
CHAPTER 6
POWERS OF THE OFFICE OF THE PRIVACY COMMISSIONER

Introduction

1. This chapter examines the powers of the Privacy Commissioner and makes recommendations based on the Office's experience in managing compliance with the Privacy Act.

2. In general, the Office finds that the Privacy Act contains appropriate provisions to support the Office's role as a complaint handling body. However, the Office submits that the strong focus in the Privacy Act on individual complaints should be balanced with provisions for dealing with systemic privacy issues. To this end, many of the suggestions made in this chapter relate to strengthening the capacity of the Office to respond effectively to systemic issues. This will allow the Office to be better equipped to manage not only the effects of interferences with privacy but also the causes.

6-1 Is the legislative structure pertaining to the Office of the Privacy Commissioner established under the Privacy Act appropriately meeting the needs of the community?

Structure and role of the Office

3. The Office considers that the structure of the Office of the Privacy Commissioner as established under the Privacy Act is appropriate. In particular, the Office supports the continuation of the Office of the Privacy Commissioner as a statutory body with a Commissioner appointed for a specified term, noting that this is consistent with international standards regarding privacy regulation.[174]

Name of the Office

4. As recommended in the Private Sector Review,[175] the Office proposes that the name of the Office of the Privacy Commissioner be changed to the Australian Privacy Commission to distinguish the Office from similar state authorities and to assist with developing a more recognisable name for the Office. This is further dealt with in Chapter 3 in the response to question 3.2.

The Commissioner's power of delegation

5. S 99 in the Privacy Act provides the Commissioner with the power to delegate all the powers provided to the Commissioner under the Act to his or her staff or to the staff of the Commonwealth Ombudsman with the exception of the Commissioner's complaint determination powers under s 52 and those relating to the issuing of Tax File Number Guidelines under s 17.

6. It is acknowledged that s 52 provides the Commissioner with significant powers to finalise complaints by determining that a breach of the Privacy Act has or has not occurred and declaring remedies where appropriate. The limitation of the exercise of this power to the Commissioner, as an appointed and therefore independent officer, is reflective of this significance.

7. Following a recommendation made in the Private Sector Review,[176] the Commissioner has committed to undertake more determinations under s 52 of the Privacy Act in the future.[177] In this context it would be preferable, and may become necessary, for more than one person to be able to exercise this function (a process which generally involves hearing oral submissions[178]). If only the Commissioner can perform this task, the number of determinations that can be undertaken will be limited by the availability of the Commissioner. If the Commissioner is unavailable, for example due to illness, any scheduled determination processes will have to be postponed until he or she is available.

8. For these reasons, the Office recommends that the Privacy Act provide for determinations under s 52 to be undertaken by other senior staff within the Office (for example the Deputy Commissioner or Assistant Commissioner) on the condition that the staff member making the determination is of appropriate seniority and is sufficiently independent of the investigation undertaken into the complaint. This could be achieved through the introduction of a qualified delegation power in respect of the Commissioner's s 52 powers. Alternatively, the Privacy Act could be amended to specify an additional position or positions within the Office that would be permitted to exercise the determination power under s 52.

9. While the Office has not identified a similar problem in terms of the Tax File Number Guidelines, it has correspondingly not identified a strong reason why this power should not also be delegable. Further, as these Guidelines are disallowable instruments this would provide additional scrutiny of any decision taken to exercise this power by a delegated officer.

Question 6-1

Office position:

  1. The Office supports the continuation of the Office of the Privacy Commissioner as a statutory body with a Commissioner appointed for a specified term.
  2. The Office reiterates recommendation 6 from its Private Sector Review by proposing that the name of the Office of the Privacy Commissioner be changed to the Australian Privacy Commission to distinguish the Office from similar state authorities.
  3. The Office suggests that s 52 of the Privacy Act be amended to provide for determinations to be undertaken by certain other senior staff within the Office subject to specified conditions.

6-2 Are the constraints imposed in the Privacy Act on the exercise by the Privacy Commissioner of powers conferred by the Act appropriate?

Competing interests

10. The Office supports the premise that privacy is a right that must be balanced with other community interests. As such, the Office supports the continued inclusion of a clear statement in the Privacy Act acknowledging this context, as is currently provided at s 29.

Criminal liabilities

11. The Office supports the continuation of the criminal liability provisions at s 96 which state that the Commissioner and his or her staff are subject to fine and/or imprisonment if they are found to have misused or inappropriately disclosed personal information acquired through their employment at the Office of the Privacy Commissioner. These are similar to secrecy or non-disclosure provisions included in other legislation governing agencies where staff members handle personal information[179] and it would seem inappropriate for the Commissioner and his or her staff to be subject to lesser obligations in this regard.

Question 6-2

Office position:

  1. The Office supports the continued inclusion of a statement in the Privacy Act which acknowledges that privacy is a right that must be balanced with other community interests.
  2. The Office supports the continuation of the criminal liability provisions in s 96 of the Privacy Act regarding the misuse or inappropriate disclosure of personal information acquired through employment at the Office of the Privacy Commissioner.

6-3 Does the Privacy Advisory Committee perform a useful role and have appropriate powers and functions? Are the fields of expertise represented on the Advisory Committee appropriate? Does the Advisory Committee, and the fields of expertise of Advisory Committee members, need to be set out in the Privacy Act?

12. The Office supports the continuation of the Privacy Advisory Committee (PAC) in its current role as an independent advisory body. The Office considers that the PAC provides valuable input into the Office's policy development and the general strategic direction setting of the Office as well as providing a range of valuable links to key sectors within the Australian community. The Commissioner considers that the current powers and functions of the Committee are appropriate and notes that the committee has been productively involved in a number of recent projects including the Office's Private Sector Review and an internal review of the Office's complaint handling processes.

13. However, the Office considers that the membership categories of the PAC as specified in s 82(7) of the Privacy Act should be reviewed and updated to reflect current business, community and government environments.

14. Specifically, the Office strongly supports the introduction of an explicit requirement that a health sector representative be included on the PAC given the community concern regarding privacy in this industry area.[180]

15. The Office also considers that the terminology used to describe the current industry categories represented on the PAC may be outdated and could be revised to better reflect current data handling practices. For example, it may be appropriate to amend s 82(7)(c) to specify that at least one person on the Committee should have extensive experience in the field of 'information technology' rather than 'electronic data processing'.

16. Additionally, it is noted that s 82(7)(a) specifies that at least one member 'shall be a person who has had at least 5 years' experience at a high level in industry, commerce, public administration or the service of a government or an authority of a government'. The Office believes that this provision should be amended to separately require the inclusion of a member with high level experience in industry or commerce and a member with experience in public administration or government, rather than combining these categories.

Question 6-3

Office position:

  1. The Office supports the continuation of the Privacy Advisory Committee (PAC) in its current role as an independent advisory body.
  2. The Office suggests that the PAC membership categories outlined in s 82(7) of the Privacy Act should be reviewed and updated to reflect current business, community and government environments by:
    • introducing an explicit requirement that a health sector representative be included;
    • updating terminology used to describe the current industry categories; and
    • requiring the inclusion of a member with high level experience in industry or commerce in addition to a member with experience in public administration or government.

6-4 Is the scope of immunities conferred on: (a) the Privacy Commissioner and his or her delegates; (b) an adjudicator appointed under a privacy code and his or her delegates; and (c) other persons, appropriate?

17. The Office supports the continuation of the immunity from civil action provided at s 64 for the Privacy Commissioner (or code adjudicator) and his or her delegates. This is consistent with other similar legislation.[181]

18. The Office also supports the continuation of the immunity from civil action provided to complainants under s 67 as this is fundamental to providing individuals with an opportunity to freely raise a complaint without concern that they may be liable for defamation or other civil action.

Question 6-4

Office position:

  1. The Office supports the continuation of immunity from civil action for the Privacy Commissioner (or code adjudicator) and his or her delegates provided for in s 64 of the Privacy Act.
  2. The Office supports the continuation of immunity from civil action for complainants provided for in s 67 of the Privacy Act.

6-5 Are the Privacy Commissioner's powers to oversee the Privacy Act appropriate and effectively exercised? For example, are the Commissioner's powers: (a) to furnish advice; (b) to research and monitor developments in data processing and computer technology; (c) to promote understanding of the IPPs and of the objects of the IPPs and the NPPs; (d) to undertake education programs to promote individual privacy protection; (e) relating to tax file numbers; (f) arising under other Acts, appropriate and effectively exercised?

