Submission Home | Executive Summary | Submission Summary | Summary of Positions | Part A | Part B | Part C | Part D | Part E | Part F | Part G | Part H | Part I | Part J | Bibliography

PART E

EXEMPTIONS

CHAPTER 30

OVERVIEW-EXEMPTIONS FROM THE PRIVACY ACT

Proposal 30-1  The Privacy Act should be amended to group together in a separate part of the Act exemptions for certain categories of entities or types of acts and practices.

1. The Office agrees with proposal 30-1.

2. The Office believes that grouping exemptions together in one part of the Privacy Act 1988 (Cth) would enhance clarity. The proposal is in accordance with the Office's position in its submission to the ALRC's Issues Paper 31 (IP 31) at question 5-1.[286]

Proposal 30-2 The Privacy Act should be amended to set out in a schedule to the Act exemptions for specific, named entities. The schedule should distinguish between entities that are completely exempt and those that are partially exempt from the Privacy Act. For those entities that are partially exempt, the schedule should specify those acts and practices that are exempt.

3. The Office agrees with proposal 30-2.

4. The proposal is in accordance with the Office's position in its submission to IP 31 at question 5-1.

CHAPTER 31

DEFENCE AND INTELLIGENCE AGENCIES

Proposal 31-1   The privacy rules and guidelines, which relate to the handling of intelligence information concerning Australian persons by the Australian Security Intelligence Organisation, Australian Security Intelligence Service, Defence Imagery and Geospatial Organisation, Defence Intelligence Organisation, Defence Signals Directorate and Office of National Assessments, should be amended to include consistent rules and guidelines relating to:

(a) incidents involving the incorrect use and disclosure of personal information (including a requirement to contact the Inspector-General of Intelligence and Security and advise of the incident and measures taken to protect the privacy of the Australian person);

(b) the accuracy of personal information; and

(c) the storage and security of personal information.

1. The Office agrees with proposal 31-1.

2. The proposal is in accordance with the Office's position in its submission to IP 31 at question 5-2.[287]

Proposal 31-2 Section 15 of the Intelligence Services Act 2001 (Cth) should be amended to provide that:

(a) the responsible minister in relation to the Defence Intelligence Organisation is required to make written rules regulating the communication and retention by the Defence Intelligence Organisation of intelligence information concerning Australian persons; and

(b) before making rules to protect the privacy of Australian persons, the ministers responsible for the Australian Security Intelligence Service, the Defence Imagery and Geospatial Organisation, the Defence Signals Directorate and the Defence Intelligence Organisation should consult with the Office of the Privacy Commissioner.

3. The Office agrees with proposal 31-2.[288]

4. The proposal is in accordance with the key element of the Office's position in its submission to IP 31 at question 5-2.

5. The Office agrees that it would be appropriate for the ministers responsible for the various defence and intelligence agencies to consult with the Privacy Commissioner (as opposed to the Office of the Privacy Commissioner) before making privacy rules for their agencies.

Proposal 31-3

The Office of National Assessments Act 1977 (Cth) should be amended to provide that:

(a) the responsible minister in relation to the Office of National Assessments (ONA) is required to make written rules regulating the communication and retention by the ONA of intelligence information concerning Australian persons; and

(b) before making rules to protect the privacy of Australian persons, the minister responsible for the ONA should consult with the Office of the Privacy Commissioner.

6. The Office agrees with proposal 31-3.

7. The proposal is in accordance with the key element of the Office's position in its submission to IP 31 at question 5-2.[289]

8. The Office agrees that it would be appropriate for the minister responsible for the ONA to consult with the Privacy Commissioner (as opposed to the Office of the Privacy Commissioner) before making privacy rules for the ONA.

Proposal 31-4

Section 8A of the Australian Security and Intelligence Organisation Act 1979 (Cth) should be amended to provide that, before making rules to protect the privacy of Australian persons, the responsible minister should consult with the Office of the Privacy Commissioner.

9. The Office agrees with proposal 31-4.

10. The Office notes that on a previous occasion the Privacy Commissioner has been consulted in relation to the Australian Security and Intelligence Organisation's (ASIO) rules to protect the privacy of Australian persons. The Office agrees that it would be appropriate for the minister responsible for ASIO to consult with the Privacy Commissioner (as opposed to the Office of the Privacy Commissioner) before making privacy rules for ASIO.

Proposal 31-5

The privacy rules and guidelines referred to in Proposal 31-1 should be made available electronically to the public; for example, on the websites of those agencies.

11. The Office agrees with proposal 31-5.

12. The Office notes that ASIO's guidelines are currently available on ASIO's website, to the extent that this would not compromise national security. The Office believes it would be appropriate for all the named agencies to similarly make available their privacy rules and guidelines on their respective websites as well as in other accessible forms as requested by members of the public. This would enhance community confidence in how personal information is handled by these agencies.

Proposal 31-6

The Privacy Act should be amended to apply to the Inspector-General of Intelligence and Security (IGIS) in respect of the administrative operations of that office.

13. The Office has no specific comment on whether the Privacy Act should be amended to apply to the Inspector-General of Intelligence and Security (IGIS) in respect of its administrative operations.

14. However, this proposal raises a broader issue of consistency across exemptions. As indicated in its submission to ALRC IP 31, question 5-3, the Office holds that entities with like functions should be treated consistently under the Privacy Act.[290] This proposal is also consistent with the Office's general position that exemptions to the Privacy Act should be minimised and only established where there is a clear and compelling public interest.

Proposal 31-7

The Inspector-General of Intelligence and Security, in consultation with the Office of the Privacy Commissioner, should develop and publish information-handling guidelines to ensure that the personal information handled by IGIS is protected adequately.

15. The Office agrees with proposal 31-7.

16. The Office believes that all entities, whether covered by the Privacy Act or not, should implement a set of standards for the handling of personal information. These could be adapted from the privacy principles taking into account the particular national security requirements. The proposal is in accordance with the main message of Office's position in its submission to IP 31 at question 5-2.

17. The Office agrees that it would be appropriate for the minister responsible for the IGIS to consult with the Privacy Commissioner (as opposed to the Office of the Privacy Commissioner) before making privacy rules for the IGIS.

CHAPTER 32

FEDERAL COURTS AND TRIBUNALS

Proposal 32-1 Federal courts that do not have a policy on granting access for research purposes to court records containing personal information should develop and publish such policies.

1. The Office supports proposal 32-1.

2. Developing policies of this kind may facilitate research in the public interest, while providing appropriate privacy protections.

Chapter 32 - Access Issues

3. In addition to the research access issue addressed by proposal 32-1, the ALRC also considers access to court records by the media and the general public.

4. The ALRC explored these issues in its inquiry into the protection of classified and security sensitive information. In its report, Keeping Secrets: the Protection of Sensitive and Security Classified Information,[291] the ALRC recommended that the Standing Committee of Attorneys-General (SCAG) order a review of court and tribunal rules for non-party access to court records. The ALRC reaffirms this recommendation in Discussion Paper 72 (DP 72).[292]

5. The Office supports this recommendation, noting that SCAG would appear to be the appropriate forum to address privacy issues in this area.

6. As noted in its submission to ALRC IP 31, the Office suggests that such a review could also usefully address privacy and electronic publication of court records.[293] While closely related to the issues outlined above, electronic publication raises discrete policy issues which merit particular attention, including the ease with which this material can be searched and disseminated.

7. Accordingly, the Office suggests that the question of access by non-parties and electronic publications of court records be referred to SCAG for consideration.

Federal tribunals: Access rights for parties to the matter

8. The ALRC requests comment on whether exceptions should apply when granting an individual access to their personal information held by a federal tribunal.[294]

9. The Office notes that this matter could usefully be explored within the proposed SCAG review of court and tribunal rules on access to court records discussed above.

10. Where the tribunal record in question is covered by the Act, the Office's view is that access by a party to their personal information would best be addressed within the general access provisions for agencies, subject to any specific exceptions which may apply.

