
process outlined in the Freedom of Information Act 1982
(Cth);
- (c) should the Privacy Act and the Freedom of
Information Act 1982 (Cth) be administered by the same body;
- (d) should the Privacy Act apply to certain
classes of records in the open access period for the purposes of the
Archives Act 1983 (Cth);
- (e) should the exemption under the Archives Act
1983 (Cth) relating to 'information relating to the personal affairs
of any person' be amended to provide an exemption in relation to
'personal information' as defined in the Privacy Act;
- (f) should the Privacy Act, the Freedom
of Information Act 1982 (Cth) and the Archives Act 1983
(Cth) be consolidated in one Act;
- (g) should federal legislation relating to the
handling of tax file numbers and data-matching be consolidated in one
Act? If so, should they be consolidated in the Privacy
Act;
- (h) should data-matching programs that fall outside
the Data-matching Program (Assistance and Tax) Act 1990 (Cth) be
more formally regulated;
- (i) is personal information collected pursuant to the
Census and Statistics Act 1905 (Cth) adequately
protected;
- (j) is it appropriate that the disclosure of a
shareholder's personal details in a register of members, register of
debenture holders or a register of option holders under the
Corporations Act is a disclosure of personal information that is
permitted for the purposes of NPP 2;
- (k) does the Commonwealth Electoral Act 1918
(Cth) provide adequate protection of personal information included on the
electoral roll;
- (l) does the Anti-Money Laundering and
Counter-Terrorism Financing Bill 2006 (Cth) adequately protect personal
information?
- 7-7 Do the various secrecy provisions under federal
legislation that prohibit individuals employed by the Commonwealth from
disclosing information contribute to inconsistency and fragmentation in
personal information privacy regulation? In particular, should the
Privacy Act, rather than secrecy provisions in specific statute,
regulate the disclosure of personal information by Australian Government
agencies?
- 7-8 Are the provisions in Part VIII of the
Privacy Act necessary? If so, are the provisions adequate and
should they be contained in the Privacy Act or
elsewhere?
- 7-9 Do privacy rules, privacy codes and privacy
guidelines developed under federal, state and territory legislation, or
by organisations and industry groups, contribute to fragmentation and
inconsistency in the regulation of personal information?
CHAPTER 8 - HEALTH SERVICES AND RESEARCH
- Introduction
- 8-1 Does the regulation of health information require
a different and separate set of privacy principles to those used to
regulate other sensitive personal information?
- 8-2 Should s 3 of the Privacy Act be amended to state
that the Act is intended to regulate the handling of health information
in the private sector to the exclusion of state and territory
legislation?
- 8-3 Is the draft National Health Privacy Code an
effective way to achieve a nationally consistent and appropriate regime
for the regulation of health information? If so, what is the most
effective model for implementing the draft National Health Privacy Code?
If not, what other model should be adopted to achieve a nationally
consistent and appropriate regime for the regulation of health
information?
- 8-4 If the draft National Health Privacy Code is not
implemented nationally, should the Australian Government adopt the Code
as a schedule to the Privacy Act?
- 8-5 Do electronic health information systems require
specific privacy controls over and above those provided in the Privacy
Act or the draft National Health Privacy Code?
- 8-6 The National Health Act 1953 (Cth) requires the
Privacy Commissioner to issue guidelines in relation to the handling of
personal information collected in connection with claims under the
Medicare Benefits Program and the Pharmaceutical Benefits Program. Is
this an appropriate and effective role for the Privacy Commissioner?
- 8-7 Are the definitions of: (a) 'health information';
and (b) 'health service' in the draft National Health Privacy Code
appropriate and effective? Should the Privacy Act be amended to adopt
these definitions?
- 8-8 Should the Privacy Act be amended to ensure that
all agencies and organisations that collect, hold or use health
information are required to comply with the Act?
- 8-9 Is guidance by the Office of the Privacy
Commissioner to clarify that organisations can disclose health
information for the management, funding and monitoring of a health
service an appropriate and effective response to concerns in this area?
If not, what is an appropriate and effective response?
- 8-10 Is there evidence that the regulation of
personal health information impedes the provision of appropriate health
services to individuals? If so, what changes are necessary to facilitate
the provision of appropriate health services?
