The Issues Paper

The Office of the Privacy Commissioner has prepared this paper to assist individuals and organisations to prepare submissions to the review of the private sector provisions of the Privacy Act 1988 (Cth) (the Privacy Act). The Office can make this Issues Paper available in a range of formats on request. It is available on the Office’s web site at http://www.privacy.gov.au/act/review/index.html

Key inquiry dates

Receipt of terms of reference 13 August 2004

Due date for submissions 22 December 2004

Final Report 31 March 2005

Contacts

General information: Hotline Ph: 1300 363 992 TTY: 1800 620 241

Administrative matters: Chris Jefferis Ph: 02 9284 9800

Other matters: Robin McKenzie Ph: 02 9284 9800 Fax: 02 9284 9666

Email: privatesectorreview@privacy.gov.au

Website: www.privacy.gov.au/act/review/index.html

Postal address for submissions: GPO Box 5218, Sydney NSW 2001

---

How to make a submission

There is no specified format for a submission. Submissions may range from a letter addressing one issue to a systematic analysis of the operation of the private sector provisions of the Privacy Act. Submissions will also be accepted in a range of styles of presentation and in electronic or hard copy form. Similarly, oral and audio submissions will be accepted, including using TTY.

Submissions received in electronic format will become publicly available documents and will be posted on the web site of the Office of the Privacy Commissioner unless submitters indicate to the Office they do not want their submission posted on the Office web site. Mark your submission as ‘CONFIDENTIAL’ if you do not want it posted on the website. The web site and the final report will list the names of all those who made submissions. If you have marked your submission as confidential, but still want your name listed as having made a submission, make this clear on the submission. Otherwise, all that will appear in the list next to the submission number will be the word ‘confidential’.

The suggested topics in the issues paper are presented only as a guide. Participants should not feel the need to address all the topics or be restricted to the issues which the topics raise.

Participants are encouraged to provide data, examples, case studies, or other evidence to support the arguments presented in their submission.

---

Terms of reference

REVIEW OF THE PRIVATE SECTOR PROVISIONS OF THE PRIVACY ACT 1988

I, PHILIP RUDDOCK, Attorney-General of Australia, under section 27(1)(f) of the Privacy Act 1988, request that the Privacy Commissioner review the operation of the private sector provisions contained in the Privacy Amendment (Private Sector) Act 2000 and report on that review not later than 31 March 2005.

In undertaking the review, I ask that the Privacy Commissioner consider the degree to which the private sector provisions meet their objects, being:

1. to establish a single comprehensive national scheme providing, through codes adopted by private sector organisations and National Privacy Principles, for the appropriate collection, holding, use, correction, disclosure and transfer of personal information by those organisations; and
2. to do so in a way that:
   1. meets international concerns and Australia's international obligations relating to privacy;
   2. recognises individuals' interests in protecting their privacy; and
   3. recognises important human rights and social interests that compete with privacy, including the general desirability of a free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently.

Recognising that certain aspects of the private sector provisions are currently, or have recently substantively been, the subject of separate review, the Privacy Commissioner exclude review of:

• genetic information;
• employee records;
• children's privacy; and
• electoral roll information, and the related exemption for political acts and practices.

Dated: 12 August 2004
Philip Ruddock
Attorney-General

---

 

Table of contents

The Issues Paper

Key inquiry dates

Contacts

How to make a submission

Terms of reference

Table of contents

1. Introduction

History of Commonwealth privacy legislation

What do the private sector provisions cover?

What is the review about?

Framework for assessing issues

2. A single, comprehensive nationally consistent scheme

This section

Developments in privacy regulation and regulation with an impact on privacy

Other provisions of the Privacy Act

New technologies

3. International issues and obligations

This section

EU adequacy

Transfer of information overseas

4. Recognising individual rights

This section

Awareness of rights

Community confidence that rights are protected

Individuals able to exercise their rights

Individual’s control over personal information

Health records transfer

Access to personal information

5. Balance of individual privacy interests with business efficiency

Light touch approach

High level provisions

Costs of compliance

Codes

Small business exemption

Direct marketing

Business compliance with obligations

Business efficiency and private sector contracting

6. Balance between privacy of individual and other social interests

The balance

Media exemption

Effective planning and delivery of health services

Other important social interests

7. National Privacy Principles generally

8. Matters that have an impact on the operation of the private sector provisions

9. Any Other Issues

Glossary of terms

Appendix 1

Community Attitudes towards Privacy 2004

Knowledge of privacy rights

Level of knowledge of privacy

Awareness of Federal Privacy Commissioner

Trust in organisations

Perceptions of invasions of privacy

Reluctance to provide personal information

Protective Behaviours

Marketing material, the electoral roll and the white pages

Trade off between privacy and customer service

Government departments and Privacy

Health services

Privacy in the Workplace

Internet usage

Appendix 2

Some readily accessible background information

---

1. Introduction

History of Commonwealth privacy legislation

Commonwealth agencies

The Privacy Act was enacted in 1988. It provides for the Office of the Privacy Commissioner and a Privacy Commissioner and lists 11 principles governing the collection, use, storage, access to, maintenance and disclosure of an individual’s personal information. These Information Privacy Principles (IPPs) apply to personal information held by Australian Government agencies. Since 1994, the IPPs have also applied to Australian Capital Territory (ACT) agencies.

Tax file numbers and credit reporting

The Privacy Act also provides for the Commissioner to issue tax file number guidelines and to investigate acts or practices of tax file number recipients that breach these guidelines.

In 1990 the Privacy Act was amended to regulate the handling of credit reports and other credit worthiness information about individuals held by credit reporting agencies and credit providers.1

Private sector

Voluntary principles

In February 1998, following extensive consultation, the then Privacy Commissioner issued the National Principles for the Fair Handling of Personal Information (the National Principles), compliance with which was voluntary.

This was partly in response to a directive on information privacy adopted in October 1995 by the European Parliament and the Council of the European Union (EU) which included a provision that personal data could not be transferred from an EU country to a non-EU country unless there was an adequate level of information privacy.

Privacy Amendment (Private Sector) Act 2000

In late 1998 the government announced its intention to legislate to support and strengthen privacy protection in the private sector. After widespread consultation the Privacy Amendment (Private Sector) Act 2000 was passed in December 2000 with a commencement date of 21 December 2001. It aimed to establish a single comprehensive national scheme governing the collection, holding, use, correction, disclosure and transfer of personal information by private sector organisations. It did so by means of the National Privacy Principles (NPPs) and provisions allowing organisations to adopt approved privacy codes.

Co-regulation

The approach adopted by the legislation was co-regulation. This refers to a legislative framework within which self regulatory codes of practice can be given official recognition.2 The aim of the legislation was ‘to encourage private sector organisations and industries which handle personal information to develop privacy codes of practice’.3 In the absence of a code, the NPPs would apply. This co-regulation aimed to ensure consistency and standardisation of personal information handling.4

Balancing rights and obligations

The legislation acknowledges that privacy is not an absolute right and that an individual’s right to protect his or her privacy must be balanced against a range of other community and business interests. These include the general desirability of a free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently. The legislation seeks to achieve the appropriate balance by providing for, among other things, a number of exemptions from the legislative requirements, including most small businesses.

Key drivers for private sector provisions

The Explanatory Memorandum for the private sector provisions outlined concerns raised in consultations on the absence of privacy protection that self-regulation had not resolved. It said

“These concerns include

<0l>

the potential for barriers to international trade for business;

the lack of protection afforded to the consumer;

the effects on the take-up of electronic commerce resulting from lack of protection to consumers;

the lack of comprehensive coverage of business;

the possibility that some States and Territories will impose stricter controls, which may result in inconsistencies between jurisdictions.” 5

Another driver was the International Covenant on Civil and Political Rights (ICCPR), that Australia had ratified. This provides that individuals shall not be subjected to arbitrary or unlawful interference with their privacy and that they have the right to the protection of the law against such interference or attacks.6

Recent amendments to the legislation

Recent amendments to the legislation7 make it clear that the protection provided by NPP 9, which regulates transborder data flows, applies equally to the personal information of individuals who are Australian and those who are not. They remove the nationality and residency limitations on the power of the Privacy Commissioner to investigate complaints relating to the correction of personal information. They also give businesses and industries more flexibility in developing privacy codes by allowing the codes to cover otherwise exempt acts and practices where the authors of the code wish to do so.

