EXECUTIVE SUMMARY

Office of the Privacy Commissioner

1. The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) ('the Privacy Act'), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Background

2. The Office welcomes this review of privacy by the Australian Law Reform Commission (ALRC). The Office believes that a holistic review of privacy regulation in Australia presents a unique opportunity to enhance the consistency of privacy regulation, and assess the effectiveness of privacy laws in light of evolving circumstances, such as technological development and community expectations.

3. The ALRC's review of privacy was commissioned following recommendations made in the Office's Private Sector Review and the Senate Legal and Constitutional References Committee Review that a wider review of privacy be undertaken.1 The Office welcomes the Government's commitment to inquire into the adequacy of privacy regulation to ensure that it best serves the needs of Australia in the future.

4. This is an important period of review for privacy regulation. The Office notes that the ALRC's review is being undertaken concurrently with similar reviews in other jurisdictions. The NSW Law Reform Commission is undertaking a review of privacy which will consider issues such as the desirability of uniform privacy protection principles across Australia, and the desirability of introducing a tort of privacy in NSW.2 The Victorian Law Reform Commission is also undertaking an inquiry into surveillance in public places.3 The Office believes that it will be useful to engage with these and other jurisdictions, to encourage a coordinated response to improving privacy regulation in Australia.

5. In addition, the New Zealand Law Commission is currently undertaking a review of privacy laws.4 The Office believes that this may provide a timely opportunity for greater harmonisation of trans-Tasman privacy regulations.

6. In what the Privacy Commissioner has described as a 'once in a generation opportunity', the Office looks forward to further opportunities to contribute to the ALRC's review of privacy.

General comments

7. A great deal has changed since the Privacy Act was enacted in 1988.

8. There have been changes to the way Australians think about privacy, changes to the manner and speed in which personal information is handled, particularly as a result of technological developments, and there has also been the arrival of the internet as a mainstream source of public information and interaction.

9. In the Office's experience, one thing that hasn't changed is that Australians still deeply value their privacy as a necessary condition for living an independent, fulfilling and dignified life.

10. The current principles under the Privacy Act are based on the OECD data protection guidelines that were developed almost 30 years ago.5 At that time:

11. These modern-day phenomena have changed the circumstances surrounding data protection. Nevertheless, the Office believes that the Privacy Act has served the community well since its enactment in 1988. The challenge now is to ensure that the legislation operates effectively for at least a similar period again, and continues to best serve the diverse needs of the Australian community.

12. This submission responds to the questions raised in IP31. In providing these responses, the Office has attempted to share nearly 20 years of experience in applying the Privacy Act, as well as its strong belief in the importance of privacy in a healthy, democratic society.

13. Privacy is important to our way of life, but what does it mean exactly? It has been said that for most of us, privacy is something we think about only when it is lacking.6 The difficulty of defining this term is well-documented in IP31 which explores the range of meanings commonly associated with the term. This submission, like the ALRC inquiry, is concerned primarily with information privacy (see IP31 paragraph 1.89). However, the Office observes that information privacy can intersect with other categories of privacy. For example, location detection technologies, which collect information about an individual's whereabouts, might be considered to cut across both information and physical privacy. While information privacy forms the focus of this inquiry, the Office submits that it will be important for the ALRC to consider cross-over between information privacy and other forms of privacy to ensure that the Privacy Act meets community expectations and continues to be relevant and provide adequate protection in the future.

14. Privacy is important but of course, complete anonymity or isolation from the rest of society is neither possible nor desirable. There will always be interactions that require individuals to be 'knowable' to another person or organisation, just as individuals will often want to share their personal information with particular people and organisations. Privacy laws are not designed to obstruct those interactions. Rather, privacy laws are about making sure that individuals have control, to the extent possible, over when their personal information will be collected by others, and how their personal information is subsequently used.

15. In light of these considerations, this submission is concerned first and foremost with ensuring that the privacy of individuals is valued, protected and respected in Australian society, now and into the future.

16. The Office also recognises that privacy must be protected alongside other societal interests such as free speech, security and commercial efficiency. Indeed, the Office notes that when the private sector provisions were introduced into the Privacy Act, they were intended to be responsive to both business and consumer needs.7

17. It is important that the costs of complying with privacy regulations are proportionate to the social benefits they provide. In the Office's view, regulatory inconsistency can have a negative impact on businesses' ability to comply with such regulations, creating undue complexity and confusion as to which law to apply.

18. The continued existence of inconsistency in Australia's privacy framework is borne out by the findings of the Office's Private Sector Review. That Review concluded that the Privacy Act had not achieved its object of establishing a single comprehensive national scheme for the protection of personal information.8 The Office believes that increased regulatory consistency is crucial if agency and organisational compliance costs are to be minimised, and if individuals are to be empowered to exercise their privacy rights without confusion or difficulty.

19. Accordingly, a central theme of this submission is identifying ways that regulatory consistency can be enhanced, for the benefit of consumers, businesses and the provision of government services. In particular, the Office believes that regulatory complexity will be reduced by the introduction of a single set of principles to the Privacy Act. This single set of principles would ideally replace the two separate sets of provisions that currently regulate the Commonwealth public sector (the Information Privacy Principles, or IPPs) and the Australian private sector (the National Privacy Principles, or NPPs). These principles could also serve as a model for uniform privacy legislation, which could be implemented across Commonwealth, state and territory jurisdictions.

Structure of this submission

20. This submission follows the structure of IP31. As with IP31, there are 13 chapters which are outlined below. In those chapters, the Office responds to the questions raised by the ALRC in IP31.

Submission summary

Chapter 1: Introduction to the Inquiry

21. Chapter 1 places Australia's privacy regulatory regime in an international context and draws out the central ideas that inform Australia's regulatory approach.

22. This chapter also addresses two specific questions. The first relates to the suggestion that the Privacy Act be extended to cover certain groups such as indigenous or ethnic groups or commercial entities. In its response to this question, the Office submits that the Privacy Act should continue to apply specifically to individuals, which has been the international approach to regulating privacy.

23. The second question in this chapter examines the case for a tort of privacy. In general, the Office believes there are several positive arguments for the development of a tort of privacy, and would therefore encourage further examination of the issue by the ALRC.

Chapter 2: Overview of Privacy Regulation in Australia

24. Chapter 2 introduces the Office's views on the importance of national consistency of privacy regulation. The Office believes that regulatory consistency will benefit both businesses and individuals by reducing compliance difficulties for organisations, and empowering individuals to understand and exercise their privacy rights without confusion as to their legal entitlements.

25. This chapter takes national regulatory consistency to be a key goal of privacy reform where there is no compelling need for differentiation. As such, the key message contained in Chapter 2 underpins many of the Office's responses to chapters that follow.

Chapter 3: The Privacy Act 1988 (Cth)

26. Chapter 3 suggests possible amendments to definitions in the Privacy Act. These suggestions align with the Office's belief that terms should be defined in a way that balances flexibility with regulatory stability. Approached in this way, the Office submits that definitions in the Privacy Act will reflect the intentions behind principle-based law.

27. As noted in IP31, much of the complexity within the Privacy Act stems from its development and amendment over several years. As such, many of the recommendations made in Chapter 3 are aimed at updating or clarifying relevant definitions, and better articulating the objects and scope of the Act.

28. In particular, Chapter 3 makes suggestions in relation to the definitions of personal information, sensitive information, financial information, record, identifier, collector, small business, generally available publication, agency, State or Territory authority and related bodies corporate. This chapter also suggests that certain privacy principles be extended to the personal information of deceased persons.

Chapter 4: Examination of the Privacy Principles

29. Chapter 4 builds on the idea that principle-based law remains the best way to regulate information handling.

30. This chapter explores the IPPs and NPPs in detail, and makes suggestions for their improvement based on the Office's experience in applying the Privacy Act.

31. While the Office believes that the existing principles under the Privacy Act are operating well, the Office believes there would be benefit in introducing to the Privacy Act a single set of principles to replace the IPPs and NPPs. In the Office's view, a single set of privacy principles would encourage greater regulatory consistency and simplicity, while maintaining or improving existing protections. Chapter 4 suggests that a single set of principles could include provisions relating to: anonymity, notice and openness, collection, collection of sensitive information, use and disclosure, information quality, information security, access and correction, transborder data flows and identifiers.

Chapter 5: Exemptions from the Privacy Act 1988 (Cth)

32. In Chapter 5 the Office expresses its view that to achieve uniformity and consistent application of privacy legislation, exemptions under the Privacy Act should be minimised. Where exemptions do exist, a clear public interest should also exist to support their continuation.

33. In the interests of enabling greater community understanding of the Privacy Act, the Office would support the adoption of consistent criteria to determine which entities are exempt from the application of the Act.