Question 32 - 1 Should the Privacy Act be amended to provide that federal tribunals are exempt from the operation of the Act in respect of their adjudicative functions? If so, what should be the scope of ‘adjudicative functions'?

11. The Office has no specific comment on whether federal tribunals should be exempt from the Privacy Act in respect of their adjudicative functions.

12. However, this question raises a broader issue of consistency across exemptions. As indicated in its submission to ALRC IP 31, Chapter 5, question 5-3, the Office holds that entities with like functions should be treated consistently under the Privacy Act.

13. Question 32-1 also asks what the scope of the term ‘adjudicative functions' should be.

14. While the Office has no comment on this specific issue, it notes that, at paragraph 32.22 of DP 72, the ALRC supports the words ‘non-administrative nature' being used in relation to federal courts.

15. The Office suggests that the ALRC consider using the words ‘non-administrative' in framing any applicable exemption for federal tribunals so as to promote consistency. If the ALRC chooses to retain the distinction between ‘adjudicative functions' for tribunals and ‘non-administrative matters' for courts, it would be useful for the ALRC to explain the policy basis for introducing this distinction.

16. Whichever form of words is used, the Office submits that the exemption should be clearly defined so as to enable agencies, organisations and the community to determine what information falls within the scope of an exemption.

CHAPTER 33

EXEMPT AGENCIES UNDER THE FREEDOM OF INFORMATION ACT 1982 (CTH)

Proposal 33-1    The Privacy Act should be amended to remove the partial exemption that applies to the Australian Fair Pay Commission under s 7(1) of the Act.

1. As in the Office's response to question 5-3 of ALRC's IP 31, the Office has no specific view on whether the current partial exemption applying to the Australian Fair Pay Commission is appropriate.

2. However, the Office suggests that in considering the merit in the removal of the partial exemption for the Australian Fair Pay Commission, consideration be given to whether maintaining the exemption is supported by a clear and demonstrable public interest which reflects community attitudes and values.

3. Consideration should also be given to the benefits of treating entities with like functions consistently under the Privacy Act 1988 (Cth) (‘Privacy Act').

Proposal 33-2    The following agencies listed in Schedule 2 Part I Division 1 and Part II Division 1 of the Freedom of Information Act 1982 (Cth) should be required to demonstrate to the Attorney-General of Australia that they warrant exemption from the operation of the Privacy Act:

(a) Aboriginal Land Councils and Land Trusts;

(b) Auditor-General;

(c) National Workplace Relations Consultative Council;

(d) Department of the Treasury;

(e) Reserve Bank of Australia;

(f) Export and Finance Insurance Corporation;

(g) Australian Communications and Media Authority;

(h) Classification Board;

(i) Classification Review Board;

(j) Australian Trade Commission; and

(k) National Health and Medical Research Council.

The Australian Government should remove the exemption from the operation of the Privacy Act for any of these agencies that, within 12 months, do not make an adequate case for retaining their exempt status.

4. As noted in the Office's response to question 5-1 of IP 31,[295] the Office submits that, wherever possible, exemptions to the Privacy Act should be kept to a minimum and only established where there are clear policy or public interest reasons for doing so.

5. Where exemptions do apply, the exemption should be clearly defined to enable agencies, organisations and the community to determine which agencies fall within the scope of the exemption.

6. The Office further submits that a review of exemptions to the Privacy Act should also address the irregularity of exemption coverage and the extent to which exemptions have the potential to undermine national consistency and promote fragmentation in privacy regulation.

7. While the Office is not aware of clear and compelling justifications for the agencies listed above to be exempt from Privacy Act, the Office is supportive of the approach adopted by the ARLC to determine their exempt status.

Proposal 33-3 The Privacy Act should be amended to remove the exemption of the Australian Broadcasting Corporation and the Special Broadcasting Service listed in Schedule 2 Part II Division 1 of the Freedom of Information Act 1982 (Cth).

8. As noted above in response to proposals 33-1 and 33-2, the Office submits that, wherever possible, exemptions to the Privacy Act should be kept to a minimum and only established where there are clear policy or public interest reasons for doing so.

9. The Office offers no comment on whether the Privacy Act should be amended to remove the exemption for the Australian Broadcasting Corporation and the Special Broadcasting Service. It should be noted that in chapter 38 of this submission, the Office has generally supported the retention of the journalism exemption (albeit in revised form). Accordingly, if the exemptions for the ABC and SBS were removed, the journalism activities of those entities would remain exempt from the National Privacy Principles (NPPs).

10. However, the Office notes that careful consideration should be given to any policy or public interest reasons for retaining the exemption.

CHAPTER 34

OTHER PUBLIC SECTOR EXEMPTIONS

Proposal 34-1 The Attorney-General's Department, in consultation with the Office of the Privacy Commissioner, should develop and publish the information-handling guidelines for royal commissions to assist in ensuring that the personal information they handle is protected adequately.

1. The Office supports proposal 34-1, which reflects its submission to the ALRC's Issues Paper 31 (IP 31), question 5-3.[296]

Proposal 34-2 The Privacy Act should be amended to remove the exemption that applies to the Australian Crime Commission and the Board of the Australian Crime Commission by repealing s 7(1)(a)(iv), (h) and 7(2) of the Act.

2. The Office has no specific comment on whether the Privacy Act 1988 (Cth) should be amended to remove the exemption that applies to the Australian Crime Commission (ACC) and the Board of the ACC.

3. However, this question raises a broader issue of consistency. As indicated in its submission to ALRC IP 31, question 5-3, the Office holds that entities with like functions should be treated consistently under the Privacy Act.[297]

4. In that submission to IP 31, at question 5-3, the Office suggested that it would be timely to assess whether the ACC's full exemption from the Privacy Act continues to be suitable.

Matters to be considered

5. In considering the ongoing suitability of the exemption, the Office believes that there should be a clear public interest enunciated for it to be maintained.

6. The Office submits that any review of exemptions should also address irregularity of exemption coverage; that is where a specific entity is exempted from coverage of the Privacy Act while other entities of a similar nature and function are not. The Office notes that other Commonwealth law enforcement agencies such as the Australian Federal Police (AFP) and AUSTRAC are covered by the Privacy Act and that the ACC's exemption could be considered an irregularity.

7. In addition, the Office is concerned that exempting the ACC may create a break in the continuity of privacy protections. If the ACC sources personal information from agencies such as the AFP, AUSTRAC, Customs or ASIC which are covered by the Privacy Act, that information falls outside the scope of the Privacy Act while it is held on ACC records, and also when the ACC discloses it. [298] This includes records held in the Australian Criminal Intelligence Database (ACID), which is used by all Australian police forces and a range of other Commonwealth government agencies. Accordingly, removing this exemption would promote consistency in privacy regulation and protection.

8. The Office notes that comprehensive privacy protections for information shared among enforcement bodies would then require positive steps by all states and territories to ensure that their enforcement bodies, such as state police, were also subject to privacy regulation.

Applying privacy in law enforcement contexts

9. In a recent submission to a Senate inquiry into the future impact of serious and organised crime on Australian society, the ACC stated that its exemption from the Privacy Act prevents the exposure of its methods and operations to criminal groups.[299] However, the Office notes that other law enforcement agencies covered by privacy regulation are not required to reveal information about their methods and operations. Access provisions that apply to agencies under Information Privacy Principle (IPP) 6 operate under the applicable provisions of the Freedom of Information Act 1982 (FOI Act). The FOI Act specifically exempts access to such sensitive operational information under s 37, which provides, in part, that:

(2) A document is an exempt document if its disclosure under this Act would, or could reasonably be expected to:

...

(b) disclose lawful methods or procedures for preventing, detecting, investigating, or dealing with matters arising out of, breaches or evasions of the law the disclosure of which would, or would be reasonably likely to, prejudice the effectiveness of those methods or procedures;

10. As discussed below at question 34-1, the Office believes that current privacy regulation allows for the specific needs of law enforcement. For example the Privacy Act provides exceptions that allow law enforcement agencies to collect personal information broadly and use and disclose it for law enforcement needs. Similarly, in many operational matters, ‘reasonable steps' to provide notification at the time of collection may entail no steps.

