CHAPTER 5 EXEMPTIONS FROM THE PRIVACY ACT 1988

Introduction

1. The Office's position is that to achieve uniformity and consistency of application of privacy legislation, exemptions under the Privacy Act should be minimised. Where they exist, a clear public interest for the exemptions should also exist to support their continuation.

2. Where an exemption applies, the Office encourages exempt entities to engage in information handling practices that incorporate principles similar to those contained within the Privacy Act.

3. In the interests of enabling greater understanding of the Privacy Act in the community, the Office would support changes that brought about consistency in the criteria used to determine which agencies are exempt from the application of the Privacy Act.

5-1 Is it appropriate for certain entities to be exempt, either completely or partially, from the operation of the Privacy Act? If so, where should the exemptions be located?

4. The Office is of the view that to achieve uniformity and consistency of application of privacy legislation, exemptions under the Privacy Act should be minimised. Where they exist, there should be a clear public interest enunciated for any exemption to be maintained or created. Existing exemptions contained in the Privacy Act have developed over time and in some instances may require review to assess their continuing suitability.

5. The Office further submits that a review of exemptions to the Privacy Act should also address irregularity of exemption coverage; that is where a specific entity is exempted from coverage of the Privacy Act while other entities of a similar nature and function are not. An example of this might be the coverage of tribunals by the Privacy Act, some of which are covered by the Act and others of which are partially exempted. The Office believes consistent application of exemptions will foster greater clarity as to the intentions and coverage of exemptions.

Location of exemptions

6. Where exemptions exist for specific, named entities, the Office believes that it may add clarity to list these entities in a schedule to the Privacy Act. This would be consistent with how exemptions are treated in the Freedom of Information Act 1982 (the Freedom of Information Act).141 Such a list should distinguish between entities with a full exemption and those with partial exemptions.

7. Where exemptions exist for certain categories of entities, the Office believes that it would be worthwhile to group exemptions together in one part of the Privacy Act to enhance clarity.

Question 5-1

Office position:

  1. The Office believes that to achieve uniformity and consistency of application of privacy legislation, exemptions under the Privacy Act should be minimised. Where exemptions exist, there should be a clear public interest enunciated for them to be maintained or created.
  2. The Office submits that a review of exemptions to the Privacy Act should address irregularity of exemption coverage; that is where a specific entity is exempted from coverage of the Privacy Act while other entities of a similar nature and function are not.
  3. The Office suggests that where exemptions exist for specific, named entities, these entities be listed in a schedule to the Privacy Act.
  4. The Office suggests that where exemptions exist for certain categories of entities, they be grouped together in one part of the Privacy Act.

5-2 Should the following defence and intelligence agencies be exempt, either completely or partially, from the Privacy Act:

If so, what is the policy justification for the exemption? Are there any other defence and intelligence agencies that should be exempt, either completely or partially, from the Privacy Act?

8. The Office believes that exemptions applying to this group of defence and intelligence agencies (collectively known as the Australian intelligence community (AIC)) are appropriate. Other legislation and ministerial directions do impose some privacy-related requirements on AIC agencies (see in particular sections 8, 9 and 15 of the Intelligence Services Act 2001; and sections 8A and 18 of the Australian Security Intelligence Organisation Act 1979), and some of the IPPs are difficult to apply in the usual way to the work of these agencies.

9. However the Office maintains that, despite their exemption under the Privacy Act, AIC agencies should still be encouraged to implement good information handling practices. This would be best achieved under the guidance and oversight of the Inspector-General of Intelligence and Security (IGIS).

10. The IGIS already plays a role of this kind, having assisted the Defence Imagery and Geospatial Organisation (DIGO), the Defence Intelligence Organisation (DIO) and the Office of National Assessments (ONA) to develop privacy rules or guidelines.142 The IGIS also monitors collection and reporting activities by the agencies.143

Background to the exemptions

11. The original OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data recognised exemptions in relation to 'national sovereignty, national security and public policy' but specified that these exemptions be as few as possible and be made known to the public.144

12. In Australia, exemptions for security agencies were anticipated in the first Law Reform Commission review of privacy of 1983. The terms of reference for that inquiry explicitly excluded the application of privacy to national security and defence, calling for exclusion of 'inquiries on matters falling within the Terms of Reference of the Royal Commission on Intelligence and Security or matters relating to national security or defence.'145

Reasons for the exemptions

13. In the absence of privacy regulation, the Office observes that the strong secrecy provisions applying to the agencies concerned are appropriate to deter agency employees from unlawfully disseminating personal information. These secrecy provisions also encourage defence and intelligence agencies to store personal information securely.

14. With regard to other aspects of information handling, the Office notes that some of the IPPs are ill-suited to the activities of AIC agencies. For example, obligations under IPP 5, which require agencies to make available information about the types of personal information held and the purposes for which the information is used, could reveal agency methodologies. Similarly, IPP 6 access provisions may be difficult to apply in a national security context. IPP 6 is further complicated by its close interaction with the Freedom of Information Act which also exempts AIC agencies.

15. With regard to other aspects of information handling, the Office notes that it may be difficult for the Privacy Commissioner to investigate or audit the activities of AIC agencies without the appropriate powers, infrastructure or security clearances to conduct such investigations. It appears that the IGIS has been developed as a specialist monitoring and review body for these agencies given the different nature of their work.

Ensuring good information handling practices in security agencies

16. The Office believes that all entities, whether covered by the Privacy Act or not, should implement a set of standards for the handling of personal information. These could be adapted from the privacy principles taking into account the particular national security requirements.