34. In particular the Office suggests that:

Chapter 6: Powers of the Office of the Privacy Commissioner

35. Chapter 6 examines the powers of the Privacy Commissioner, and makes recommendations based on the Office's experience in monitoring and enforcing compliance with the Privacy Act.

36. In general, the Office finds that the Privacy Act contains appropriate provisions to support the Office of the Privacy Commissioner's role as an effective complaint-handling body. However, the Office submits that the strong focus in the Privacy Act on resolving individual complaints should be balanced with improved provisions for dealing with systemic privacy issues. To this end, many of the suggestions made in this chapter relate to strengthening the Office's capacity to respond effectively to issues which may have broader impacts on privacy. This would better equip the Office to address the causes of interferences with privacy, not only the effects.

37. Particular suggestions in Chapter 6 include:

Chapter 7: Interaction, Fragmentation and Inconsistency in Privacy Regulation

38. Chapter 7 expands on some of the issues raised in Chapter 2, particularly regarding the interaction and inconsistency between the Privacy Act and other privacy-related regulations.

39. The Office notes in this chapter the importance of ensuring that privacy regulations are interoperable, consistent and comprehensive, with national consistency as the ultimate goal of such an interoperable privacy scheme.

40. Consistency does not mean the elimination of multi-layered regulation. In many cases, additional protections that regulate particular sectors, or protect certain information, can enhance privacy (such as privacy codes and secrecy provisions). However, in the interests of all parties, it is critical to ensure these layers are not unnecessary, inconsistent, or poorly interactive.

41. In the Office's view, there are a number of ways that current privacy regulations can be harmonised across various sectors and jurisdictions. These solutions include:

Chapter 8: Health Services and Research

42. In Chapter 8 the Office puts forward the view that the Privacy Act's existing provisions have generally met individuals' expectations regarding the handling of their health information, and afforded appropriate regard to the needs of health service delivery and medical research.

43. However, the Office notes in this chapter that there is a strong need to clarify the application of the Privacy Act regarding private sector health service providers. Section 3 of the Privacy Act should be amended to make clear that the National Privacy Principles 'cover the field' for the regulation of private sector health service providers. This would address a key source of uncertainty and potential fragmentation in health privacy regulation in Australia.

44. The Office also notes that the proposed National Health Privacy Code (NHPC) has not been adopted by the relevant jurisdictions since the Office's Private Sector Review was released. In light of changed circumstances, the Office considers that the objectives of national consistency and higher privacy protection for health information can be best achieved through certain amendments to the NPPs, or the adoption of a single set of principles as discussed in Chapter 4.

45. While comfortable that the existing principles work well, the Office makes a number of recommendations in Chapter 8 regarding areas of health privacy regulation where the law could be enhanced. These include access, including the role of intermediaries, as well as information handling obligations where a health service closes, or where an individual wishes their records to be transferred. The Office has also suggested that, among other things, the principle regulating the collection of health information without consent and where 'necessary to provide a health service' could be usefully amended.

46. In regard to health and medical research, the Office submits that the existing regulatory framework affords individuals with an appropriate degree of assurance that their personal health information will not be misused, particularly where it is handled without their consent. The Office draws attention to provisions where regulatory complexity could be reduced, particularly by harmonising the enabling provisions for the section 95 and 95A mechanisms.

Chapter 9: Children, Young People and Adults with a Decision Making Disability

47. The privacy of vulnerable members of the community is of considerable interest and concern to the Office and the Australian public. Chapter 9 addresses the privacy of children and individuals with a decision-making disability. Each presents comparable but different challenges for privacy regulation, which must balance community, representative and individual expectations across a range of circumstances.

48. The Privacy Act is based around providing rights to individuals and does not distinguish individuals by age. Children are therefore provided with equal rights to adults, with the flexibility to determine, on a case by case basis, who should be responsible for exercising those rights. Other mechanisms supplement the Privacy Act's protections, such as legislation specific to child protection, and particular sectoral procedures. The Office believes the Privacy Act is generally functioning effectively in relation to children and young people, although in some areas, protections may be improved by amendments to the small business exemption. The Office welcomes consideration of further mechanisms beyond the Privacy Act which may be necessary to safeguard child privacy, for example, in the areas of online protections and photographs.

49. In relation to individuals with a decision-making disability, the Office believes that certain problems can be addressed without legislative amendment. This includes providing additional guidance on when personal information can currently be disclosed to representatives under the Privacy Act. The Office also believes consideration could be given to whether the disclosure of non-health information should be permitted under NPP 2.4. Other areas for consideration include the ability of representatives to seek access on an individual's behalf, how best to protect individuals' privacy from their own representatives, and whether the Privacy Act operates effectively in cases of sudden or unexpected incapacity.

Chapter 10: Telecommunications Privacy

50. Personal information handled in the telecommunications sector is regulated by a number of legislative instruments and regulatory bodies. These interrelationships need not be problematic in themselves, and indeed, they can enhance privacy protections in the sector where they operate consistently. Nevertheless, there are aspects of privacy regulation in the telecommunications sector which can benefit from review and improvement. The Office's response to Chapter 10 draws particular attention to the following issues:

Chapter 11: Developing Technology

51. In Chapter 11, the Office expresses its view that the most effective strategy for the protection of privacy in the context of continuously developing technologies will be multi-faceted involving:

52. The Office believes that a technologically-neutral principles-based approach, along with provision for the Privacy Commissioner to make specific binding codes where a clearly defined privacy risk emerges, is the best way to deal with the impact of rapidly developing technology on information handling.

53. Some of the suggestions made by the Office in Chapter 11 include that:

Chapter 12: Unique Multi-Purpose Identifiers

54. Chapter 12 explores the regulatory regime surrounding the use of unique multi-purpose identifiers. The Office accepts that sometimes the use of unique identifiers is essential; for example, in order to correctly identify individuals for the purposes of providing health care. However, the Office notes that, when unique identifiers are used for multiple purposes and across different agencies and organisations, risk of privacy invasion is increased. This is because, if used in the wrong way, unique multi-purpose identifiers can enable greater data-matching, sharing and linking and create conditions conducive to function creep.

55. The Office believes that the Privacy Act should continue to play an important role in ensuring that unique multi-purpose identifiers are handled in ways that do not unreasonably intrude on the privacy of individuals. Subject to a few suggested amendments, the Office believes that provisions in the Privacy Act dealing with unique multi-purpose identifiers remain appropriate.

Chapter 13: Transborder Data Protection

56. Advances in information technology have allowed information to be sent across the world with speed and efficiency. With the advent of inexpensive high-speed internet connections and the growth of the global economy, Australian agencies and organisations are increasingly operating across national borders.

57. The Privacy Act regulates the transfer of personal information outside Australia via NPP 9. NPP 9 provides important protections to individuals by preventing organisations from disclosing personal information to someone in a foreign country unless: the person in the foreign country is subject to an information privacy scheme comparable to the NPPs; or the individual has consented to the disclosure; or certain other circumstances apply.

58. In general, the Office believes that NPP 9 contains appropriate provisions to regulate transborder data flows and is generally operating well. However, in this chapter the Office suggests that NPP 9 could be enhanced to simplify the prescribed preconditions for sending personal information overseas. The Office also recommends that the Privacy Act should make clear that the transfer of personal information outside Australia to a related body corporate will be subject to NPP 9.

59. Chapter 13 also discusses the issue of EU adequacy. The Office has found that, while Australian business does not appear to have been adversely affected by lack of EU 'adequacy', the Government should continue to work with the EU on the adequacy of the Privacy Act.10

SUMMARY OF OFFICE POSITIONS

CHAPTER 1

Question 1-1

Office position:

  1. The Office does not support amendments to the Privacy Act to provide direct protections to certain groups or commercial entities.
  2. The Office suggests that the Privacy Act be amended to clarify the extent to which sole trader information is protected under the Act.

Question 1-2

Office position:

  1. The Office suggests further consideration be given to options for the development of a cause of action for breach of privacy.

CHAPTER 2

Question 2-1

Office position:

  1. The Office recommends that the Privacy Act be amended to contain a single set of privacy principles to regulate information handling in the private sector and the Australian Government public sector. (See also Office position at Chapter 4 - Introduction)
  2. The Office recommends a uniform set of privacy principles should be developed in consultation with the states and territories and enacted by each jurisdiction. This could be achieved through a cooperative scheme between the Australian Government and the states.
  3. The Office suggests another approach to address inconsistent state and territory legislation regulating a particular activity is to provide the Privacy Commissioner with a power to develop binding codes within the Privacy Act. (See also Office position at Question 6-20).