19. The Office considers that it is appropriate for the Commissioner to be provided with a sufficient range of powers to effectively promote and protect privacy in Australia. This includes provision for the handling of privacy complaints and systemic compliance issues as well as the advisory, consultative and educative roles in which the Commissioner concurrently engages. In this regard, the Office considers that the Commissioner's powers to oversee the Privacy Act referred to in Question 6-5 are appropriate and should be retained.

20. However, the Office notes that language in some sections may require updating. In particular, s 27(1)(c) sets out the Commissioner's function 'to undertake research into, and monitor developments in, data processing and computer technology.' The Office submits that the wording 'computer technology' is outdated and may inadvertently restrict the intention of this clause, which the Office believes is to provide for research into technologies with a possible privacy impact, whether or not they are computer-based.

Question 6-5

Office position:

  1. The Office considers that the Privacy Commissioner's powers to oversee the Privacy Act are appropriate and recommends that they be retained.
  2. The Office suggests amending s 27(1)(c) in the Privacy Act to replace the wording 'computer technology' with wording that would encompass all technologies with a possible privacy impact.

6-6 Should the Privacy Act require a privacy impact assessment to be prepared for: (a) all proposed Commonwealth legislation; (b) other proposed projects or developments of agencies; or (c) other proposed projects or developments of organisations?

21. The Senate Legal and Constitutional Committee, in its inquiry into the Privacy Act, recommended that:

the Privacy Act be amended to include a statutory privacy impact assessment process to be conducted in relation to new projects or developments which may have a significant impact on the collection, use or matching of personal information.[182]

22. The Office supports this recommendation. In particular, the Office supports the introduction of a statutory requirement that public sector agencies undertake a Privacy Impact Assessment (PIA) for new projects and/or legislation that significantly impact on the collection or handling of personal information.

23. The Office suggests that if a mandatory scheme is adopted it include a set of criteria to establish when a PIA is required. For example, the Government of Canada has instituted a mandatory PIA scheme for government agencies.[183] Its Privacy Impact Assessment Policy specifies the following types of project as being subject to this requirement:

Departments and agencies must conduct Privacy Impact Assessments for proposals for all new programs and services that raise privacy issues. For programs and services implemented prior to this policy, institutions must undertake assessments if they are substantially re-designing them or their delivery channels or transforming them for electronic service delivery in a manner that affects the collection, use or disclosure of personal information.[184]

24. If such a requirement were included in the Privacy Act, the Office considers that it would be inappropriate for failure to comply with this requirement to be considered an interference with an individual's privacy and to be handled as an individual privacy complaint.

25. A more appropriate regulatory mechanism may be to provide the Privacy Commissioner with the authority to report the agency's failure to comply with this requirement to the relevant Minister. Part IV, Division 3 of the Privacy Act currently provides the Commissioner with this option in relation to a range of the Commissioner's functions where an agency has been non-compliant. Additionally, or as an alternative, the Commissioner could report on PIA compliance issues in the Office's annual report. Similar reporting mechanisms are outlined in the monitoring framework for the Canadian Privacy Impact Assessment Policy.[185]

26. Many private sector organisations also undertake projects that would benefit from undergoing a PIA process. However, the Office does not believe a mandatory requirement should be imposed on organisations to undertake PIAs. The Office believes that the greater consumer choice in the private sector enables individuals to choose to interact with businesses with good privacy practices. As such, the Office submits that the free market nature of the private sector does not support a mandatory PIA requirement. However, the Office considers that private sector organisations should be encouraged to undertake PIAs for large scale high privacy risk projects. To this end, the Office believes that it could be valuable for resources such as PIA guidelines tailored to the private sector to be developed by the Office in consultation with the sector.

27. The Office considers that there is a stronger argument for a statutory requirement for PIAs to be undertaken in relation to public sector projects and legislation. Specifically, the Office notes that public sector agencies are often provided with specific legislative powers to require the production of or permit the use and disclosure of personal information. Further, services provided by government agencies are commonly essential in nature (such as the payment of benefits) and are undertaken in a monopoly environment, preventing individuals from being able to choose providers on the basis of their information handling practices.

28. If there was a decision taken to make PIAs mandatory in the private sector, the Office recommends that a clear set of criteria be developed to identify when a PIA is required, thereby ensuring that the compliance burden on organisations is proportionate to the privacy risks.

Question 6-6

Office position:

  1. The Office supports the introduction of a statutory requirement on public sector agencies to undertake a Privacy Impact Assessment (PIA) for new projects and/or legislation that significantly impact on the collection or handling of personal information. This should include:
    • a set of criteria to establish when a PIA is required;
    • an appropriate regulatory mechanism to ensure compliance.
  2. The Office does not believe a mandatory requirement should be imposed on private sector organisations to undertake a PIA. However, organisations should be encouraged to undertake a PIA for large scale, high privacy risk projects.
  3. The Office should develop PIA guidelines tailored for the needs of the private sector through consultation.

6-7 If privacy impact assessments are required: (a) who should be involved in preparing the assessments; (b) who should be entitled to view the results of the assessments; (c) who should bear the costs of the assessments; and (d) what role should the Privacy Commissioner play in overseeing any requirements placed on agencies or organisations in this regard?

29. A PIA is an assessment tool that describes the personal information flows in a project, and analyses the possible privacy impacts that those flows, and the project as a whole, may have on the privacy of individuals. The purpose of doing a PIA is to identify and recommend options for managing, minimising or eradicating privacy impacts. Given that the agency or organisation's compliance with the Privacy Act is the responsibility of that agency or organisation, the Office considers that the conduct of any PIA should be the responsibility of the particular agency or organisation.

30. It may be appropriate for a PIA to be conducted within the agency or organisation or by an external private provider. However, the Office does not consider that the conduct of PIAs should be the responsibility of the Privacy Commissioner.

31. The benefits of publishing PIAs are outlined in the Commissioner's Privacy Impact Assessment Guide which states:

wherever possible, publishing the contents and findings of a PIA can add value to a PIA. Publishing helps to demonstrate to stakeholders and the community that the project has been critically analysed with privacy in mind. Publishing also represents good practice by contributing to the transparency of the project.[186]

32. Whilst the Office encourages the publication of PIAs, the Office acknowledges that PIAs are essentially internal working documents designed to assist agencies and organisations to make good privacy decisions when developing information handling systems or practices. It is important that the PIA process is critical and unfettered by concerns regarding poor publicity for example. As such, the Office appreciates that there may be circumstances where agencies or organisations may not wish to publish their PIA in full, such as where the PIA contains commercial in confidence information or where publication may raise security issues or where the project is in its early stages and there will most likely be subsequent PIAs conducted as the project develops.

33. However, the Office considers that if a statutory requirement for PIAs to be conducted is introduced, a corresponding accountability mechanism should also be included in the Privacy Act. This could be achieved in a number of ways. For example, agencies could be required to include a report of PIAs undertaken in their annual report and/or the Commissioner's functions could be extended to include a monitoring role in respect of PIAs undertaken (for example by requiring that the Commissioner be provided with an opportunity to comment on PIAs produced under any mandatory requirement). Additionally, and as outlined in response to the previous question, it may be appropriate to include an authority for the Commissioner to report agency non-compliance with any statutory PIA requirement to the relevant Minister and/or in the Office's annual report.

Question 6-7

Office position:

  1. The Office holds the view that the conduct of any PIA should be the responsibility of the particular agency or organisation.
  2. The Office believes that if a statutory requirement to conduct a PIA is introduced, a corresponding accountability mechanism (for example, inclusion in the Annual Report) should also be included in the Privacy Act.

6-8 Is the Personal Information Digest published in a useful manner? If not, how might it be improved? Is the record itself useful?

34. Currently, Personal Information Digest (PID) entries are reported to the Privacy Commissioner and then made available via the Privacy Commissioner's website. Whilst technologically appropriate at the time of the passage of the Act, the Office believes now that it may be more appropriate and efficient for agencies to include this information on their own websites - or to report the updating of their PID entry in their annual report. In this situation, the role of the Commissioner might be to monitor the compliance of agencies with this obligation. Agencies found by the Commissioner to have failed to display or update their PID entry might then be reported to the Minister. This could be provided for under s 32 of the Privacy Act.