11. The Office would welcome clarification of the public interest for retaining the ACC's exemption.

Proposal 34-3 The Privacy Act should be amended to apply to the Integrity Commissioner in respect of the administrative operations of his or her office.

12. The Office supports proposal 34-3, which is consistent with its submission to IP 31 at question 5-3.[300]

Proposal 34-4 The Integrity Commissioner, in consultation with the Office of the Privacy Commissioner, should develop and publish information handling guidelines to ensure that the personal information handled by the Integrity Commissioner and the Australian Commission for Law Enforcement Integrity is protected adequately.

13. The Office supports proposal 34-3, which is consistent with its submission to ALRC IP 31, question 5-3.[301]

Question 34-1 Should the Privacy Act be amended to set out, in the form of an exemption, the range of circumstances in which agencies that perform law enforcement functions, such as the Australian Federal Police and the Australian Crime Commission, are not required to comply with specific privacy principles?

14. The Office does not support the introduction of a law enforcement exemption to law enforcement agencies whether applying in full, or to limited circumstances.

15. In the Office's view, exceptions applying to law enforcement functions, contained in the body of the principles are a much more flexible option than comprehensive exemptions and would lead to greater consistency of application.

Flexibility

16. One of the major advantages of prescribing exceptions to the principles of the Privacy Act, rather than exemptions, is that they could apply to a range of entities when performing certain types of functions.

17. Of the current exceptions, some are framed specifically in terms of law enforcement functions. For example, IPP 10 creates an exception to the general ‘use' provisions allowing uses that are :

... reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.

18. Other exceptions are framed more broadly, but may apply to law enforcement activities. For example, IPP 11 (d) creates an exception to the general prohibition against disclosure of personal information where that disclosure ‘required or authorised by or under law.'

19. In contrast, given their absolute nature, exemptions may not be sufficiently flexible to accommodate the variety of activities for which an agency may handle personal information. The Office notes that only a portion of an agency's normal activities may clearly merit being placed outside the general scope of the principles. For example, some information may be collected by an agency for management of revenue collection, but could also be used for enforcement purposes.

20. In the Office's view, exceptions are more flexible in their application than are exemptions.

Complexity

21. The Office notes that there is a broad range of entities that could meet the definition of an ‘enforcement body' in the Privacy Act. If the intention is to cover all of these agencies, it is unclear how select activities of this diverse group could be adequately captured by an exemption provision without affecting privacy protections relating to other functions.

22. On the other hand, by exempting a limited number of enforcement agencies when performing particular functions, there is a risk that other agencies that occasionally perform similar enforcement functions would have to meet different requirements for handling the personal information. This would create additional inconsistencies and promote regulatory complexity and uncertainty.

23. In the Office's view, exceptions are arguably better placed to deal with the handling of personal information by a broader range of entities in specific contexts. The present structure, reflected in the exceptions under the proposed Unified Privacy Principles (UPPs), appears sufficiently broad to accommodate law enforcement agencies within the body of privacy regulation.

24. Accordingly, to minimise the complexity of the UPPs, the Office submits that exemptions should not be created which are specific to law enforcement agencies in certain circumstances.

Additional benefits

25. Good information handling practice supports all aspects of law enforcement because information is elemental to any investigation. A large proportion of this information will be personal information. Decisions based on poor information can have adverse impacts for individuals and the reputation of law enforcement agencies. This, in turn, could undermine community trust and confidence in enforcement agencies and the administration of law.

26. The Office submits that information handling practices required under the Privacy Act enhance overall data quality and support better decision-making. For example, officers frequently have to make critical decisions in tight timeframes and rely on the accuracy of the information they have at that time. The ‘Data Quality' principle is therefore particularly important for law enforcement.

27. The Office believes that the Privacy Act includes the right balance of requirements and necessary exceptions for the efficient and effective operation of enforcement agencies including intelligence, investigations and public safety functions. The IPP guidelines provide further information on the application of the principles to law enforcement.

28. The Office does not support exemptions applying to law enforcement agencies that might lessen privacy protections for individuals and remove useful frameworks for the handling of personal information.

Question 34-2 Should the Department of the Senate, the Department of the House of Representatives and the Department of Parliamentary Services continue to be exempt from the operation of the Privacy Act? If so, what should be the scope of the exemption?

29. The Office does not have a specific view on whether the Department of the Senate, the Department of the House of Representatives and the Department of Parliamentary Services should continue to be exempt from the operation of the Privacy Act.

30. As noted above at proposal 33-1, in the Office's view there should be a clear public interest enunciated for any exemption to be maintained.

31. The Office notes that the current exemptions are not explicitly referred to in the Privacy Act or the Public Service Act 1999 (Cth), from which the Privacy Act derives its definition of a department. It appears that the current exemption is set out in Parliamentary Service Act 1999 (Cth).

32. If these bodies are to be exempt from the operation of the Privacy Act, the Office submits that:

• any exemption should be explicitly referred to in the Privacy Act;
• exemptions should be included in a schedule to the Act; and
• all entities that are not covered by the Privacy Act should implement and make publicly available a set of standards for the handling of personal information.

Proposal 34-5 Subject to Proposal 4-4 (states and territories to enact legislation applying the proposed Unified Privacy Principles and Privacy (Health Information) Regulations), the Privacy Act should be amended to:

(a) apply to all state and territory incorporated bodies, including statutory corporations, except where they are covered by obligations under a state or territory law that are, overall, at least the equivalent of the relevant obligations in the Privacy Act; and

33. The Office supports in principle this proposal, which is consistent with its submission to IP 31, question 5-5.[302]

34. The precise form that should be pursued for health privacy regulation is discussed in chapters 4 and 56.

(b) empower the Governor-General to make regulations exempting state and territory incorporated bodies from coverage of the Privacy Act on public interest grounds.

35. The Office supports this proposal, which is consistent with its submission to IP 31, at question 5-5.[303]

36. The Office welcomes the specificity of this regulation making power, in contrast to that suggested in proposal 3-1.

Proposal 34-6 The Privacy Act should be amended to provide that, in considering whether to exempt state and territory incorporated bodies from coverage of the Privacy Act, the Minister must:

(a) be satisfied that the state or territory has requested that the body be exempt from the Act;

(b) consider:

(i) whether coverage of the body under the Privacy Act adversely affects the state or territory government;

(ii) the desirability of regulating under the Privacy Act the handling of personal information by that body; and

(iii) whether the state or territory law regulates the handling of personal information by that body to a standard that is at least equivalent to the standard that would otherwise apply to the body under the Privacy Act; and

(c) consult with the Privacy Commissioner about the matters mentioned in paragraphs (ii) and (iii) above.

37. The Office supports this proposal, noting that it broadly reflects the terminology, if not effect, of the current section 6C(4) (‘making regulations to stop instrumentalities being organisations'). This is consistent with the Office's submission to IP 31, question 5-5.[304]

CHAPTER 35

SMALL BUSINESS EXEMPTION

Proposal 35-1 The Privacy Act should be amended to remove the small business exemption by:

(a) deleting the reference to ‘small business operator' from the definition of ‘organisation' in s 6C(1) of the Act; and

(b) repealing ss 6D-6EA of the Act.

1. The Office submits that, wherever possible, exemptions to the Privacy Act 1988 (Cth) (‘Privacy Act') (specifically, the National Privacy Principles) (NPPs) should be kept to a minimum and only established where there are clear and compelling public interest reasons for doing so.

2. In the Office's Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (‘Private Sector Review') and the Office's response to ALRC's Issue Paper 31 (IP 31), it was noted that there are two policy drivers underpinning the small business exemption. Firstly, in the second reading speech accompanying the Privacy Amendment (Privacy Sector) Bill 2000, the then Attorney-General, the Hon Daryl Williams QC explained that the exemption ‘...is based on the premise that not all private sector organisations pose the same risk to privacy. Many small businesses do not have significant holdings of personal information'.[305]

3. In addition, it was a policy objective of the Privacy Act generally, and the small business exemption specifically, to balance privacy protections against the need to avoid unnecessary cost on small business. In debates on the 2000 Amendment Bill, the then Attorney noted that:

...while protecting privacy is an important goal, it must be balanced against the need to avoid unnecessary costs on small business. For this reason, only small businesses that pose a high risk to privacy will be required to comply with the legislation.[306]

4. At the same time, there are mechanisms that allow small businesses to be included under the coverage of the NPPs where their acts or practices may raise particular privacy risks. For example, all private sector health service providers, even if small businesses, are covered by the NPPs, as are small businesses that trade in personal information. This coverage has applied since the NPPs were introduced.