CHAPTER 3

Question 3-1

Office position:

  1. The Office supports a redrafting of the Privacy Act to facilitate a greater degree of understanding and ease of navigation for the reader.
  2. The Office submits that the most effective solution to reduce complexity with the Privacy Act would be to develop a single set of privacy principles which covers both Australian Government agencies and the private sector. (See also Office position at Chapter 4 - Introduction).
  3. The Office suggests that in the event that the proposal for a single set of principles is not taken up, consideration should be given to re-ordering the Privacy Act to place the IPPs and NPPs in adjoining sections.
  4. The Office suggests that the Privacy Act be amended to better group, logically order and clearly title information regarding exemptions to the Act. (See also Office position at Question 5-1).

Question 3-2

Office position:

  1. The Office recommends that the name of the Privacy Act continue to contain the broader term of 'privacy' in order to reflect the wider scope of the Commissioner's functions.
  2. The Office recommends that the Privacy Act be retitled the 'Australian Privacy Act', to differentiate the Privacy Act from other jurisdictions that have similar legislation.

Question 3-3

Office position:

  1. The Office of the Privacy Commissioner supports the inclusion in the Privacy Act of an objects clause that clearly defines the purposes of the Privacy Act and the role of the Office.

Question 3-4

Office position:

  1. The Office recommends that the current definition of 'personal information' be retained in the Privacy Act in recognition of its existing flexibility in the face of technological advances and other changes.
  2. The Office reiterates its recommendation from the Private Sector Review that it will issue further guidance material consistent with the current law, on what is personal information, which takes into account the fact that in the current environment it is more difficult to assume that any information about people cannot be connected.
  3. The Office recommends that the definition of sensitive information should be amended to include biometric information.
  4. The Office suggests that consideration should be given to affording financial information the status of sensitive information.
  5. The Office suggests that the definition of record be reviewed with the aim of developing a broad, overarching definition that would provide for technological change.
  6. The Office recommends that the definition of record be clarified to cover records which hold biometric information.
  7. The Office believes that the definition of record should only describe the medium of the information rather than the information itself. For this reason, the Office recommends the removal of 'of a person' from subsection (c) of the definition of a record.
  8. The Office suggests that in the interests of facilitating smooth interaction, consistent definitions for 'record' and 'document' across the Privacy Act, the Freedom of Information Act and the Archives Act should be developed.
  9. The Office recommends that the definition of identifier be clarified to be more explicit as to its meaning. (See also Office position at Question 12-3)
  10. The Office suggests that the definition of collector in the Privacy Act be amended so that where services are provided by other entities on behalf of an agency, those services must relate to the agency's functions for the Commonwealth contracting provisions to apply.
  11. The Office reiterates its recommendation 51 made in the Private Sector Review that the definition of small business be expressed in terms of the ABS definition, currently 20 employees or fewer, rather than the annual turnover. (See also Office position at Question 5-6).
  12. The Office suggests that the definition of generally available publication in the Privacy Act be amended to clarify that it covers a generally available publication even where payment of a fee is necessary to access the information.
  13. The Office suggests that the definition of 'agency' in the Privacy Act be amended to clarify ambiguous areas of coverage. In particular, the definition should clarify coverage of some public authorities created as collaborations between Commonwealth and the states and territories by the Council of Australian Government (COAG) and other Ministerial Councils. (See also Office position at Question 5-3).
  14. The Office suggests that the term related bodies corporate be defined within the Privacy Act as having the same meaning as in the Corporations Act 2001 (Cth).

Question 3-5

Office position:

  1. The Office recommends that the Privacy Act be amended to extend some privacy protections to the health information of people after their death:
    • Health information of deceased persons should be covered by NPPs 1 (collection), as appropriate, 2 (use and disclosure) and 4 (security) or their equivalents if a single set of principles were to be developed.
    • In recognition that living individuals may have legitimate grounds for seeking access to the health records of deceased individuals, the NPPs should include a mechanism for providing such access.
    • Consideration should be given to adding a provision under NPP 2.4 to provide organisations with a discretion to disclose health information about deceased people to 'a responsible person' (based on the terms of NPP 2.5) in the same way in which health information about an individual who lacks capacity may currently be disclosed.

CHAPTER 4

Chapter 4 - Introduction

Office position:

  1. The Office recommends the development of a single set of principles for both Australian government agencies and private sector organisations relating to:
    • Anonymity
    • Notice and openness
    • Collection
    • Collection of sensitive information
    • Use and disclosure
    • Quality
    • Security
    • Access and correction
    • Transborder data flows
    • Identifiers

Question 4-1

Office position:

  1. The Office recommends that provisions for notice and collection should be addressed separately in the Privacy Act, specifically by separate principles.
  2. The Office reiterates recommendation 74 from the Private Sector Review that consideration be given to amending NPP 1.3(d) to make clear that an organisation collecting personal information from an individual must take reasonable steps to notify them of likely disclosures generally, including to public sector agencies of the Australian Government, state or local governments, other bodies and private individuals.
  3. The Office recommends that notice obligations regarding the likely disclosures of an individual's personal information should also advise of any fourth party that personal information may be disclosed to.
  4. The Office reiterates recommendation 19 from the Private Sector Review that consideration be given to amending NPP 5.1 to provide for short form privacy notices. This could also clarify the obligations on organisations to provide notice, and to clarify the links between NPP 1.3 and NPP 5.1.
  5. The Office reiterates recommendation 41 from the Private Sector Review that consideration be given to amending NPP 1.3 to require organisations to tell individuals how they can complain to the organisation; and that, if the complaint is not resolved, they can also complain to the Privacy Commissioner or (where relevant) the code adjudicator. This would also apply to agencies under one set of principles.
  6. The Office reiterates recommendation 76 from the Private Sector Review that consideration be given to amending NPP 1.5 to remove the term 'someone', and to make clear that an organisation has an obligation to take reasonable steps to provide notice to an individual when collecting their personal information indirectly, from any source. This would also apply to agencies under one set of principles.

Question 4-2

Office position:

  1. The Office reiterates recommendation 75 from the Private Sector Review that consideration be given to amending NPP 1.3 and NPP 1.5 to make clear that there are situations in which the reasonable steps an organisation might take to provide notice to an individual may equate to no steps.
  2. The Office recommends that a 'reasonable person test' be included to determine what steps should be taken to make individuals aware of matters relating to the collection of their personal information. This would relate to agencies and organisations.

Question 4-3

Office position:

  1. The Office believes that agencies should be required to comply with the same collection provisions as private sector organisations and where reasonable and practicable they should collect information about an individual only from the individual concerned.
  2. The Office believes that a single principle for notice and openness could include that agencies and organisations be required to notify an individual of their rights to access their personal information, the consequences of not providing their information, the various avenues of complaint available, and the source of the information where it has not been directly collected from the individual.

Question 4-4

Office position:

  1. The Office recommends that the collection principle include that an agency or organisation should be required to check the accuracy of information received from an unsolicited source if it intends to include that information in a record.

Question 4-6

Office position:

  1. The Office considers that use and disclosure should be addressed in one principle as in the NPPs.

Question 4-7

Office position:

  1. The Office submits that the existing exceptions under NPP 2, as well as IPPs 10 and 11 provide an appropriate range of mechanisms for allowing individuals' personal information to be disclosed in times of emergency or when there is a serious and imminent threat to the life or health of an individual. The Office does not support additional exceptions permitting uses or disclosures without the consent of the individual.
  2. The Office believes that the disclosure provisions should be extended to allow disclosures of personal information to a 'responsible person' in times of national emergency and the definition of 'responsible person' should be extended beyond that already provided for in NPP 2.5 to include a person nominated by the family to act on behalf of the family.

Question 4-8

Office position:

  1. The Office believes there should be a direct relationship between the primary and secondary use of personal information and that the secondary use should be one which an individual would reasonably expect. This is included in the use and disclosure principle proposed at Question 4-35.

Question 4-12

Office position:

  1. The Office reiterates recommendation 23 from the Private Sector Review that consideration be given to amending the Privacy Act to provide that consumers have a general right to opt-out of direct marketing approaches at any time. Organisations should be required to comply with the request within a specified time after receiving the request.
  2. The Office reiterates recommendation 24 from the Private Sector Review that consideration be given to amending the Privacy Act to require organisations to take reasonable steps, on request, to advise an individual where it acquired the individual's personal information.

Question 4-13

Office position:

  1. The Office submits that the existing exceptions under NPP 2, as well as IPPs 10 and 11 provide an appropriate range of mechanisms for allowing individuals' personal information to be used for non-health research and does not support an additional exception permitting uses or disclosures without the consent of the individual.

Question 4-14

Office position:

  1. The Office believes that NPP 3 should oblige organisations to keep personal information accurate and complete for the stated purpose of collection but should not import an obligation onto organisations to constantly contact individuals to ensure information is accurate.