35. The Office also believes that the form of the PID may need to be reviewed. In particular, if agencies were required to develop a comprehensive privacy policy, which is the suggestion the Office makes in its proposal for a single set of principles (see Chapter 4, question 4-35), then it is questionable whether it would still be relevant for agencies to create a PID entry.

Question 6-8

Office position:

  1. The Office suggests that consideration be given to amending the current Personal Information Digest (PID) requirements in the Privacy Act. The Office suggests, rather than reporting to the Privacy Commissioner, agencies should:
    • include this information on their own websites; or
    • report the updating of their PID entry in their annual report; or
    • provide this information in their privacy policy.
  2. The Office suggests the form of the PID may need to be reviewed.

6-9 What powers should the Privacy Commissioner have to audit agencies and organisations?

36. The Commissioner considers that privacy audits are a key method for determining the extent of compliance with the Privacy Act and are an important educative tool.

37. The Office noted in its Private Sector Review that:

Having a private sector audit power may increase community confidence in the efficacy of the Privacy Act and give the Office an additional power to identify systemic issues and to monitor responses.[187]

38. However the Office also commented that:

if the Office were to have the power to audit the private sector, this would have resource implications. It currently carries out limited audits in those areas in which it has the power. In addition, it could be argued that this is a role that a number of private sector consultancy firms carry out, and should not be one taken on by the Office.[188]

39. The Office concluded in the Private Sector Review that it may be more appropriate for it to encourage organisations to undertake privacy audits themselves rather than including this as a function of the Commissioner.

40. The Office remains of the view that, in general, private sector organisations should be encouraged to undertake self-auditing in relation to privacy.

41. It is notable, however, that the Commissioner does currently have the power to audit private sector organisations in relation to their handling of Tax File Numbers and credit reporting information. These audit powers acknowledge the particular sensitivities associated with these types of information or information handling practices.

42. However, the Commissioner's current audit functions under the Privacy Act do not provide the flexibility to identify other areas or practices that may require particular scrutiny through privacy audits undertaken by the Office.

43. In the interests of making the Commissioner's powers under the Privacy Act responsive to changing risks to information handling practices over time, the Office proposes that a qualified audit power for private sector compliance with the NPPs be introduced. In consideration of the contrary arguments provided above, the Office considers that it may be appropriate to limit the audit power to allow for audits to be undertaken where particular risks or practices of concern have been identified such as significant systemic breaches.

44. The Privacy Commissioner of Canada has a private sector audit power which is qualified in this manner:

The Act gives the Privacy Commissioner of Canada the authority to audit an organization's personal information management practices when she has reasonable grounds to believe the organization is not fulfilling its obligations under Part 1 of the Act or is not respecting the recommendations of Schedule 1.[189]

45. The Office supports an amendment of the Privacy Act to provide the Privacy Commissioner with the power to audit private sector organisations for compliance with the NPPs where the Commissioner has reasonable grounds to believe that the organisation is engaging in practices that:
    • pose new and significant risks to the personal information they hold; or
    • contravene the privacy principles in the Act or a commitment made in resolution to a complaint or own motion investigation.

46. A reasonable belief could be established in the first instance by community concern regarding the emergence of a new technology in the private sector, such as the use of biometrics. A reasonable belief in the second instance could be established through further complaints or observance of continuing non-compliant practice following an investigation into a complaint or an own motion investigation.

47. In making this recommendation, the Office notes that the Commissioner's audit activities, whilst part of a compliance framework, primarily serve an educative function. Under the Commissioner's current credit reporting and TFN audit powers there are no sanctions for poor privacy practices identified in an audit and it is not proposed that sanctions be introduced in respect of the proposed NPP audit power. The Office anticipates that it is likely that an NPP audit power as described would be infrequently used. However, where appropriate, it would allow the Office to expand on its current own motion investigation activities to formally interrogate the general information handling practices of an organisation and work with the organisation to address any privacy risks or ongoing privacy issues identified.

Question 6-9

Office position:

  1. Private sector organisations should undertake self-auditing in relation to privacy.
  2. The Office recommends the introduction of a qualified audit power expanding on its own motion investigation functions to allow the Office to audit private sector organisations for compliance with the NPPs where the Privacy Commissioner has reasonable grounds to believe that the organisation is engaging in practices that:
    • pose new and significant risks to the personal information they hold; or
    • contravene the privacy principles in the Act or a commitment made in resolution to a complaint or own motion investigation.

6-10 Should organisations and agencies be required to self-audit periodically to ensure and to demonstrate compliance with the Privacy Act?

48. The Office encourages organisations and agencies that handle personal information to self-audit as a means of ensuring compliance with the Privacy Act and protecting the personal information that they hold. Consistent with this, the Office acknowledged in the Private Sector Review that there may be a greater role for the Office in assisting private sector organisations to undertake self-audits, with Recommendation 39 of the Private Sector Review stating that:

The Office will consider promoting privacy audits by private sector organisations, including by providing information on the value of auditing as evidence of compliance in the event of complaints and by developing and providing privacy audit training for organisations.[190]

49. However, the Office is of the opinion that introducing a mandatory self-audit requirement may not be the most appropriate way to facilitate better privacy compliance.

50. Under the privacy principles in the Privacy Act, organisations and agencies are already required to take reasonable steps to ensure the protection of the personal information that they hold. In many cases, where an organisation or agency holds significant amounts of personal information or the information they hold is particularly sensitive, the adoption of a self-audit policy may be a reasonable step to take to ensure the protection of the information held. However, this may not be a reasonable step for smaller businesses or other businesses that are not significant data-handlers. A mandatory requirement in this regard may impose a disproportionate compliance burden on such organisations.

51. Further to this, whilst the task of self-auditing would fall on the organisations and agencies that would be subject to any such requirement, the resource implication of any monitoring function concurrently undertaken by the Privacy Commissioner should also be considered. Given the number of organisations and agencies that are subject to the Privacy Act, any monitoring function would be likely to be considerably resource intensive. The Office submits that if it were required to ensure that a particular standard of self-auditing was undertaken, the resource burden of the Office's monitoring function would be even more significant.

52. For these reasons, the Office considers that it would be more appropriate and efficient for a targeted private sector audit function to be introduced in the Privacy Act rather than a mandatory requirement that organisations and agencies self-audit periodically.

6-11 Should all the Privacy Commissioner's functions be consolidated in the Privacy Act?

53. The Office has previously argued that the Privacy Act should be restructured to take a more logical format to assist the ease of use for the reader (see response to question 3-1 in Chapter 3). Consistent with this general approach, the Office supports the consolidation of the Privacy Commissioner's functions into one section of the Privacy Act. This includes where the Commissioner's functions are sourced in other legislation; for example, as is currently the case at s 27(1)(p) and (pa) which refer to the Commissioner's functions to produce guidelines under the Data-matching Program (Assistance and Tax) Act 1990 and the National Health Act 1953 respectively.

Question 6-11

Office position:

  1. The Office supports the consolidation of the Privacy Commissioner's functions into one section of the Privacy Act. This includes where the Commissioner's functions are sourced in other legislation.

6-12 Are the procedures under the Privacy Act for making and pursuing a complaint, including a representative complaint, appropriate? Are the Privacy Commissioner's powers to make preliminary inquiries and investigate complaints appropriate and effective?

Making a Representative Complaint

54. Sections 38, 38A, 38B and 38C relate to the handling of representative complaints under the Privacy Act. Currently a representative complaint can be lodged without the consent of class members (s 38(3)). Further, there is no requirement that the party making the representative complaint has standing to make such a complaint.

55. S 38A provides that the Commissioner may cease to handle a matter as a representative complaint in a range of circumstances, including where, in the interests of justice, it would be 'inappropriate' to do so. It is arguable that the Commissioner could cease to handle a complaint as a representative complaint under this provision where the party making the complaint had insufficient standing. However, the Office considers that it may be appropriate for the Commissioner to be provided with a specific discretion to refuse to handle a matter as a representative complaint in these circumstances.


56. The Office also notes that s 39 in the Privacy Act provides that where a person is a class member for a representative complaint they are not entitled to lodge a complaint in respect of the same subject matter. In combination with s 38(3), this means that an individual's capacity to make an individual complaint can be removed without their knowledge or agreement.