5. Further, other small businesses are being brought under the jurisdiction of the Privacy Act where deemed appropriate. For example, the Anti-Money Laundering and Counter-Terrorism Financing (Transitional Provisions and Consequential Amendments) Act 2006 brings personal information collected by small business ‘reporting entities' under the coverage of the NPPs. This measure was taken in recognition of the privacy risks involved in the handling of individuals' personal financial information, and to ensure that personal information collected compulsorily should be afforded appropriate protections.

6. In addition, there is a regulation making power in the Privacy Act (section 6E) which permits small businesses to be treated as if they were organisations. This has most recently been used to prescribe residential tenancy database operators as organisations. [307]

7. The Office discussed the small business exemption in its submission to IP 31 at chapter 5 paragraphs 76-87 where it recommended that the coverage of the NPPs should be extended to ensure small businesses in sectors that deal with significant amounts of personal information are prescribed under the Act. This included small businesses in the telecommunications sector, including internet service providers and Public Number Directory Producers, and small businesses that collect and use biometric information. In addition, the Office submitted that if States and Territories do not pass uniform legislation to regulate estate agents, landlords and listing agents who use residential tenancy databases, then section 6E should be used to bring these businesses under the coverage of the NPPs.

8. Further, in its submission to IP 31 at chapter 9 paragraphs 15-17 and 34-36, the Office suggested that consideration should be given to extending, or clarifying, the application of the protections in the Privacy Act to child care centres and family counselling and dispute resolution services. In each case, specific privacy risks raised by the nature or context of the personal information that might be handled, warrant the protections of the NPPs being applied.

9. The Office believes it is appropriate to address identified privacy risks through amendments to the Privacy Act, including the various exemptions. However, the scope of any amendments or extension of the protections in the Privacy Act should not be disproportionate to the issues being addressed.

10. There are many small businesses that do not collect personal information in a formal way and in such cases complying with the NPPs, for example by providing clients with a privacy policy, would seem to be impractical as well as creating an unnecessary compliance burden without a demonstrable problem that requires addressing.

11. The Office's purpose is to promote and protect privacy in Australia. The Office submits that, in terms of small businesses that do not handle large amounts of personal information, this intent can most successfully be achieved by providing encouragement and support to those businesses that choose to opt in to the Act. Further the Office can assist small businesses by promoting the benefits of embedding relevant privacy practices into their business operations and encouraging good privacy practice.

12. The Office believes that there is a risk the Privacy Act may be brought into disrepute if unnecessary burdens are placed on small business where these obligations do not deliver a clear benefit to individuals. The Office submits that the exemption should not be removed unless there is a demonstrated benefit to individuals from imposing this compliance burden on all small businesses.

13. The Office reiterates its position as expressed in its response to ALRC IP 31 at chapter 5 paragraphs 67-87. This includes the Office's position that the definition of small business should be aligned with that used by the ABS. The effect of this would be that a small business would be defined as one with more than 20 employees, rather than the definition turning on the annual financial turnover of the business.

Retention and extension of the opt-in mechanism in s 6EA

14. As with the small business exemption, the Office believes that the opt-in provision in s 6EA of the Privacy Act should be retained for the following reasons:

• Firstly, the Office sees value in allowing small businesses to choose to be covered by the Privacy Act. By opting-in, small businesses show that they are committed to respecting privacy which can enhance their brand and community trust in their operations.
• Secondly, the opt-in provision allows an exempt organisation to apply for a privacy code. Under s 18BA a privacy code applicant must be an organisation. For example, recently the Biometric Institute decided to opt in under s 6EA so that the Privacy Commissioner could consider its application for a privacy code under Part IIIAA of the Privacy Act. The Biometrics Institute Privacy Code was subsequently approved by the Commissioner and took effect on 1 September 2006.
• Certain codes not connected to the Privacy Act may also require organisations to opt-in to coverage under the Privacy Act as a condition of signing up to the code. An example of this is the Credit Union Code of Conduct which requires credit unions that are small businesses to opt-in to the Privacy Act under s 6EA.
• Thirdly, s 73 requires a private sector applicant for a Public Interest Determination (PID) to be an organisation. Allowing an applicant to opt-in under s 6EA facilitates the making of privacy codes or PIDs by the Privacy Commissioner in the public interest.

15. In addition, the Office suggests that the opt-in mechanism be extended so that other forms of entity have the ability to opt-in to coverage of the NPPs if they see fit. For example, the Office has submitted in response to Proposal 37-1 that such a measure would permit political parties, if they remain exempt and if they so chose, to opt-in to coverage.

Proposal 35-2 Before the proposed removal of the small business exemption from the Privacy Act comes into effect, the Office of the Privacy Commissioner should provide support to small businesses to assist them in understanding and fulfilling their obligations under the Act, including by:

(a) establishing a national small business hotline to assist small businesses in complying with the Act;

(b) developing educational materials-including guidelines, information sheets, fact sheets and checklists-on the requirements under the Act;

(c) developing and publishing templates for small businesses to assist in preparing Privacy Policies, to be available electronically and in hard copy free of charge; and

(d) liaising with other Australian Government agencies, state and territory authorities and representative industry bodies to conduct programs to promote an understanding and acceptance of the privacy principles.

16. If the small business exemption were to be removed, then the proposals in 35-2(a) - (d) are all sensible and necessary to assist small business in understanding and meeting their obligations.

17. The Office believes providing guidance, such as educational materials, fact sheets, checklists and templates, and being involved in programs that promote understanding and acceptance of the privacy principles, is consistent with the Office's functions under sections 27(d) and (e) of the Privacy Act, and accordingly the Office should provide such support.

18. It is noted that fulfilling the additional requirements resulting from removal of the small business exemption from the Privacy Act, will require appropriate resources for the Office.

CHAPTER 36

EMPLOYEE RECORDS EXEMPTION

Proposal 36-1 The Privacy Act should be amended to remove the employee records exemption by repealing s 7B(3) of the Act.

1. The Office, on balance, agrees with proposal 36-1 which generally accords with the Office's position in its response to question 5-9 of the ALRC's Issues Paper 31 (IP 31).[308]

2. The Office submits that, wherever possible, exemptions to the Privacy Act 1988 (Cth) (‘Privacy Act') (specifically, the National Privacy Principles (NPPs) in schedule 3 of the Privacy Act) should be kept to a minimum and only established where there are clear and compelling public interest reasons for doing so. This approach would promote uniformity and consistency in the application of privacy regulation.

3. The Office also considered that, in the event that the Information Privacy Principles (IPPs) and NPPs are replaced by a single set of privacy principles, the removal of the employee records exemption would improve the consistent application of the principles to both the public and private sectors. Reference was also made to a number of benefits that may result from coverage of employee records under the Privacy Act, including being consistent with protection of an employee's rights as a private citizen, providing certainty about rights and obligations for employers and employees, eliminating regulatory difficulties in interpreting the exemption, and providing access to a conciliation-based complaints process through the Office.[309]

4. The Office also believes that any exemptions under the Privacy Act should reflect community expectations. In the Office's 2007 Community Attitudes survey, 86% of those surveyed thought that employees should have access to information employers keep about them.[310]

5. In the second reading speech for Privacy (Private Sector) Amendment Bill 2000, the then Attorney General, the Hon Daryl Williams QC, noted that employee records were ‘...deserving of privacy protection', though stated that such protection was ‘more properly a matter for workplace relations legislation'.[311] The Office notes that privacy protection for employee records has not subsequently been progressed through workplace relations legislation.