What do the private sector provisions cover?

Purpose

The private sector provisions of the Privacy Act give individuals greater control over the way personal information about them is handled by private sector organisations than they would otherwise have. They regulate the way many private sector organisations collect, use, keep secure and disclose personal information.

Who is covered?

The provisions apply to organisations, including corporations and unincorporated associations, with an annual turnover of more than $3 million.

They also apply, regardless of annual turnover, to all private sector health service providers, to organisations that buy and sell information without the individual’s consent, and contracted Commonwealth service providers in relation to their contractual activities.8 Specified acts and practices of organisations are exempt from the operation of the Privacy Act. These include in general terms acts or practices:

• done by an individual other than in the course of the individual’s business, for example, in the course of his or her personal, family or household affairs9
• that are related to an employee record and directly related to the employment relationship10
• done in the course of journalism by a media organisation that is publicly committed to observing published privacy standards11 and
• done by a politician or political organisation, and their contractors, subcontractors and volunteers, in relation to electoral matters.12

What obligations are imposed?

In general terms, a private sector organisation covered by the Act must not do anything that breaches an approved code binding on it. If not bound by an approved code, it must not do anything that breaches an NPP.

National Privacy Principles

The NPPs govern the collection, use and disclosure, security, quality and access to and correction of personal information. They include principles applicable to the use and disclosure of personal information for specific purposes, including:

• direct marketing
• in the case of health information, research or statistical compilation or analysis relevant to public health or public safety
• protection of health and safety and
• law enforcement.

The general principle that a person should have access to information organisations hold about them includes exceptions, such as exceptions based on health and safety, law enforcement and national security. Special provisions apply to sensitive information, including information about an individual’s racial or ethnic origin, membership of political or professional or trade associations, religious beliefs and so on.13

Approved codes

The Act provides for the approval of privacy codes by the Commissioner. To be approved a code must:

• set out obligations that, overall, are at least the equivalent of all the obligations set out in the NPPs
• specify which organisations are bound by the code
• bind only organisations that consent to be bound and
• if the code includes procedures for dealing with complaints, the procedures must meet specified standards.

In addition, members of the public must have been given adequate opportunity to comment on a draft of the code.14 The Commissioner must keep a register of approved privacy codes.15

Complaints

An individual may complain to the Commissioner about an interference with his or her privacy, unless an approved code applies and the code has its own code adjudicator. The Commissioner is required to investigate complaints, unless it is appropriate to exercise one of the discretions not to investigate, including for example, if the individual has not first complained to the organisation in question. If the complaint is upheld, the Commissioner may make a determination that the organisation should not repeat the conduct complained about.

What is the review about?

The Review of the Privacy Act was foreshadowed by the former Attorney-General Mr Daryl Williams AM QC MP in his second reading speech for the Privacy Amendment (Private Sector) Act 2000. The Commissioner was asked to review the operation of the private sector provisions of the Act by the Attorney-General the Hon Philip Ruddock MP on 13 August 2004.

The Office will conduct the review within the terms of reference outlined by the Attorney-General. They are included at the beginning of this issues paper (at page 3) and provide for an assessment of the operation of the private sector provisions and a consideration of the extent to which the private sector provisions meet their objects.

These objects include creating a single comprehensive national scheme for the appropriate handling of individual’s personal information by organisations, in a way that:

• meets international concerns and obligations relating to privacy
• recognises individuals’ interests in protecting privacy and
• recognises important human rights and social interests that compete with privacy, including the general desirability of the free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently.

The terms of reference exclude aspects of the private sector provisions from the review including

• genetic information
• employee records
• children’s privacy and
• electoral roll information and the related exemption of political organisations from the Privacy Act.

The terms of reference state that these areas are currently, or have recently been subject to processes of review.

The terms also mean that Part IIIA of the Privacy Act, which deals with credit reporting, is not to be reviewed. However the credit reporting provisions (along with other parts of the Privacy Act) could be relevant to the review in circumstances where it is considered that they have an impact on the operation of the private sector provisions.

There are a number of review processes operating in the current environment that touch on privacy in some way. For example, initiatives to develop a national health code (Australian Health Ministers’ Advisory Council (AHMAC) process) and the review of privacy protection for employee records are also underway at the moment. In developing its final report, the Office will take into account, where appropriate, the work being done in these areas.

To help inform the review work, including submissions to the review the Office conducted research into community attitudes towards privacy in April 2004. This complements research it conducted in July 2001 into attitudes towards privacy in the spheres of government, business and the community. This research can be found on the Office’s website at http://www.privacy.gov.au/publications/index.html#R. The results of the 2004 research are summarised at Appendix 1 and the full report is to be found on the Office’s web site at http://www.privacy.gov.au/business/research/index.html.

Framework for assessing issues

The terms of reference ask the Privacy Commissioner to consider the degree to which the private sector provisions meet their objects. The Office will use this framework for assessing the provisions. This involves considering the following issues.

1. Do the provisions provide a comprehensive, national, consistent set of standards for privacy? Do they fit seamlessly into the Privacy Act? Do they relate effectively with other federal privacy provisions, the privacy laws of the States and Territories and other relevant federal law?
2. Do the provisions operate in a way that assists Australian businesses to operate internationally? Are they adequate to ensure Australia fulfils its international obligations relating to privacy?
3. Are individuals confident that their interests in protecting their privacy are recognised and that personal information that is collected, used, stored and disclosed by organisations is adequately protected? Are individuals aware of, and able to exercise, their rights?
4. Do the provisions strike an appropriate balance between privacy and competing human rights and social interests, including free speech, medical research, national security, law enforcement and property rights? Is there a free flow of information? Is business aware of its obligations and able to comply with them while still achieving its objectives efficiently?

---

2. A single, comprehensive nationally consistent scheme

This section

In introducing the private sector provisions of the Privacy Act, the Government intended to establish a single comprehensive national scheme for the protection of personal information by the private sector, by providing a ‘…national, consistent and clear set of standards to encourage and support good privacy practices’.16 However, the Government also made it clear that the intent was for any state and territory laws to continue to operate, so long as they were not directly inconsistent with the NPPs.17

This section discusses the developments in privacy regulation since this time, and also in other regulation that has an impact on privacy and raises the issue of, in the light of these developments, whether this vision for the new scheme has been realised.

This section also looks at how the private sector provisions fit into the existing provisions of the Privacy Act, and whether the private sector provisions interact well with these existing provisions.

Finally, this section looks at developments in technology and asks whether the private sector provisions have kept pace with the challenges to privacy that these developments raise.

Developments in privacy regulation and regulation with an impact on privacy

State and Territory privacy regulation

The Australian Capital Territory, New South Wales, Victoria and the Northern Territory have privacy legislation that covers all or part of their own public sectors.18 Tasmania may also soon have such legislation. Other jurisdictions have administrative arrangements which seek to establish appropriate information handling practices. For example, Queensland has established two standards for privacy regulation in its public sector on an administrative basis.19 Each scheme is slightly different and so are the principles on which they are based.

In the area of privacy in the private sector, two States (in addition to the ACT which in 2001 already had law covering health service providers in the private sector) have enacted law which purports to regulate the handling of personal information both in their public sectors, and the private sector. Victoria has enacted the Health Records Act 2001and in NSW, the Health Records Information Privacy Act 2002 came into force on 1 September 2004.20 These Acts contain similar, though not identical principles to the NPPs. For example, the Victorian legislation has provisions regarding access to ‘old’ personal health information which have no equivalent in the NPPs.21

The ongoing commitment of Health Ministers, through the Australian Health Ministers’ Advisory Council (AHMAC), to work toward a proposed National Health Privacy Code may offer one way of achieving national consistency for the handling of personal health information.22 Issues to be resolved include what is to be the final form of the code, how it will be implemented across jurisdictions and what complaint handling arrangements will exist (including remedies for individuals).

Other regulation with an impact on privacy

The Privacy Act operates alongside a number of other regulatory mechanisms. These mechanisms include Commonwealth legislation, State and Territory legislation, self-regulatory schemes with a legislative basis, and other self-regulatory schemes. In addition, many industries and sectors aim to adhere to generally accepted guidelines, principles, codes or other common standards, including Australian or international standards.

Regulatory mechanisms which include personal data protection obligations on organisations that may interact with the private sector provisions of the Privacy Act include the following.