- 8-11 Does the Privacy Act provide an appropriate and
effective regime for handling health information in those circumstances
where an individual has limited capacity to give consent? Does the draft
National Health Privacy Code provide a more appropriate and effective
framework for handling health information in these circumstances?
- 8-12 Are there any other issues relating to consent
to deal with health information in the health services context that the
ALRC should consider?
- 8-13 Should the Privacy Act be amended to allow
health service providers to collect information about third parties
without their consent in line with Public Interest Determinations 9 and
9A? Does NHPP 1 of the draft National Health Privacy Code provide a more
appropriate and effective framework for collection of such information
than the current provisions of the Privacy Act?
- 8-14 Should the Privacy Act be amended to allow
insurance companies to collect health information about third parties
without their consent in similar circumstances to those set out in Public
Interest Determinations 9 and 9A?
- 8-15 Should NPP 10 of the Privacy Act be amended to
clarify when health information may be collected without consent? Does
NHPP 1 of the draft National Health Privacy Code provide a more
appropriate and effective framework for collection of health information
without consent?
- 8-16 Are there any other issues relating to the
collection of health information that the ALRC should consider?
- 8-17 Is guidance by the Office of the Privacy
Commissioner an appropriate and effective response to concerns that the
phrases in NPP 2, 'primary purpose of collection' and 'directly related
to the primary purpose', might impede the appropriate management of an
individual's health? If not, what is an appropriate and effective
response?
- 8-18 Does NHPP 2 of the draft National Health Privacy
Code provide a more appropriate and effective framework for the use and
disclosure of health information than the current provisions of the
Privacy Act?
- 8-19 Are there any other issues relating to the use
and disclosure of health information that the ALRC should
consider?
- 8-20 Is the exception in NPP 6.1(b) in relation to
providing access to health information (that is, that access may be
denied if it would pose a serious threat to the life or health of any
person) appropriate and effective? Should the exception be extended to
allow a health service provider to deny access to health information if
providing access to the information would pose a threat to the
therapeutic relationship between the health service provider and the
health consumer?
- 8-21 Do NHPP 6 and Part 5 of the draft National
Health Privacy Code provide a more appropriate and effective framework
for access to health information than the current provisions of the
Privacy Act?
- 8-22 Should the Privacy Act be amended to deal
expressly with the situation in which a health service provider ceases to
operate? Does NHPP 10 of the draft National Health Privacy Code provide
an appropriate and effective framework to deal with this situation?
- 8-23 Are there any other issues the ALRC should
consider in relation to access to health information?
- 8-24 Does NHPP 11 of the draft National Health
Privacy Code provide a more appropriate and effective framework to deal
with the transfer of health information from one health service provider
to another than the current provisions of the Privacy Act?
- 8-25 Is the current public interest test in the
Privacy Act and Section 95 and Section 95A Guidelines (that the public
interest in promoting research substantially outweighs the public
interest in maintaining the level of protection of health information
provided by the Act) appropriate and effective? If not, what is an
appropriate and effective test?
- 8-26 Should the term 'research' be defined for the
purposes of the Privacy Act? If so, how should the term be defined?
- 8-27 Should the Privacy Act be amended to include
definitions of 'identifiable', 're-identifiable' and 'non-identifiable'
personal information?
- 8-28 Should the Privacy Act draw a distinction
between 'identifiable' and 're-identifiable' health information in the
context of health and medical research?
- 8-30 Does NPP 2 provide an appropriate and effective
framework for the use, without consent, of health information in health
and medical research?
- 8-31 Are Human Research Ethics Committees the most
appropriate bodies to make decisions about the collection, use and
disclosure, without consent, of health information in the context of
health and medical research?
- 8-32 Are the requirements imposed on Human Research
Ethics Committees by the Section 95 and Section 95A Guidelines issued
under the Privacy Act appropriate and effective?
- 8-33 Does the Privacy Act provide an appropriate and
effective regime for: (a) the establishment of health data registers; and
(b) the inclusion and linkage of health information in data registers?
CHAPTER 9 - CHILDREN, YOUNG PEOPLE AND ADULTS WITH A DECISION-MAKING DISABILITY
CHAPTER 10 - TELECOMMUNICATIONS PRIVACY
CHAPTER 11 - DEVELOPING TECHNOLOGY
- Introduction
- 11-1 What new technologies, or new uses of existing
technologies, will, in the future, impact significantly on privacy? How
can such technologies be accommodated in a regulatory framework?