6. In addition, the Office observed that employers may hold sensitive information about their employees, and, generally sensitive information as defined in section 6 of the Privacy Act should be fully covered by the Act.[312]

7. Notwithstanding the above, in chapter 35 of its response to DP 72 the Office has submitted that there are clear and compelling public policy reasons why the small business exemption should be retained. In effect this would mean that their employee records would also remain exempt. Further discussion regarding the small business exemption can be found in chapter 35 of this submission.[313]

Proposal 36-2 The Privacy Act should be amended to provide that an agency or organisation may deny a request for access to evaluative material, disclosure of which would breach an obligation of confidence to the supplier of the information. ‘Evaluative material' for these purposes means evaluative or opinion material compiled solely for the purpose of determining the suitability, eligibility, or qualifications of the individual concerned for employment, appointment or the award of a contract, scholarship, honour, or other benefit.

8. The Office does not support this proposal.

9. The Office submits that the current exceptions under NPP6 (and those proposed for Unified Privacy Principles (UPP) 9) would satisfy the intent of the ALRC's proposal.

10. The ALRC's proposal suggests that a specific exception be created to apply to denial of access to evaluative material compiled solely for the purpose of determining the suitability, eligibility or qualifications of the individual concerned for employment, a contract or other benefits. The Office notes that the ‘evaluative material' discussed in DP 72 refers mainly to confidential referee reports[314].

11. In chapter 36 of DP 72 the ALRC discusses stakeholder concerns about the existing exemption, particularly, that different standards exist between public and private sector employees. The ALRC goes on to report concerns about the undesirability that employees' information would be treated less favourable to customers or clients in terms of privacy protection.[315]

12. With these comments in mind, there does not appear to be a sound policy reason for differentiating between how evaluative material of employees (or potential employees) is handled and how the organisation or agency handle other personal information they hold.

13. Further, the proposal has the potential to create complexity and unnecessary compliance costs for agencies and organisations. For example, it is not unlikely that organisations and agencies will deal with their employees in other contexts, that is, as a customer or client. In addition, an employer may collect other person information including sensitive information about their employees. By creating a separate exception regarding access to ‘evaluative material' about an employee, the agency or organisation would need to identify and separate ‘evaluative material' from other personal and sensitive information they may hold if a request for access was received.

14. The Office acknowledges that the integrity of referee reports is important, as is maintaining the confidentiality of the individual who provided the report. However, the Office submits that the NPPs (and the UPPs) provide an adequate framework for assessment, provision and, where appropriate, denial of access so that confidentiality and integrity of such information can be preserved.

15. In particular, NPP 6.1(g) provides that an organisation can deny access if ‘denying access is required or authorised by or under law'. The NPP Guidelines state that this exception would cover circumstances where providing access to personal information would be a breach of confidence under the law. This current exception would appear sufficient to meet the policy outcome being proposed by the ALRC.

16. Further, in chapter 26 of DP 72 the ALRC has proposed that NPP 6 should provide the general template for UPP9[316] (concerning Access and Correction) on the grounds that the principle based nature of NPP 6 strikes the right compliance balance. The ALRC has also suggested that the Office could provide guidance as to the meaning of ‘reasonable steps' in the context of making clear that an organisation or agency need not take any steps where this would undermine a lawful reason for denying a request for access in the first place.[317]

17. On this basis, the Office reiterates that the current provisions in NPP6 (and those proposed for UPP9), will provide an adequate framework under which organisations and agencies can deny access to evaluative material such as referee reports, where it is appropriate to do so.

18. As such, there does not appear to be a compelling policy reason to create a specific exception under NPP6 (or UPP9) which would allow access to be denied where disclosure would breach an obligation of confidence to a referee, when a general exception for breach of confidence already exists (and will continue).

CHAPTER 37

POLITICAL EXEMPTION

Proposal 37-1 The Privacy Act should be amended to remove the exemption for registered political parties and the exemption for political acts and practices by:

(a) deleting the reference to a ‘registered political party' from the definition of ‘organisation' in s 6C(1) of the Act;

(b) repealing s 7C of the Act; and

(c) removing the partial exemption that is currently applicable to Australian Government ministers in s 7(1) of the Act.

1. The Office reiterates its position expressed in its response to the ALRC Issues Paper 31 (IP 31).[318]

2. The Office submits that, wherever possible, exemptions to the Privacy Act 1988 (Cth) (‘Privacy Act') (specifically, the National Privacy Principles (NPPs)) should be kept to a minimum and only established where there are clear and compelling public interest reasons for doing so. This approach would promote uniformity and consistency in the application of privacy regulation.

3. In practice, the Office receives very few complaints or inquiries about the political exemption and therefore the Privacy Act may currently provide an appropriate balance in terms of the political exemption. At the same time though, the relative absence of complaints or enquiries may be a result of individuals not being aware of how political parties might handle their personal information.

4. If the political parties exemption is retained, the Office suggests that political parties should be required to comply with a few key privacy principles that will provide individuals with transparency and protection regarding how political parties handle their information. These key principles include the openness principle, NPP 5, and access and correction principle, NPP 6.

5. The Office considers that if political parties are required to have a privacy statement, as required by NPP 5, this would enhance the transparency of political party information handling and allow individuals to understand how the political party may use their information.

6. The Office also believes that privacy protection would also be enhanced if political parties complied with the access and correction principle, NPP 6 (or an equivalent form of privacy protection), which would allow an individual to have access to information held about them by a political party, including sensitive information, and have it corrected if it is wrong.

7. The application of key privacy principles would also be consistent with the ALRC proposal 13-1 and 13-2 regarding the Commonwealth Electoral Act 1918 (Cth). While the Office understands that political parties may collect information from sources in addition to the electoral roll, the adoption of these proposals would likely be a useful way of affording appropriate protections to a significant proportion of the personal information handled by political parties.

8. In addition, the Office suggests that the opt-in provision in s 6EA should be extended to any form of entity that is currently exempt from the operation of the NPPs in the Privacy Act. This would allow entities other than small business operators to opt-in to coverage under the NPPs.

9. These enhancements will provide that political parties observe privacy protections and demonstrate good privacy handling practices as well as enabling political parties to voluntarily opt-in to coverage by the Privacy Act if they wished to do so.

10. Further, while the Office supports the retention of the small business exemption, if it were repealed, the Office suggests that an opt-in mechanism be retained so that other forms of entity could opt-in to coverage.

Proposal 37-2 The Privacy Act should be amended to provide that the Act does not apply to the extent, if any, that it would infringe any constitutional doctrine of implied freedom of political communication.

11. The Office agrees with proposal 37-2.

12. The Office considers there is merit in the suggestion by the ALRC to insert a provision in the Privacy Act stating the Act does not apply to the extent, if any, that it would infringe any constitutional doctrine of implied freedom of political communication. This appears to be consistent with similar provisions contained in other legislation such as the Spam Act 2003 (Cth) and the Telecommunications Act 1997 (Cth), as noted by the ALRC and reflects the general policy intent that the right to privacy should be balanced with other important public interests.

Proposal 37-3  Before the proposed removal of the exemptions for registered political parties and for political acts and practices from the Privacy Act comes into effect, the Office of the Privacy Commissioner should develop and publish guidance to registered political parties and others to assist them in understanding and fulfilling their obligations under the Act.

13. As previously stated, the Office believes promoting an understanding and acceptance of the privacy principles and preparing and publishing guidance material is consistent with the Office's functions under sections 27(1) (d) and (e) of the Privacy Act.

14. Additional guidance material would be required if the exemptions for political parties and for political acts and practices were removed. It is noted that the fulfilling the additional requirements resulting from changes to the Privacy Act, will require appropriate resources.

CHAPTER 38

MEDIA EXEMPTION

Proposal 38-1 The Privacy Act should be amended to define ‘journalism' to mean the collection, preparation for dissemination or dissemination of the following material for the purpose of making it available to the public:

(a) material having the character of news, current affairs or documentary; or 

(b) material consisting of commentary or opinion on, or analysis of, news, current affairs or a documentary.

