Getting in on the Act:

The Review of the Private Sector Provisions of the Privacy Act 1988

March 2005

---

Copyright © Office of the Privacy Commissioner 2005

ISBN 1-877079-46-4

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Office of the Privacy Commissioner.

Requests and enquiries concerning reproduction, right and content should be addressed to:

Copyright Officer
Corporate and Public Affairs
Office of the Privacy Commissioner
GPO Box 5218
SYDNEY NSW 2001

E-mail: privacy@privacy.gov.au

---

The Hon Philip Ruddock MP
Attorney-General
Parliament House
CANBERRA ACT 2600

Dear Attorney-General

I refer to your request of 13 August 2004 asking me to undertake a review of the private sector provisions of the Privacy Act 1988. I have pleasure in presenting to you the report: Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988.

Yours sincerely

Karen Curtis
Privacy Commissioner

31 March 2005

---

Table of Contents

Foreword

Overview and Executive Summary

Approach to the review
Terms of reference
Participants in the review
Timing of the review
Provisions work well on balance
A single national scheme
Main recommendations
Recommendations:
Recommendation: Wider review of Privacy Act
Recommendations: National consistency
Recommendations: Telecommunications consistency
Recommendations: Health consistency
Recommendations: Residential tenancy databases
Recommendation: EU ‘adequacy’ and APEC
Recommendation: NPP 9
Recommendations: Control over personal information
Recommendations: Direct marketing
Recommendations: Consumer education
Recommendations: Access generally
Recommendations: Transfer of health records
Recommendations: Health service ceases to operate
Recommendations: Complaints handling and compliance
Recommendation: Approved privacy codes
Recommendations: Business awareness
Recommendations: Small business exemption
Recommendations: Private sector contracting
Recommendation: Due diligence
Recommendations: Media exemption
Recommendations: Research
Recommendations: Decision-making where capacity is impaired
Recommendation: Law enforcement
Recommendation: Private investigations
Recommendations: Alternative dispute resolution schemes
Recommendations: Large scale emergencies
Recommendations: New technologies
Recommendation: NPP 1.3(d)
Recommendation: Reasonable steps for NPP 1.3 and 1.5
Recommendation: NPP 1.5 – ‘Someone’
Recommendations: Primary purpose and health information
Recommendation: NPP 3 – Data quality
Recommendation: NPP 7 - Identifiers
Recommendations: NPP 10 – Public Interest Determinations
Recommendations: NPP 10.2(b)
Recommendations: Deceased persons

1 Background

1.1 This Inquiry

Background to the review
Terms of Reference
Matters not included in the review
Other relevant privacy related reviews and processes
Research
Framework for assessing issues
Conduct of the review- overview of consultation
Issues Paper
Consultation Meetings
Written Submissions
Structure of report

1.2 Private Sector Provisions of the Privacy Act

History of Commonwealth Privacy Legislation
What do the Private Sector Provisions cover?

2 National Consistency

2.1 National consistency overall

National consistency was goal of legislation
Issues
Other law impacting on privacy
Submissions favour national consistency
What submissions say - issues
What submissions say – addressing the issues
Options for reform

2.2 Recommendations: National consistency

2.3 Consistency in telecommunications

Law and policy
Complaints and enquiries
What the submissions say - issues
What submissions say – addressing the issues
Options for reform

2.4 Recommendations: Telecommunications consistency

2.5 Consistency in protection of health information

Law and policy
What the submissions say - issues
Options for reform

2.6 Recommendations: Health Consistency

2.7 Residential tenancy databases

What are residential tenancy databases?
Application of the Privacy Act
Issues
Options for reform

2.8 Recommendations: Residential tenancy databases

3 International issues and obligations

3.1 EU Adequacy and APEC

Law and Policy
Issues
What submissions say - issues

3.2 Recommendation: EU ‘adequacy’ and APEC

3.3 NPP 9

Law and policy
Issues
What submissions say – issues
What submissions say – addressing the issues
Options for reform

3.4 Recommendation: NPP 9

4 Protecting individual’s right to privacy

4.1 Control over personal information

Law and policy
Issues
Community attitudes survey
What submissions say - issues
What submissions say – addressing the issues
Options for reform

4.2 Recommendations: Control over personal information

4.3 Direct marketing

What is direct marketing?
Law and policy
Rationale
Community attitudes survey
Issues
What submissions say – the issues
What submissions say – addressing the issues
Options for reform