Question 4-16

Office position:

  1. The Office believes that agencies should be subject to the same quality principle that applies to organisations.

Question 4-17

Office position:

  1. The Office reiterates recommendation 54 from the Private Sector Review that consideration be given to amending NPP 4 to impose an obligation on an organisation to ensure personal information it discloses to a contractor is protected.
  2. The Office suggests that further consideration be given to the handling of personal information in instances where contracting between private sector organisations occurs. The Office believes there may be benefit in developing provisions similar to those which exist under s 12 and s 95B. These provisions together ensure that a lead agency has obligations in relation to personal information over which it wishes to retain control regardless of where it is held, and both parties continue to have obligations when handling the information.

Question 4-18

Office position:

  1. The Office believes that agencies should be obliged by the Privacy Act to destroy or permanently de-identify personal information when it is no longer needed and where they are under no legal obligation to retain the information.
  2. The Office believes that agencies and organisations should have an appropriate disposal regime in place to ensure that personal information is destroyed or de-identified in a secure manner.

Question 4-19

Office position:

  1. The Office supports the obligation prescribed in the current NPP 4.2 that, where information is no longer needed for the purpose for which it was collected, agencies and organisations should be under an obligation to take reasonable steps to destroy or permanently de-identify personal information.

Question 4-20

Office position:

  1. The Office believes that the provisions of NPP 5.1 could be amended to provide more guidance on the content of notice documents.
  2. The Office reiterates recommendation 19 from the Private Sector Review that consideration be given to amending NPP 5.1 to provide for short form privacy notices. This could also clarify the obligations on organisations to provide notice, and to clarify the links between NPP 1.3 and NPP 5.1. (See also Office position at Question 4-1)
  3. The Office believes that agencies and organisations should be required to, upon a request from an individual, inform the individual as to whether they have collected or hold personal information about that individual and to advise the individual what 'type' or 'sort' of personal information it is.

Question 4-21

Office position:

  1. The Office believes that the provision of the specific 'sort' of information held about an individual should continue to be triggered by that individual's request under an openness principle.

Question 4-23

Office position:

  1. The Office proposes that guidance should be developed in relation to NPP 6.1(b) to explain that a serious threat to a therapeutic relationship could be a serious threat to a person's health. (See also Office position at Question 8-20).
  2. The Office suggests that NPP 6.3 could be amended to provide the individual the right to use an intermediary if access is denied under an exception contained in NPP 6.1.
  3. The Office suggests that NPP 6.4 could be amended to provide for guidance on the timeframe and form in which access to a record of their personal information is provided to an individual.
  4. The Office suggests that NPP 6.5 could be amended so that an individual could raise reasonable grounds for the organisation to believe that information held about them is in need of correction, rather than having to establish that information is not accurate and up-to-date.

Question 4-24

Office position:

  1. The Office supports the notion that agencies should be required to clearly set out the circumstances in which they can deny an individual access to a record containing their personal information as required of organisations by NPP 6.

Question 4-25

Office position:

  1. The Office supports the introduction of an obligation on agencies and organisations that where correction has occurred, the organisation or agency should, where reasonable and/or practicable, notify any third-party which has been supplied with the incorrect information.

Question 4-29

Office position:

  1. The Office believes that the anonymity principle should be redrafted to require organisations and agencies to provide the individual, where possible, with the option of interacting with them anonymously.

Question 4-31

Office position:

  1. The Office believes that Australian government agencies should not disclose personal information to overseas bodies which are not subject to privacy regulation without legislative, contractual or other administrative arrangements in place to prevent unauthorised uses or disclosures by the recipient.

Question 4-33

Office position:

  1. The Office believes that sensitive information should be afforded consistent protections, regardless of the stage of the process in which, or by whom, it is handled.

Question 4-35

Office position:

  1. The Office recommends the development of a single set of principles for both Australian government agencies and private sector organisations relating to:
    • Anonymity
    • Notice and openness
    • Collection
    • Collection of sensitive information
    • Use and disclosure
    • Quality
    • Security
    • Access and correction
    • Transborder data flows
    • Identifiers

Question 4-36

Office position:

  1. The Office also believes that the privacy principles should continue to be applied as the minimum level of protection for an individual's personal information.

CHAPTER 5

Question 5-1

Office position:

  1. The Office believes that to achieve uniformity and consistency of application of privacy legislation, exemptions under the Privacy Act should be minimised. Where exemptions exist, there should be a clear public interest enunciated for them to be maintained or created.
  2. The Office submits that a review of exemptions to the Privacy Act should address irregularity of exemption coverage; that is where a specific entity is exempted from coverage of the Privacy Act while other entities of a similar nature and function are not.
  3. The Office suggests that where exemptions exist for specific, named entities, these entities be listed in a schedule to the Privacy Act.
  4. The Office suggests that where exemptions exist for certain categories of entities, they be grouped together in one part of the Privacy Act.

Question 5-2

Office position:

  1. The Office believes that the exemptions applying to the Australian intelligence community (AIC) are appropriate.
  2. The Office suggests that all entities, whether covered by the Privacy Act or not, should implement a set of standards for the handling of personal information.

Question 5-3

Office position:

  1. The Office recommends that s 7 of the Act, which deals with the acts and practices of agencies and organisations, be redrafted to provide greater clarity in regard to its application.
  2. The Office suggests that the definition of 'agency' which currently includes a Minister, should describe the specific acts and practices of the Minister that are covered.
  3. The Office suggests that entities with similar functions be treated consistently under the Privacy Act.
  4. The Office suggests that consideration should be given to reviewing the Australian Crime Commission (ACC) exemption to assess whether a full exemption continues to be suitable or whether full or partial coverage by the Privacy Act is desirable.
  5. The Office believes that attention should be given to developing information handling standards for royal commissions. The Office suggests that the matter be referred to the Attorney-General.
  6. The Office believes that it would be desirable if the Australian Commission for Law Enforcement Integrity (ACLEI) developed information handling guidelines to assist in ensuring that the personal information it handles is adequately protected. This could be achieved with assistance from the Office of the Privacy Commissioner.
  7. The Office suggests that consideration be given to whether it would be appropriate for the administrative operations of the ACLEI to be covered by the Privacy Act.

Questions 5-4 and 5-5

Office position:

  1. The Office recommends that the Australian Government work with all states and territories to implement privacy regulation that is consistent with the Privacy Act or adopt the Privacy Act as model legislation. (See also Office position at Question 2-1)
  2. The Office suggests that consideration be given to whether the current arrangements that provide differing levels of privacy regulation for state and territory incorporated bodies, statutory entities and higher education facilities remain appropriate.
  3. The Office suggests that the Privacy Act should apply to all incorporated bodies including state and territory statutory corporations except where equivalent privacy legislation has been made in the relevant jurisdiction.
  4. The Office suggests that where it is considered necessary that state and territory incorporated bodies should be exempted from coverage of the Privacy Act because of public interest grounds, that consideration be given to applying a provision such as that currently existing in s 6C(4) to give effect to the exemption.

Question 5-6

Office position:

  1. The Office reiterates recommendation 51 made in the Private Sector Review that the definition of small business be expressed in terms of the Australian Bureau of Statistics (ABS) definition, currently 20 employees or fewer, rather than the annual turnover. (See also Office position at Question 3-4)
  2. The Office reiterates recommendation 9 from the Private Sector Review that consideration be given to making regulations under s 6E of the Privacy Act to ensure that the Privacy Act applies to all small businesses in the telecommunications sector including Internet Service Providers (ISPs) and Public Number Directory Producers (PNDPs). (See also Office position at Question 11-2)
  3. The Office suggests that if the states and territories do not pass uniform legislation to regulate estate agents, landlord and listing agents who use Residential Tenancy Databases (RTDs), that these businesses should be prescribed as organisations under the Act. (See also Office position at Question 7-3)
  4. The Office recommends that the consent provisions under ss 6D(7) and 6D(8) should be clarified so that businesses are clear about when the Privacy Act will apply to their activities.
  5. The Office suggests that the opt-in provision (s 6EA) should be retained as it provides a mechanism for businesses to enhance their business reputation, and in some cases is a requirement if the organisation wants to apply for a Code or Public Interest Determination (PID). (See also Office position at Question 5-7).

Questions 5-7 & 5-8

Office position:

  1. The Office recommends that the small business opt-in provision in s 6EA be extended to any organisations which are exempt from the operation of the Privacy Act such as political parties. This would allow exempt organisations to voluntarily opt-in to coverage by the Privacy Act.
  2. The Office suggests that consideration be given to requiring political parties to comply with a few key privacy principles, in particular the openness and access and correction principles along with some limits placed on their ability to disclose personal information.

Question 5-9

Office position:

  1. The Office believes that given the desirability of national consistency of privacy regulation, further consideration should be given to removal of the employee records exemption in s 7B(3) of the Privacy Act.

Questions 5-10 to 5-12

Office position:

  1. The Office reiterates recommendation 59 from the Private Sector Review that it will, in conjunction with ACMA, provide greater guidance to media organisations as to appropriate levels of privacy protection, especially in relation to health issues, and make organisations aware that the media exemption is not a blanket exemption.