Commonwealth statutory regulation

• Part 13 of the Telecommunications Act 1997 provides for the confidentiality of personal information and the contents of communications, including restrictions on how telecommunications carriers and carriage service providers may use and disclose certain personal information. Further, Part 6 of the Telecommunications Act 1997 provides for industry to develop voluntary industry codes, and for the Australian Communications Authority (ACA) to develop mandatory industry standards, which may deal with privacy.23
• The Telecommunications (Interception) Act 1979 has two key purposes. Its primary object is to protect the privacy of individuals who use the Australian telecommunications system by making it an offence to intercept communications. The second purpose of the Interception Act is to specify the circumstances in which it is lawful for interception to take place.
• The Spam Act 2003 (Spam Act) sets up a scheme for regulating commercial email and other types of commercial electronic messages. Under the Spam Act, unsolicited commercial electronic messages must not be sent, and there are restrictions on the use of address-harvesting software.
• Section 52 of the Trade Practices Act 1974 provides that a corporation shall not, in trade or commerce, engage in conduct that is misleading or deceptive or is likely to mislead or deceive. This provision may inform the understanding of the particular NPPs, for example NPP 1.3, NPP 1.5, NPP 5.1, NPP 5.2, and NPP 6.7.
• Section 12DA of the Australian Securities and Investments Commission Act 2001 provides that person must not, in trade or commerce, engage in conduct in relation to financial services that is misleading or deceptive or is likely to mislead or deceive. This may also have an impact on the way financial services providers provide information in compliance with NPPs 1.3, 1.5, 5.1, 5.2 and 6.7.
• Other legislation that protects particular collections of personal information includes, for example
  • The Corporations Act 2001 in relation to company shareholder registers24
  • The Commonwealth Electoral Act 1918 in relation to electoral roll information25 and
  • The Corporations Act 2001 in relation to disclosure obligations as they relate to the provision of financial product advice to retail clients.26

Commonwealth regulators

• The Australian Communications Authority (ACA) monitors the performance of telecommunications carriers and carriage service providers.
• The Telecommunications Industry Ombudsman (TIO) has jurisdiction to investigate complaints about a range of telecommunications issues, including printed and electronic White Pages, privacy and breaches of the Customer Service Guarantee and industry Codes of Practice.27
• The Australian Broadcasting Authority (ABA) may investigate complaints alleging a breach of broadcasting industry codes or practice. Several codes of practice include provisions expressly intended to protect individual privacy.28
• The primary responsibility of the Australian Competition and Consumer Commission (ACCC) is to ensure that individuals and businesses comply with the Commonwealth competition, fair trading and consumer protection laws.
• Australian Securities and Investments Commission (ASIC) enforces and regulates company and financial services laws to protect consumers, investors and creditors.

Industry self-regulatory codes

Examples of these include

• The Australian Communications Industry Forum (ACIF) develops a number of industry codes and guidelines for the telecommunications industry, some of which deal with matters that relate to the handling of personal information.
• Following the passage of the Spam Act, up to three industry self-regulatory codes relating to e-marketing activities are under development in relation to commercial messages. These codes may be submitted to the ACA for registration under Part 13 of the Telecommunications Act 1979 (Cth).

Common law obligations

Some common law obligations overlap with privacy obligations in the Privacy Act. These include:

• legal obligations of confidence (e.g. patient/doctor confidentiality and the banker’s duty of confidence) and
• legal professional privilege.

Legislation regulating surveillance activities

The Privacy Act does not specifically mention surveillance as a method of collection. However, generally the NPPs will apply to surveillance where it is conducted by an organisation to which the Privacy Act applies, and where the personal information obtained during the surveillance is collected in a record.

There may be many instances of surveillance activity in our society which do not necessarily fit these criteria and so would not be covered by the private sector provisions of the Privacy Act. For instance, surveillance could be undertaken by an individual, who is not acting as, or on behalf of, an organisation. In addition, the surveillance may occur in ‘real time’ with no collection of personal information in a record (as may be the case with surveillance conducted via closed circuit television cameras for example).

Many of the States and Territories have enacted legislation which covers some aspects of surveillance, and which may apply to individuals or surveillance conducted without the collection of personal information in a record. In particular, a number of State Acts address issues involving the recording of telephone conversations, including:

• Listening Devices Act 1972 (SA)
• Listening Devices Act 1984 (NSW)
• Invasion of Privacy Act 1991 (QLD)
• Listening Devices Act 1991 (Tas)
• Listening Devices Act 1992 (ACT)
• Surveillance Devices Act 1998 (WA)
• Surveillance Devices Act 1999 (Vic)
• Surveillance Devices Act 2000 (NT)

Some of these Acts also incorporate provisions which apply restrictions to video surveillance.

The Workplace Video Surveillance Act 1998 (NSW) regulates covert workplace video surveillance by individuals and organisations in NSW.29 Generally, this type of surveillance is unlikely to be covered by the NPPs because of the employee records exemption.30

Regulation of Tenancy Databases

The NPPs apply to the activities of tenancy databases, for example, in relation to the accuracy of the information they hold and the requirement to give individuals access to their information. It may be, however, that more specific regulation is needed in this area.

For example, following amendments in April 2004, the Residential Tenancies Act 1994 (QLD) now contains guidelines for the use of tenancy databases by Queensland real estate agents. These guidelines incorporate listing criteria and dispute resolution processes. Further, the recent Property, Stock and Business Agents Amendment (Tenant Databases) Regulation 2004 (NSW) specifies rules of conduct for real estate agents in the use of tenancy databases. These new rules include limitations on the reasons for listing, and a requirement to notify individuals if they are listed. The joint Standing Committee of Attorneys-General/Ministerial Council on Consumer Affairs Working Party is looking at this issue.

Issues

There is clearly a wide range of regulation in the Commonwealth and States and Territories that either directly relates to privacy or, while not directly relating to privacy, overlaps with privacy related activities. This means that an organisation seeking to comply with privacy requirements must be aware of a wide range of legislation, regulators and in some cases, possibly conflicting requirements. It also potentially creates confusion for individuals who find that their privacy has been infringed.

Other provisions of the Privacy Act

It was intended that the NPPs would operate alongside the pre-existing provisions of the Act, such as the Information Privacy Principles (IPPs) regulating public sector agencies, and the provisions regulating credit reporting (largely contained in Part IIIA of the Act).

Interaction with the IPPs

The NPPs are similar to the IPPs and serve the same purpose of regulating the handling of ‘personal information’. The definition of ‘personal information’ is common to the IPPs and NPPs and reflects the overall focus of the Privacy Act as applying to information privacy (rather than, for example, other notions of privacy, such as bodily privacy).

There are, however, some differences between the NPPs and IPPs. For instance, the NPPs include specific provisions concerning the transfer of data overseas which the IPPs do not have (see NPP 9). The private sector provisions also provide a higher degree of protection to defined types of ‘sensitive personal information’, including health information.

Commonwealth Contractors

In some instances, an organisation could be covered by the IPPs and NPPs. This can arise in relation to Commonwealth contracting. The new private sector provisions (see section 95B) impose obligations on Commonwealth agencies when entering into contracts to provide services to or on behalf of the agency to include provisions to ensure that the contactor does not breach the Information Privacy Principles (IPPs) of the Privacy Act. Some of the NPPs also apply to the contractor if the IPPs do not have equivalent provision (eg NPPs 7–10) and if there are areas that the NPPs cover that are not in the contract and are not inconsistent with the contract. The contract is the primary source of obligation for the contractor. Depending on the clauses of the contract, if a contractor with a Commonwealth agency breaches any of these principles, or section 16F (which relates to direct marketing), it is a breach of privacy under section 13 the Privacy Act. This is so, even if the contractor is a small business operator that would otherwise be exempt from the Privacy Act. For more detail about how these provisions operate, see Information Sheet 14–2001 Privacy Obligations for Commonwealth Contracts and other information at http://www.privacy.gov.au/government/contractors/index.html

Some of the IPPs that Agencies are required to provide for in their contracts do not translate well into the private sector, for example, IPP 5 which provides for agencies to tell the Commissioner annually about the kinds of records containing personal information they keep. It is not always clear whether a contractor falls within the definition of contracted service provider in section 6. For example, it may be difficult to determine if a private sector organisation receiving funding to provide a service to third parties is a contracted service provider. Also, a State or Territory authority providing services to a Commonwealth agency is not covered by these provisions.