57. S 38B(2) in the Privacy Act provides that a class member may 'withdraw from a representative complaint at any time before the Commissioner begins to hold an inquiry into the complaint.' However, it is unclear what 'an inquiry into the complaint' means in this context given that terminology of 'investigation' and 'determination' is used in the Privacy Act (the only reference to inquiries being s 42, which provides for preliminary inquiries to be made in respect of a complaint). As such, it is unclear at what stage an individual may withdraw from a representative complaint.

58. The Office recommends that this provision be amended to clarify when an individual may withdraw from a representative complaint. Further, the Office suggests that individuals should be provided with the option of opting out of a representative complaint at any time if the individual did not consent to be a class member. S 46PC in the Human Rights and Equal Opportunity Commission Act 1986 may provide an appropriate model clause. Under this provision:

A class member may, by notice in writing to the Commission, withdraw from a representative complaint at any time before the President terminates the complaint under section 46PH.

S 40(1A) - mandatory requirement that the complainant first complain to the respondent unless inappropriate


59. The Office strongly supports the retention of a general requirement that individuals complain to the body with whom they have the grievance in the first instance before making a complaint to the Privacy Commissioner. The Office considers that where a complaint can be resolved between the complainant and respondent without the involvement of the Privacy Commissioner, this is likely to be the most efficient means of resolving the complaint. Further, the Office suggests that the requirement that the complaint is first made to the respondent provides respondents with an opportunity to take greater control and ownership of their handling of complaints and provides an incentive for respondents to actively deal with matters before they are raised with the Privacy Commissioner.

60. This requirement is consistent with the practices of similar regulators such as the Commonwealth Ombudsman as well as private sector complaint handling bodies such as the Telecommunications Industry Ombudsman.191

61. It should be noted that the Privacy Act does give the Privacy Commissioner the discretion to investigate complaints without requiring that the individual first make the complaint to the organisation, in cases where the Commissioner considers that it would not be appropriate to do so.192

Conciliating complaints at the preliminary inquiries stage

62. S 42 of the Privacy Act gives the Privacy Commissioner the power to make inquiries with the respondent in order to ascertain whether a complaint is within jurisdiction or whether the Commissioner should exercise her discretion not to investigate the complaint.


63. The Office does not generally use this stage of the complaint process to attempt to formally conciliate complaints. However, if it appears that the matter could be resolved by a straightforward action that the respondent may not have considered, or if the respondent may not be aware of its obligations under the Privacy Act (for example, to provide access to personal information), the Office may make suggestions in this regard. This action could be considered a form of early conciliation. Notably, however, the Commissioner's specific powers relating to conciliation only apply after the commencement of a formal investigation; s 27(1)(a) provides the Commissioner with the power to:

Investigate an act or practice of an agency that may breach an Information Privacy Principle and, where the Commissioner considers it appropriate to do so, to endeavour, by conciliation, to effect a settlement of the matters that gave rise to the investigation.

64. Similar powers are provided at s 27(1)(ab) in relation to private sector complaints.

65. The Office is interested in promoting early conciliation, where appropriate, as an expedient means of resolving complaints to the satisfaction of both parties. Given this, the Office recommends that the Privacy Commissioner's specific conciliation functions under s 27 be amended to provide for the option of conciliating complaints at any stage in the complaint handling process, including before the commencement of a formal investigation.

Contacting third parties at the preliminary inquiries stage

66. S 42 provides the Commissioner with the power to make preliminary inquiries of the respondent to a complaint. However, in some cases, it may also be relevant to contact third parties at the preliminary inquiries stage. For example, where the Office receives a complaint about a disputed credit default, it is usually relevant to the assessment of the case for the Office to seek a copy of the individual's credit information file. In this case, if the complaint has been made against the credit provider, the Privacy Act does not give the Commissioner specific powers at the preliminary inquiries stage to seek this information from the credit reporting agency (which is a third party).


67. Whilst the Commissioner has a general power to 'do anything incidental or conducive to the performance of any of the Commissioner's other functions'193, the Office considers that it would be appropriate for the Commissioner to have a specific power to contact third parties in these circumstances. This will also provide greater clarification for third party organisations disclosing personal information to the Commissioner in this situation.

S 69 of the Privacy Act

68. Section 69 puts two restrictions on personal information that can be furnished or produced in relation to a privacy complaint to the Commissioner under s 36 of the Act.

69. Firstly, it prevents people from giving the Commissioner information generated for the purposes of taxation or statistics law unless it relates to an individual who has made a complaint to the Commissioner. While the provision does override the Commissioner's powers to require the production of information in the context of a complaint investigation, the Office supports this part of the section being retained. It recognises the sensitive nature of the information held by the Australian Taxation Office and the Australian Bureau of Statistics, and to date the section has not prevented or hampered privacy complaint investigations.

70. Secondly, the section sets out very broad restrictions on the provision of information about an individual other than the complainant to the Privacy Commissioner. Such information can only be provided with the individual's consent. This part of the section also overrides the Commissioner's power to require information to assist an investigation.

71. If applied rigorously, this provision would make the complaint handling process very onerous for organisations and agencies that are respondents to complaints under s 36 of the Act. For example, a description of an incident leading to a privacy complaint may be less meaningful or less convincing without naming third parties, including employees. The lack of such information may make it difficult for the Commissioner to investigate, and the process of obtaining consent may be difficult or costly.

72. Apart from the difficulties mentioned, the rationale for this provision is unclear and appears to depart from the framework that would ordinarily be applied to a regulatory body.

73. The Office suggests that s 69 be reframed to more clearly target the circumstances when third party consent would be required to furnish or produce information to the Commissioner.


Question 6-12

Office position:

  1. The Office recommends that provisions under s 38B(2) of the Privacy Act be amended to: clarify when an individual may withdraw from a representative complaint, or include the option of opting out of a representative complaint at any time if the individual did not consent to be a class member.
  2. The Office recommends the retention of a general requirement that individuals complain to the body with whom they have the grievance in the first instance, before making a complaint to the Privacy Commissioner.
  3. The Office recommends that the Privacy Commissioner's specific conciliation functions under s 27 of the Privacy Act be amended to provide for the option of conciliating complaints at any stage in the complaint handling process, including before the commencement of a formal investigation.
  4. The Office suggests that the Privacy Commissioner be given a specific power to contact third parties for the purpose of undertaking preliminary inquiries into a complaint.
  5. The Office is of the opinion that the restrictions placed on the Privacy Commissioner to obtain personal information under s 69 of the Privacy Act should be addressed in the following ways:
    • The Office supports the retention of the provisions relating to the restrictions on information generated for the purposes of taxation or statistics law unless it relates to an individual who has made a complaint to the Commissioner;
    • The Office suggests that s 69 be amended or clarified to ensure that any limits on the provision of personal information to the Commissioner in the context of an investigation of a privacy complaint do not constrain the Commissioner's ability to investigate.

6-13 Is the obligation of the Privacy Commissioner to investigate a complaint about an act or practice that may interfere with the privacy of an individual appropriate, and is it administered effectively?

Declining to investigate where there is minimal apparent harm and little public interest

74. The obligation on the Privacy Commissioner to investigate all complaints that may be an interference with the privacy of an individual (subject to the application of the decline powers under s 41) necessarily directs the Office's resources and attention towards the resolution of individual issues. While this is clearly a primary function of the Commissioner, the fact that all organisations have finite resources means that with high levels of complaints other functions or activities (such as auditing and pursuing systemic issues) may have to be reduced to allow for complaints to be handled in an efficient way.


75. A number of submissions to the Office's Private Sector Review raised concern regarding the Commissioner's limited ability to address broader systemic issues as a result of the Privacy Act's strong focus upon individual complaints. The Office noted in the Private Sector Review that this focus on individual complaints was in part because complaint investigation is a non-discretionary function under the Privacy Act.194

76. The Office considers that it is appropriate for it to retain its complaint handling functions and its role in resolving individual privacy issues. However, the Office also considers that it would be beneficial for a better balance to be achieved between handling individual matters and focusing on preventing privacy issues from arising, and dealing with systemic compliance concerns.