Question 5-13

Office position:

  1. The Office submits that improved notice of disclosure by the relevant body corporate under NPP 1.3 should ameliorate concerns that personal information is being used for direct marketing by a related body corporate without the individual's knowledge or consent. (See also Office position at Question 4-1)
  2. The Office suggests that a note be included under s 13D reminding organisations about their obligations in relation to transborder data flows of personal information under NPP 9.

CHAPTER 6

Question 6-1

Office position:

  1. The Office supports the continuation of the Office of the Privacy Commissioner as a statutory body with a Commissioner appointed for a specified term.
  2. The Office reiterates recommendation 6 from its Private Sector Review by proposing that the name of the Office of the Privacy Commissioner be changed to the Australian Privacy Commission to distinguish the Office from similar state authorities.
  3. The Office suggests that s 52 of the Privacy Act be amended to provide for determinations to be undertaken by certain other senior staff within the Office subject to specified conditions.

Question 6-2

Office position:

  1. The Office supports the continued inclusion of a statement in the Privacy Act which acknowledges that privacy is a right that must be balanced with other community interests.
  2. The Office supports the continuation of the criminal liability provisions in s 96 of the Privacy Act regarding the misuse or inappropriate disclosure of personal information acquired through employment at the Office of the Privacy Commissioner.

Question 6-3

Office position:

  1. The Office supports the continuation of the Privacy Advisory Committee (PAC) in its current role as an independent advisory body.
  2. The Office suggests that the PAC membership categories outlined in s 82(7) of the Privacy Act should be reviewed and updated to reflect current business, community and government environments by:
    • introducing an explicit requirement that a health sector representative be included;
    • updating terminology used to describe the current industry categories; and
    • requiring the inclusion of a member with high level experience in industry or commerce in addition to a member with experience in public administration or government.

Question 6-4

Office position:

  1. The Office supports the continuation of immunity from civil action for the Privacy Commissioner (or code adjudicator) and his or her delegates provided for in s 64 of the Privacy Act.
  2. The Office supports the continuation of immunity from civil action for complainants provided for in s 67 of the Privacy Act.

Question 6-5

Office position:

  1. The Office recommends that the Privacy Commissioner's powers to oversee the Privacy Act are appropriate and should be retained.
  2. The Office suggests amending s 27(1)(c) in the Privacy Act to replace the wording 'computer technology' with wording that would encompass all technologies with a possible privacy impact.

Question 6-6

Office position:

  1. The Office supports the introduction of a statutory requirement on public sector agencies to undertake a Privacy Impact Assessment (PIA) for new projects and/or legislation that significantly impact on the collection or handling of personal information. This should include:
    • a set of criteria to establish when a PIA is required;
    • an appropriate regulatory mechanism to ensure compliance.
  2. The Office does not believe a mandatory requirement should be imposed on private sector organisations to undertake a PIA. However, organisations should be encouraged to undertake a PIA for large scale, high privacy risk projects.
  3. The Office should develop PIA guidelines tailored for the needs of the private sector through consultation.

Question 6-7

Office position:

  1. The Office holds the view that the conduct of any PIA should be the responsibility of the particular agency or organisation.
  2. The Office believes that if a statutory requirement to conduct a PIA is introduced, a corresponding accountability mechanism (for example, inclusion in the Annual Report) should also be included in the Privacy Act.

Question 6-8

Office position:

  1. The Office suggests that consideration be given to amending the current Personal Information Digest (PID) requirements in the Privacy Act. The Office suggests, rather than reporting to the Privacy Commissioner, agencies should:
    • include this information on their own websites; or
    • report the updating of their PID entry in their annual report; or
    • provide this information in their privacy policy.
  2. The Office suggests the form of the PID may need to be reviewed.

Question 6-9

Office position:

  1. Private sector organisations should undertake self-auditing in relation to privacy.
  2. The Office recommends the introduction of a qualified audit power expanding on its own motion investigation functions to allow the Office to audit private sector organisations for compliance with the NPPs where the Privacy Commissioner has reasonable grounds to believe that the organisation is engaging in practices that:
    • pose new and significant risks to the personal information they hold; or
    • contravene the privacy principles in the Act or a commitment made in resolution to a complaint or own motion investigation.

Question 6-11

Office position:

  1. The Office supports the consolidation of the Privacy Commissioner's functions into one section of the Privacy Act. This includes where the Commissioner's functions are sourced in other legislation.

Question 6-12

Office position:

  1. The Office recommends that provisions under s 38B(2) of the Privacy Act be amended to: clarify when an individual may withdraw from a representative complaint, or include the option of opting out of a representative complaint at any time if the individual did not consent to be a class member.
  2. The Office recommends the retention of a general requirement that individuals complain to the body with whom they have the grievance in the first instance, before making a complaint to the Privacy Commissioner.
  3. The Office recommends that the Privacy Commissioner's specific conciliation functions under s 27 of the Privacy Act be amended to provide for the option of conciliating complaints at any stage in the complaint handling process, including before the commencement of a formal investigation.
  4. The Office suggests that the Privacy Commissioner be given a specific power to contact third parties for the purpose of undertaking preliminary inquiries into a complaint.
  5. The Office is of the opinion that the restrictions placed on the Privacy Commissioner to obtain personal information under s 69 of the Privacy Act should be addressed in the following ways:
    • The Office supports the retention of the provisions relating to the restrictions on information generated for the purposes of taxation or statistics law unless it relates to an individual who has made a complaint to the Commissioner;
    • The Office suggests that s 69 be amended or clarified to ensure that any limits on the provision of personal information to the Commissioner in the context of an investigation of a privacy complaint do not constrain the Commissioner's ability to investigate.

Question 6-13

Office position:

  1. The Office recommends the Privacy Commissioner be granted a discretionary power to decline to investigate complaints where there appears to be little public interest. This power could be balanced by a requirement for the Privacy Commissioner to advise the 'respondent' that a complaint has been lodged and that while it is not being investigated in this instance, any further complaints of a similar nature may be.
  2. The Office recommends the introduction of a specific decline power where a privacy complaint is being handled by a recognised industry dispute resolution body. Consideration should be given to providing the Privacy Commissioner with an additional function to recognise such bodies for the purpose of this provision.
  3. The Office recommends the introduction of a power to allow the Privacy Commissioner to simultaneously decline a complaint that would be more suitably handled by a recognised industry body, and to formally refer that complaint to the appropriate body with a request for investigation.
  4. The Office recommends that the Privacy Commissioner be given a specific power to cease consideration of a complaint if the complainant has ceased to pursue the matter or has withdrawn the complaint.

Question 6-14

Office position:

  1. The Office suggests that the offence provisions under the Privacy Act be reviewed to ensure that they relate to sufficiently serious misconduct and that the test for an offence is higher than the test for a breach of the Privacy Act in all cases.

Question 6-15

Office position:

  1. The Office supports the continued inclusion of the Privacy Commissioner's investigation powers currently provided in ss 43-47 of the Privacy Act.
  2. The Office suggests that consideration be given to clarifying the terminology of ss 43-47 of the Privacy Act, in particular the term 'compulsory conference' in ss 46 and 47.
  3. The Office suggests that consideration be given to extending the application of ss 46 and 47 of the Privacy Act to complaints relating to the NPPs.

Question 6-16

Office position:

  1. The Office recommends the Privacy Commissioner's determination powers should be amended to provide a broader range of enforcement remedies for systemic issues.

Question 6-17

Office position:

  1. The Office recommends that all determinations made by the Privacy Commissioner should be reviewable by the Administrative Appeals Tribunal, including determinations made against private sector organisations. This review power should extend to all decisions made using the determination power, and should not be limited to decisions regarding compensation or remedy.

Question 6-18

Office position:

  1. The Office supports the continuation of the Privacy Commissioner's powers in respect of public interest determinations (PID) and temporary public interest determinations (TPID).
  2. The Office suggests consideration should be given to introducing a requirement that applicants must consult with the Office before making an application for a PID or TPID, and/or the inclusion of the discretion not to consider an application under certain circumstances.

Question 6-19

Office position:

  1. The Office suggests consideration should be given to amending s 98 of the Privacy Act to include a test of 'standing' for persons applying for an injunction.

Question 6-20

Office position:

  1. The Office recommends that the existing code provisions in the Privacy Act should be amended to take into account the interests of efficiency and national consistency.
  2. The Office does not support the removal of the equivalence requirement in relation to codes.
  3. The Office reiterates its recommendation 7 from the Private Sector Review that consideration should be given to amending the Privacy Act to provide the Privacy Commissioner with the power to make binding codes.
  4. The Office suggests that binding codes initiated by the Privacy Commissioner be disallowable instruments.