Interaction with credit reporting provisions

The NPPs also operate in conjunction with the credit reporting provisions of the Privacy Act. These provisions, largely contained in Part IIIA, impose specific obligations on ‘credit providers’ and ‘credit reporting agencies’ in relation to their handling of consumer credit information. These ‘credit providers’ and ‘credit reporting agencies’ will also generally be ‘organisations’ for the purposes of the private sector provisions. In some instances, it may be unclear how various provisions of the NPPs and Part IIIA interact. Relevantly, section 16A(3) of the Act states that the NPPs operate in addition to Part IIIA, and do not derogate from them.

New technologies

Developments

The NPPs were intended to be technology neutral to ensure that they would remain relevant despite technological change.31

Since they were developed there have been some dramatic changes in technology that have had a considerable impact on the ways that personal information can be collected, tracked, connected and disclosed. For example, new mobile phone technology, and Radio Frequency Identification (RFID) technologies could become means of tracking the movements of individuals or subjecting them to covert surveillance. Other new technologies such as Electronic Number Mapping (ENUM) and Voice Over Internet Protocol (VOIP) are also leading to much greater connectivity. This enables a much greater number of organisations to have access to information about telephone numbers, including mobile phone numbers and related information. This may be unprotected by telecommunications legislation that has regulated telephone numbers in a more conventional environment. Much of this technology is available to, and used by, individuals as well as organisations.

Technology has also made it much easier to connect information, such as a telephone number, with an individual’s name or other contact information such as a postal or email address. Also, people can be more easily contacted, for example, by email, without the need for a name.

Issues

Such developments may raise a number of issues about the operation of the private sector provisions. For example, developments in new technology may mean that the current focus on identification as the basis for privacy protection is no longer adequate. It may be that privacy provisions should focus additionally on whether information creates an ability to contact a person, by whatever means whether their name is known or not. The accessibility of these new technologies may mean that individuals acting in their personal capacity may also be capable of invading individual privacy in ways that warrant further consideration.

In addition some telecommunications technology may be falling outside the ambit of existing telecommunications legislation and may therefore be left to be regulated by the private sector provisions of the Privacy Act, which may not be as privacy protective as the telecommunications specific legislation.

---

3. International issues and obligations

This section

It was an object of the new private sector provisions to ensure that Australia is in a position to meet international obligations and concerns that Australia is not disadvantaged in the global information market. The provisions aimed to provide adequate privacy safeguards to facilitate further trade with the EU. In the absence of the new provisions, the Explanatory Memorandum stated ‘there are serious questions surrounding the ability of Australia to meet the requirements for continued trade with EU members under the European Union Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data’.32

This section considers the private sector provisions from the international perspective. It discusses international developments since they came into effect, raises issues about whether the provisions have achieved their object of meeting international obligations and concerns, and whether they have facilitated international trade, particularly in the global information market.

EU adequacy

Since the private sector provisions came into effect, the Australian Government has been in discussions with the European Commission (EC) about whether they can be regarded as adequate for the purposes of the European Directive. The Privacy Amendment Act 2004 (Cth) aims to clarify and increase protections for the protection of non-citizens. For example the amendments clarify that the extra-territorial application of NPP 9 (which governs transborder data flows) covers the personal information of non-citizens, as well as Australian citizens and permanent residents.The amendments allow the Office to investigate complaints from non-Australians in relation to access to, and correction of, their personal information. The 2004 amendments also enable organisations in Australia to sign up to a code that includes regulation of areas currently exempted from the private sector provisions, including for example, small business and acts and practices in relation to employee records.

Transfer of information overseas

The operation of NPP 9 is a crucial aspect of the global operation of the private sector provisions. NPP 9 outlines the circumstances in which an organisation can transfer personal information it holds to other countries. This principle is based on the restrictions on international transfers of personal information set out in the European Union Directive 95/46.

In the simplest terms, NPP 9 prevents an organisation from disclosing personal information to someone in a foreign country that is not subject to a comparable information privacy scheme, except where it has the individual's consent or some other circumstances apply including where

• the transfer is for the benefit of the individual and the organisation can show grounds for a belief that if it were practicable to obtain consent the individual would be likely to give it or
• the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party.

NPP 9 does not prevent transfers of personal information outside Australia by an organisation to another part of the same organisation, or to the individual concerned. Section 5B provides for the Privacy Act to operate extra-territorially in these circumstances.

A company transferring personal information overseas to a related company must comply with NPP 9.

Issues

It is not clear the extent to which organisations are trading freely with Europe or are having their commercial activities impeded by the private sector provisions in their current form. It is also not clear how easy or otherwise organisations are finding it to work with the provisions of NPP 9 when transferring information, or the extent to which they are complying with it .

---

4. Recognising individual rights

This section

One object of the private sector provisions is to establish a privacy scheme for the handling of personal information that recognises individuals’ interests in protecting their privacy. The provisions recognise those interests in a number of ways including by:

• requiring organisations, where reasonable, to give an individual information about their information handling practices so he or she can make a decision about whether or not to give their personal information
• requiring organisations to get an individual’s consent to collect or disclose in certain circumstances
• giving individuals the right to access information a business holds about them
• enabling individuals to complain to the Office if a business does not comply with the NPPs.

The provisions aimed to ensure that ‘Australians can be confident that information held about them by private sector organisations will be stored, used and disclosed in a fair and appropriate way’.33

This section looks at whether individuals are aware of their privacy rights, confident that their rights are protected and are exercising those rights.

The private sector provisions also aim to ensure that individuals’ interests are balanced against other competing human rights and social interests. The issue of whether the private sector provisions have achieved their objects in a way that balances appropriately these interests is considered in the next section.

Awareness of rights

Individuals cannot best exercise their rights if they are not aware that they have them. Accordingly the Office has sought to give individuals as much information about privacy rights as possible through mediums such as the Office’s information hotline, its web site which includes all its publications as well as answers to Frequently Asked Questions, media comments, media releases, speeches, case notes, online complaint checker, multi-lingual web pages, guidelines, information sheets, brochures and the annual report.

Many individuals would also have received information about privacy from a number of organisations after the private sector provisions came into effect in the form of NPP 1.3 notices and privacy policies.

There is some evidence that awareness of privacy law has increased since the private sector provisions came into effect in 2001. For example, calls to the hotline and written inquiries have more than doubled, and complaints have increased six fold.34

Research the Office undertook in 2001 and 2004 indicates that there is a considerable increase in awareness of the existence of federal privacy laws since 2001 (60% 2004, 43% 2001). However, there appears to be only a small increase in knowledge in the community about privacy rights, and levels of knowledge remain low with only one in four individuals surveyed claiming to know an adequate amount or more.

Results show that 53% of individuals know that government agencies are covered by privacy law; 56% of individuals know that banks, insurance companies and other financial institutions are covered by privacy law, while 47% know there are some restrictions on charities, private schools and private hospital and other Non Government Organisations.

Issues

In circumstances where enforcement of an Act relies largely on complaints from individuals ensuring an awareness of privacy rights amongst the community is a central component of protecting individual’s privacy interests. Awareness also helps individuals to be privacy wise in their interactions with private sector organisations. From the Office research it appears that there may still be considerably more work to be done to improve the level of individual awareness both about the law, and about how to take action to ensure their rights are respected. It also appears that the information provision requirements of the private sector provisions, such as those provided for in NPP 1 and NPP 5 have not been fully effective in raising awareness of privacy rights.

Some recent global initiatives to develop a layered notice approach to privacy notices are relevant to this issue.35

Community confidence that rights are protected

Confidence that privacy is protected facilitates open and fluid engagements between the community and organisations. This was an underpinning rationale for the new private sector provisions particularly in relation to electronic commerce.

The community’s confidence that their rights are protected is likely to be limited by their awareness of these rights. As discussed in the previous section there is evidence that the community’s awareness of their privacy rights is not comprehensive.

In line with this, the results from the Office’s 2004 community attitudes survey conveys mixed messages about the community’s confidence that their rights are protected.

There is some evidence from this research that individuals have differing levels of trust in organisations in regard to their protection of personal information. Health service providers have the highest levels of trust (89%), followed by financial organisations (66%), government organisations (64), charities (54%), retailers (39%), market research organisations (35%), real estate (26%) and mail order companies (19%).