4.4 Recommendations: Direct marketing

4.5 Awareness of, confidence in and capacity to exercise rights

Law and policy
Issues
Role of the Office
Role of organisations
Community awareness survey
Demographic information about complainants
What submissions say - issues
What submissions say – addressing the issues
Options for reform

4.6 Recommendations: Consumer education

4.7 Access generally

Law and policy
Issues
What submissions say - issues
What submissions say – addressing the issues
Options for reform

4.8 Recommendations: Access generally

4.9 Transfer of health records to another health service provider

Law and policy
What submissions say
Options for reform

4.10 Recommendations: Transfer of health records

4.11 Access to health records when health service ceases to operate

Law and policy
Health services ceasing to operate
What submissions say
Options for reform

4.12 Recommendations: Health service ceases to operate

5 Enforcing individual rights and ensuring compliance

5.1 Introduction

5.2 Law and policy

Approach to compliance
Complaints process
Review rights

5.3 Issues

5.4 What submissions say – issues

Approach to compliance
Level of compliance
Office does not use existing powers
Systemic issues not being addressed
Complaints process

5.5 What submissions say – addressing issues

Transparency
Fairness
More help to complainants – streamline process
Improving levels of compliance
Are levels of compliance adequate?

5.6 Options for reform

More education and awareness
Increase transparency in complaints process
More external review
Fairer process
Make better use of existing powers
Power to enforce own motion investigations
Power to audit private sector
Other power to address systemic problems in complaints
Improve liaison with overlapping complaint handlers
Advice about complaint rights
Address delay in handling complaints
Review practices

5.7 Recommendations: Complaints handling and compliance

6 Balancing individual privacy interests with business efficiency

6.1 Introduction

Law and policy
Issues
Striking the balance
Principles or rules
Principles may need some illumination

6.2 Approved Privacy Codes

Law and policy
Issues
What submissions say - issues
What submissions say – addressing the issues
Options for reform

6.3 Recommendation: Approved Privacy Codes

6.4 Compliance costs

Law and policy
Issues paper
What submissions say

6.5 Business awareness

Issues
What submissions say
Options for reform

6.6 Recommendations: Business awareness

6.7 Small business exemption

Law and policy
Issues
What submissions say
Options for reform

6.8 Recommendations: Small business exemption

6.9 Private sector contracting

Law and policy
What submissions say
Options for reform

6.10 Recommendations: Private sector contracting

6.11 Due diligence on sale or purchase of business

What is due diligence?
Information Sheet 16
Issues
What submissions say
Options for reform

6.12 Recommendation: Due diligence

7 Balancing individual rights and other social interests

7.1 Media exemption

Introduction
Law and policy
Issues
What submissions say – issues
Options for reform

7.2 Recommendations: Media exemption

7.3 Medical research

Law and Policy
What submissions say - issues
What submissions say – addressing the issues
Options for reform

7.4 Recommendations: Research

7.5 Decision-making where capacity is impaired

Introduction
Relevant privacy principles
What submissions say - issues
Options for reform

7.6 Recommendations: Decision-making where capacity is impaired

7.7 Law enforcement

Law and policy
Issues paper
What submissions say - issues
Options for reform

7.8 Recommendation: Law enforcement

7.9 Private investigation

Introduction
What submissions say – issues
Private detectives and other jurisdictions
Options for Reform

7.10 Recommendation: Private investigations

7.11 Alternative Dispute Resolution

Alternative Dispute Resolution
What submissions say – issues
What submissions say – addressing the issues
Options for Reform

7.12 Recommendations: Alternative dispute resolution schemes

7.13 Responding to large scale emergencies

Introduction
Law and policy
Issues
What submissions say – addressing the issues
Options for reform

7.14 Recommendations: Large scale emergencies

8 New technologies

8.1 Developments

Telecommunications and internet
Data aggregation and mining
Biometrics
Electronic health records
Role of technology in protecting privacy
Issues