77. The Office considers that, to provide an appropriate balance between these competing priorities and in the interests of best serving the public interest overall, the Commissioner should be granted the power to decline to investigate complaints where there appears to be little public interest (for example, where there is minimal apparent harm, or the matter has been considered before and the organisation has changed its practice). This recommendation was also made in the Office's Private Sector Review.195

78. The Office notes that a number of other complaint handlers have a discretionary decline power of this nature. For example, NSW Privacy and the Human Rights and Equal Opportunity Commission are both able, under their respective legislation, to decline to investigate matters where the complaint is trivial.196 Further, the Commonwealth Ombudsman has the discretion to decline to investigate or further investigate a matter where:


an investigation, or further investigation, of the action is not warranted having regard to all the circumstances.197

79. The Office recommends that the Privacy Commissioner be granted a similar discretionary power, but suggests that the inclusion of a public interest test may be appropriate. Such a power could be balanced by a requirement for the Privacy Commissioner to advise the 'respondent' organisation that a complaint has been lodged and that, while it is not being investigated in this instance, any further complaints of a similar nature may be.

Declining and referring complaints where an industry dispute resolution body is a more appropriate forum


80. The Office recognises that there are a number of industry dispute resolution bodies in the private sector that currently handle disputes relating to privacy. In particular, the Telecommunications Industry Ombudsman (TIO) and the Banking and Financial Services Ombudsman (BFSO) both name privacy complaints as matters which (in some cases) they will consider.198

81. Currently, if the Office becomes aware that a privacy complaint is being handled by the BFSO or TIO, it will generally decline to concurrently investigate the matter. In such cases, the Commissioner or his or her delegate exercises the power to decline the complaint under s 41(2)(b) of the Privacy Act, on the basis that the respondent is engaged in a dispute resolution process that has yet to be finalised and, as such, has not had an adequate opportunity to deal with the matter.

82. The Office considers that it may be appropriate to introduce a specific decline power relating to the above circumstances, thereby both acknowledging and formalising the role of industry complaint handlers in resolving privacy issues.

83. The decline power at s 41(1)(e) could be used as a model clause for this purpose, noting that a complaint may only be declined under s 41(1)(e) if the complaint is already the subject of an application under another law (or in this case, before a dispute resolution body) and the matter 'has been, or is being, dealt with adequately under that law' (or again in this case, by the dispute resolution body).

84. The Office also considers that it may be appropriate for the application of such a decline power to be limited to matters that are before a 'recognised' industry dispute resolution body. Correspondingly, the Commissioner could be provided with an additional function to recognise such bodies for the purpose of this provision. A flow on effect may be to formalise the relationships between the Office and industry complaint handlers, thereby facilitating better communication and exchange of information in respect of the interpretation and application of the Privacy Act.


85. One way of implementing greater formalised arrangements with industry complaint handlers could be to create memoranda of understanding, which could allow the referral of complaints where appropriate.

86. In addition to this, the ALRC could consider a power which allows the Privacy Commissioner to simultaneously decline a complaint that would be more suitably handled by a recognised industry body, and to formally refer that complaint to the appropriate body with a request for investigation. This power may be applicable, for example, where the primary reason for the complaint relates to service provision in the industry rather than privacy elements. The Office understands that powers currently exist under other legislation which permit certain agencies to refer complaints and relevant information to other agencies and authorities.199

87. Without a parallel power of referral such as that proposed above, it may not be appropriate for the decline power under s 41(1)(f) to be similarly applied to complaints that could be handled by an industry dispute resolution body.200 In all relevant cases, if the complainant does not wish to pursue the matter through an industry body, the complainant should be able to bring the complaint to the Privacy Commissioner.

88. These options are also discussed in response to question 7-1(d) (on multiple regulators) and in Chapter 10 in response to question 10-3 (on telecommunications regulation).

Declining to investigate where the complaint is withdrawn or the complainant has ceased to pursue the matter


89. Currently, where a complainant withdraws their complaint, the Commissioner will cease any investigation or inquiries into that complaint based on the request of the complainant. In some cases, the Commissioner will assume that a complaint has been withdrawn where the complainant has repeatedly failed to respond to correspondence, or the Office has otherwise lost contact with the complainant.

90. To clarify the Commissioner's powers in this regard, the Office considers that it would be preferable for the Commissioner to have a specific power to cease consideration of a complaint if the complainant has ceased to pursue the matter or has withdrawn the complaint.


Question 6-13

Office position:

  1. The Office recommends the Privacy Commissioner be granted a discretionary power to decline to investigate complaints where there appears to be little public interest. This power could be balanced by a requirement for the Privacy Commissioner to advise the 'respondent' that a complaint has been lodged and that while it is not being investigated in this instance, any further complaints of a similar nature may be.
  2. The Office recommends the introduction of a specific decline power where a privacy complaint is being handled by a recognised industry dispute resolution body. Consideration should be given to providing the Privacy Commissioner with an additional function to recognise such bodies for the purpose of this provision.
  3. The Office recommends the introduction of a power to allow the Privacy Commissioner to simultaneously decline a complaint that would be more suitably handled by a recognised industry body, and to formally refer that complaint to the appropriate body with a request for investigation.
  4. The Office recommends that the Privacy Commissioner be given a specific power to cease consideration of a complaint if the complainant has ceased to pursue the matter or has withdrawn the complaint.

6-14 Is the power of the Privacy Commissioner to investigate an act or practice that may interfere with the privacy of an individual appropriate, and is it used effectively?

S 49 - Investigation to cease if certain offences may have been committed


91. Reference is made in IP31 to the compulsion, in certain circumstances, on the Privacy Commissioner to cease investigating a complaint. Specifically, if (after commencing an investigation) the Commissioner forms the opinion that a credit reporting or tax file number offence may have been committed the Commissioner is compelled under s 49 of the Act to cease investigating the matter and to refer the matter to the Australian Federal Police (AFP) or the Director of Public Prosecutions (DPP).

92. The DPP has advised the Office that they will not consider a matter unless they receive a statement of evidence from the AFP. As such, the referral option to the DPP may in itself be questionable at that stage of the process.

93. The AFP, as with all agencies, must prioritise its activities in line with its resources. In the Office's experience, few matters referred to the AFP under s 49 as possible offences are subsequently prioritised for investigation by the AFP. The Commissioner's investigation is suspended while the AFP makes this decision, which can delay resolving the complaint and, in certain circumstances, could be disadvantageous to the complainant.

94. The Office supports the retention of the offence provisions in the Privacy Act. However, it would seem appropriate for the offence provisions to set a higher test than the test for an interference with privacy under the Privacy Act. This is currently the case for most of the offences referred to in the Privacy Act.


95. For example, s 18R(1) in the Privacy Act provides that:

A credit reporting agency or credit provider must not give to any other person or body... a credit report that contains false or misleading information.

96. S 18R(2) then states that a credit reporting agency or credit provider that intentionally breaches this provision, is guilty of an offence. If it is clear that a breach of s 18R(1) was unintentional, the Privacy Commissioner may not be required to refer a complaint on this issue to the AFP.

97. The exception to this is the tax file number offence under s 8WB in the Taxation Administration Act, which provides that it is an offence for a party to disclose another individual's TFN. The result of this offence provision is that all complaints where the Commissioner forms the view in an investigation that a TFN may have been inappropriately disclosed must be referred to the AFP, with the investigation ceased in the meantime, even if it is clear that the disclosure caused limited or no harm and resulted from a one-off administrative error.

98. In consideration of this example, the Office suggests that the offence provisions under the Privacy Act be amended to ensure that they relate to sufficiently serious misconduct and that the test for an offence is higher than the test for a breach of the Privacy Act in all cases (for example, by the inclusion of a concept of intent in the offence provision).


Question 6-14

Office position:

  1. The Office suggests that the offence provisions under the Privacy Act be reviewed to ensure that they relate to sufficiently serious misconduct and that the test for an offence is higher than the test for a breach of the Privacy Act in all cases.

6-15 Are the Privacy Commissioner's powers relating to the conduct of investigations appropriate and effectively exercised? For example, are the Commissioner's powers regarding: (a) appearances before the Commissioner; (b) conferences; (c) obtaining information and documents; (d) examining witnesses; (e) entering premises to gather information; (f) discussion of complaints with a Minister or other designated person; and (g) reports, appropriate and effectively exercised?