Individuals’ trust is lowest of all in internet companies (9%). These were intended to particularly benefit from the introduction of the private sector provisions.36 Trust in internet companies appears to remain unchanged since 2001. Six in ten respondents to the Office’s 2004 survey have more concerns about the security of their personal details than usual when using the internet and this level of concern has risen since the 2001 study.37

Issues

It is possible that a lack of awareness about privacy rights has prevented people from developing a clear and concrete sense of confidence that their privacy rights are protected. Members of the community appear to have conflicting perceptions about the extent to which their privacy is protected, particularly in the online environment. There may be a need for more awareness raising activity to improve this confidence. On the other hand, there may be other matters relating to the private sector provisions themselves that may be the reason why they have not achieved their goal of increasing confidence, particularly in the online environment.

 

Individuals able to exercise their rights

The NPPs protect privacy by setting obligations for organisations, including telling individuals that information is being collected, and by giving individuals privacy rights, including the right to seek access to personal information held about them and correct it if it is wrong. Individuals may complain to the Privacy Commissioner if they think there may have been an interference with their privacy and they have not been able to resolve the issue with the organisation.38

Indications of whether individuals are able to exercise their rights include the extent to which they ask organisations to give them access (see issue for discussion below) and the level of complaints to the Commissioner.

Interactions with Office

The following statistics give a brief overview of the extent of complaints and enquiries to the Privacy Commissioner.39

The figures above include all complaints and enquiries to the Office. Office experience since 21 December 2001 is that NPP issues make up about 60% of the total numbers. In 2001 and early 2002 most calls to the hotline were from organisations about if and how they would need to comply with the new obligations. Now, the great majority of calls are from individuals concerned about their privacy. An analysis of complaints closed in 2003–2004 shows that 75% were closed within 1 month, 94% within 3 months and 99% within 6 months.

Who is interacting

Although it does not collect detailed demographic information, the Office receives complaints from individuals from a wide range of backgrounds. It has provided translation/interpreter assistance when requested. It has also recently translated the complaint information pages on its website into 11 languages other than English at www.privacy.gov.au. However, it seems likely that people from a non-English speaking background or of Aboriginal or Torres Strait descent are under represented. The Office plans to collect demographic information about complainants over the next three months and will then report on this.

Awareness of Office

Community attitudes research the Office conducted in May 2004 found that only 7% of respondents would report misuse of their personal information by an organisation to the Office of the Privacy Commissioner.41

Approach to complaint handling

The Office’s approach to complaint handling is based on the Commissioner’s power to investigate and if appropriate conciliate complaints.42 The Commissioner may close complaints on the basis of a decision, for example that there is no breach or, following conciliation, that the matter has been adequately dealt with. Alternatively the Commissioner may close complaints by determination. A determination is enforceable through the Federal Court or the Federal Magistrates Court on application by the Commissioner or the complainant. In this circumstance the Court can hear the merits of the case and may make a fresh decision.

To date the Office has focussed on resolving complaints by conciliation between the parties rather than the more formal determination process.43 The aim is to provide timelier, lower cost, satisfactory outcomes for individuals. The Office publishes statistics about complaints and prepares de-identified case notes.

Rights of review

The Privacy Act provides that a person may apply to the Federal Administrative Appeals Tribunal (AAT) for review of the Commissioner’s decision

• about whether or not to make a determination that a complainant is or is not entitled to compensation (s 61(1)) and
• to refuse to approve, or revoke an approval of guidelines issued by the NHMRC or other prescribed authority for the purposes of the NPPs (section 95A(7)).

In reviewing the decision the AAT conducts a merits review. This means that the tribunal reconsiders the Commissioner’s decision to determine whether it was the ‘correct or preferable decision’. Having reconsidered the Commissioner’s decision the AAT can either, affirm the Commissioner’s initial decision, remit matters to the Commissioner for further consideration, or set it aside and make its own decision.

A person who is ‘aggrieved’ by a decision made or proposed to be made by the Commissioner under the Privacy Act may also be entitled to seek review of that decision by the Federal Court or Federal Magistrates Court under the Administrative Decisions (Judicial Review) Act 1977 (Cth) (ADJR Act). Only ‘administrative decisions’ made by the Commissioner under the Privacy Act are reviewable under the ADJR Act. An example of an administrative decision made under the Privacy Act able to be reviewed by a court under the ADJR Act is the decision by the Commissioner to close a complaint under one of the provisions of section 41(1)(a)-(f).

Review of a decision by a court under the ADJR Act is limited to reviewing the legality of the decision. Grounds for review under the ADJR Act include a breach of the rules of natural justice or excess of power. Where the court finds an error of law the matter will be remitted back to the Commissioner for reconsideration according to law.

Although the parties to a complaint to have the right to have certain administrative decisions of the Commissioner reviewed as outlined above, there is no right for aggrieved complainants or respondents to have the merits of a Commissioner’s determination under section 52 reviewed by a court. The only way a case can be heard afresh by a court is if an organisation refuses to comply with a determination against it and the Commissioner or the complainant seeks to enforce the determination in court. As long as an organisation complies with a determination, a complainant that does not agree with a determination cannot seek to have the case heard afresh by a court.

Issues

The fact that the Office does not collect demographic information may limit its ability to assess which sections of the community are having trouble exercising their rights and which have had their privacy breached. Lack of awareness of the Office as the complaint handler for privacy breaches is possibly a concern. Those that do complain may find that they have to wait a considerable period before the Office can handle their complaints due to the volume of complaints since the private sector provisions came into effect. There may be concerns that the complaints process lacks transparency because the confidential nature of conciliation settlements means that the nature of breaches, and the Office’s view about the application of the NPPs, is hidden from public scrutiny.44

It may be argued that individuals’ ability to exercise their rights is impeded by the Office’s focus on conciliation in handling complaints. Individuals may not be in a position to negotiate their interests effectively in this process. In the absence of understanding the basis on which cases have been decided or resolved in the past, they may be negotiating in a vacuum. On the other hand, conciliation can be a fast and cost effective way of handling complaints which meets the needs of individuals making complaints. It could be argued that this appears to have worked well for most complainants to the Office.

The fact that there is no right of review of the substance of a Commissioner’s determination could be a matter of concern. Respondents have the possibility of having a case hear afresh by refusing to comply with a determination and waiting for the Commissioner to seek to have the case enforced in court. However, this strategy is not available to an aggrieved complainant.

Individual’s control over personal information

Law and policy

The NPPs reflect the policy that an individual should generally know what personal information an organisation has about him or her and how it intends to use it. Whether the information is collected from the individual or from a third party, the organisation should ‘take reasonable steps’ to tell the individual, among other things, the purposes for which the information was collected, to whom the organisation usually discloses such information and the consequences of not providing it. Generally speaking, the organisation cannot use or disclose the information for a purpose other than that for which it was collected (a secondary purpose) unless

• the secondary purpose is related (or directly related if the information is sensitive information) to the primary purpose and the individual would reasonably expect the organisation to use it for such a purpose or
• the individual has consented to the use or disclosure.

The individual has a right to access and, if necessary, correct personal information an organisation holds and the organisation must tell him or her of the right to access the information and its contact details.

Indirect collection

The private sector provisions provide for situations where an individual gives information to an organisation directly, for example, by filling out an organisation’s form, or telling a member of staff the information who then writes it down. They also provide for where an organisation collects personal information indirectly.

Personal information is collected indirectly when it is collected not from the individual the information is about, but from another source. This may be another organisation, for example, when

• it buys a list
• has information cleansed against another database
• an individual gives information about a third party to an organisation (eg for life insurance, medical check, during market research)
• a real estate agent discloses information to a tenancy database
• a contractor collects information from an organisation to carry out its contract eg call centre, (possibly under a corporate brand that means the person may not know they are dealing with a contractor)
• or the information may be publicly available, for example, in a newspaper or telephone directory or on a web site.45

When an organisation collects personal information indirectly it may be more difficult to ensure the individual is aware of the matters listed in NPP 1.3 and so in some cases it may be ‘reasonable’ to make less effort to give people NPP 1.3 information, or even to do nothing at all.