- 11-2 Should the Privacy Act be extended to
cover:
- (a) any acts or practices of individuals relating to
their personal, family or household affairs
- (b) exempt agencies or organisations that use certain
types of technology or collect certain types of personal information?
- 11-3 Is there a need to amend the Privacy Act in
light of technological developments? If so, what amendments are
required?
- (a) should there be any additional limits on the
collection of personal information
- (b) should agencies or organisations be required to
obtain consent before using certain technologies to collect personal
information? If so, should it be possible to refuse consent without any
adverse consequences
- (c) should biometric information be included in the
definition of 'sensitive information'
- (d) should agencies or organisations be required to
advise individuals of any misuse, loss or unauthorised access,
modification or disclosure of personal information?
- 11-4 Should the Privacy Act be technologically
neutral?
- 11-5 What issues are raised by the publication, in
electronic form, of publicly available records such as public records,
court records and media reports? Does the Privacy Act need to be amended
in response to these issues?
CHAPTER 12 - UNIQUE MULTI-PURPOSE IDENTIFIERS
CHAPTER 13 - TRANSBORDER DATA PROTECTION
EXECUTIVE SUMMARY
Office of the Privacy Commissioner
1. The Office of the Privacy Commissioner (the Office) is an independent
statutory body whose purpose is to promote and protect privacy in Australia.
The Office, established under the Privacy Act 1988 (Cth) ('the
Privacy Act'), has responsibilities for the protection of individuals'
personal information that is handled by Australian and ACT government
agencies, and personal information held by all large private sector
organisations, health service providers and some small businesses. The Office
also has responsibilities under the Privacy Act in relation to credit
worthiness information held by credit reporting agencies and credit
providers, and personal tax file numbers used by individuals and
organisations.
Background
2. The Office welcomes this review of privacy by the Australian Law Reform
Commission (ALRC). The Office believes that a holistic review of privacy
regulation in Australia presents a unique opportunity to enhance the
consistency of privacy regulation, and assess the effectiveness of privacy
laws in light of evolving circumstances, such as technological development
and community expectations.
3. The ALRC's review of privacy was commissioned following recommendations
made in the Office's Private Sector Review and the Senate Legal and
Constitutional References Committee Review that a wider review of privacy be
undertaken.1 The
Office welcomes the Government's commitment to inquire into the adequacy of
privacy regulation to ensure that it best serves the needs of Australia in
the future.
4. This is an important period of review for privacy regulation. The
Office notes that the ALRC's review is being undertaken concurrently with
similar reviews in other jurisdictions. The NSW Law Reform Commission is
undertaking a review of privacy which will consider issues such as the
desirability of uniform privacy protection principles across Australia, and
the desirability of introducing a tort of privacy in NSW.2 The Victorian Law Reform Commission
is also undertaking an inquiry into surveillance in public places.3 The Office believes
that it will be useful to engage with these and other jurisdictions, to
encourage a coordinated response to improving privacy regulation in
Australia.
5. In addition, the New Zealand Law Commission is currently undertaking a
review of privacy laws.4 The Office believes that this may provide a timely
opportunity for greater harmonisation of trans-Tasman privacy regulations.
6. In what the Privacy Commissioner has described as a 'once in a
generation opportunity', the Office looks forward to further opportunities to
contribute to the ALRC's review of privacy.
General comments
7. A great deal has changed since the Privacy Act was enacted in 1988.
8. There have been changes to the way Australians think about privacy,
changes to the manner and speed in which personal information is handled,
particularly as a result of technological developments, and there has also
been the arrival of the internet as a mainstream source of public information
and interaction.
9. In the Office's experience, one thing that hasn't changed is that
Australians still deeply value their privacy as a necessary condition for
living an independent, fulfilling and dignified life.
10. The current principles under the Privacy Act are based on the OECD
data protection guidelines that were developed almost 30 years ago.5 At that time:
- personal computers were scarce, and the internet did not exist
- there was little of biometric technology beyond ink fingerprints
- international counter-terrorism initiatives were not the focus they are
today
- surveillance systems like closed circuit television and global
positioning systems were not as widespread and
- mobile phones and camera phones were a distant prospect
11. These modern-day phenomena have changed the circumstances surrounding
data protection. Nevertheless, the Office believes that the Privacy Act has
served the community well since its enactment in 1988. The challenge now is
to ensure that the legislation operates effectively for at least a similar
period again, and continues to best serve the diverse needs of the Australian
community.