8.2 What submissions say – the issues

8.3 What submissions say – addressing the issues

8.4 Options for reform

8.5 Recommendations: New technologies

9 Clarifying how the National Privacy Principles work

9.1 NPP 1.3(d)

Law and Policy
The issue
Options for Reform

9.2 Recommendation: NPP 1.3(d)

9.3 NPP 1.3 and 1.5 – ‘reasonable steps’

Law and Policy
The issue
Options for Reform

9.4 Recommendation: Reasonable steps for NPP 1.3 and 1.5

9.5 NPP 1.5 – collection from ‘someone’ else

Law and Policy
Options for Reform

9.6 Recommendation: NPP 1.5 – ‘Someone’

9.7 NPP 2 – primary purpose and the collection of health information

Background
Options for Reform

9.8 Recommendations: Primary purpose and health information

9.9 NPP 3

Law and Policy
What submissions say – issues
Options for Reform

9.10 Recommendation: NPP 3 – Data quality

9.11 NPP 4

9.12 NPP 5

9.13 NPP 6

9.14 NPP 7

Law and policy
Issues
What the submissions say – issues
Options for reform

9.15 Recommendation: NPP 7 - Identifiers

9.16 NPP 8

9.17 NPP 9

9.18 NPP 10 – Collection of Family History Information – PID 9 and 9A

Law and Policy
What the submissions say – issues
Options for Reform

9.19 Recommendations: NPP 10 – Public Interest Determinations

9.20 NPP 10.2 – Collecting health information without consent

Law and Policy
Scope of the exception
Options for Reform

9.21 Recommendations: NPP 10.2(b)

10 Other issues with the private sector provisions of the Privacy Act

10.1 Information of deceased persons

Law and Policy
What submissions say – issues
Options for Reform

10.2 Recommendations: Deceased persons

10.3 Employee Records Exemption

Law and Policy
What submissions say

10.4 Political Exemption

Law and Policy
What submissions say

Appendix 1

Terms of Reference

Appendix 2

Review Reference Group

Appendix 3

Submissions Received

Appendix 4

National Privacy Principles

Appendix 5

Information Privacy Principles

Appendix 6

Community Attitudes towards Privacy 2004

Appendix 7

Information Sheet 13: 2001 Privacy Commissioner’s Approach to Promoting Compliance

Appendix 8

Summary of complaint handling provisions, including powers to investigate

Appendix 9

Complaints Statistics

Appendix 10

Own Motion (section 40 (2)) power

Appendix 11

Current Powers to enforce determinations

Appendix 12

Decision Appeal Processes in comparable legislation

Appendix 13

Demographic information about complainants

Appendix 14

Complainant and respondent satisfaction survey

---

Forward

This report is the first major examination of how the laws governing the use of personal information by the private sector in Australia have worked in their first years of operation.

It has been a significant project for the Office and leadership team since last August. The project team was headed by Robin McKenzie.

The report has drawn on information and views from a wide range of sources including individuals, businesses, industry organisations, interest groups, and government agencies across the Commonwealth, and states and territories.

The review has benefited from discussions, consultations and material contained in submissions. I thank all those involved for contributing their ideas and views, and for the constructive way in which those views were conveyed.

I particularly thank the members of the Steering Committee and the Reference Group for their advice and guidance.

Many members of staff contributed in various ways – preparation of the Issues Paper, organising meetings for the Steering Committee and Reference Group, organising public consultations, analysing submissions, developing policy options, putting submissions on the website, undertaking surveys, writing sections of the report, editing and formatting. The Corporate and Public Affairs Section of the Office was involved in all aspects of the review process.

While I hesitate to single out individuals, it would be remiss if I did not acknowledge the major contributions of Robin McKenzie, Pauline Kearney , Paul Armstrong , Chris Cowper and Timothy Pilgrim . Suzanne Christian was responsible for the report compilation, formatting and editing.

To my staff, I express my gratitude for their contribution to this important review and I look forward to further improving the operation of the private sector provisions for the benefit of the community and business.

Karen Curtis
Privacy Commissioner

March 2005

---

Overview and Executive Summary

Approach to the review

Terms of reference

The Office has undertaken a review of the operation of the private sector provisions of the Privacy Act to see whether they meet their objectives. The objects are outlined in the terms of reference from the Attorney-General which are at Appendix 1.