17. Practices that enhance overall data quality support better decision-making. The Office submits that information handling standards will benefit AIC agencies by:

18. The Office suggests that in addition to applying procedures from the Australian Government's Protective Security Manual, exempt agencies could apply the main aims of the privacy principles through local guidelines. For example the Attorney-General has included guidelines for the treatment of personal information by the Australian Security Intelligence Organisation within the Guidelines in relation to the performance by ASIO of its function of obtaining intelligence relevant to security.

19. The Office suggests that IGIS continue to play a role in overseeing the development and implementation of local privacy guidelines that address:

Question 5-2

Office position:

  1. The Office believes that the exemptions applying to the Australian intelligence community (AIC) are appropriate.
  2. The Office suggests that all entities, whether covered by the Privacy Act or not, should implement a set of standards for the handling of personal information.

5-3 Should the following agencies be exempt, either completely or partially, from the Privacy Act:

If so, what is the policy justification for the exemption? Are there any other agencies that should be exempt, either completely or partially, from the Privacy Act?

Section 7 exemptions

20. Section 7 of the Act is a very complex and difficult section to understand and apply. By way of illustrating this complexity, s 7 is premised around the concept that some federal government bodies are 'agencies' under the definition of s 6 but certain of their activities are excluded from the definition of 'act' and 'practices' in s 7(1). Section 7(1)(a) starts by excluding all the activities of certain agencies from coverage by the IPPs. Sections 7(1)(a) and (c) then bring some activities of some of these agencies back under the coverage of the IPPs.

21. Further, s 7A makes some activities of some agencies subject to the NPPs. Finally, s 7(2) ensures that some of the agencies are subject to the Commissioner's tax file number guidelines and credit reporting provisions in Part IIIA of the Act.

22. The Office believes that this complexity (see Appendix A) makes it difficult for many entities to understand what aspects of their activities are covered by the Act and therefore recommends that it be redrafted.

23. Discussion of some of the specific exemptions is provided below.

Australian Government Ministers

24. As noted in IP31 (paragraphs 5.23 - 5.27), some of the Privacy Act exemptions are complex and difficult to apply. The partial exemption applying to Australian Government Ministers is one such exemption.

25. This complexity is made apparent by the formulation of the exemption. Under s 6(1) of the Privacy Act, a Minister is defined as an 'agency' and is therefore covered by the Act; however, his or her acts are excluded from coverage of the Privacy Act under s 7(1)(a)(iii). However, a Minister acting in his or her official capacity in relation to agencies within his or her portfolio is covered under ss 7(1)(d), (e), (ea), (eb), (ec), and (ed).

26. What this means is that Ministers are covered by the Privacy Act in relation to activities undertaken in connection with the agency they are responsible for, but generally their other activities are exempt.

27. The Office suggests that to help reduce this complexity, the definition of 'agency' which currently includes a Minister, should add words that describe the specific acts and practices of the Minister that are covered.

28. For further comments regarding political acts or practices please see the Office responses to questions 5-7 and 5-8 below.

Federal Courts

29. As noted in IP31 at paragraph 5.49, courts are partially exempt from the Privacy Act. Exemptions apply to the judicial functions of the court while the court's administrative functions are covered by the IPPs.

30. The Office notes that some privacy concerns exist around the publication of court records, especially when publication is in an electronic format. While the Office considers that further attention should be given to the privacy implications of publishing court records, the Office believes that the Privacy Act is not the appropriate instrument for dealing with this issue.

31. The publication of court records is discussed further in Chapter 11 in the response to question 11-5.

The Australian Industrial Relations Commission, the Australian Fair Pay Commission, the Industrial Registrar and Deputy Industrial Registrars

32. The industrial tribunals operate under a similar partial exemption to that applying to federal courts.

33. Other tribunals that are not exempt, such as the Administrative Appeals Tribunal (AAT), have been the subject of complaints by individuals to the Office. A number of the complaints have involved the AAT publishing its decisions. As with the exempt tribunals, the AAT has lawful authority to publish its findings.

34. The Office has no comment as to whether or not the current partial exemptions applying to industrial tribunals are appropriate. However, the Office would suggest that entities with like functions be treated consistently under the Privacy Act.

35. The Office believes that where exemptions apply it would be worthwhile introducing good privacy practices so that individuals understand how their personal information will be handled.

The Australian Crime Commission (ACC)

36. The ACC is fully exempt from the Privacy Act. The ACC's exemption from the Privacy Act originally applied to the National Crime Authority (NCA). As the Office understands it, the reasons behind this exemption appear to have been based on the NCA's coercive powers, unique to Commonwealth law enforcement, which allowed the collection of personal information of a speculative and untested nature.

37. When the NCA became the ACC in 2003, it absorbed the functions of the Australian Bureau of Criminal Intelligence (ABCI). The ABCI's role involved the collection and dissemination of intelligence from all Australian law enforcement agencies. Much of this is collected and stored on the ACC's Australian Criminal Intelligence Database and Australian Law Enforcement Intelligence Net database. Due to the ACC's exemption from the Privacy Act, none of the records held in these databases are covered by the Act, even though many are sourced from the Australian Federal Police (AFP), Customs, Australian Transaction Reports and Analysis Centre (AUSTRAC), the Australian Securities and Investments Commission (ASIC) and other agencies that are covered by the Privacy Act.

Review of the ACC exemption in the Privacy Act

38. In view of the changed role of the ACC over the years, the Office believes that it may be timely to reassess the suitability of the current ACC exemption from the Privacy Act.

39. The Office notes that the ACC has commented that although exempted from application of the Privacy Act, 'the ACC seeks to ensure that the spirit of the legislation is met and that the collection, use, storage and dissemination of information is subject to appropriate controls and safeguards.'146 The Office also notes that the ACC handles information in line with the Commonwealth Protective Security Manual.147

40. A review of the ACC exemption could assess whether a full exemption continues to be suitable or whether full or partial coverage by the Privacy Act is desirable. One option could be for the administrative operations of the ACC to be covered by the Privacy Act.