If an individual is not informed of the information an organisation holds, and the use intended to make of it, it could be argued that he or she has lost the control over personal information the NPPs intended individuals should generally have as a means of privacy protection. Information provided to one organisation for a specific purpose (compulsorily, in the case of some publicly available information) may be used by another organisation for a completely different purpose without the individual’s knowledge and the collecting organisation would not be in breach of the Privacy Act even if the disclosure was unlawful. In the absence of individuals having such knowledge, there may be other ways to provide some protection for individuals’ personal information that does not create an undue burden on business.

Bundled consent

The NPPs do not specifically require organisations to get an individual’s consent to collect personal information. The exception to this is that an organisation must, generally speaking, get an individual’s consent to collect sensitive information. An organisation can use and disclose personal information without getting an individual’s consent as long as the use or disclosure is for the main purpose of collection, or related (or directly related in the case of sensitive information) to the main purpose of collection and within the individual’s reasonable expectations. Generally speaking, the NPPs only require an organisation to get an individual’s consent for uses and disclosures of personal information that are for unrelated secondary purposes.46

Bundled consent refers to organisations bundling together consent to a wide range of uses and disclosures of personal information without giving individuals an opportunity to choose which uses and disclosures they agree to and which they do not. The consent is often sought as part of the terms and conditions of a service. This appears to occur in a number of ways:

• Bundling a wide variety of uses and disclosures. This arises when an organisation does not distinguish between giving notice of uses and disclosures for which they do not need consent and seeking consent for other uses and disclosures. It also arises when an organisation seeks consent for multiple uses and disclosures without giving the individual the opportunity to consent to some but not to others.
• Vague statements of how the information will be used or disclosed. This arises when an organisation seeks consent for uses and disclosures using vague statements of how, with the consent of the individual, the information will be used and disclosed, for example, ‘we may disclose the information to x y’ and ‘z or services may not be provided’ if the individual does not agree.
• Denial of services for failure to provide personal information. This arises if an organisation states or implies that it will not provide, or continue to provide, a service unless the individual consents to specified uses and disclosures of personal information.

Issues

The privacy protections in the NPPs rely to a considerable extent on individuals knowing what is happening to their personal information and being able to make decisions about whether or not to give an organisation personal information, and whether or not to agree to use or disclosure for particular purposes. Some of the ways that the NPPs are being applied outlined above may mean that in some cases, individuals do not have this control. On the other hand, there may be good business reasons for the NPPs to be applied in this way. There may be ways that privacy protections for individuals can be improved without unduly burdening business.

Health records transfer

When introducing the private sector provisions, the Government recognised that ‘…Australians consider their personal health information to be particularly sensitive and that they expect that it will be handled fairly and appropriately by those who come into contact with it.’ 47 One element of fair and appropriate handling of health information is that the individual retains a right to access information that a health service provider has about them. This right may be difficult to exercise when a health service provider ceases to operate or where the individual elects to change to another provider. Under common law, the provider generally retains ownership of the medical records,48 however, this should not reduce individuals’ rights to access their health information.

Health services ceasing to operate

The Office has become aware of a number of cases where individuals have not been able to gain access to their own health information due to their health provider ceasing to operate. This may happen in circumstance where, for example, a practitioner retires, dies or the practice ceases to provide services. In such cases, the individual’s right of access under NPP 6 is difficult to guarantee. In some jurisdictions, specific legislative provision is made for ‘abandoned’ records to be retained by a central body, such as a medical registration board. For example, in Queensland, section 260 of Medical Practitioners Regulation Act 2001 says that the Board may take possession of records it considers abandoned.49 In NSW, the Medical Practice Regulations 2003 imposes some obligations on how medical practitioners should handle health records in the event of a disposal of a practice.50

Such circumstances also raise difficulties for NPP 4, as abandoned records may not be afforded an adequate level of storage and security.

Individuals requesting the transfer of health records

The NPPs do not regulate the transfer of medical records if an individual chooses to change to another health service provider. An individual may exercise general access rights to their health information, though it is not an obligation on the provider to transfer this information in full to another provider. Other regulation may require health providers to do certain things though. For example, the Victorian Health Records Act 2001 requires that if an individual asks, then a health service provider must provide ‘a copy or written summary of the individual’s health information’ to another health provider.51 Some professional bodies have noted that health providers should accord with good clinical practice and any relevant codes of ethics to ensure that a new practitioner receives adequate information to treat the patient.

Access to personal information

An important element of giving individuals control over their personal information is to give them a right to ask an organisation to see any personal information it holds about them and to correct the information if it is wrong.52

The Office has found that failure to provide access is a commonly received complaint, particularly in the health area.

---

5. Balance of individual privacy interests with business efficiency

Light touch approach

The private sector provisions of the Privacy Act implemented what the then Attorney-General called a ‘light touch’ approach to privacy protection. They established a co-regulatory regime which was intended to be responsive to both business and consumer needs.53 In the case of business, this was achieved by the development of high level principles rather than prescriptive rules and by providing for organisations and industries to develop their own privacy codes. Further the legislation included a number of exemptions, including for employee records, on the ground they could be better dealt with under the workplace relations legislation,54 and for most small businesses.

In addition, the inclusion of a specific provision for direct marketing aimed to acknowledge the commercial practice of direct marketing while also recognising that individuals may be unwilling recipients of direct marketing activity. A part of the light touch approach was to rely on complaints as the main enforcement mechanism for the provisions.

The legislation also was recognised as being of benefit for business, for example, by encouraging consumers to engage in electronic commerce, and raise consumer confidence in business generally.

This section looks at these provisions and the approach the Office took to compliance and raises the issue of whether these provisions and the Office’s approach strike the right balance between business and consumer needs. It also looks at whether the provisions have been successful in minimising the compliance burden on business, including small business.

Issues relating to the impact of the private sector provisions on business are also to be found in the section ‘A single, comprehensive nationally consistent scheme’ (see p 13) and ‘International issues and obligations’ (see p 22).

High level provisions

The NPPs are high level, non-prescriptive principles, aimed at giving business the flexibility to adapt them to their own particular business and to be technology neutral. On the other hand, this could be said to have made it more difficult for business to be aware of the obligations and how to implement them in practice.

A survey of business attitudes towards, and knowledge of, the private sector provisions the Office carried out in June 2001 indicated that Australian business had ‘demonstrated a positive attitude to its impending responsibilities. However, this is matched by a low level of understanding of what exactly those responsibilities are’.55 To address this, the Office’s compliance strategy has included an emphasis on providing advice, assistance and information to help business understand its responsibilities. The Office’s hotline, website, publications, speeches, information sheets and brochures have been key mediums through which the Office has sought to provide advice and raise awareness of privacy obligations with business. This has included providing special material targeted at small business http://www.privacy.gov.au/business/small/index.html.

It has also included case notes setting out some examples of how the Office deals with complaints in particular circumstances.

This was partly in response to the considerable number of requests from business for specific advice about whether a particular proposed strategy was compliant with the Privacy Act, or asking for specific advice about how to comply with the Privacy Act in a particular situation, for example, in relation to drafting a privacy policy.

There have been very few court cases clarifying how the NPPs apply in specific circumstances.56

Anecdotal evidence and the increasing presence of privacy policies on web pages and in business correspondence, indicate that the Office has had a measure of success in raising business awareness of their obligations. However, the Office is also aware through the media of a number of ‘privacy furphies’ or myths, about privacy which illustrate that there may be a substantial level of misunderstanding about privacy obligations present in some parts of the private sector or among front line staff. The Office’s Frequently Asked Questions are a response to awareness of a number of these.57

Issues

The private sector provisions of the Privacy Act are principle based regulations. Accordingly, they are less amenable to specific direction on how to comply with them. One issue for the review could be whether the benefits of having high level principles in terms of flexibility and technological neutrality offset problems for some business caused by the lack of prescriptive direction about how to adhere practically to the principles. On the other hand, the guidelines the Office prepared on the operation of the NPPs may have been sufficient for most businesses.

Interpretations of laws and regulations by the courts often generate a body of practical information about how to adhere to regulation, plugging the gap between principles and practice. Precedents and cases give concrete examples of good practice and bad practice. However, the Office has not had the need to make many determinations and there have been few judicial decisions made on the private sector provisions. This may be an issue of particular importance to legal organisations who as a result of this have little case law to inform organisations about their obligations and the suitability of their practices. On the other hand, it could indicate that the NPPs are working well.