99. The Office supports the continued inclusion of the Commissioner's investigation powers currently provided in ss 43-47 of the Privacy Act. These powers broadly relate to more extreme situations where agencies or organisations are non-compliant in the investigation process. Given this, the fact that some of these powers have been rarely used does not necessarily suggest that they are inappropriate to retain.

100. However, the Office considers that a number of the provisions outlining the Commissioner's powers in relation to investigations could be clarified. For example, s 46 and s 47 outline the conduct of and the Commissioner's powers in relation to a 'compulsory conference'. The Office has taken a compulsory conference to mean a compulsory conciliation conference. However, this is unclear from the provisions as they are currently drafted.


101. Notably, the compulsory conference provisions at s 46 and s 47 do not apply to NPP complaints. The Commissioner otherwise has the same functions in relation to the handling of NPP complaints as other complaints against government agencies or against organisations in relation to credit reporting or TFN complaints. As such, the Office considers that the Commissioner's powers to conduct investigations (including his or her powers to conduct compulsory conferences) should be consistent regardless of the complaint subject. Correspondingly, the Office supports the extension of the application of s 46 and s 47 to NPP complaints.

Question 6-15

Office position:

  1. The Office supports the continued inclusion of the Privacy Commissioner's investigation powers currently provided in ss 43-47 of the Privacy Act.
  2. The Office suggests that consideration be given to clarifying the terminology of ss 43-47 of the Privacy Act. In particular, the term 'compulsory conference' in ss 46 and 47.
  3. The Office suggests that consideration be given to extending the application of ss 46 and 47 of the Privacy Act to complaints relating to the NPP.

6-16 Are the Privacy Commissioner's powers under the Privacy Act to make determinations appropriate and administered effectively?

102. In its Private Sector Review, the Office recommended in relation to the Commissioner's determination powers that:

The Australian Government should consider amending the Privacy Act to:

103. The Office provided a number of examples of where the Commissioner's current determination powers had proven insufficient to effectively handle some systemic issues that have arisen since the introduction of the private sector provisions in the Privacy Act. The Office refers the ALRC to Chapter 5 of the Office's Private Sector Review for further discussion on this matter.


104. The Office is of the view that the Commissioner's determination powers should be amended to provide a broader range of enforcement remedies for systemic issues. However, the Office notes that if the Privacy Act is amended to 'provide for enforceable remedies following own motion investigations', this in itself may provide for the expansion of 'remedies available following a determination under s 52 to include giving the Privacy Commissioner power to require a respondent to take steps to prevent further harm arising from systemic issues'.

105. Further discussion of enforceable remedies is provided in response to question 6-22.

Question 6-16

Office position:

  1. The Office recommends the Privacy Commissioner's determination powers should be amended to provide a broader range of enforcement remedies for systemic issues.

6-17 Are the Privacy Act provisions for enforcing determinations adequate and administered effectively?

Enforcement powers

106. The Office considers that it may be appropriate for the Privacy Act to be amended to include additional enforcement powers in relation to determinations made by the Privacy Commissioner. This is discussed in more detail in response to question 6-22 below.

Appeal Rights


107. The Office noted in its Private Sector Review that the lack of merits review for the Office's key decisions in particular circumstances appears to be out of step with other government-based authorities.202 Specifically, merits review by the Administrative Appeals Tribunal is currently only available in relation to declarations regarding compensation made in respect of determinations against agencies. No merits review is available for determinations made in relation to complaints against organisations, or in relation to other remedies specified in determinations against agencies.

108. The Office supports the extension of the appeal rights under the Privacy Act in the interests of providing a fair and transparent complaint handling process that is sufficiently open to scrutiny. Specifically, the Office recommends that all determinations made by the Commissioner should be reviewable by the AAT, including determinations made against private sector organisations. Further, this review power should extend to all decisions made using the determination power, and should not be limited to decisions regarding compensation or remedy.

Question 6-17

Office position:

  1. The Office recommends that all determinations made by the Privacy Commissioner should be reviewable by the Administrative Appeals Tribunal, including determinations made against private sector organisations. This review power should extend to all decisions made using the determination power, and should not be limited to decisions regarding compensation or remedy.

6-18 Are the Privacy Commissioner's powers under the Privacy Act to make public interest determinations, including temporary public interest determinations, appropriate and administered effectively?

Public Interest Determinations


109. The Office supports the continuation of the Commissioner's powers in respect of public interest determinations and temporary public interest determinations. The Office accepts that an individual's right to privacy can, in some circumstances, conflict with other social and political rights as well as the interests of the community as a whole.

110. In consideration of this and the Commissioner's obligation under s 29 to 'have due regard for the protection of important human rights and social interests that compete with privacy, including the general desirability of a free flow of information (through the media and otherwise) and the recognition of the right of government and business to achieve their objectives in an efficient way', the Office acknowledges that there will be circumstances where the operation of the high level privacy principles in the Privacy Act may be inconsistent with the public interest. In the experience of the Office, the Commissioner's power to make public interest determinations and temporary public interest determinations has provided the Office with the necessary flexibility to respond to such situations.

The Application Process

111. Part VI in the Privacy Act outlines the Commissioner's power to make Public Interest Determinations (PIDs) and Temporary Public Interest Determinations (TPIDs) and the process by which an application for such should be lodged and processed.

112. Only an agency or an organisation (or the National Health and Medical Research Council on behalf of an agency) may make an application (s 73). However, beyond this, the Commissioner is not provided with any discretion to decline to consider an application for a PID or TPID. As such, once an application is made, the Commissioner must undertake a lengthy and involved process to consider and assess the application, including the publication of the application, the drafting of a determination and the conduct of a conference about the draft determination. There is therefore a risk that an application could be made frivolously or vexatiously, or where there is clearly no merit, and the Commissioner would then be bound to undertake full consideration of the matter.

113. The Office suggests that this risk could be addressed by the introduction of a requirement that the applicant must consult with the Office before making an application and/or the inclusion of a discretion not to consider an application if the application is clearly of no merit.

114. It is important to note, however, that decisions made by the Commissioner in this context are subject to review under the Administrative Decisions (Judicial Review) Act (ADJR).


Question 6-18

Office position:

  1. The Office supports the continuation of the Privacy Commissioner's powers in respect of public interest determinations (PID) and temporary public interest determinations (TPID).
  2. The Office suggests consideration should be given to introducing a requirement that applicants must consult with the Office before making an application for a PID or TPID, and/or the inclusion of the discretion not to consider an application under certain circumstances.

6-19 Are the Privacy Act provisions for obtaining injunctions adequate and effective?

115. It is noted in IP31 that the injunction power in the Privacy Act is different and unusual by comparison with general law on injunctions.

116. The Office notes that s 98 of the Privacy Act provides that an injunction may be granted 'on the application of the Commissioner or any other person' (emphasis added). As such, there is no requirement of standing for a party to seek an injunction under the Act. The Office has some concerns regarding this departure from general law on injunctions in that it could allow a party with no interest in the privacy of the individuals in question to seek an injunction that may, as a consequence, impact on how an agency or organisation interacts with that individual. That is, an injunction could be sought by a party for a purpose other than the protection of individuals' privacy.

117. Consequently, the Office recommends that s 98 be amended to include a test of standing.


Question 6-19

Office position:

  1. The Office suggests consideration should be given to amending s 98 of the Privacy Act to include a test of 'standing' for persons applying for an injunction.

6-20 Are the Privacy Act provisions for approving privacy codes appropriate and effective? Are privacy codes an appropriate method of regulating and complying with the Act? Why have privacy codes been so little used? Should the Privacy Commissioner have the power, on his or her initiative, to develop and impose a binding code on organisations or agencies?

Privacy Codes

118. As noted in the Office's Private Sector Review, whilst Private Sector Codes were intended to be a key feature of the privacy regime established by the private sector provisions, to date, there have been very few applications for code approval. Only four codes have been approved by the Privacy Commissioner (one has since been revoked), with two more currently under consideration.

119. Under the code provisions, a code may establish a separate complaint handling procedure including the appointment of a code adjudicator. Only one code approved by the Privacy Commissioner has so far provided for its own complaint handling process and code adjudicator; the General Insurance Information Privacy Code. Interestingly, the code was revoked in April 2006 following review as a result of 'the high cost, small number of privacy complaints, and relatively low industry take-up of the Code.'203

120. Given the lack of take up in codes and the revocation of the only code that established its own complaint handling process, it is reasonable to conclude that the code making provisions have not been highly successful in their current form.