41. The Office notes that other agencies that perform a law enforcement function, such as the AFP, AUSTRAC, ASIC and the ATO, are covered by the Privacy Act. The Office has issued guidance explaining how the Privacy Act provides for law enforcement needs.148

Royal Commissions

42. The Office notes the privacy concerns raised in IP31 at paragraph 5.75 regarding the operations of royal commissions. Although the Privacy Act may not be the appropriate instrument to deal with those concerns, the Office believes that attention should be given to developing information handling standards for royal commissions that promote respect for privacy. The Office suggests that the matter be referred to the Attorney-General.

Integrity Commissioner

43. The Office believes that it would be desirable if the Australian Commission for Law Enforcement Integrity (ACLEI) developed information handling guidelines to assist in ensuring that the personal information it handles is adequately protected.

44. The Integrity Commissioner (Acting) has indicated he would be amenable for his Office to develop such guidelines with assistance as necessary from the Office of the Privacy Commissioner.

45. As with the ACC, another option could be for the administrative operations of the ACLEI to be covered by the Privacy Act. The Office welcomes further consideration of the issue by the ALRC.

Question 5-3

Office position:

  1. The Office recommends that s 7 of the Act, which deals with the acts and practices of agencies and organisations, be redrafted to provide greater clarity in regard to its application.
  2. The Office suggests that the definition of 'agency' which currently includes a Minister, should describe the specific acts and practices of the Minister that are covered.
  3. The Office suggests that entities with similar functions be treated consistently under the Privacy Act.
  4. The Office suggests that consideration should be given to reviewing the Australian Crime Commission (ACC) exemption to assess whether a full exemption continues to be suitable or whether full or partial coverage by the Privacy Act is desirable.
  5. The Office believes that attention should be given to developing information handling standards for royal commissions. The Office suggests that the matter be referred to the Attorney-General.
  6. The Office believes that it would be desirable if the Australian Commission for Law Enforcement Integrity (ACLEI) developed information handling guidelines to assist in ensuring that the personal information it handles is adequately protected. This could be achieved with assistance from the Office of the Privacy Commissioner.
  7. The Office suggests that consideration be given to whether it would be appropriate for the administrative operations of the ACLEI to be covered by the Privacy Act.

5-4 Should state and territory authorities be exempt from the privacy principles in the Privacy Act?

5-5 In addition to the energy distributors owned by the New South Wales Government, which are the only state authorities prescribed under the Privacy (Private Sector) Regulations 2001 (Cth), are there any other state or territory authorities that should be covered by the privacy principles in the Privacy Act? If so, to what extent should they be covered?

46. In considering questions 5-4 and 5-5, the Office makes distinctions between various types of state and territory authorities and instrumentalities. These can be broadly categorised as:

47. The Office submits that, wherever possible, exemptions to the Privacy Act should be kept to a minimum and only established where there are clear policy reasons for doing so. Such an approach will promote Parliament's intention that the Privacy Act establish a single comprehensive framework for privacy regulation in Australia.

48. The Office recognises that the acts and practices of state and territory bodies that are responsible for policy development and implementation, and for the making of laws, should generally be subject to the oversight of the respective Parliament, and thus ultimately accountable to the electorate of that jurisdiction. This includes Ministers and departments of state in those jurisdictions and bodies, as well as bodies established for a public purpose by or under a law of that state or territory. This is broadly consistent with the definition of state or territory authority in s 6C(3)(a), (b), and (d) through to (g).

49. In the Office's view, it would be desirable for all states and territories to implement privacy regulation that covered their own agencies and is consistent with the Privacy Act. In this regard, the principles prescribed in the Privacy Act could usefully serve as model legislation for those jurisdictions without equivalent law.

50. However, the Office suggests that the ALRC further consider whether the current arrangements remain appropriate for state and territory incorporated bodies appointed for a public purpose by or under law. While incorporated companies are excluded from the definition of state or territory authority (s 6C(3)(c)(i)), incorporated bodies 'established for a public purpose' by or under a state or territory law are included in the definition (s 6C(3)(c)). The Office draws particular attention to where such statutory corporations function as government businesses. For example, government businesses may include various electricity generators, distributors and transmitters, corporations related to the supply of water and some transport corporations.149

51. Under s 6F, state and territory authorities that serve a predominately commercial purpose can opt-in to coverage of the Privacy Act, subject to a request from the relevant jurisdiction. In the absence of such a request, statutory corporations will generally be exempt.

52. It is significant that not all states and territories have enacted privacy legislation. Those that have may not have allowed for coverage by the legislation of statutory corporations. In some cases, these statutory corporations may collect substantial amounts of personal information and it may accord with community expectations for the handling of such information to be afforded privacy protections.

53. The Office understands that state statutory corporations are not covered by privacy legislation in NSW or Victoria.

54. For example, in NSW, the Privacy and Personal Information Protection Act 1998 does not apply to state government statutory corporations (or 'government business enterprises' (GBEs)). In the 1998 debates for this Bill, the then Attorney-General the Hon Jeff Shaw stated that:

Whilst the Government remains committed to its pre-election undertaking to develop effective data protection laws which apply to both the private and the public sectors, it has been decided that this should be done in a uniform manner on a national basis.150

55. The Office agrees that privacy regulation should be pursued in a nationally uniform manner. The NSW Attorney also explained that:

The exemption for State-owned corporations was originally provided in the bill on the basis that to do otherwise would put State-owned corporations at a competitive disadvantage with the private sector. The Government has taken the view that State-owned corporations should be covered by privacy legislation only when the private sector is similarly covered.151

Significantly, he went on to state that:

When the Act evolves to include coverage of the private sector, State-owned corporations will be similarly covered by the information and privacy principles of the legislation.152

56. Since 1998, the Commonwealth Parliament has enacted privacy legislation for the private sector, though the NSW legislation has not been similarly amended. As a consequence, the regulation of personal information held by state statutory corporations and other private sector organisations is inconsistent. It can also be argued that state and territory statutory corporations may be at a competitive advantage over other private sector organisations in that they are exempt from privacy regulation. It is noteworthy that, in the case of NSW, there appears a recognition that there may be merit in applying privacy regulation to statutory corporations.