Question 6-21

Office position:

  1. The Office proposes a compliance model that retains the Privacy Commissioner's existing complaint handling functions and conciliation focus but complements this with stronger powers to handle systemic issues and issues arising from industry practice.

Question 6-22

Office position:

  1. The Office is of the view that a conciliation model should remain the primary complaint handling model under the Privacy Act, including where the individual is seeking compensation.
  2. The Office supports the introduction of coercive orders as an enforceable remedy following an Own Motion Investigation.
  3. The Office considers that non-discretionary fines and infringement notices would not be suitable remedies to introduce into the Privacy Act.
  4. The Office suggests that consideration be given to introducing civil penalties as a sanction under the Privacy Act in limited circumstances. However, the Office recognises that further consideration would need to be given to any possible scale and range of penalties.
  5. The Office considers that a cautious approach should be taken to the inclusion of further criminal sanctions in the Privacy Act.
  6. The Office considers that any offence provisions in the Privacy Act should relate to sufficiently serious misconduct. The Office suggests that the test for an offence should be substantially higher than the test for a breach of the Privacy Act. (See also Office position at Question 6-14)

CHAPTER 7

Question 7-1

Office position:

  1. The Office recommends the harmonisation of privacy regulation nationally to facilitate the consistent protection of personal information within Australia.
  2. The Office recommends an amendment to the Privacy Act to confer powers on the Privacy Commissioner to:
    • decline to investigate a complaint if a recognised industry body is investigating, or has already adequately investigated the privacy aspects of the complaint;
    • simultaneously decline a complaint that would be more suitably handled by a recognised industry body, and formally refer the complaint to that body with a request for investigation on behalf of the complainant. (See also Office position at Question 6-13)

Question 7-2

Office position:

  1. The Office recommends legislative amendments to ensure that state and territory contractors are bound by the Privacy Act or equivalent legislation.

Question 7-3

Office position:

  1. The Office recommends that uniform Residential Tenancy Database (RTD) legislation be introduced in the states and territories. If this does not occur, consideration should be given to amending the Privacy Act to bring RTD operators within the Act's jurisdiction.

Question 7-5

Office position:

  1. The Office recommends the development of a consolidated digest of all legislative provisions that require or authorise personal information to be handled in ways that the Privacy Act may otherwise prevent.

Question 7-6

Office position:

  1. The Office recommends amendments to IPP 6 and 7 to provide access to, and correction of, personal information held by Australian and ACT government agencies. This mechanism should be in addition to those provided for under the Freedom of Information Act 1982 (Cth).
  2. The Office recommends consideration be given to whether the Office's complaint files should be exempt from disclosure obligations under the Freedom of Information Act 1982 (Cth).
  3. The Office suggests that consideration be given to whether the Privacy Act should extend to cover certain classes of Commonwealth records in the 'open access period' established by the Archives Act 1983 (Cth).
  4. The Office suggests that s 33(1)(g) of the Archives Act 1983 (Cth) be amended to align with the protection of 'personal information' under the Privacy Act and the Freedom of Information Act 1982 (Cth).
  5. The Office suggests that the criminal offence provisions of the Taxation Administration Act 1953 (Cth) relating to the mishandling of Tax File Numbers (TFNs) remain in that Act.
  6. The Office recommends the current voluntary public sector data matching guidelines be made mandatory to enhance data-matching regulation. (See also Office position at Question 11-1)
  7. The Office recommends extending the protections that are afforded to information on the Electoral Roll, including the introduction of obligations to ensure that recipients handle and dispose of information appropriately and securely.
  8. The Office recommends removing the Electoral Roll from the definition of generally available publication, thus ensuring that all information on the Electoral Roll is covered by the Privacy Act.
  9. The Office suggests additional protections in the Commonwealth Electoral Act 1918 (Cth) to ensure that all persons and entities that collect information pursuant to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 would incur obligations to hold the information securely and dispose of it when no longer required.

Question 7-9

Office position:

  1. The Office supports the use of industry-specific rules, codes and guidelines to allow for more prescriptive regulation than the Privacy Act, where appropriate. The Privacy Act should allow the Privacy Commissioner to make binding guidelines for this purpose. (See also Office position at Question 6-20)

CHAPTER 8

Question 8-1

Office position:

  1. The Office believes that a separate health-specific set of principles is unnecessary. Health privacy regulation can be enhanced by building on the basic content of existing provisions.
  2. The Office suggests that if a separate instrument is pursued for health privacy regulation, it should ensure that the protections offered will be at least equivalent to those already provided by the Privacy Act and that this instrument should be located in the Privacy Act.

Question 8-2

Office position:

  1. The Office recommends s 3 of the Privacy Act be amended to make it clear that the Privacy Act covers the field for Australian Government agencies and the private sector including private sector health service providers.

Question 8-3

Office position:

  1. The Office recommends the proposed National Health Privacy Code should not be adopted as an instrument for regulating health information. The Privacy Act, with amendments where necessary, should cover the field with respect to private-sector health regulation.

Question 8-4

Office position:

  1. The Office recommends the proposed National Health Privacy Code should not be adopted as a schedule to the Privacy Act. Health privacy reform, where necessary, should be pursued through amendment to the existing NPPs.

Question 8-5

Office position:

  1. The Office recommends that the implementation of electronic health information systems be accompanied by specific establishing legislation that could include:
    • Provisions to allow participation on an 'opt-in' basis;
    • Provisions setting out primary uses of data;
    • A designated authority and processes for approval of secondary uses of data;
    • Consent processes; and
    • Sanctions and complaint mechanisms.
  2. The Office suggests consideration should be given to reform of the Privacy Act to address the standards by which an individual's health information may be disclosed to and collected from shared electronic health records.

Question 8-6

Office position:

  1. The Office recommends the Privacy Commissioner retain the functions conferred by s 135AA of the National Health Act 1953 in relation to the Medicare Benefits Program and the Pharmaceutical Benefits Program.

Question 8-7

Office position:

  1. The Office recommends the current definition of 'health information' in the Privacy Act should be retained.
  2. The Office recommends the current definition of 'health service' in the Privacy Act should remain. However, consideration should be given to amending s 6(a)(iii) of that definition to include the word 'injury'.

Question 8-8

Office position:

  1. The Office does not support any amendment which would remove existing exemptions for agencies based on whether they handle health information, as the grounds for these exemptions remain valid regardless of whether the agency holds health information.
  2. The Office is mindful that an amendment to the Privacy Act which required all organisations that collect, hold or use health information to comply with the Privacy Act may result in increased regulatory complexity and regulatory burden on small business operators. (See also Office position at Question 3-4)
  3. The Office suggests consideration should be given to the introduction of provisions to bring childcare centres within the scope of the Privacy Act. (See also Office position at Question 9-1)

Question 8-9

Office position:

  1. The Office submits that guidance remains the best response to clarify when organisations may disclose information for the purposes of health service management activities. The Office does not support legislative amendments in this area.
  2. The Office recommends the present provisions subjecting health management activities to ethics oversight remain. Particular operational concerns in this area are best addressed through institutional reforms.
  3. The Office suggests that if the public and private sector provisions for health and medical research are merged (see also Office position at Question 8-32), a new provision should be introduced making explicit provision for the handling of health information for the purposes of managing health services.

Question 8-10

Office position:

  1. The Office does not consider that the NPPs, when correctly interpreted and applied, create impediments to health services delivery. The Privacy Act does not prevent the collection, use or disclosure of health information where necessary for providing healthcare. Accordingly, amendments in this area are not required.

Question 8-11

Office position:

  1. The Office believes the basic framework for handling health information relating to individuals with impaired capacity is effective and should be retained.
  2. The Office suggests consideration should be given to amending the Privacy Act to include further specific reference to dealing with individuals with impaired capacity, in particular, NPP 6 may benefit from amendments to this effect.

Question 8-13

Office position:

  1. The Office recommends the Privacy Act be amended to give statutory effect to Public Interest Determinations 9 and 9A. This could be achieved most effectively by inserting an additional subclause into NPP 10.2(b). However, the scope of any amendment should be limited to exclude genetic information and information contained in an electronic health record.

Question 8-14

Office position:

  1. The Office does not support an amendment to the Privacy Act to allow insurance companies to collect health information about third parties without the parties' consent.

Question 8-15

Office position:

  1. The Office suggests consideration should be given to amendments to better align disclosures of sensitive information allowed under NPP 2 and corresponding collections under NPP 10.
  2. The Office recommends NPP 10 should be retained in its present form, with the exception of NPP 10.2(b)(ii), which could be amended to better reflect the regulatory and ethical context in which health service providers operate.
  3. The Office believes that NHPP 1 would afford lesser privacy protection to health information in several areas.

Question 8-16

Office position:

  1. The Office submits that if its recommendations in response to Questions 8-15 and 8-32 are pursued, consequential amendments to NPP 10.3 would be needed to facilitate the collection of all sensitive information, not just health information.