An issue that may need to be considered is the Office’s role in promoting awareness. Ways of bridging this gap between principles and practice may need to be looked at including ways of giving organisations the expertise to self audit.

Costs of compliance

Compliance with the legislation certainly involves costs for organisations. There were the initial costs of revamping systems and of training staff. There are the ongoing costs of complying with obligations to inform individuals from whom personal information has been collected and of seeking consent for use and disclosure of the information for secondary purposes. Providing access to information, or deciding not to, and correcting it, or giving reasons why not, may also involve cost.

The downside of a light touch approach is that there may be a lack of certainty, another kind of cost. For very small businesses subject to the legislation the relative costs may be significant. Some businesses, for example, health businesses in Victoria and New South Wales, must also comply with overlapping, and possibly conflicting, State legislation. Particular problems arise when businesses are bought and sold. It may be difficult to determine how the NPPs apply to the disclosure of personal information in the course of due diligence. Depending on the nature of the business being sold, due diligence may involve disclosure of personal information about key employees or even sensitive information, for example, health information, about employees or clients.

Codes

Law provides for industry and organisation codes

A key feature of the private sector provisions of the Privacy Act is the ability of organisations and industries to develop their own codes. In his second reading speech, the then Attorney-General stated that the aim of the legislation was ‘to encourage private sector organisations and industries . . . to develop privacy codes of practice.’58 In order to approve a privacy code, the Privacy Commissioner must be satisfied, among other things, that the code incorporates all the NPPs or sets out obligations that, ‘overall are at least the equivalent’ of all the NPPs.59 This has been interpreted to mean that the code must include each obligation and must be consistent with the NPPs.

Codes approved

Although at the time the legislation was implemented there was an expectation that codes would play a major role in the new privacy scheme, there have been very few applications for code approval and only three codes have been approved. There are a number of possible reasons for this, including

• the length of time and cost to develop a code
• the interpretation of ‘overall . . . equivalent’ that has been adopted
• administering a code has costs
• an adequate complaints handling scheme is difficult to establish and maintain
• general satisfaction with the NPPs and
• the proliferation of industry codes (dealing with issues other than privacy), with which organisations have to comply, developed by industry bodies.60

On the other hand, there are reasons why an industry or organisation might want an approved privacy code. Approval may have the effect of branding an industry or organisation, or distinguishing it from a similar, perhaps less reputable, industry. As new industries develop on the back of new technology, approval of a code may give them credence it might otherwise take years to achieve. An industry may need to be bound by an approved code to meet European Union (EU) adequacy requirements, necessary if it wants to trade with EU countries.

Approval process

The approval process has been criticised as lacking in transparency. Having approved a code, the Commissioner does not publish reasons for doing so. It could be argued that he or she approves the code because it satisfies the provisions of the Privacy Act and that is sufficient.

Furthermore, given how long the process has taken to date, it may be a long time after the consultation that the code is finally approved. As a result, a question may arise as to whether or not the consultation was adequate.

Small business exemption

Current law

A ‘small business operator’ is exempt from the operation of the private sector provisions of the Privacy Act. A small business is one that does not have an annual turnover of more than $3 million and is not related to a business that has such a turnover. Some small businesses, however, must comply with the provisions. These are small businesses that

• provide health services to people and hold health information about them
• trade in personal information, for example, by buying or selling names and addresses for inclusion on a data base
• are contracted to provide a service to the Commonwealth.

However, not every small business that trades in personal information must comply. If an organisation whose turnover is $3 million or less sells personal information with the person’s consent it may do so without bringing itself under the Privacy Act. The law also allows for the Government to prescribe small business operators or acts or practices of small business operators bringing them within the operation of the Act. Finally, a small business may voluntarily opt in to be covered by the provisions. Currently 127 small businesses have opted in to coverage.

Reason for small business exemption

There are two main rationales for the small business exemption. First, it is based on the premise that not all small private sector organisations pose the same risk to privacy and that many small businesses do not have significant holdings of personal information.61 On this basis it was considered that there is no real need for small business to be covered and to do so would not justify the costs involved. Secondly, it reflects the premise that the right to privacy is not an absolute right and must be balanced against the need to avoid imposing unnecessary costs on small business.62

Issues

Does the small business exemption exempt only those businesses that do not pose a privacy risk?

Personal information bought and sold by organisations for inclusion on a data base should be protected by the Privacy Act. In some cases however it may not be protected where a small business is collecting it, because the person whose information it is gives his or her consent. Some argue, however, that the consent may not be real in some cases, for example, where refusing consent would result in real inconvenience or lack of access to housing or other basic services. Small businesses may hold significant personal information including sensitive information, for example, internet service providers.

Do consumers have enough information to have confidence in businesses they deal with?

One of the main justifications of the private sector provisions was to give consumers confidence in Australian business practices.63 It was believed that Australian consumers would be reluctant to participate in electronic commerce unless they were confident the personal information they supplied was protected. It may be possible that the small business exemption undermines this object. For example, the exemption is complex and many people would find it hard to determine whether or not a particular business is a small business and, if so, whether or not the legislation applies. Secondly, many internet based businesses are not large and the $3 million cut off point may well put them outside the operation of the Privacy Act.

Does the exemption avoid unnecessary costs on business?

Another justification for the small business exemption is the need to avoid unnecessary costs on small business.64 Some costs arise for a small business that is a respondent to a complaint in that it must first establish it is a small business before the complaint can be dismissed on the basis of the exemption. An exempt business may miss out on the potential benefits privacy legislation brings such as increased consumer confidence, especially in relation to online trading. Also, the small business exemption is complex. This makes it hard for small businesses to work out whether the Privacy Act applies to them or not. This could mean that to avoid risk, small businesses are complying even where the Privacy Act may not apply to them.

Direct marketing

Current law

The private sector provisions of the Privacy Act provide for the collection, use and disclosure of personal information for direct marketing in some circumstances.

An organisation may collect personal information from an individual for the primary purpose of direct marketing and use and disclose (including selling it) it for that purpose. It may acquire personal information from another organisation for the primary purpose of direct marketing and use and disclose it for that purpose.65

If an organisation has collected information for a purpose that is not direct marketing, and wishes to use or disclose it for direct marketing purposes, it can do so without the individual’s consent if the direct marketing is related to the purpose for which the information was collected in the first place (and directly related in the case of sensitive information) and the person from whom it was collected would reasonably expect the organisation that collected it to use or disclose it for direct marketing.66

An organisation can only use personal information for direct marketing that is unrelated to the primary purpose or not within the reasonable expectations of the individual, if

• the person from whom the information was collected has consented to the use or disclosure of the information for direct marketing or
• (if the information is not sensitive information) it is impracticable to get consent before using the information
  • the direct marketing organisation gives the individual the opportunity to opt out of receiving material (at no cost)
  • the individual has not already asked the organisation not send material
  • in every communication the organisation draws the individual’s attention to the fact that he or she may opt out of receiving further material; and
  • each communication includes the relevant contact details of the organisation (including electronic contact details if the material was sent by electronic means).67

This provision does not apply to disclosure to another organisation for the unrelated and unexpected purpose of direct marketing. In this case, the organisation would need the individual’s consent.

Rationale

The direct marketing provisions of the Privacy Act are intended to strike a balance between the business interests of organisations involved in direct marketing and the privacy interests of consumers affected by the activity. The legislation acknowledges the commercial practice of direct marketing and the related activity of acquiring personal information about individuals to enable organisations to market their products effectively and efficiently. It also recognises the privacy interests of individuals who may find themselves the unwilling recipients of direct marketing material.

Issues

The provisions provide some protection for individuals whose personal information is collected for one purpose (the primary purpose) and then used for direct marketing purposes (a secondary purpose) without their consent. They do not provide the same protection for information collected for the primary purpose of direct marketing, whether collected directly from the individual or from a third party. Organisations are not required to give an individual the chance to opt out on each communication in these circumstances. This may be a gap particularly where an organisation collects information from a third party for the primary purpose of direct marketing, for example, when it buys a list. In these circumstances, the individual may not necessarily know the organisation has collected his or her information, (for example, if taking a limited or no step to tell an individual is reasonable for the purposes of NPP 1.5) and may not have had the chance to agree or not as to whether the information should be used or disclosed for direct marketing. On the other hand, some individuals may know and agree. This would be the case, for example, if the organisation that originally collected the personal information from the individual has made it clear that it would disclose the information for these purposes to this kind of organisation and the individual was given the chance to agree at that point.