57. The Office understands from the Explanatory Memorandum to the Privacy Amendment Bill 2000 that the policy intention underlying the exemption of state and territory statutory corporations in the Privacy Act is to:

... to recognise that Commonwealth regulation of a State or Territory instrumentality (for example a Corporations Law company, society or association) that performs core government functions is inappropriate, if such regulation would curtail the capacity of the State or Territory to function as a government.

58. The Office recognises that Commonwealth privacy regulation should not curtail the capacity of states or territories to function. However, the Office submits that this policy objective could be achieved without necessarily imposing a blanket exemption from the Privacy Act for statutory corporations.

59. Applying privacy regulation to state and territory statutory corporations is likely to be consistent with the principle of competitive neutrality, as articulated in Clause 3 of the Competition Principles Agreement of the National Competition Policy.153

60. The Office submits that all incorporated bodies should be covered by privacy regulation consistent with the Privacy Act, unless there are compelling public interests to the contrary. Accordingly, it is suggested that the Privacy Act should apply to state and territory statutory corporations except where equivalent privacy legislation has been made in the relevant jurisdiction.

61. To facilitate those instances where there may be a strong public interest in state and territory incorporated bodies not being covered by privacy regulations (such as where it may curtail the ability of government to function), a regulation making mechanism (such as that already prescribed in section 6C(4)) should be available to exclude state and territory incorporated bodies from coverage by the Privacy Act.

62. This approach may negate the need for s 6F, which currently provides a mechanism for state and territory instrumentalities to be included as organisations.

Other forms of State and Territory bodies

63. The Office notes the issue of bodies established by administrative arrangements, including on a cooperative basis between jurisdictions. The application of privacy regulation to such entities will often be uncertain, as they may not fall within the definition of organisation or agency (the latter is relevant where the Commonwealth may be a party), though equally they may not fall within the definition of state and territory agencies for the purpose of privacy regulation in other jurisdictions.

64. The Office also notes the question of privacy regulation and higher education providers, including universities. Most universities are established under state or territory legislation and will therefore generally be exempt from the Privacy Act. If there is no privacy legislation in the jurisdiction in which they are established, then they may not be regulated in how they handle personal information. In many cases, universities will handle substantial amounts of personal information.

65. At the same time, private universities and universities established under ACT legislation will be covered by the Privacy Act, as will other private sector higher education providers. This creates a regulatory inconsistency in privacy regulation between bodies that substantially provide the same function.

66. The Office would welcome further consideration of these issues by the ALRC.

Question 5-4 and 5-5

Office position:

  1. The Office recommends that the Australian Government work with all states and territories to implement privacy regulation that is consistent with the Privacy Act or adopt the Privacy Act as model legislation. (See also Office position at Question 2-1)
  2. The Office suggests that consideration be given to whether the current arrangements that provide differing levels of privacy regulation for state and territory incorporated bodies, statutory entities and higher education facilities remain appropriate.
  3. The Office suggests that the Privacy Act should apply to all incorporated bodies including state and territory statutory corporations except where equivalent privacy legislation has been made in the relevant jurisdiction.
  4. The Office suggests that where it is considered necessary that state and territory incorporated bodies should be exempted from coverage of the Privacy Act because of public interest grounds, that consideration be given to applying a provision such as that currently existing in s 6C(4) to give effect to the exemption.

5-6 Should the small business exemption remain? If so: (a) what should be its extent; and (b) should an opt-in procedure continue to be available?

Reasons for the small business exemption

67. As noted in the Office's Private Sector Review, there are two main reasons for the small business exemption. First, many small businesses do not have significant holdings of personal information. They may have customer records used for their own business purposes; however, they do not sell or otherwise deal with customer information in a way that poses a high risk to the privacy interests of those customers.

68. Secondly, it is necessary to balance privacy protection against the need to avoid unnecessary cost on small business.154 Research undertaken by the Regulation Taskforce found that compliance matters can consume up to 25% of the time of large companies and that the impact is even greater for small businesses which generally do not have the in-house capacity to deal with and keep abreast of large amounts of regulation.155

National consistency and the small business exemption

69. The terms of reference for the Office's Private Sector Review156 sought to find out whether, among other things, the private sector provisions had created a nationally consistent scheme for the regulation of privacy that recognised individual interests and managed other competing interests such as business efficiency and the free flow of information.

70. The current small business exemption may not promote national consistency and may lead to additional burdens for small businesses and individuals because of the uncertainty it creates about whether personal information is regulated by the Privacy Act. For example, for a small business, a single failure to gain consent would revoke the status of the business as exempt under ss 6D(7) and 6D(8) and mean that the NPPs apply to its activities. For individuals, there may be an expectation that their personal information will be regulated by the NPPs and there may not be sufficient awareness that consent given to a small business could mean this protection is not provided.

71. In addition, some small businesses are covered by the Privacy Act due to the industry sectors they are in or for certain activities they perform. For example, in enacting the NPPs, Parliament recognised the special sensitivity that many individuals have toward how their personal health information is handled by providing that all private sector health service providers, regardless of turnover, would fall within the jurisdiction of the Privacy Act. The Office notes that other small businesses that may handle personal health information, but which do not provide a health service, will generally not be covered.