121. The submissions to the Privacy Sector Review that addressed the Commissioner's code approval functions focussed on the complexity and length of the application process and did not specifically suggest that code provisions should be repealed.204 In consideration of the concerns raised the Office made a recommendation to review the Code Development Guidelines dealing with the processes relating to code approval with a view to simplifying them.205

122. However, the Office also acknowledges that it is likely that the code approval process will continue to be lengthy and potentially complicated given that a necessary component of the process is the assessment of whether or not the provisions within the code provide an equal or greater level of protection to the NPPs. Certainly, it has been the Office's experience to date that the code approval process is resource intensive for both the Office and the applicant.

123. It is difficult to measure the privacy benefit of the codes that have been introduced. Notably, it is not clear that there have been any significant efficiency benefits for the Office given that the Privacy Commissioner remains the complaint handling body and code adjudicator for each of the three codes currently in operation. Conversely the Office notes that the private sector complaint handling bodies that currently handle privacy complaints, such as the TIO and the BFSO, do so independently of the privacy code framework.

124. Finally, the Office suggests that there is some tension between the concept of national consistency and the introduction of industry- or organisation-specific privacy codes that replace the NPPs. Whilst the limited uptake of codes has meant that this has not arisen as a significant national consistency issue, if more codes are developed in the future, it is likely that this will create a more complex privacy regulation environment. The Office strongly supports the development of greater national consistency in privacy regulation, which was also a key theme that arose in submissions to the Office's Private Sector Review. If more codes are introduced there is a risk that this will increase the complexity of privacy regulation for individuals, organisations and agencies. Correspondingly, if the Commissioner continues to be nominated as the code adjudicator there is a risk that the Office's compliance role will become increasingly complex and cumbersome, with complaint handling staff required to apply different sets of principles for different complaints.


125. Given these concerns, the Office suggests that there is a strong argument to amend the code provisions in the interests of efficiency and national consistency. The Office proposes that this could be achieved in a number of ways. For example, it may be appropriate for the Commissioner to be provided with the discretion to decline to consider a proposal for a code where there is little or no public interest in the code's development. A public interest test in this regard could weigh the need for the code against the impact on national consistency in privacy regulation and the costs involved.

126. It may also be appropriate for codes (whether initiated by industry or the Commissioner) to operate in addition to the privacy principles rather than replacing the privacy principles (in a similar manner to the credit reporting code of conduct). In this manner, the privacy principles would continue to apply as the base standard for privacy protection across the community supporting the concept of national consistency. The code could then provide specific and binding guidelines as to how the NPPs should be applied in a particular sector (for example, a Real Estate Industry code could specify the types of information that could be considered as 'necessary' to collect in a tenancy application process under NPP 1.1).

127. Importantly, the Office does not support the removal of the equivalence requirement in relation to codes. The Office considers that the Public Interest Determination mechanism is a more appropriate process for assessing applications for the requirements of the NPPs to be waived in certain exceptional circumstances in the public interest.

Binding Codes - initiated by the Commissioner

128. In Recommendation 7 in the Private Sector Review, the Office proposed that:


The Australian Government should consider amending the Privacy Act to provide for a power to make binding codes.

129. The Office refers the ALRC to the arguments forwarded in support of this position in Chapters 2 and 5 of its Private Sector Review.

130. The Office recommends that the Privacy Commissioner be provided with the power to make binding codes as a component of a more robust compliance regime that is responsive to arising privacy issues. In summary, the Office considers that providing the Commissioner with a code making power would:


131. The Office proposes that the code making powers in the Trade Practices Act 1974 and the Telecommunications Act could serve as example models that could be adapted for the privacy context. Importantly, the Office wishes to emphasise that any power to issue binding guidelines or codes should necessitate significant consultation with affected stakeholders. Further, as an accountability measure, it is suggested that codes initiated by the Commissioner be disallowable instruments.

Question 6-20

Office position:

  1. The Office recommends that the existing code provisions in the Privacy Act should be amended to take into account the interests of efficiency and national consistency.
  2. The Office does not support the removal of the equivalence requirement in relation to codes.
  3. The Office reiterates its recommendation 7 from the Private Sector Review that consideration should be given to amending the Privacy Act to provide the Privacy Commissioner with the power to make binding codes.
  4. The Office suggests that binding codes initiated by the Privacy Commissioner be disallowable instruments.

6-21 Is the current compliance model used in the Privacy Act appropriate and effective to achieve the Act's purposes? If not, is that because of its content, its administration, or some other reason?

132. The Office is of the opinion that the Privacy Commissioner should retain the complaint handling role, but this should be better complemented by stronger powers to handle systemic issues and issues arising from industry practice. Addressing systemic issues is discussed further in the response to question 6-13.

133. Broadly the model proposed by the Office includes the introduction of:

134. The Office considers that it may also be appropriate for further enforcement remedies to be introduced into this model. Additional options for enforcement are addressed in response to question 6-22.


Question 6-21

Office position:

  1. The Office proposes a compliance model that retains the Privacy Commissioner's existing complaint handling functions and conciliation focus but complements this with stronger powers to handle systemic issues and issues arising from industry practice.

6-22 Does the range of remedies available to enforce rights and obligations created by the Privacy Act require expansion? For example, should the available remedies include any or all of the following for particular breaches of the Act:

(a) administrative penalties

135. It is unclear that administrative penalties as described in IP31 would usefully address the compliance issues that arise under the Privacy Act.

136. In particular, the Office considers that a non-discretionary fine would not be suitable in a complaints framework, where establishment of a breach of privacy will often depend on assessing two versions of a particular event and/or establishing whether or not an exception to a general rule applies in the particular circumstances.

(b) enforceable undertakings or other coercive orders

137. As noted in response to question 6-21, the Office supports the introduction of coercive orders as an enforceable remedy following an own motion investigation.206


138. In this case, the Office considers that the enforceable compliance notice model, examples of which include s 82 of the Information Act 2002 (NT) and s 44(1) of the Information Privacy Act 2000 (Vic), is likely to be more appropriate in the context of the Privacy Act than the introduction of an ACCC-style framework of enforceable undertakings.

139. In the ACCC model, enforceable undertakings operate as an alternative to litigation. In this context, an enforceable undertaking is likely to be considered a preferable outcome for the respondent in most cases. As the Privacy Commissioner cannot prosecute organisations for breaches of the Privacy Act, the same incentive for organisations to commit to appropriate enforceable undertakings is not present.

140. Importantly, the Office has to date successfully negotiated appropriate outcomes to many own motion investigations. The Office considers that instead of an 'enforceable undertaking proceeding to litigation model', an appropriate model for privacy compliance would be 'negotiated outcome proceeding to compliance order'.

(c) remedies in the nature of damages

141. As noted in Chapter 1, the Office sees merit in considering options for the development of a tort of privacy. A tort of privacy may provide individuals with an avenue for seeking remedies in the nature of damages. The development of a tort of privacy is discussed further in Chapter 1 in the response to question 11-2.

142. Beyond this, the Office is of the view that a conciliation model should remain the primary complaint handling model under the Privacy Act, including where the individual is seeking compensation. This is particularly significant given the costs involved in pursuing a matter through the courts and, by comparison, the low levels of compensation that are generally involved in the resolution of privacy complaints.


143. The Office also notes that whilst the Privacy Act does not provide for the Federal Court to direct an organisation to comply with a determination made by the Privacy Commissioner, individuals can still pursue compensation through the Federal Court in accordance with section 55A where an organisation has not complied with a determination.

(d) infringement notices

144. Infringement notices are described in IP31 at paragraph 6.196 as being: 'typically used for low level offences and where a high volume of uncontested contraventions is likely, such as traffic and parking violations'.

145. The conditions expressed in this example are not common to most privacy compliance issues. In particular, it does not appear that this enforcement remedy would be appropriate to apply in relation to individual complaints, which are frequently contested. Further, the ALRC suggests at paragraph 6.197 that infringement schemes are only constitutionally valid where they:

do not involve a regulator assessing a penalty after a hearing of any description, but merely applying the law that determines the breach, together with a statement of the amount that the notice invites the alleged offender to pay.