12. This submission responds to the questions raised in IP31. In providing
these responses, the Office has attempted to share nearly 20 years of
experience in applying the Privacy Act, as well as its strong belief in the
importance of privacy in a healthy, democratic society.
13. Privacy is important to our way of life, but what does it mean
exactly? It has been said that for most of us, privacy is something we think
about only when it is lacking.6 The difficulty of defining this term is
well-documented in IP31 which explores the range of meanings commonly
associated with the term. This submission, like the ALRC inquiry, is
concerned primarily with information privacy (see IP31 paragraph 1.89).
However, the Office observes that information privacy can intersect with
other categories of privacy. For example, location detection technologies,
which collect information about an individual's whereabouts, might be
considered to cut across both information and physical privacy. While
information privacy forms the focus of this inquiry, the Office submits that
it will be important for the ALRC to consider cross-over between information
privacy and other forms of privacy to ensure that the Privacy Act meets
community expectations and continues to be relevant and provide adequate
protection in the future.
14. Privacy is important but of course, complete anonymity or isolation
from the rest of society is neither possible nor desirable. There will always
be interactions that require individuals to be 'knowable' to another person
or organisation, just as individuals will often want to share their personal
information with particular people and organisations. Privacy laws are not
designed to obstruct those interactions. Rather, privacy laws are about
making sure that individuals have control, to the extent possible, over when
their personal information will be collected by others, and how their
personal information is subsequently used.
15. In light of these considerations, this submission is concerned first
and foremost with ensuring that the privacy of individuals is valued,
protected and respected in Australian society, now and into the future.
16. The Office also recognises that privacy must be protected alongside
other societal interests such as free speech, security and commercial
efficiency. Indeed, the Office notes that when the private sector provisions
were introduced into the Privacy Act, they were intended to be responsive to
both business and consumer needs.7
17. It is important that the costs of complying with privacy regulations
are proportionate to the social benefits they provide. In the Office's view,
regulatory inconsistency can have a negative impact on businesses' ability to
comply with such regulations, creating undue complexity and confusion as to
which law to apply.
18. The continued existence of inconsistency in Australia's privacy
framework is borne out by the findings of the Office's Private Sector Review.
That Review concluded that the Privacy Act had not achieved its object of
establishing a single comprehensive national scheme for the protection of
personal information.8 The Office believes that increased regulatory
consistency is crucial if agency and organisational compliance costs are to
be minimised, and if individuals are to be empowered to exercise their
privacy rights without confusion or difficulty.
19. Accordingly, a central theme of this submission is identifying ways
that regulatory consistency can be enhanced, for the benefit of consumers,
businesses and the provision of government services. In particular, the
Office believes that regulatory complexity will be reduced by the
introduction of a single set of principles to the Privacy Act. This single
set of principles would ideally replace the two separate sets of provisions
that currently regulate the Commonwealth public sector (the Information
Privacy Principles, or IPPs) and the Australian private sector (the National
Privacy Principles, or NPPs). These principles could also serve as a model
for uniform privacy legislation, which could be implemented across
Commonwealth, state and territory jurisdictions.
Structure of this submission
20. This submission follows the structure of IP31. As with IP31, there are
13 chapters which are outlined below. In those chapters, the Office responds
to the questions raised by the ALRC in IP31.
Submission summary
Chapter 1: Introduction to the Inquiry
21. Chapter 1 places Australia's privacy regulatory regime in an
international context and draws out the central ideas that inform Australia's
regulatory approach.
22. This chapter also addresses two specific questions. The first relates
to the suggestion that the Privacy Act be extended to cover certain groups
such as indigenous or ethnic groups or commercial entities. In its response
to this question, the Office submits that the Privacy Act should continue to
apply specifically to individuals, which has been the international approach
to regulating privacy.
23. The second question in this chapter examines the case for a tort of
privacy. In general, the Office believes there are several positive arguments
for the development of a tort of privacy, and would therefore encourage
further examination of the issue by the ALRC.