72. More recently, the Anti-Money Laundering and Counter-Terrorism Financing (Transitional Provisions and Consequential Amendments) Act 2006 brings personal information collected by small business 'reporting entities'157 under the jurisdiction of the Privacy Act. Significantly, under this legislation, personal information held by small businesses will only be covered where it has been collected for the purposes of anti-money laundering and counter-terrorism financing regulation. Accordingly, relevant small businesses will need to be able to distinguish between personal information that is regulated, and that which is not. The Office considers that many small business reporting entities may find that compliance is simplified by treating all personal information as though it is covered by the Privacy Act.

Definition of a small business

73. As discussed in Chapter 3 of this submission, the Office believes that the definition of small business should be changed to be based on number of employees rather than annual turnover. In the Office's Private Sector Review, the Office recommended that the definition be expressed in terms of the Australian Bureau of Statistics definition of small business which is a business with 20 or fewer employees.

74. The Government believes that redefining the exemption will capture some small operators that are exempt and would increase their costs, add to 'red tape' and be inconsistent with workplace reform.

75. The Office accepts these concerns, but believes that changing the definition to 20 employees or less may make the definition easier for organisations and individuals to understand.

Small businesses that handle significant amounts of personal information

76. There are a number of small business sectors that deal with significant amounts of personal information, such as telecommunications service providers, that achieve exemption from the NPPs either because they meet the definition under s 6D(1) or because they hold an individual's consent (ss 6D(7) and 6D(8)). The Office suggests that small businesses in these sectors should be prescribed under the Act.

77. Similarly, in Chapter 11, in the response to question 11-2(b), the Office suggests that it may be useful for small businesses that collect and use biometric information to be covered by the Privacy Act in light of the sensitivity of that personal information.

Telecommunications service providers

78. Telecommunications service providers, including internet service providers and Public Number Directory Producers, handle large amounts of personal information. For example, public number directory producers are authorised under the Telecommunications Act to access the Integrated Public Number Database which holds all listed and unlisted telephone numbers in Australia.

79. The Office notes that public number directory producers that have an annual turnover of $3 million or less may not be covered by the Privacy Act; subsections 6D(4)(c) and (d) provide that a business is not eligible for the small business exemption if it trades in personal information. However, subsections 6D(7) and (8) exempt a small business if the trading in personal information is conducted with the consent of the individuals whose information is traded, or if another law requires or authorises the trading of the information.

80. The Australian Government has recently introduced legislation (the Telecommunications Amendment (IPND) Act 2006) that regulates the production of public number directories. However, this law does not require public number directory producers to opt into coverage under the NPPs.

81. In the Office's Private Sector Review, the Office recommended that:

The Australian Government should consider using the power to prescribe under section 6E of the Privacy Act to ensure that the Privacy Act applies to all small businesses in the telecommunications sector, including Internet Service Providers and Public Number Directory Producers.158

The Office reiterates this recommendation.

Residential tenancy databases (RTDs)

82. As noted in the Office's Private Sector Review and in IP31 at paragraph 5.153, small businesses that operate tenancy databases will be covered by the Privacy Act because they trade in personal information. However, if the small business operating the database obtains the consent of the individual to collect or disclose his or her personal information, then the Privacy Act will not apply.

83. The Office also notes that a number of estate agents who conduct database reporting on residential tenants would be small businesses and therefore may be exempt from the Privacy Act, particularly if the estate agent obtains the consent of the individual to collect or disclose his or her personal information.

84. The 2005 Report on Residential Tenancy Databases (the Report), produced by the Working Party on Residential Tenancy Databases and submitted to the Ministerial Council on Consumer Affairs and the Standing Committee of Attorneys-General, made a number of recommendations to reform the current fragmented regulation of residential tenancy databases in Australia, including whether to regulate those estate agents that use them.159 The Report recommended that estate agents, landlords or listing agents should be regulated under State and Territory legislation:

The Working Party recommends that the States and Territories develop agreed uniform model legislation on the use by landlords, agents and listing parties of RTDs and addressing the relevant issues set out in section 4.3 below [emphasis added].160

85. The Report of the Working Party also recommended:

that the use of RTDs be regulated through uniform regulatory action by all States and Territories addressing the use by landlords, agents, or any other listing persons of RTDs; the Commonwealth take supporting regulatory action to provide certainty in relation to the application of the Commonwealth Privacy Act to RTDs; and to consider recommendation 16 of the Privacy Commissioner's review for a binding code under the Privacy Act that applies to RTDs.

86. The Office agrees with the recommendations made by the Working Party. Further, the Office submits that if the States and Territories do not pass uniform legislation to regulate estate agents, landlords or listing agents that use RTDs, the small business exemption should be altered to subject these entities to the NPPs in the Privacy Act.

87. In Chapter 7 the Office has also suggested that RTDs may be an appropriate field for a binding code under the Privacy Act (see the Office's response to question 7-3).

Small business exemption and the Office's Private Sector Review

88. The Office's Private Sector Review considered a number of options to reform the current exemption including:

89. Recommendations in the Office's Private Sector Review suggested that the Attorney-General consider using his power under section 6E of the Privacy Act to prescribe the tenancy databases and telecommunications sectors, including Internet Service Providers and Public Number Directory Producers, as businesses to be covered by the Act (see recommendations 9 and 15).162

90. The Government has noted Recommendation 15 that residential tenancy databases should be covered by the Privacy Act. The Government's response stated that the Attorney-General's Department will consider Recommendation 9 in the Privacy Commissioner's Report that regulations be made under s.6E of the Privacy Act to ensure that all small businesses in the telecommunications sector are not exempt.

91. Regarding the Office's recommendation that the consent provisions (ss 6D(7) and 6D(8)) be removed, the Government has responded that it believes that the Act currently provides a mechanism for dealing with situations in which the consent provisions should not operate.