Participants

In the course of the review, information has been considered from a wide range of sources. They are:

• 136 written submissions

• 12 stakeholder workshops in all capital cities

• the Review Steering Committee, which includes members of the Privacy Advisory Committee

• the Review Reference group, which includes over 40 representatives from community, business and government

• the Office's Community Attitudes Research

• research conducted by other stakeholders, for example, the National Health and Medical Research Council and the Australian Direct Marketing Association

• statistics collected by this Office either specifically for this review, or from its complaints management system

• Office staff experience in the course of providing policy advice to stakeholders, or managing complaints

• meetings with stakeholders.

A wide range of stakeholders have participated in the review. They include major business and industry sectors, including banking, insurance, finance, private detectives and debt collection, credit reporting, marketing, fundraising, health and allied care, manufacturing, retail, small business, housing, real estate, superannuation, internet, hospitality and welfare. There has also been input from consumer and privacy advocacy groups including consumer, credit, health and academia. In addition, the Office has received input from state and federal government agencies, including health, law enforcement agencies and other regulators, and also dispute resolution bodies.

Timing of the review

The private sector provisions have been in operation since 21 December 2001, or just over three years for non-small business operators, and since 21 December 2002, or just over two years for small businesses that do not qualify for the small business exemption. Given that implementing a privacy scheme, particularly for some sectors, involves complex attitude change and understanding rather than simply complying with clear, black letter law, this is a relatively short period of time to be assessing the operation of the provisions.

In addition, it was not possible to conduct the kind of detailed quantitative research that might give a clearer indication of the actual level of business compliance with its obligations under the scheme. Further, because the scheme is complaint based and the Office has only limited powers to investigate practices on its own initiative, it is possible that there are areas of non-compliance of which the Office is not aware. As a result, although the Office has sought to gain and draw upon quantitative evidence to the extent it is possible and available, it is in the end relying to a considerable extent on anecdotal evidence as well as its own complaint statistics for its conclusions.

Provisions work well on balance

Overview

The review process shows that the private sector provisions have met with their objectives in some areas and not in others. In some areas it has failed to meet with an objective, but in practice the impact may not have been significant. In others, objectives were met in a way quite different from that envisaged at the time the legislation was implemented. In some, the provisions have not met the objective.

Indeed, it could be argued for example that the private sector provisions have not met the two objectives of ‘a national scheme' or ‘international concerns'. But this does not take away from the overall effect that the National Privacy Principles (NPPs) have worked well and delivered to individuals protection of personal and sensitive information in Australia in those areas covered by the Act.

No fundamental flaw

Although 85 recommendations have been made, this does not equate to dissatisfaction with the provisions. Rather, it means with the benefit of three years experience it has become apparent there are ways to improve existing elements of the regime, and there are external influences which have impacted on the efficacy of the legislation.

Although there were a few calls from privacy advocates for the Government to ‘go back to the drawing board' entirely on the provisions, the Office has no substantive evidence to suggest that the private sector scheme has any significant flaws to warrant dramatic changes.

Provisions have generally worked well for business

The overall view from the business sector is that the scheme has worked well for them, and that there is considerable support for it as it currently stands. Generally speaking, it appears that in most areas, the scheme has met its objective of not unduly impeding the free flow of information, or the right of business to achieve their objectives in an efficient way.

Consumers are less satisfied

Generally speaking however, those representing the consumer and privacy advocate groups were less satisfied that the private sector provisions had met their objectives of adequately providing for the privacy rights of individuals.

International concerns

One area where the private sector provisions have not met their objectives in the way that was anticipated is the objective of meeting international concerns and Australia 's international obligations relating to privacy. It appears that this has been less of a concern to many stakeholders than might have been expected at the time the provisions were enacted. A particular example of this is achieving European Union (EU) adequacy to enable businesses to engage in trade involving personal information with European businesses.

Despite the fact that the private sector provisions have not yet been found adequate by the EU, in general, business does not report a major impediment to trade. In addition, the issue of global trade beyond the EU has meant that the need to address consistency in privacy regulation at a global level has become important. The APEC initiatives on privacy are evidence of this shift.

Approved NPP Codes

Another area where the objectives of the private sector provisions have not been achieved in the way that was anticipated is the adoption of industry and organisation codes by the private sector to regulate their collection, use and disclosure of personal information. There are only three approved codes under the Privacy Act. However, there is no call for the repeal of the code provisions of the Act despite the very low level of take-up. Most businesses appear content to be regulated by the NPPs and to have the Office as their external complaints handling body.