Chapter 2: Overview of Privacy Regulation in Australia
24. Chapter 2 introduces the Office's views on the importance of national
consistency of privacy regulation. The Office believes that regulatory
consistency will benefit both businesses and individuals by reducing
compliance difficulties for organisations, and empowering individuals to
understand and exercise their privacy rights without confusion as to their
legal entitlements.
25. This chapter takes national regulatory consistency to be a key goal of
privacy reform where there is no compelling need for differentiation. As
such, the key message contained in Chapter 2 underpins many of the Office's
responses to chapters that follow.
Chapter 3: The Privacy Act 1988 (Cth)
26. Chapter 3 suggests possible amendments to definitions in the Privacy
Act. These suggestions align with the Office's belief that terms should be
defined in a way that balances flexibility with regulatory stability.
Approached in this way, the Office submits that definitions in the Privacy
Act will reflect the intentions behind principle-based law.
27. As noted in IP31, much of the complexity within the Privacy Act stems
from its development and amendment over several years. As such, many of the
recommendations made in Chapter 3 are aimed at updating or clarifying
relevant definitions, and better articulating the objects and scope of the
Act.
28. In particular, Chapter 3 makes suggestions in relation to the
definitions of personal information, sensitive information,
financial information, record, identifier,
collector, small business, generally available
publication, agency, State or Territory authority and
related bodies corporate. This chapter also suggests that certain
privacy principles be extended to the personal information of deceased
persons.
Chapter 4: Examination of the Privacy Principles
29. Chapter 4 builds on the idea that principle-based law remains the best
way to regulate information handling.
30. This chapter explores the IPPs and NPPs in detail, and makes
suggestions for their improvement based on the Office's experience in
applying the Privacy Act.
31. While the Office believes that the existing principles under the
Privacy Act are operating well, the Office believes there would be benefit in
introducing to the Privacy Act a single set of principles to replace the IPPs
and NPPs. In the Office's view, a single set of privacy principles would
encourage greater regulatory consistency and simplicity, while maintaining or
improving existing protections. Chapter 4 suggests that a single set of
principles could include provisions relating to: anonymity, notice and
openness, collection, collection of sensitive information, use and
disclosure, information quality, information security, access and correction,
transborder data flows and identifiers.
Chapter 5: Exemptions from the Privacy Act 1988 (Cth)
32. In Chapter 5 the Office expresses its view that to achieve uniformity
and consistent application of privacy legislation, exemptions under the
Privacy Act should be minimised. Where exemptions do exist, a clear public
interest should also exist to support their continuation.
33. In the interests of enabling greater community understanding of the
Privacy Act, the Office would support the adoption of consistent criteria to
determine which entities are exempt from the application of the Act.
34. In particular the Office suggests that:
- small business telecommunications service providers should be brought
under the jurisdiction of the Privacy Act
- gaps in coverage of residential tenancy database operators by privacy
regulation should be addressed
- consideration be given to removing the employee records exemption in the
interests of national consistency
- the Privacy Act should apply to state and territory statutory
corporations, except where equivalent privacy legislation has been
enacted in the relevant jurisdiction
- the small business 'opt-in' provision be made available to any
organisations which are exempt from the operation of the Privacy Act9 (for example,
to give political parties and other entities the opportunity to
voluntarily opt-in to coverage by the Privacy Act).
Chapter 6: Powers of the Office of the Privacy Commissioner
35. Chapter 6 examines the powers of the Privacy Commissioner, and makes
recommendations based on the Office's experience in monitoring and enforcing
compliance with the Privacy Act.
36. In general, the Office finds that the Privacy Act contains appropriate
provisions to support the Office of the Privacy Commissioner's role as an
effective complaint-handling body. However, the Office submits that the
strong focus in the Privacy Act on resolving individual complaints should be
balanced with improved provisions for dealing with systemic privacy issues.
To this end, many of the suggestions made in this chapter relate to
strengthening the Office's capacity to respond effectively to issues which
may have broader impacts on privacy. This would better equip the Office to
address the causes of interferences with privacy, not only the effects.
37. Particular suggestions in Chapter 6 include:
- that the relationship between the Office and other dispute resolution
bodies be clarified
- that the Privacy Commissioner be given more ways of dealing with
systemic issues, such as enforceable remedies following an own motion
investigation, and a targeted private sector audit power
- that the Privacy Commissioner be empowered to make binding codes
- that public sector agencies be required to undertake Privacy Impact
Assessments for new projects or legislation that significantly impact on
the collection or handling of personal information.