92. The Office submits that ss 6D(7) and 6D(8) should be made clearer. As noted in the Office's Private Sector Review, there is a considerable lack of certainty for small businesses that trade in personal information because it is not clear whether only a single failure to gain consent would change the status of the organisation.

Opt-in provision for small business

93. Since December 2001, 158 small businesses have opted in under s 6EA of the Privacy Act to be treated as if they are an organisation and therefore be covered by the Privacy Act.163

94. The Office believes that the opt-in provision in s 6EA of the Privacy Act should be retained for the following reasons:

Questions 5-6

Office position:

  1. The Office reiterates recommendation 51 made in the Private Sector Review that the definition of small business be expressed in terms of the Australian Bureau of Statistics (ABS) definition, currently 20 employees or fewer, rather than the annual turnover. (See also Office position at Question 3-4)
  2. The Office reiterates recommendation 9 from the Private Sector Review that consideration be given to making regulations under s 6E of the Privacy Act to ensure that the Privacy Act applies to all small businesses in the telecommunications sector including Internet Service Providers (ISPs) and Public Number Directory Producers (PNDPs). (See also Office position at Question 11-2)
  3. The Office suggests that if the states and territories do not pass uniform legislation to regulate estate agents, landlords and listing agents who use Residential Tenancy Databases (RTDs), these businesses should be prescribed as organisations under the Act. (See also Office position at Question 7-3)
  4. The Office recommends that the consent provisions under ss 6D(7) and 6D(8) should be clarified so that businesses are clear about when the Privacy Act will apply to their activities.
  5. The Office suggests that the opt-in provision (s 6EA) should be retained as it provides a mechanism for businesses to enhance their business reputation, and in some cases is a requirement if the organisation wants to apply for a Code or Public Interest Determination (PID). (See also Office position at Question 5-7)

5-7 Should registered political parties be exempt from the operation of the privacy principles in the Privacy Act?

5-8 Should political acts and practices be exempt from the operation of the Privacy Act? If so, does the current exemption under s 7C of the Privacy Act strike an appropriate balance between the protection of personal information and the implied freedom of political communication?

95. During the parliamentary inquiry processes on the Private Sector Amendment Bill, 2000, the Office said at that time that political organisations should follow the same practices and principles that are required in the wider community.166

96. However, the Office notes that, in practice, it receives very few complaints or inquiries about the political exemption and therefore the Privacy Act may currently provide an appropriate balance.167

97. The Office submits that, if the political exemption is retained, one option could be to extend the small business opt-in provision in s 6EA to any organisations which are exempt from the operation of the Privacy Act. This would enable political parties to voluntarily opt-in to coverage by the Privacy Act if they wished.

98. Another option could be partial coverage of political parties by the NPPs. The Office believes that privacy protection may be enhanced if political parties were required to comply with a few key principles including openness and access and correction principles and had some limits placed on their disclosure of personal information.

Access and correction

99. The NPPs give people the right to see information held on them by a business, but due to the political exemption, individuals are not able to access information held on them by a political party, which in most cases is a business. If the information held by a business is wrong, NPP 6 allows a person to have it corrected. By contrast, an individual is unable to have incorrect information held by a political party corrected, even if the party holds sensitive information such as health information or information about political affiliation or alleged criminal misconduct.

100. The Office believes consideration could be given to whether individuals could have access to the personal information that political parties, political representatives, contractors, subcontractors and volunteers hold about them, and the right to correct that information if it is inaccurate.

Openness

101. The Office is of the opinion that consideration could be given to whether political parties should be required to have a privacy statement that sets out how they handle and protect the personal information they collect, as required by NPP 5. Privacy statements would enhance the transparency of political party information handling and allow individuals to understand how the political party may use their information. The Office notes that some parties already have such policies in place.

Disclosure

102. The Office believes that privacy protection may also be enhanced by the introduction of a new provision which prevented a political party or political representative from selling or disclosing personal information the political party or political representative has collected in the course of its duties.

103. This would be in line with provisions in the Electoral Act 1918 (Cth) (the Electoral Act) which limit disclosure of information held on electoral rolls. For example, the Electoral Act provides that those persons who may get information from the electoral roll (including political parties) may only use it for prescribed purposes and may not disclose the information for commercial purposes.

Questions 5-7 and 5-8

Office position:

  1. The Office recommends that the small business opt-in provision in s 6EA be extended to any organisations which are exempt from the operation of the Privacy Act such as political parties. This would allow exempt organisations to voluntarily opt-in to coverage by the Privacy Act.
  2. The Office suggests that consideration be given to requiring political parties to comply with a few key privacy principles, in particular the openness and access and correction principles along with some limits placed on their ability to disclose personal information.

5-9 Should the employee records exemption remain? If so: (a) what should be the scope of the exemption; and (b) should it be located in the Privacy Act, workplace relations legislation or elsewhere?

104. As previously stated, the Office's general position on exemptions is that, to achieve uniformity and consistent application of privacy legislation, exemptions under the Privacy Act should be minimised and a clear public interest should exist to support their continuation.

105. The employee records exemption raises interesting public policy issues, particularly how to ensure the appropriate balance between compliance costs and privacy protection. Matters to consider are outlined below.

Employee records and national consistency

106. The Office notes that the existence of the employee records exemption may contribute to regulatory inconsistency. Submissions made to the Office's Private Sector Review that raised the employee records exemption did so in the context of examining how the Privacy Act is achieving national consistency. A concern arising out of these submissions was that the States were legislating to deal with workplace privacy, creating a patchwork of laws in this field.168

107. The Office recommended that the Australian Government consider setting in place mechanisms to address inconsistencies that have come about, or will come about, as a result of exemptions in the Privacy Act, for example, in the area of workplace surveillance.169 In its response to the Office's Private Sector Review, the Government noted this recommendation but advised that the Standing Committee of Attorneys-General already provided such a mechanism and is currently considering the issue of workplace privacy.