1. The Office submits that, wherever possible, exemptions to the Privacy Act 1988 (Cth) (Privacy Act) (specifically, the National Privacy Principles (NPPs) contained in schedule 3 of the Privacy Act) should be kept to a minimum and only retained where there are clear and compelling public interest reasons for doing so.

2. The Office notes that, given the limited scope of this exemption, it may be more appropriate to refer to it as a ‘journalism exemption'. This simple measure could assist in promoting an understanding of its scope.

3. In the Office's Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (‘Private Sector Review') it was noted that while there are concerns that the news media can be intrusive, it is generally recognised that these intrusions must be weighed against the public interest in promoting free speech and an informed community. All submissions received recognised that the news media has an important role to play in informing the public.[319]

4. In the Office's response to questions 5-10 to 5-12 of the ALRC's Issue Paper 31 (IP 31), the Office noted that it receives very few enquiries and complaints about media organisations (though this may be because potential complaints are dissuaded from complaining by an awareness of the journalism exemption).[320]

5. Accordingly, given the important role of a free press in a liberal democracy, and in absence of strong evidence of abuse, the Office suggested in its Private Sector Review that removing the journalism exemption appeared to be unnecessary.[321]

6. However, the Office does submit that the drafting of the exemption be revisited. The Office noted in its response to IP 31 that the wording of the media exemption is broad and contains terms that are ill-defined.[322] The Office also noted that the exemption lacks specificity in relation to the level of standards to which a media organisation must commit itself and has no requirement that there be a means of enforcing such standards. In the Private Sector Review, the Office recommended that the term ‘in the course of journalism' could be defined and the term ‘media organisation' could be clarified to ensure that the exemption focuses on news and current affairs, and is in the public interest.

7. The Office generally agrees that the Privacy Act should be amended to define ‘journalism' and notes the ALRC considered four options for defining the word journalism. The Office believes there is merit in the ALRC proposal to include news, current affairs, and documentaries in the definition of ‘journalism'.

8. However it is important to note that this approach limits the scope of the term and this is contrary to the intention of parliament, as discussed in the explanatory memorandum and evidenced by the removal of the definition of ‘journalism' from the Privacy Amendment (Private Sector) Bill. The Australian Government has previously chosen not to define the term ‘journalism' as it ‘may change in nature' and it was the intention that the exemption ‘...cover a range of activities of different forms of media'.[323]

9. While the Office recognises the merits of the definition proposed in DP 72, it draws attention to the approached referred to in paragraph 38.28. This alternative approach places a focus on defining journalism in terms of the character of the activity taking place, rather than by limiting it by reference to traditional news media.[324] Including provision for such an approach may address concerns that a statutory definition would be unresponsive to changes in journalism.

10. The Office believes it is important to ensure the definition of ‘journalism' is broad enough to encompass a variety of mediums, and is able to keep pace with technological changes that create new and emerging channels for journalism, for example, news blogs.

11. The Office also notes that the elements of the proposed definition may themselves be difficult to define. For example, the Australian Communications and Media Authority (ACMA) has defined ‘documentary' as:

...a program that is a creative treatment of actuality other than a news, current affairs, sports coverage, magazine, infotainment or light entertainment program.[325]

12. Including provision for the definition to consider the purpose or character of the activity may help clarify the scope of the definition and provide for it to be flexible if the essential nature of journalism changes.

Proposal 38-2 In consultation with the Australian Communications and Media Authority and peak media representative bodies, the Office of the Privacy Commissioner should establish criteria for assessing the adequacy of media privacy standards for the purposes of the media exemption.

13. The Office believes there is merit in the proposal for the Privacy Commissioner, in consultation with industry and other stakeholders, to establish criteria for assessing the adequacy of media privacy standards for the purposes of the journalism exemption.

14. The proposal is similar to recommendation 59 of Office's Private Sector Review, that the Office work with ACMA to provide more definitive guidance to media organisations on appropriate levels of privacy protection in privacy standards for media organisations, and how to implement such standards.[326] The Office notes that, since the release of the Private Sector Review, ACMA has released its Privacy guidelines for broadcasters,[327] which could usefully inform the criteria proposed in 38-2.

Proposal 38-3 The Office of the Privacy Commissioner should issue guidelines containing the criteria for assessing the adequacy of media privacy standards established under Proposal 38-2.

15. The Office agrees with proposal 38-3.

16. The proposal generally accords with Office's position in its submission to IP 31 that the Office, in conjunction with ACMA, provide greater guidance to media organisations as to appropriate levels of privacy protection, especially in relation to health issues and make media organisations aware that the media exemption is not a blanket exemption.[328] The Office recognises that such guidance would require wide consultation with industry and other stakeholders.

17. The Office believes providing guidance, such as guidelines explaining the criteria for assessing the adequacy of media privacy standards, is consistent with the Office's functions under sections 27(1)(e) of the Privacy Act.

18. Additional guidance material may be required as a result of any change to the exemption, particularly in regard to proposals 38-1 and 38-4. It is noted that fulfilling the additional requirements resulting from changes to the Privacy Act will require appropriate resources.

Proposal 38-4 Section 7B(4)(b)(i) of the Privacy Act should be amended to provide that the standards must ‘deal adequately with privacy in the context of the activities of a media organisation (whether or not the standards also deal with other matters)'.

19. The Office believes there is merit in the ALRC proposal to amend the Privacy Act to provide that the standards must ‘deal adequately with privacy in the context of the activities of a media organisation (whether or not the standards also deal with other matters)'.

20. The proposal generally accords with the position in the Office's Private Sector Review, where the Office suggested the Privacy Act could be amended to establish criteria by which the Privacy Commissioner could measure whether the standards afford an appropriate level of privacy protection.[329]

21. The inclusion of the term ‘adequately' would also clarify that the standards must be robust and of substance. The Office has been aware of circumstances where the existing provisions may allow the journalism exemption to apply notwithstanding that the relevant standards offer little meaningful privacy protection.

Grounding the meaning of ‘adequately'

22. The Office submits that the introduction of a statutory adequacy test for media privacy standards should be accompanied by clear guidance from Parliament on the intended scope and effect of such a test.

23. For example, the Office suggests that any Bill introducing an amendment could include specific criteria to guide the interpretation and application of an adequacy test. Alternatively, any explanatory memorandum accompanying the bill could usefully provide explanation and guidance on the intended scope and content of such a test.

24. Equally, the Office suggests that the ALRC's final report of this inquiry, as a potentially significant aid for statutory interpretation, could outline a range of matters that might go to determining whether standards would be adequate. The Office has suggested below a list of possible criteria.

25. The Office further submits that if an express requirement of adequacy were introduced into the Privacy Act, it would become essential for the Office, in collaboration with other stakeholders such as ACMA, to produce the guidance material referred to in proposals 38-2 and 38.3.

26. Further, it would promote regulatory stability for these adequacy criteria to be set out in a legislative instrument made by the Privacy Commissioner and disallowable by Parliament.

27. The Office submits that this approach would assist by achieving flexibility in the assessment of what is adequate, and would ensure the Commissioner's assessment of adequate standards has the ability to keep pace with technological changes and is able to reflect society's expectations. The Office proposes that appropriate stakeholders, such as ACMA and the Australian Press Council, be consulted in drafting these binding rules.

28. In terms of considering what factors might be relevant in determining whether the standards adequately deal with privacy in the context of the activities of a media organisation, the Office suggests that standards could provide the following:

• (a) prior to reporting about personal information, an assessment is made about whether the information is of a private nature;
• (b) personal information of a private nature will only be disclosed where an individual has consented to that disclosure or there is a substantial public interest for the disclosure. Such information may include a person's address, health information, financial affairs, family information, or private conduct. 
• (c) factors that would characterise an issue as being of ‘substantial public interest', such that it would necessitate the disclosure of information without adherence to the privacy provisions of the standard;
• (d) disclosure is limited to necessary information, and particularly, personal information of a private nature, should not be disclosed where it does not affect the meaning of the journalistic material being made available to the public;
• (e) use and disclosure of the information is assessed in terms of how it was collected.  For example, whether the information was collected in an intrusive way and out of the public domain;
• (f) consideration is given to whether the privacy of children or minors will be affected by information collected, used and disclosed; and
• (g) training and compliance controls are embedded into the standard to ensure that staff in media organisations know what their obligations are and how to comply with them.