Chapter 7: Interaction, Fragmentation and Inconsistency in Privacy Regulation
38. Chapter 7 expands on some of the issues raised in Chapter 2,
particularly regarding the interaction and inconsistency between the Privacy
Act and other privacy-related regulations.
39. The Office notes in this chapter the importance of ensuring that
privacy regulations are interoperable, consistent and comprehensive, with
national consistency as the ultimate goal of such an interoperable privacy
scheme.
40. Consistency does not mean the elimination of multi-layered regulation.
In many cases, additional protections that regulate particular sectors, or
protect certain information, can enhance privacy (such as privacy codes and
secrecy provisions). However, in the interests of all parties, it is critical
to ensure these layers are not unnecessary, inconsistent, or poorly
interactive.
41. In the Office's view, there are a number of ways that current privacy
regulations can be harmonised across various sectors and jurisdictions. These
solutions include:
- providing greater guidance on the operation of existing laws, and how
they relate to other regulations
- clarifying the jurisdiction of the Privacy Act (for example, in
relation to coverage of the private sector)
- ensuring that privacy protections in state and territory jurisdictions
are consistent with and equivalent to the Privacy Act
- making clearer reference in legislation which intends to rely on NPP
and IPP exceptions to authorise particular information-handling practices
(such as a use or disclosure)
- improving the consistency of provisions under federal legislation that
relate to personal information-handling, such as the Privacy Act, the
Freedom of Information Act 1982 and the National Archives Act 1983
- enhancing administrative functions or powers to enable regulators,
including the Office, to cooperate more effectively, and
- adopting a single set of privacy principles to replace the IPPs and
NPPs, which could also be uniformly adopted across federal, state and
territory jurisdictions.
Chapter 8: Health Services and Research
42. In Chapter 8 the Office puts forward the view that the Privacy Act's
existing provisions have generally met individuals' expectations regarding
the handling of their health information, and afforded appropriate regard to
the needs of health service delivery and medical research.
43. However, the Office notes in this chapter that there is a strong need
to clarify the application of the Privacy Act regarding private sector health
service providers. Section 3 of the Privacy Act should be amended to make
clear that the National Privacy Principles 'cover the field' for the
regulation of private sector health service providers. This would address a
key source of uncertainty and potential fragmentation in health privacy
regulation in Australia.
44. The Office also notes that the proposed National Health Privacy Code
(NHPC) has not been adopted by the relevant jurisdictions since the Office's
Private Sector Review was released. In light of changed circumstances, the
Office considers that the objectives of national consistency and higher
privacy protection for health information can be best achieved through
certain amendments to the NPPs, or the adoption of a single set of principles
as discussed in Chapter 4.
45. While comfortable that the existing principles work well, the Office
makes a number of recommendations in Chapter 8 regarding areas of health
privacy regulation where the law could be enhanced. These include in regard
to access, including the role of intermediaries, as well as information
handling obligations where a health service closes, or where an individual
wishes their records to be transferred. The Office has also suggested that,
among other things, the principle regulating the collection of health
information without consent and where 'necessary to provide a health service'
could be usefully amended.
46. In regard to health and medical research, the Office submits that the
existing regulatory framework affords individuals an appropriate degree
of assurance that their personal health information will not be misused,
particularly where it is handled without their consent. The Office draws
attention to provisions where regulatory complexity could be reduced,
particularly by harmonising the enabling provisions for the section 95 and
95A mechanisms.
Chapter 9: Children, Young People and Adults with a Decision-Making Disability
47. The privacy of vulnerable members of the community is of considerable
interest and concern to the Office and the Australian public. Chapter 9
addresses the privacy of children and individuals with a decision-making
disability. Each presents comparable but different challenges for privacy
regulation, which must balance community, representative and individual
expectations across a range of circumstances.
48. The Privacy Act is based around providing rights to individuals and
does not distinguish individuals by age. Children are therefore provided with
equal rights to adults, with the flexibility to determine, on a case by case
basis, who should be responsible for exercising those rights. Other
mechanisms supplement the Privacy Act's protections, such as legislation
specific to child protection, and particular sectoral procedures. The Office
believes the Privacy Act is generally functioning effectively in relation to
children and young people, although in some areas, protections may be
improved by amendments to the small business exemption. The Office welcomes
consideration of further mechanisms beyond the Privacy Act which may be
necessary to safeguard child privacy, for example, in the areas of online
protections and photographs.