One set of principles

108. In Chapter 4 the Office suggests that the IPPs and NPPs be replaced by a single set of privacy principles to further enhance regulatory consistency. While private sector employee records are exempt from the operation of the Privacy Act, the Office notes that the employee records of Australian and ACT government agencies are covered by the IPPs. Therefore, if the suggestion for a single set of principles were to be taken up, then removal of the employee records exemption would improve the consistent application of the principles to both the public and private sectors.

Existing practice

109. The Office understands that many large businesses170 already apply the privacy principles to their handling of employee records. For those businesses any removal of the exemption may not create an added compliance cost. Conversely for those businesses that do not currently apply the NPPs to their employee records there would be costs to implement and maintain a compliance regime.

110. The Office also notes that it receives enquiries about the privacy of employee records. In the last financial year (2005-06), of the 2000 enquiries received by the Office relating to issues falling outside the jurisdiction of the Privacy Act, 860 related to employee records.171

111. Coverage of employee records under the Privacy Act could have a number of benefits including:

112. Furthermore, the Office observes that employers sometimes hold sensitive information about their employees such as health or disabilities information. Generally, the Office believes that sensitive information as defined in s 6 of the Privacy Act should be fully covered by the Act.

113. Given the desirability of national consistency of privacy regulation, the Office believes that further consideration should be given to removal of the employee records exemption in s 7B(3) of the Privacy Act.

Question 5-9

Office position:

  1. The Office believes that given the desirability of national consistency of privacy regulation, further consideration should be given to removal of the employee records exemption in s 7B(3) of the Privacy Act.

5-10 Should acts and practices of media organisations in the course of journalism be exempt from the operation of the Privacy Act? If so: (a) what should be the scope of the exemption; and (b) does s 7B(4) of the Privacy Act strike an appropriate balance between the free flow of information to the public and the protection of personal information?

5-11 Should the terms 'in the course of journalism', 'news', 'current affairs' and 'documentary' be defined in the Privacy Act? If so, how should they be defined? Are there other terms that would be more appropriate?

5-12 If the media exemption is retained, how should journalistic acts and practices be regulated?

114. In conducting the Review of the Private Sector Provisions of the Privacy Act, the Office noted that the wording of the media exemption is broad and undefined, is unspecific in relation to the level of standards to which a media organisation must commit itself, and has no requirement that there be a means of enforcing such standards. Another concern raised was that the terms 'in the course of journalism' and 'media organisation' are yet to be the subject of judicial consideration.

115. It was also noted, however, that the Office has received few enquiries or complaints involving media organisations or journalistic activities and suggested that the current exemption may therefore strike an appropriate balance between privacy and the desirable free flow of information.

116. In the Review of the Private Sector Provisions of the Privacy Act, the Office recommended that the Australian Government should consider amending the Privacy Act so that:

117. The Office also recommended (recommendation 59) that it will, in conjunction with ACMA, provide greater guidance to media organisations as to appropriate levels of privacy protection, especially in relation to health issues and make organisations aware that the media exemption is not a blanket exemption.

118. The Government has since formally responded to the Privacy Commissioner's Report. The Government does not agree that the Privacy Act should be amended as suggested in the recommendation and takes the view that the appropriate course of action is that outlined in Recommendation 59.173

Questions 5-10 to 5-12

Office position:

  1. The Office reiterates recommendation 59 from the Private Sector Review that it will, in conjunction with ACMA, provide greater guidance to media organisations as to appropriate levels of privacy protection, especially in relation to health issues, and make organisations aware that the media exemption is not a blanket exemption.

5-13 Do any issues arise concerning related bodies corporate, changes in partnership and overseas acts required by foreign law in Part III Division 1 of the Privacy Act? If so, how should they be dealt with?

Related bodies corporate (s.13B)

119. The Office has received complaints from time to time from individuals that their information has been used for direct marketing by a related body corporate without their knowledge or consent. The Office submits that improved notice of disclosure by the relevant body corporate under NPP 1.3 should ameliorate this concern.

Change in partnership (s.13C)

120. Where there is a change of partnership in the sense that at least one partner from the old partnership is part of the new partnership, the Office submits that, as a matter of best practice, the new partnership should write to its customers and advise them of the change. In this way the individual concerned has a measure of choice over whether they wish to continue to transact with the new partnership, and so has some control over the personal information that the partnership has collected about them.

Overseas act required by foreign law (s.13D)

121. A note should be included under section 13D reminding organisations of their obligations in relation to transborder data flows of personal information under NPP 9. Transborder data flows and NPP 9 are further discussed in Chapter 13.

Question 5-13

Office position:

  1. The Office submits that improved notice of disclosure by the relevant body corporate under NPP 1.3 should ameliorate concerns about personal information being used for direct marketing by a related body corporate without the individual's knowledge or consent. (See also Office position at Question 4-1)
  2. The Office suggests that a note be included under s 13D reminding organisations about their obligations in relation to transborder data flows of personal information under NPP 9.

5-14 Are there any other entities or types of activities that should be exempt from the operation of the Privacy Act? If so, what are those entities or types of activities, and what should be the scope of the exemption?

122. The Office is not aware of a compelling case that any other entities or types of activities, including those of valuers, should be exempt from the operation of the Privacy Act. The Office takes the view that to achieve uniformity and consistency of application of privacy legislation, exemptions under the Privacy Act should be minimised. Where they exist, there should be a clear public interest enunciated for any exemption to be maintained or created.