Proposal 38-5 The Office of the Privacy Commissioner should issue guidance to clarify that that the term ‘publicly committed' in s.7B(4) of the Privacy Act requires both:

(a) express commitment by a media organisation to observe privacy standards that have been published in writing by the media organisation or a person or body representing a class of media organisations; and

(b) conduct by the media organisation evidencing commitment to observe those standards.

29. The Office agrees with proposal 38-5.

30. In terms of its response to question 38-4 above, the Office suggests that media organisations should bear the onus of proving that they have taken active and positive steps towards complying with published privacy standards. For example, in terms of the factors that the Office has suggested could be included in the Privacy Commissioner's binding rules, a media organisation should be able to demonstrate what steps it has taken to comply with those requirements.

31. The Office believes providing guidance is consistent with its functions under sections 27(1)(e) of the Privacy Act.

CHAPTER 39

OTHER PRIVATE SECTOR EXEMPTIONS

1. In chapter 39, the ALRC's Discussion Paper 31 (DP31) considers the remaining private sector exemptions relating to:

• personal, family or household affairs;
• related bodies corporate and change in partnership; and
• the circumstances under which overseas acts and practices of an organisation are excluded from the coverage of the privacy principles.

2. The ALRC makes no specific proposals in this chapter of DP 72.

Related bodies corporate

3. In paragraph 39.29 of DP 72, the ALRC supports the need for companies with a shared ownership or controlling interest to be able to share non-sensitive personal information. As noted by the ALRC, the Office is concerned with the disclosure of personal information to a related company for direct marketing purposes.

4. To resolve this issue, DP 72 proposes that individuals are provided with the means to opt out of direct marketing. Further the ALRC suggests that the organisation involved in the direct marketing should inform the individual from where it acquired their information[330].

5. While the Office agrees with aspects of the ALRC's position, the Office believes that in keeping with the spirit of the Privacy Act 1988 (Cth) (‘the Privacy Act') and the purpose of notice provisions, that individuals should be better informed that their personal information may be disclosed to a related body corporate. In particular, the relevant body corporate should include details of related companies with which it regularly exchanges information.

6. As such, the Office reiterates the need for improved notice provisions for companies with a shared ownership or controlling interest, when non-sensitive information is shared.

7. Further discussion about notice provisions can be found at chapter 20.

Transborder data flows between related bodies corporate

8. The Office's response to question 13-2 of the ALRC's Issues Paper 31 (IP 31) discussed the distinction between disclosures of personal information between related bodies corporate within Australia and transfer of personal information from an Australian body corporate to a related body corporate overseas.[331]

9. Specifically, the Office noted that organisations were unclear about whether s13B(1) enables a body corporate in Australia to transfer personal information to a related boy corporate located outside Australia without invoking NPP9. It was also noted that the extra territorial provisions under s5B do not appear to apply to related entities outside Australia.

10. In this regard, the Office suggested that the Privacy Act could be amended to clarify that if an organisation transfers personal information to a related body corporate in an overseas jurisdiction, that transfer will be subject to NPP 9 transborder requirements.

11. Further, in its submission to IP 31[332], the Office raised the need to include a note under section 13D reminding organisations of their obligations in relation to transborder data flows of personal information under NPP 9.

12. The Office suggests the ALRC revisit these considerations.

13. Further discussion on the issue of transborder dataflows and NPP 9 are discussed in chapter 28.

Direct Marketing

14. The Office supports the recommendation by the ALRC in DP 72 that the Office ‘...issue guidance to organisations involved in direct marketing that clarifies their obligations under the Privacy Act in dealing with particularly vulnerable people, such as individuals aged 14 and under'.[333]

15. The Office provides further comments regarding this issue and direct marketing, generally, at chapter 23 of this submission.

Change in partnership

16. The Office supports the ALRC's position that where a change in partnership arises, that the new partnership should seek to advise its customers of the change, as a matter of good practice rather than a formal statutory requirement.

CHAPTER 40

NEW EXEMPTIONS

Question 40-1  Should the Australian Government request that the Standing Committee of Attorney-General consider the regulation of private investigators and the impact of federal, state and territory privacy and related laws on the industry?

1. The Office supports the proposal that the Australian Government should request the Standing Committee of Attorneys-General (SCAG) to consider the regulation of private investigators and the impact of federal, state and territory privacy and related laws on the industry.

2. The suggestion is consistent with the Office's position in Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (‘Private Sector Review'), where the Office submitted SCAG should consider the issues raised by Australian Institute of Private Detectives (AIPD).[334]

3. In addition, the Office takes the view that to achieve uniformity and consistency of application of privacy legislation, exemptions should be minimised and, where they exist, there should be a clear public interest enunciated for any exemption to be maintained or created.

4. This proposal accords with the Office's position in its response to question 5-14 of the ALRC's Issue Paper 31 (IP 31).[335]

Question 40-2 Should the Privacy Act or other relevant legislation be amended to provide exemptions or exceptions applicable to the operation of alternative dispute resolution (ADR) schemes? Specifically, should the proposed:

(a) ‘Specific Notification' principle exempt or except ADR bodies from the requirement to inform an individual about the fact of collection of personal information, including unsolicited personal information, where to do so would prejudice an obligation of privacy owed to a party to the dispute, or could cause safety concerns for another individual;

5. The Office recognises the important role played by ADR bodies and realises the difficulties that some NPP obligations place on the dispute resolution process.

6. As a reflection of this, in the Office's Private Sector Review, the Office considered whether National Privacy Principle (NPP) 1 should be amended to better accommodate the collection requirements of ADR bodies. At the time, the Office identified an amendment to the Privacy Act 1988 (Cth) (the Privacy Act) as the most appropriate avenue to provide greater clarity in the law.[336]

7. The Office believes that it is not appropriate for ADR bodies to be granted an exemption from the requirement to inform an individual about the fact of collection of personal information.

8. The Office agrees in principle that exceptions from the requirement to inform an individual about the fact of collection of personal information (including unsolicited personal information) should apply to ADR bodies where to do so would produce an obligation of privacy owed to a party to the dispute, or would cause safety concerns for another individual.

9. However, the Office notes that paragraphs 20.72-20.73 of DP 72[337] discuss when ‘reasonable steps' to provide notice about collection may equate to ‘no steps' and that alternate dispute resolution schemes are referred to as one such exception. Further, the ALRC has proposed at 20-7 of DP 72 that the Office could issue guidance on the meaning of ‘reasonable steps' and in terms of Unified Privacy Principle (UPP) 3.3(a) proposed that an organisation may not need to provide notice when collecting information from a third party unless a reasonable person would expect to be notified.

10. In its response to proposals 20-2 and 20-5 of DP 72, the Office has suggested that UPP3 include 'if any' as a qualification of the term 'reasonable steps'. The 'if any' qualification is currently included in the Information Privacy Principles (IPPs). In addition, the Office has clarified in chapter 20, that the reasonable person test should relate more specifically to assisting agencies and organisations to determine what steps should be taken to ensure that an individual was made aware of certain matters rather than using a 'reasonable person test' to determine whether or not an individual would expect to be notified.

11. The Office suggests that the requirement for ADR bodies to have discretion not to provide notice when information is collected indirectly from another individual, including unsolicited personal information, will be adequately dealt with under the proposed UPP3. However, if it is suggested amendments to UPP3 are not taken up, the Office suggests that specific guidance about personal information handling by ADR bodies may be required.

(b) 'Use and Disclosure' principle authorise the disclosure of personal and sensitive information to ADR bodies for the purpose of dispute resolution; and

12. The Office recognises the need for ADR bodies to collect sensitive information where it is necessary for the investigation and resolution of claims under ADR mechanisms. In line with this, the Office recommended in its Private Sector Review that NPP 10 be amended to allow for this.