Even where an organisation collects the information directly from an individual it may not be entirely clear to an individual for what purpose information is being collected. His or her understanding of the purpose may be quite different from that of the organisation collecting the information. For example, in the case of an entry to a competition, the organisation may consider that collecting personal information is for the main purpose of marketing other material to an individual. On the other hand, the individual may think that the main purpose is to enable them to receive a prize if they win. Any information about the purpose in any case, could be buried in very small print which the individual is unlikely to read. Certainly an individual is unlikely to draw a distinction between a primary and secondary purpose and to understand the consequences of the distinction.

Business compliance with obligations

There are a number of ways that the private sector provisions sought to implement a light touch approach to the enforcement of privacy obligations. For example, the provisions rely on complaints from individuals as the main way of having individual rights enforced. The Commissioner does not have an audit power in relation to the private sector, although he or she has a power to conduct own motion investigations68 if it becomes aware of a possible breach and it can audit an organisation if invited by the organisation to do so. The Commissioner cannot fine an organisation that breaches privacy provisions (although it can award compensation). He or she cannot enforce any directions they might seek to give in relation to its findings after an own motion investigation.

Office approach to compliance

In the spirit of the provisions, the Office also took a particular approach to compliance. This was reflected partially in the Office’s strategic plan of the time which set a clear purpose of promoting an Australian culture that respects privacy. This was consistent with the range of functions set out in section 27 of the Privacy Act which, in summary, includes input to policy making and public education in addition to its compliance functions. This approach is based on the conclusion that the most efficient way to regulate privacy is to embed a respect for privacy into an organisation’s culture (which includes encouraging an awareness of rights and a sense of the value of privacy) so that recourse to the regulator’s enforcement powers are often unnecessary. It also recognised that privacy is context dependent and a community that is informed about the values that underpin privacy can apply them more flexibly to the situation, preventing privacy problems from arising, rather than just relying on ‘end of pipe’ legalistic solutions.

In line with this, the Office’s approach to compliance has emphasised providing advice, assistance and information to organisations.69

In general, the Office has taken an educative approach to private sector complaint handling and own motion investigations; it has aimed to work with individuals and organisations to resolve issues and improve practice. To date there has been limited or no use of the more formal enforcement powers – complaint determinations or injunctions – or the use of public ‘naming’ and ‘shaming’. This is in part because the Office has generally been able to resolve issues cooperatively. There are clearly privacy practices of concern, for example in relation to risk management databases, health records and internet security. In these cases the Office is continuing to work with the organisations or industry sectors to address issues. One effect of the law and the Office approach has been that enforcement may be less publicly visible in the privacy sphere than with some other regulatory schemes.

However, the Office has committed itself to actively pursuing breaches of the Privacy Act and taking care to ensure that breaches are remedied and complainants’ concerns are addressed, including through compensation where that is necessary.

The Office has identified complaint handling as a priority in the context of increasing complaints stemming from the introduction of the private sector provisions. The Office diverted resources from other areas of responsibility including auditing of Commonwealth agencies, towards complaint handling on the rationale that increasing complaint backlogs had the potential to undermine the operation of the Act.

Extent of complying with obligations

The level and nature of enquiries and complaints to the Office give some indication of the level of compliance with the NPPs.

The Commissioner’s annual reports contain detailed information about the nature of enquiries and complaints received by the Office. The reports are available at http://www.privacy.gov.au/publications/index.html. A few key statistics relevant to compliance with the NPPs are noted below.

There have been some consistent trends in aspects of the NPPs and industry sectors that most often appear in complaints. In particular, complaints about the NPPs have tended to cluster around the following industry sectors: finance and investment (17%); health service providers (14%); telecommunications (9%); insurance (6%); and landlords and real estate agents (6%).

Calls to the privacy Hotline are most frequently about possible improper use and disclosure of personal information. Concerns about collection practices and access to personal information, including charges for access, are also common. These concerns are mirrored in the nature of complaints to the Office. In 2003 – 2004, 44% of private sector complaints were about use and disclosures, 15% were about collection and 14% were about access.

While disclosure of personal information was the most frequently complained about act or practice, access was the most frequent issue where a breach of the NPPs was found. Thirty three percent of breaches found were in relation to requests for access to personal information; close to half the respondents were in the health sector. Disclosure of personal information was the next most common breach (19%). Data quality (12%) and data security (10%) issues occurred with similar frequency in relation to complaints received and complaints where breaches were found.

Issues

The Office’s experience in working with the private sector both in providing advice and when they have been respondents to complaints has been generally positive. Most organisations appear to have familiarised themselves with the NPPs, developed privacy policies, privacy notices on forms and taken other steps. Anecdotally, the widespread appearance of privacy notices was the most concrete sign that a new privacy regime had commenced. It may be, however, that a concern for privacy has not yet been built more deeply into compliance thinking. For example, it is not clear whether most organisations

• consider privacy when developing products or systems
• consider and review how personal information is protected
• track how personal information is being used and disclosed or
• have in place complaint handling systems.

Another issue is whether the unexpected increase in the number of complaints and a delay in which the Office can handle some of them has a significant impact on complainants and organisations; for example the organisation may have considered the matter to have been closed because they have not heard from the Office and, the paper trail becomes older and more difficult to retrieve, or poor practices continue for longer.

The Act provides quite strong powers to investigate complaints and to provide enforceable remedies through the Courts. However, the remedies for formal determination under section 52 focus on redress of loss or damage, including injury to feelings or humiliation, to the individual concerned. The Commissioner cannot impose punitive measures and can only address systemic issues that gave rise to a privacy complaint if it would be reasonable to redress loss or damage suffered by the complainant. 70 This is in contrast to complaints settled by agreement between the parties, or on the basis of a decision by the Commissioner that the matter has been ‘adequately dealt with’, which often includes agreement to implement systemic remedies such as staff training or systems or procedural change. One way of addressing this might be to give the Commissioner additional powers, for example, to ask organisations to commit to an undertaking that would be enforceable in the courts, or to issue a standard or binding code.71

In addition to investigating complaints the Privacy Act provides for the Commissioner to investigate possible interferences with privacy without a complaint, that is on his or her ‘own motion’, if desirable. However, there is no enforcement mechanism for own motion investigations into the practices of private sector organisations.72 If the Commissioner finds a breach, he or she can only seek to persuade the organisation to change its practices. The Commissioner or any other person may seek an injunction to stop actions, or to require actions, in relation to possible breaches of privacy.73 In addition, while organisations may invite the Commissioner to conduct an audit of its activities, the Commissioner has no power to proactively audit organisations’ compliance with the NPPs.

Business efficiency and private sector contracting

Many private sector organisations use contractors to carry out some of their functions or activities that involve the handling of personal information. They may be handing personal information over to contractors that are exempt from coverage of the Privacy Act because they are small business operators.

Sometimes the information given to contractors is sensitive information, such as health information. Unlike the IPPs, there is no clear obligation in the NPPs which would require organisations to ensure that their contractors only use the personal information given to them for the purposes for which it is given and keep it secure. Some organisations, although they are using contractors for core services, such as telephone contact with customers, or to provide transaction cards, seek to have such contractors identify themselves to customers as operating under the corporate brand. The Privacy Act does not make any specific provision for contractors to be regarded as acting as agents for the organisation they are providing services for.74 Therefore when an organisation gives personal information to a contractor, it is generally speaking regarded as a separate entity, and so the organisation is ‘disclosing’ information to the contractor, and the contractor is ‘collecting’ the personal information.

Issues

Because the Privacy Act does not provide specifically for the circumstances where an organisation discloses information to a contractor that is exempt from coverage of the Privacy Act, an individual’s personal information may lose the protection of the Privacy Act. Because the exempt business would in most circumstances be regarded as a separate entity, the contracting organisation would not be in breach of the Privacy Act if its contractor mishandled the personal information. Where personal information is sensitive information, the contractor needs the consent of each individual to collect the individual’s personal information from the contracting organisation. There may be concerns that the Privacy Act would require a contractor operating under a corporate branding to identify itself, under NPP 1.3 as being a separate organisation, or to require such a contractor to get the consent of the individual to disclose sensitive information to the contracting organisation on whose behalf it has collected the information.