141 Freedom of Information 1982, Schedule 2.

142 For the privacy rules / guidelines of the DIGO, DIO and ONA, see IGIS, Annex 5, 6 and 7, 2005-06 available at http://www.igis.gov.au/annual.cfm.

143 e.g. pp 29-31, 39-40, 44-45 in the 2005/06 IGIS Annual Report

144 OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 1980, s 4.

145 Law Reform Commission, Report No. 22, Privacy, v 1, Background, 1983, p xxxvii

146 Australian Crime Commission, Submission to the Inquiry by the Parliamentary Joint Committee of Public Accounts and Audit on Management and Integrity of Electronic Information in the Commonwealth, 2003, p 5.

147 Australian Crime Commission, p 5.

148 Office of the Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 1-3, October 1994, p 28.

149 For examples of government businesses in some jurisdictions, see NSW Treasury Performance of Government Businesses 2003-04 available at http://www.treasury.nsw.gov.au/pubs/trp2005/trp05-1.pdf, WA Department of Treasury and Finance Implementing National Competition Policy In Western Australia http://www.dtf.wa.gov.au/cms/uploadedFiles/ncp_progress_2004.pdf and Queensland Government owned corporations at http://www.qld.gov.au/departments/more_qld_government_websites.html#other.

150 The Hon J Shaw, Hansard extract, NSW Legislative Council, 17 September 1998 (article 44). http://www.parliament.nsw.gov.au/prod/parlment/hansart.nsf/8bd91bc90780f150ca256e630010302c/ca256d11000bd3aa4a2566950006cb86!OpenDocument.

151 The Hon J Shaw, Hansard extract, NSW Legislative Council, 25 November 1998 (article 46). http://www.parliament.nsw.gov.au/prod/parlment/hansart.nsf/8bd91bc90780f150ca256e630010302c/ca256d11000bd3aa4a2566e10083685e!OpenDocument.

152 The Hon J Shaw, Hansard extract, NSW Legislative Council, 25 November 1998 (article 46). http://www.parliament.nsw.gov.au/prod/parlment/hansart.nsf/8bd91bc90780f150ca256e630010302c/ca256d11000bd3aa4a2566e10083685e!OpenDocument.

153 See Government Business: Competitive Neutrality, available at http://www.ncc.gov.au/sector.asp?sectorID=16

154 Office's Private Sector Review, p 179.

155 Regulation Taskforce, Rethinking regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business, Report to the Prime Minister and the Treasurer, January 2006, p ii.

156 Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, (Office's Private Sector Review) 2005 http://www.privacy.gov.au/act/review/revreport.doc.

157 This is a defined term under the Anti-Money Laundering and Counter-Terrorism Financing Act (Cth) 2006 and applies to businesses that undertake certain prescribed activities.

158 Office's Private Sector Review, Recommendation 9.

159 The amendments to the report are current as at 39 March 2006.

160 Working Party on Residential Tenancy Databases Report on Residential Tenancy Databases 2005, Paragraph 4.2.1.

161 Office's Private Sector Review, Recommendation 53.

162 Office's Private Sector Review, Recommendation 52.

163 As at 5 February 2007, see http://www.privacy.gov.au/business/register/index.html#3.

164 See http://www.privacy.gov.au/business/codes/biometricscode.pdf. http://www.frli.gov.au/comlaw/Legislation/LegislativeInstrument1.nsf/framelodgmentattachments/66DC29E2533DFD9FCA2571B80005D37A.

165 Part 12.2 of the Credit Union Code of Conduct states: 'A Credit Union will comply with the National Privacy Principles in the Privacy Act (Cth) from 21 December 2001 and, for that purpose, a Credit Union which may otherwise be entitled, as a "small business operator" to an exemption from the definition of "organisation", within the meaning of those terms under the Privacy Act 1988, will apply, pursuant to s6EA of that Act, to be treated as an organisation for the purpose of that Act from that date.'

166 See OPC Submission to the Senate Legal and Constitutional Legislation Committee Inquiry into the Provisions of the Privacy Amendment (Private Sector) Bill 2000, September 2000, located at http://www.privacy.gov.au/publications/subbill.do and to the House of Representatives Standing Committee on Legal and Constitutional Affairs Inquiry Into the Privacy Amendment (Private Sector) Bill 2000, May 2000, located at http://www.privacy.gov.au/publications/hor.doc.

167 Only 0.3 percent of all enquiries made to the Office in the last financial year concerned the political exemption (66 enquiries related to the political exemption out of 21,466). Generally enquirers to the Office are advised of the political exemption and therefore choose not to proceed to lodging a complaint. For this reason, the number of complaints made concerning the political exemption is very small (2 complaints were declined in the last financial year based on the political exemption out of 1183 privacy complaints).

168 Office's Private Sector Review, p 285.

169 Office's Private Sector Review, Recommendation 4.

170 Coles Myer Submission to the Private Sector Review, Submission 60, available at http://www.privacy.gov.au/act/review/reviewsub.html; Australian Banker's Association Submission to Private Sector Review, Submission 70, available as above.

171 Generally, when people make inquiries to the Office about privacy of employee records the Office informs them of the employee records exemption which may lead some enquirers to not proceed to making a complaint with the Office. This may influence the number of complaints the Office receives about the employee records exemption. In the 2005-06 financial year, the Office closed approximately 22 complaints due to this exemption out of a total of 1131 complaints closed.

172 Office's Private Sector Review Recommendation 58.

173 Government Response to the Privacy Commissioner's Report, p. 11, located at http://www.ag.gov.au/www/agd/rwpattach.nsf/VAP/(CFD7369FCAE9B8F32F341DBE097801FF)~11Government+response+to+the+Privacy+Commissioners+Report.doc/$file/11Government+response+to+the+Privacy+Commissioners+Report.doc.