13. The Office believes that the 'Use and Disclosure' principle should authorise the disclosure of personal and sensitive information to ADR bodies for the purpose of dispute resolution.

14. After further consideration, the Office considers that ADR bodies could be authorised similarly to courts and tribunals in NPP 2.1(h)(v). That is the use and disclosure of personal information be extended to cover ‘..the preparation for, conduct of, proceedings' before an alternate dispute resolution body, in addition to a ‘..court or tribunal or implementation of the orders of a court or tribunal.' In terms of UPP5 as set out in chapter 22 of DP 72, the Office proposes that ‘alternate dispute resolution body' should be included in UPP5.1(f)(v).[338]

15. The Office submits that, to provide certainty regarding the exception for ADR bodies, those bodies that are deemed ADRs for the purposes of the Privacy Act should be set out in regulation. This would provide regulatory certainty and ensure that only properly constituted and reputable ADR bodies are able to avail themselves of these exceptions.

(c) 'Sensitive Information' principle authorise the collection of sensitive information without consent by an ADR body where necessary for the purpose of dispute resolution?

16. The Office is unsure how often an ADR body would need to collect sensitive information without consent as part of dispute resolution processes. Nor is the Office aware of whether there are compelling reasons for collecting sensitive information from third parties. However, as ADR bodies deal with disputes relating to, for example, life insurance and superannuation and these can involve joint policies and corporate superannuation plans where the policy owner and beneficiary are different parties, it is at least possible that sensitive information may form a substantive element of an ADR matter.

17. The Office considers there is merit in providing for an ADR body to be authorised to collect sensitive information without consent where it is necessary for the purpose of dispute resolution. This practice is permitted under the NPPs, however it is not explicit.

18. In this regard, the Office submits that NPP10.1(e) should be amended to provide that as well as being necessary for the ‘..establishment, exercise or defence of a legal or equitable claim', that collection is necessary ‘for the purpose of alternate dispute resolution'. In terms of UPP2 as set out in chapter 18 of DP 72, the Office proposes that ‘alternate dispute resolution body' should be included in UPP2.6(e)[339].

19. The Office reiterates that ADR bodies, for the purposes of the Privacy Act, should be prescribed in regulation.

[286] Available at http://www.privacy.gov.au/publications/submissions/alrc/c5.html#L17526.

[287] Available at http://www.privacy.gov.au/publications/submissions/alrc/c5.html#L17526.

[288] Question 5-2 considers whether a range of specific defence and intelligence agencies should be exempt, either completely or partially, from the Privacy Act, available at http://www.privacy.gov.au/publications/submissions/alrc/c5.html#L17565. 

[289] Available at http://www.privacy.gov.au/publications/submissions/alrc/c5.html#L17565.

[290] Office position 5-3(iii) at p 169, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#Question34

[291] At recommendation 7.1.

[292] See paragraph 32.56 at p 940.

[293] Question 11-5, paragraphs 142-147, available at http://www.privacy.gov.au/publications/submissions/alrc/c11.html#L25102

[294] At paragraph 32.105 of DP 72.

[295] This is available at http://www.privacy.gov.au/publications/submissions/alrc/c5.html#L17526.

[296] Paragraph 42 at p 168, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#Royal.

[297] Office position 5-3(iii) at p 169, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#Question34 .

[298] Under s 7(1)(h) of the Privacy Act, records originating with or received from the ACC are exempt from the Privacy Act. 

[299] http://www.aph.gov.au/SENATE/committee/acc_ctte/organised_crime/submissions/sub17.pdf

[300] Chapter 5, paragraph 45 at p 168.  Available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#Integrity

[301] Paragraphs 43-44 at p 168, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#Integrity

[302] Paragraphs 46-52 at pp 169-172, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#L17827.  

[303] Paragraph 61 at p 172, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#L17827

[304] Paragraph 61 at p 172, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#L17827

[305] 8 November 2000, available at http://parlinfoweb.aph.gov.au/piweb/TranslateWIPILink.aspx?Folder=HANSARDR&Criteria=DOC_DATE:2000-11-08%3BSEQ_NUM:8%3B.

[306] The Hon Daryl Williams, Hansard 12 April 2000, available at http://parlinfoweb.aph.gov.au/piweb/TranslateWIPILink.aspx?Folder=HANSARDR&Criteria=DOC_DATE:2000-04-12%3BSEQ_NUM:4%3B.

[307] See, Privacy (Private Sector) Amendment Regulations 2007 (No. 3) available at http://www.comlaw.gov.au/ComLaw/Legislation/LegislativeInstrument1.nsf/0/40617C959BA055ECCA25732B00150FEB?OpenDocument

[308] See chapter 5, paragraphs 104-113 at p.183, available at http://www.privacy.gov.au/publications/submissions/alrc/c5.html#L18164.

[309] See chapter 5, paragraph 111, at p.183, available at http://www.privacy.gov.au/publications/submissions/alrc/c5.html#L18164.

[310] ‘Community Attitudes to Privacy', August 2007, Wallis Consulting Group Pty Ltd for the Office of the Privacy Commissioner. p52, http://www.privacy.gov.au/business/research/index.html#1b

[311] Second Reading Speech, Privacy Amendment (Private Sector) Bill 2000, Parliamentary Debates (Hansard), House of Representatives, 12 April 2000, p. 15075.

[312] See chapter 5, paragraph 112, at p.183, available at http://www.privacy.gov.au/publications/submissions/alrc/c5.html#L18164

[313] See paragraphs 1-15 in chapter 35.

[314] See paragraphs 36.35-38 pp 1058-9.

[315] See paragraphs 36.31-36.34 pp 1047-8.

[316] See paragraph 26.21 p758.

[317] See paragraph 26.22, proposal 26-2 pp760-761.

[318] In chapter 5 paragraphs 95-103.

[319] See chapter 7.1 at p 197, available at http://www.privacy.gov.au/act/review/review2005.htm#7_1.

[320] See p.184, paragraph 115, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#L18233.

[321] See, http://www.privacy.gov.au/act/review/review2005.htm#7_1.

[322] See the Office's response to question 5-12 of IP 31, from paragraph 114, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#L18233.

[323] DP 72, chapter 38, paragraph 38.37 at p 1091.

[324] For example, DP 72 explains, at paragraph 38.30, that in a judgment the Swedish Supreme Court focused on the purpose of journalism to ‘inform, exercise criticism and initiative debate in societal issues of importance to the public'.

[325] This is defined in the Broadcasting Services (Australian Content) Standard 2005, available at http://www.acma.gov.au/webwr/aba/tv/content/documents/broadcasting%20svces%20-%20australian%20content%20standard%202005.pdf.

[326] Recommendation 59 of the Private Sector Review is available at http://www.privacy.gov.au/act/review/review2005.htm#rec_media_exemption.

[327] http://www.acma.gov.au/webwr/_assets/main/lib100084/privacy_guidelines.pdf.

[328] This is discussed in response to questions 5-10 to 5-12, chapter 5 at paragraph 117, available at http://www.privacy.gov.au/publications/submissions/alrc/all.html#L18229.

[329] Available at http://www.privacy.gov.au/act/review/review2005.htm#options_for_reform_18.

[330] Paragraph 39.32

[331] See chapter 13, paragraphs 21-24, available at http://www.privacy.gov.au/publications/submissions/alrc/c13.html.

[332] See chapter 5, question 5-13, available at http://www.privacy.gov.au/publications/submissions/alrc/c5.html. 

[333] Paragraph 39.33.

[334] Office's Private Sector Review, Recommendation 66, available at http://www.privacy.gov.au/act/review/review2005.htm#7_10

[335] See question 5-14, available at http://www.privacy.gov.au/publications/submissions/alrc/c5.html

[336] See page 233 of the Office's Private Sector Review Available at http://www.privacy.gov.au/act/review/review2005.htm#options_for_reform_23

[337] See chapter 20, p646.

[338] See paragraph 22.118 p698

[339] See paragraph 18.45 p612