49. In relation to individuals with a decision-making disability, the
Office believes that certain problems can be addressed without legislative
amendment. This includes providing additional guidance on when personal
information can currently be disclosed to representatives under the Privacy
Act. The Office also believes consideration could be given to whether the
disclosure of non-health information should be permitted under NPP 2.4. Other
areas for consideration include the ability of representatives to seek access
on an individual's behalf, how best to protect individuals' privacy from
their own representatives, and whether the Privacy Act operates effectively
in cases of sudden or unexpected incapacity.
Chapter 10: Telecommunications Privacy
50. Personal information handled in the telecommunications sector is
regulated by a number of legislative instruments and regulatory bodies. These
interrelationships need not be problematic in themselves, and indeed, they
can enhance privacy protections in the sector where they operate
consistently. Nevertheless, there are aspects of privacy regulation in the
telecommunications sector which can benefit from review and improvement. The
Office's response to Chapter 10 draws particular attention to the following
issues:
- the number and extent of exceptions under Part 13 of the
Telecommunications Act, which allow disclosure of personal information in
various circumstances, and in some cases may provide a lower level of
protections than the Privacy Act
- the lack of consistent coverage of small business operators in the
sector, who may not be bound by the Privacy Act or equivalent
protections
- the lack of clarity and consistency between disclosures authorised
under the Privacy Act and the Telecommunications Act
- the limits on the Privacy Commissioner's involvement with the approval
of telecommunications industry codes
- various issues with a range of legislation, some only recently enacted,
which governs the telecommunications sector (including in relation to
telecommunications interception)
- ways to streamline the regulatory interaction between the Office and
the Telecommunications Industry Ombudsman.
Chapter 11: Developing Technology
51. In Chapter 11, the Office expresses its view that the most effective
strategy for the protection of privacy in the context of continuously
developing technologies will be multi-faceted, involving:
- principle-based legislation coupled with binding codes
- end-user empowerment through education
- technology solutions
- international agreements between jurisdictions.
52. The Office believes that a technologically-neutral principles-based
approach, along with provision for the Privacy Commissioner to make specific
binding codes where a clearly defined privacy risk emerges, is the best way
to deal with the impact of rapidly developing technology on information
handling.
53. Some of the suggestions made by the Office in Chapter 11 include
that:
- biometric information be classed as sensitive information under the
Privacy Act and small businesses that handle biometric information be
brought under the jurisdiction of the Privacy Act
- the public sector data matching guidelines be made binding and
consideration be given to introducing data-matching regulation to the
private sector
- consideration be given to introducing a requirement to the Privacy Act
which mandates, in certain circumstances, the reporting by organisations of
security breaches affecting personal information
- the Privacy Act continue to be technologically neutral with provision
for the Privacy Commissioner to make binding codes where a specific
privacy issue arises
Chapter 12: Unique Multi-Purpose Identifiers
54. Chapter 12 explores the regulatory regime surrounding the use of
unique multi-purpose identifiers. The Office accepts that sometimes the use
of unique identifiers is essential; for example, in order to correctly
identify individuals for the purposes of providing health care. However, the
Office notes that, when unique identifiers are used for multiple purposes and
across different agencies and organisations, risk of privacy invasion is
increased. This is because, if used in the wrong way, unique multi-purpose
identifiers can enable greater data-matching, sharing and linking and create
conditions conducive to function creep.
55. The Office believes that the Privacy Act should continue to play an
important role in ensuring that unique multi-purpose identifiers are handled
in ways that do not unreasonably intrude on the privacy of individuals.
Subject to a few suggested amendments the Office believes that provisions in
the Privacy Act dealing with unique multi-purpose identifiers remain
appropriate.
Chapter 13: Transborder Data Protection
56. Advances in information technology have allowed information to be sent
across the world with speed and efficiency. With the advent of inexpensive
high-speed internet connections and the growth of the global economy,
Australian agencies and organisations are increasingly operating across
national borders.
57. The Privacy Act regulates the transfer of personal information outside
Australia via NPP 9. NPP 9 provides important protections to individuals