Question 8-17

Office position:

  1. The Office submits that the permitted disclosures of health information for the 'primary purpose' for which it was collected and for 'directly related secondary purposes' contained in NPP 2 do not impede the provision of health care. Accordingly, further guidance on the scope of appropriate uses and disclosures of health information is the most effective means of bringing clarification to this area.

Question 8-18

Office position:

  1. The Office submits that NHPP 2 should not be adopted as a basis for regulating the circumstances in which organisations may use or disclose health information as the Office considers that a number of provisions in NHPP 2 reduce the level of privacy protections currently available under NPP 2.

Question 8-20

Office position:

  1. The Office submits that NPP 6.1(b) is an appropriate and effective exception to the Privacy Act's access provisions, and should not be extended to encompass threats to the therapeutic relationship alone.
  2. The Office suggests that consideration should be given to inserting a note to NPP 6.1(b) to clarify that a serious threat to life or health referred to in paragraph 6.1(b) could include situations where deterioration in the therapeutic relationship resulting from granting access would itself constitute a serious threat to any individual's life or health.
  3. The Office suggests an amendment to NPP 6.1(b) could provide that access to health information may be denied to an individual where granting access is 'reasonably likely' to pose a serious threat to the life or health of any individual.

Question 8-21

Office position:

  1. The Office submits that NHPP 6 and Part 5 appear to be overly complex and prescriptive, and may add unwarranted regulatory complexity.
  2. The Office suggests that some of the policy objectives reflected in NHPP 6 could be adopted to usefully reform the Privacy Act.
  3. The Office suggests the ALRC should consult with the health sector to ascertain the feasibility of amendments to the Privacy Act imposing obligations on health service providers to correct disputed information.
  4. The Office suggests consideration should be given to amending the Privacy Act to require organisations who have disclosed incorrect information to notify third parties that the information has been corrected. (See also Office position at Question 4-25)
  5. The Office suggests consideration should be given to amending NPP 6.3 to give individuals a right to request a health service provider to serve as an intermediary where access to health information has been denied.
  6. The Office suggests consideration be given to amending the Privacy Act to require organisations to notify individuals of their right to seek an intermediary upon refusal of access to their health information.
  7. The Office can see merit in limiting stronger intermediary provisions to only apply to circumstances where the 'serious threat to life or health' exception is relied upon to deny an individual access to their health information.
  8. The Office submits that should a table of prescribed maximum fees for access to medical records be introduced, it should adequately cater for the diverse organisational requirements of healthcare providers.

Question 8-22

Office position:

  1. The Office recommends that the Privacy Act should be amended to clarify health providers' obligations concerning patient records when the health provider ceases trading. Consideration should be given to achieving an appropriate balance between privacy rights and the need to avoid imposing an unreasonable regulatory burden.

Question 8-24

Office position:

  1. The Office submits that the Privacy Act should be amended to require a health service provider to transfer a patient's records to another health service provider on request by that patient.

Question 8-25

Office position:

  1. The Office believes that the present public interest test regulating the use of personal information without an individual's consent for health research is appropriate and effective. Accordingly, the Office does not support amendments in this area.

Question 8-26

Office position:

  1. The Office believes that the Privacy Act should not be amended to include a definition of 'research'.

Question 8-27

Office position:

  1. The Office submits that the Privacy Act should not be amended to include definitions of 'identifiable', 'reidentifiable' and 'non-identifiable'.

Question 8-28

Office position:

  1. The Office submits that the Privacy Act should not be amended to draw a distinction between identifiable and re-identifiable information in the context of health and medical research.

Question 8-29

Office position:

  1. The Office affirms the effectiveness of the existing mechanisms for non-consensual use of health information in medical research provided by ss 95 and 95A, as well as in the NPPs. Accordingly, the Office does not support amendments in this area.

Question 8-30

Office position:

  1. The Office believes that the framework contained in NPP 2 for the use of health information in medical research without consent is appropriate and effective.

Question 8-31

Office position:

  1. The Office is of the opinion that the Human Research Ethics Committee model is sound and there is no reason to depart from it.

Question 8-32

Office position:

  1. The Office recommends that the provisions for health and medical research contained in ss 95 and 95A of the Privacy Act should be harmonised. Consideration should be given to merging the two sections into one provision.
  2. The Office suggests that consideration should be given to amending the Privacy Act, using the words 'health and medical research' to define the scope of provisions resulting from the harmonisation of ss 95 and 95A.
  3. The Office suggests consideration should be given to amending the Privacy Act to permit the use of personal information, other than health information, for health and medical research.

Question 8-33

Office position:

  1. The Office suggests consideration should be given to introducing specific legislative provision for establishing health data registers, which will bring the activity within the 'required or authorised by law' exceptions of NPP 10.
  2. The Office believes that the linking of health information on registers requires a degree of specificity in the approval process for future uses of a health register.
  3. The Office notes strong community support for consent-based research, and considers that individuals' consent should be sought before health data is collected for inclusion on a register.

CHAPTER 9

Question 9-1

Office position:

  1. The Office believes that the Privacy Act does not inhibit appropriate disclosure of information to protect child welfare, and does not interfere with the administration of juvenile justice. Accordingly, amendment to the Act is unnecessary in this area.
  2. The Office believes that the common law approach to establishing young people's capacity to make decisions about their information, including their health information, which relies on a case-by-case assessment, should be retained.
  3. The Office suggests consideration should be given to extending, or clarifying, the application of the protections in the Privacy Act to cover:
    • Child care centres; and
    • Family counselling and dispute resolution services.
  4. The Office suggests further consultation with consumer and business representatives regarding the regulatory costs of removing the application of the small business exemption to child care centres.
  5. The Office suggests the protection of children's privacy in an online environment should be addressed by measures such as industry-targeted legislation, a binding code of conduct or an industry standard.
  6. The Office suggests that criminal sanctions for individuals who inappropriately take, use or disclose photographs of children or young people are more appropriate than dealing with this issue through the Privacy Act.
  7. The Office suggests consideration should be given to the effectiveness of the regulation of court records in promoting children's privacy, in particular where a child or young person's name is removed from court records, but the individual can be identified from other personal information in the court record. (See also Office position at Question 11-5)

Question 9-3

Office position:

  1. The Office suggests consideration should be given to amending NPP 2.4 to permit the disclosure of information, other than health information, to a responsible person. The ALRC should also consider whether organisations which hold information other than health information have the necessary expertise to assess whether an individual lacks capacity to consent to the disclosure of their information, such that they could rely on an amended NPP 2.4 provision.
  2. The Office could provide additional guidance on the circumstances in which the Privacy Act currently allows health service providers to disclose information to a responsible person under NPP 2.4.
  3. The Office suggests consideration should be given to whether the IPPs make adequate provision for disclosures of information to people responsible for individuals, where those individuals lack capacity or the ability to communicate consent.
  4. The Office suggests consideration should be given to whether the Privacy Act and related laws should allow a person to engage in financial transactions on an individual's behalf in the event of an individual suddenly and unexpectedly losing capacity.
  5. The Office suggests consideration should be given to amending IPP 6 and NPP 6 to clarify that an individual's legal representative has a right to access personal information concerning that individual. This right to access should be limited to reflect the particular area of responsibility of that representative and, where the incapacity is temporary or the individual is likely to recover capacity, access should be limited to the information necessary to make the necessary decisions.

CHAPTER 10

Question 10-1

Office position:

  1. The Office suggests consideration be given to requiring that, where there is more than one applicable reason for a disclosure under the Telecommunications Act 1997 (Cth), each reason be recorded.
  2. The Office holds the view that the protections conferred on personal information by Part 13 of the Telecommunications Act 1997 (Cth) are limited and the extent of the exceptions needs to be revisited.
  3. The Office believes that there are certain activities that should be regulated because of the nature of the activity, rather than the size of the organisation.
  4. The Office reiterates its recommendation 9 from the Private Sector Review that the Australian Government should consider making regulations under s 6E of the Privacy Act to ensure that the Privacy Act applies to all small businesses in the telecommunications sector, including Internet Service Providers and Public Number Directory Producers.
  5. The Office recommends prescribing small businesses in the telecommunications sector under s 6E of the Act if the small business exemption is retained in the Privacy Act.
  6. The Office suggests s 117 of the Telecommunications Act 1997 (Cth) should specifically provide for the Privacy Commissioner to state if, in his or her opinion, the proposed code materially 'derogates' from the provisions of the Privacy Act.
  7. The Office suggests that the Telecommunications Amendment (Integrated Public Number Database) Act 2006 could be improved by including more detail in the Act about the categories and activities of researchers and by dealing with the issue of directory products produced from other sources.
  8. The Office suggests that the Telecommunications (Interception and Access) Act 1979 (Cth) should provide for greater accountability as to when and why an expanded range of agencies, including public revenue agencies, can gain access to stored communications.
  9. The Office suggests that the Telecommunications (Interception and Access) Act 1979 (Cth) should require agencies to review whether information they have accessed via stored communications warrants is still required for a permitted purpose or should be destroyed.