146. Given that the Privacy Act presents a set of high level principles that permit actions depending on the circumstances, and often, on the basis of reasonableness, it is unlikely that there would be many circumstances in which an infringement notice could be lawfully issued prior to an investigation having been undertaken. Further, the Office considers that infringement notices would not be necessary if other remedies such as orders were available.

(e) civil penalties

147. A number of submissions to the Office's Private Sector Review, expressed the view that there should be some level of civil penalty resulting from a contravention of the Privacy Act and that the absence of such penalties reduces the incentive for businesses to comply with the Privacy Act.207

148. However, the Office considers that there are few circumstances where the introduction of civil penalties would be appropriate.

149. The Office supports an enforcement pyramid model approach to compliance, as described in IP31 at paragraphs 6.178 and 6.179. The Office proposes that in the privacy compliance context, this pyramid should include as its first step a conciliation focus to the handling of complaints and the resolving of systemic issues. Following from this, the Office supports the continued use of determinations in respect of individual complaints and similarly of enforceable remedies (such as coercive orders) in relation to OMIs where a resolution cannot otherwise be negotiated.

150. If civil penalties were to be considered, the Office is of the opinion that they should be consistent with this enforcement framework.

151. In line with this model, civil penalties could potentially be considered as a sanction for a failure to comply with a compliance notice arising from an OMI (if compliance notices were introduced). Alternatively, if a mandatory reporting requirement is introduced for significant data security breaches (as proposed in Chapter 11 at question 11-3(d)), failure to report may also be a contravention for which a civil penalty could be considered. Further consideration would need to be given to any possible scale and range of penalties in these or other circumstances.


(f) criminal sanctions

152. The Office considers that a cautious approach should be taken to the inclusion of further criminal sanctions in the Privacy Act given that the Commissioner does not have the authority to investigate criminal matters. As privacy is unlikely to be a high policing priority, a significant increase in criminal sanctions may impede rather than facilitate better privacy protection and privacy complaint outcomes.

153. As previously advised, the Office considers that any offence provisions in the Privacy Act should relate to sufficiently serious misconduct with the test for an offence substantially higher than the test for a breach of the Privacy Act. Further, even where the misconduct is serious in nature (such as conduct which is a 'reckless, intentionally dishonest or flagrant contravention' of the Privacy Act) careful consideration should be given to whether the introduction of criminal sanctions is likely to be the most effective, efficient and appropriate means of deterring such conduct in the circumstances.


Question 6-22

Office position:

  1. The Office is of the view that a conciliation model should remain the primary complaint handling model under the Privacy Act, including where the individual is seeking compensation.
  2. The Office supports the introduction of coercive orders as an enforceable remedy following an Own Motion Investigation.
  3. The Office considers that non-discretionary fines and infringement notices would not be suitable remedies to introduce into the Privacy Act.
  4. The Office suggests that consideration be given to introducing civil penalties as a sanction under the Privacy Act in limited circumstances. However, the Office recognises that further consideration would need to be given to any possible scale and range of penalties.
  5. The Office considers that a cautious approach should be taken to the inclusion of further criminal sanctions in the Privacy Act.
  6. The Office considers that any offence provisions in the Privacy Act should relate to sufficiently serious misconduct. The Office suggests that the test for an offence should be substantially higher than the test for a breach of the Privacy Act. (See also Office position at Question 6-14)


174 See for example: Criteria and Rules for Credentials Committee and the Accreditation Principles adopted on 25 September 2001 during the 23rd International Conference of Data Protection Commissioners held in Paris, 24-26 September 2001 and as amended on 9 September 2002 during the 24th International Conference of Data Protection and Privacy Commissioners held in Cardiff 9-11 September 2002.

175 Office of the Privacy Commissioner, Getting in on the Act: the Review of the Privacy Act 1988 (Office's Private Sector Review) 2005, Recommendation 6.

176 Office's Private Sector Review, Recommendation 37.


177 See Office of the Privacy Commissioner, 'Commissioner's use of s 52 determination power' Privacy Matters, Spring issue, 2006.

178 Privacy Act 1988 (Cth), s 43(5): the Commissioner must provide parties to a complaint with an opportunity to make oral submissions prior to making a determination under s 52.

179 See for example Ombudsman Act 1976 (Cth), ss 35 and 35A, and Migration Act 1958 (Cth), s 377.

180 Community attitudes research undertaken by the Office in 2004 indicated that health information was considered particularly sensitive by individuals. Individuals ranked health service providers as the most trustworthy in relation to their use and protection of personal information. See Office of the Privacy Commissioner, Community attitudes towards privacy 2004, pp 19 and 24, and Chapter 8.


181 See for example Ombudsman Act 1976 (Cth), s 33.

182 Legal and Constitutional Committee, The Real Big Brother: Inquiry into the Privacy Act 1988, June 2005, Recommendation 5, available at: http://www.aph.gov.au/senate/committee/legcon_ctte/privacy/report/index.htm.

183 Whilst this is a mandatory policy requirement for government agencies in Canada, it is not a legal requirement under Canadian privacy legislation, though the Privacy Commissioner of Canada has called for PIAs to be required under law as part of a broader Privacy Act reform. See: Office of the Privacy Commissioner of Canada, Fact Sheet: Privacy Impact Assessments, available at: www.privcom.gc.ca/fs-fi/02_05_d_33_e.asp.

184 Treasury Board of Canada Secretariat, Privacy Impact Assessment Policy, available at: www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paip-pefr_e.asp.


185 Ibid.

186 Office of the Privacy Commissioner, Privacy Impact Assessment Guide, 2006, p 9, available at: http://www.privacy.gov.au/publications/PIA06.doc.

187 Office's Private Sector Review, p 157.

188 Office's Private Sector Review, p 157.


189 Office of the Privacy Commissioner of Canada, Your Privacy Responsibilities: A Guide for Businesses and Organizations to the Personal Information Protection and Electronic Documents Act, available at: www.privcom.gc.ca/information/guide_e.asp.

190 Office's Private Sector Review, Recommendation 39.


191 See Ombudsman Act 1976 (Cth), s 6(1A). The Telecommunications Industry Ombudsman (TIO) website states: 'The TIO is "an office of last resort". This means that in the interests of fairness the service provider must be given a reasonable opportunity to settle a complaint with a customer before the TIO will become involved.' See http://www.tio.com.au/about_tio.htm.

192 Privacy Act 1988 (Cth), s 40(1A).


193 Privacy Act 1988 (Cth), s 27(1)(s).

194 Office's Private Sector Review, p 150.

195 Office's Private Sector Review, Recommendation 46.

196 See for example Privacy and Personal Information Protection Act 1998 (NSW), s 46(3)(b); and Human Rights and Equal Opportunity Commission Act 1986 (Cth), s 46PH(1)(c).

197 Ombudsman Act 1976 (Cth), s 6(1)(b)(iii).


198 See www.tio.com.au/policies/jurisdiction.htm; and paragraph 3.1(b) of the Banking and Financial Services Ombudsman Limited Terms of Reference, available at: www.bfso.org.au/ABIOWeb/abiowebsite.nsf.

199 See, for example, Privacy and Personal Information Protection Act 1998 (NSW), s 47 ('Referring privacy related complaints to other authorities'); Health Records and Information Privacy Act 2002 (NSW), ss 65-7; Information Privacy Act 2000 (Vic), s 34A; Health Records Act 2001 (Vic), s 51; Ombudsman Act 1973 (Vic), ss 15A and 20B.

200 Privacy Act 1988 (Cth), s 41(1)(f) states that the Commissioner may decline to investigate a complaint, or investigate further, if he or she is satisfied that 'another Commonwealth law, or a State or Territory law, provides a more appropriate remedy for the act or practice that is the subject of the complaint'.


201 Office's Private Sector Review, Recommendation 44.

202 Office's Private Sector Review, pp 138-139.

203 Explanatory Statement, available at: www.privacy.gov.au/business/codes/index.html.

204 Office's Private Sector Review, p 169.

205 Office's Private Sector Review, Recommendation 47.

206 An 'own motion' investigation is an investigation undertaken under s 40(2) of the Privacy Act into an act or practice without a complaint having been made.

207 Office's Private Sector Review, pp 132-133.