Question 10-2

Office position:

  1. The Office is of the opinion that increasing the consistency and clarifying the relationship between the Telecommunications Act 1997 (Cth) and the Privacy Act would help to ensure adequate privacy protection, reduce complexity for businesses, and assist consumers to understand their rights.
  2. The Office suggests that s 282 of the Telecommunications Act 1997 (Cth), which requires law enforcement agencies to provide certificates for disclosures, could be strengthened to ensure the use and disclosure of information by law enforcement agencies is more closely aligned to those respective requirements under NPP 2.
  3. The Office believes consideration should be given to removing the exceptions under Division 3 of Part 13 of the Telecommunications Act 1997 (Cth), and allowing NPP 2 to regulate use and disclosure of information. Alternatively, the exceptions in Part 13 could be aligned with the use and disclosure provisions under NPP 2.
  4. The Office recommends maintaining the offence provisions in Part 13 of the Telecommunications Act 1997 (Cth).
  5. The Office reiterates the comments made in its Private Sector Review which noted that, where possible, the Telecommunications Act and the Privacy Act should be compared and reviewed to ensure the highest of the two standards always operates.
  6. The Office submits that there is merit in retaining the following requirements under Part 13 of the Telecommunications Act 1997 (Cth) (subject to any amendments required to promote consistency with NPP 2):
    • the current record-keeping requirements (Division 5);
    • the Privacy Commissioner's monitoring role in relation to record-keeping (s 309);
    • the requirement that disclosures to certain law enforcement agencies be 'certified' by those agencies.
  7. The Office suggests that if the exceptions to use and disclosure offences are retained under Part 13 of the Telecommunications Act 1997 (Cth), consideration should be given to amending both the Privacy Act and the Telecommunications Act to clarify what constitutes authorised uses and disclosures under the two Acts.
  8. The Office holds the view that state and territory law enforcement authorities should be covered by one set of privacy principles to ensure consistency and uniformity of privacy protections. (See also Office position at Question 5-4).

Question 10-3

Office position:

  1. The Office submits that if the Telecommunications Industry Ombudsman retains its role in handling NPP-related complaints in the telecommunications sector, the Privacy Act should be amended to introduce a specific decline power where a privacy complaint is being handled by a recognised industry dispute resolution body. (See also Office position at Question 6-13)
  2. The Office suggests that the definition of 'carriage service provider' in s 87 of the Telecommunications Act 1997 (Cth) should be reviewed to ensure that it captures Internet Service Providers (ISPs) when, for example, an ISP is hosting Voice over Internet Protocol (VoIP) services.

CHAPTER 11

Question 11-1

Office position:

  1. The Office supports Australia's involvement in international forums to coordinate data protection schemes.
  2. The Office believes that in the context of developing technologies, consideration should be given to clearly recognising the importance of the Office's education function by including express reference to it in s 27 of the Privacy Act in either or both of sub-sections 27(1)(c) and (m).
  3. The Office recommends that consideration be given to making the voluntary public sector data matching guidelines mandatory. (See also Office position at Question 7-6)
  4. The Office submits that because of the increasing privacy risks posed by data matching or similar activities, consideration be given to addressing whether there needs to be additional private sector regulation for data matching, whether that be in the form of additional measures in the NPPs or a binding code.
  5. The Office reiterates recommendation 70 from the Private Sector Review that the Australian Government should consider initiating discussions through appropriate international forums about how to deal with the major international jurisdictional issues arising from the global reach of technologies such as Voice over Internet Protocol (VoIP).

Question 11-2

Office position:

  1. The Office suggests that the Privacy Act be amended to cover small businesses that handle biometric information for the purposes of how they handle that information.
  2. The Office reiterates recommendation 9 from the Private Sector Review that consideration be given to making regulations under s 6E of the Privacy Act to ensure that the Privacy Act applies to all small businesses in the telecommunications sector including Internet Service Providers (ISPs) and Public Number Directory Producers (PNDPs). (See also Office position at Question 10-1)
  3. The Office suggests that the Privacy Act be amended to ensure that private sector toll road operators are covered by the Privacy Act, to the extent that they are not covered by privacy regulation established by the relevant state or territory Parliament.

Question 11-3

Office position:

  1. The Office suggests that the definition of identifier be amended to include a 'number, symbol or other particular' assigned to an individual to identify uniquely the individual for the purposes of the organisation's operations.
  2. The Office suggests that the NPPs and IPPs be amended to give individuals access to their personal information in a comprehensible form where practicable.
  3. The Office suggests that the Privacy Act be amended to include a requirement that agencies and organisations have in place adequate review mechanisms for automated decisions, especially where those decisions may have an adverse effect on the individual.
  4. The Office welcomes further consideration of how the Privacy Act might be amended to encourage organisations to design systems that would allow for individuals to interact anonymously where this is lawful and practicable.
  5. The Office believes that the anonymity principle may be further strengthened by making anonymity the first principle rather than the eighth.
  6. The Office believes that the anonymity principle could also be changed to clarify that where an individual has an existing relationship with an organisation, that individual is still entitled to transact anonymously with that organisation where lawful or practicable. (See also Office position at Question 4-29)
  7. The Office would support the provision of data destruction in a single set of privacy principles.
  8. The Office could develop guidance material to assist agencies and organisations in understanding obligations to destroy or permanently delete personal information.
  9. The Office recommends the introduction of a statutory requirement that public sector agencies undertake PIAs for new projects and/or legislation that may significantly impact on privacy. (See also Office position at Question 6-6)
  10. The Office believes that all the basic principles of privacy law should be adopted when designing, implementing and using RFID technology, and would welcome further consideration of the privacy impacts of RFID technology by the ALRC.
  11. The Office suggests that the introduction of optical surveillance measures be pursued only where:
    • they are necessary to achieve a clear objective;
    • such measures constitute a proportional response to a defined threat or problem; and
    • they have been subject to scrutiny from a parliament.
  12. The Office recommends that the definition of sensitive information be amended to cover biometric samples collected for the purpose of biometric matching or biometric identification; and biometric template information.
  13. The Office suggests that the Privacy Act be amended to add provisions requiring agencies and organisations to advise affected individuals of a breach to their personal information in certain circumstances.

Question 11-4

Office position:

  1. The Office believes that the Privacy Act should remain technologically neutral while being technologically relevant.
  2. The Office believes a broad principle-based approach to privacy regulation remains the best way to deal with rapidly developing technology.
  3. The Office believes that the Privacy Act should provide for the Commissioner to make binding codes that go to certain acts or practices or certain technologies. (See also Office position at Question 6-20)

Question 11-5

Office position:

  1. The Office supports the further exploration of options for the protection of personal information contained in public records in the context of electronic publication.
  2. The Office believes consideration could be given to referring the matter of electronic court records to the Standing Committee of Attorneys-General (SCAG) as recommended by the ALRC in its report Keeping Secrets: The Protection of Classified and Security Sensitive Information.

CHAPTER 12

Question 12-1

Office position:

  1. The Office submits that the privacy protections afforded Tax File Numbers (TFN) remain relevant and appropriate, particularly in light of the increased ability of information technology to link records across disparate sources.
  2. The Office suggests consideration should be given to reviewing the TFN Guidelines.

Question 12-2

Office position:

  1. The Office recommends that the Privacy Act should continue to provide protections against the privacy risks associated with unique numbers.

Question 12-3

Office position:

  1. The Office recommends that the Privacy Act should continue to ensure that unique multi-purpose identifiers are handled in ways that do not unreasonably intrude on the privacy of individuals.
  2. The Office submits that the policy objective of NPP 7 remains relevant to an identifier issued in association with the access card.
  3. The Office suggests consideration be given to extending the definition of 'identifier' in the Privacy Act to include all identifiers issued by governments in all jurisdictions.

CHAPTER 13

Question 13-1

Office position:

  1. The Office believes that NPP 9(c) could be enhanced by an added specification that the transfer of personal information overseas should be within the reasonable expectations of the individual.
  2. The Office suggests that the ALRC consider how NPP 9(d) and (e) may be clarified to give organisations greater direction. In particular, the Office believes there may be benefit in reviewing NPP 9(d) and (e) to assess whether the requirements for an organisation to determine whether the transfer is 'in the interests' or 'for the benefit' of the individual continue to be appropriate.
  3. The Office submits that NPP 9(f) may benefit from an amendment that makes this clause a precondition of transfer and thus consistent with the other subsections of NPP 9.
  4. The Office suggests that it work with business to develop guidance material on NPP 9(f) that explains what 'reasonable steps' an organisation should take to ensure that the information it transfers outside Austral