A single national scheme

There is significant inconsistency

There is evidence that the failure of the privacy sector provisions to meet their objective of achieving national consistency in privacy regulation has had consequences for business efficiency. There is also some evidence that this has posed some impediments in the way of individuals seeking to be aware of, and have respected, their privacy rights. The inconsistency operates at a number of levels, including within the Privacy Act itself, within Commonwealth regulation impacting on privacy, and between state and Commonwealth legislation. The area of privacy involving health information, including health research has been clearly identified as being greatly affected by all these levels of inconsistency. Other areas affected include employee privacy and tenancy databases.

Reasons for the inconsistency

These inconsistencies have emerged for a number of reasons, some of which relate directly to the formulation of the private sector provisions. Others are a consequence of the rapidly changing environment in which the provisions are operating, and in particular, the heightened security concerns following September 11, and the developments in new technology.

One factor contributing to inconsistency is that within the Privacy Act, there are two sets of slightly different privacy principles, one for the Australian public sector and one for the private sector. As the Government has increasingly drawn upon the private sector - for example, welfare organisations - to carry out activities that were once performed by its agencies, this has become more of an issue.

Another factor appears to be the presence of exemptions in the Act. Submissions and consultations suggest that areas of inconsistency are arising because states and territories are legislating in areas covered by the exemptions. A key example of concern to business is the area of surveillance in the workplace. In the absence of privacy protection in this area in the federal Privacy Act, states and territories are legislating and each in a slightly different way.

There are also problem areas such as the regulation of tenancy databases by states and territories. As the NPPs do not totally regulate tenancy databases states and territories are legislating in this area, once again, in a slightly different way.

The desire for more detailed and binding guidance for health care providers together with inconsistency between private sector provisions and state public sector privacy principles, could also be considered reasons for states to legislate in the health area. Submissions from business and consumers, and consultations indicate overwhelmingly that this has created a range of different rules that is confusing for health care providers, other businesses holding health information and consumers.

The Office's complaints caseload that is larger than expected as a result of the private sector provisions has meant that the Office has not clarified the application of the NPPs in some of these areas (for example, tenancy databases) as speedily as it would like. In the mean time, states have moved to address what was emerging as a community need to ensure that tenants were not denied housing as a result of inaccurate and unfair listings.

Finally, rapidly changing technology has resulted in Commonwealth legislation that is outside of, but overlaps with, the Privacy Act. The Spam Act 2003 is an example. Spam was less of a concern in 1999 when the private sector provisions were formulated and the private sector provisions did not address this issue. This situation may arise again with the (future) development of new pervasive technologies. Businesses are concerned to ensure that when it does, the provisions fit well with the private sector provisions.

Approach to recommendations

This report makes a range of recommendations including strategies to address these inconsistencies. But as indicated by the complex factors contributing to these, there is no easy or single fix, especially in a federal system of government. Resolving the issues will involve commitment from all levels of government and a willingness to focus on the big picture.

One thing that became clear in conducting the review is that many of the issues that arise in relation to the operation of the private sector provisions are inter-related. This inter-relation has to be taken into account in recommendations. Recommendations on one aspect of operation will also have the potential to address issues on other aspects of operation.

It is also the case that there are a number of ways that issues arising out of the review could be addressed. Which approach is taken in one area, may affect what approach is best taken in other areas. For this reason, in a number of areas, this report has made recommendations as options that could be taken up depending on the approach taken in addressing other issues.

Resourcing implications of reform

In developing recommendations as part of this review, the Office has been aware of the resource implications of reform. Since the implementation of the private sector provisions, the Office has shifted resources from its guidance and advice role to its compliance role to try to better manage and resolve the complaints received. Even so, there is an unacceptably long waiting list of complaints to be handled. This satisfies neither business, who have invested in compliance and in whose interest it is to have complaints against them settled quickly, nor consumers.

Submissions from all sectors discuss funding for the Office 1. A number of submissions expressly support an increase in resources being granted to the Office 2. Many of these submissions are particularly concerned by the backlog of complaints and subsequent delay in resolving complaints 3.

There was also a general call for more resources to ensure consumers and businesses are educated about their rights and obligations under privacy laws. 4

In this review recommendations are made that, if implemented, will impact upon the operation of the Office. This has implications in terms of resources, for both staff and program delivery.

Main recommendations

This report makes recommendations about how the operation of the private sector provisions could be improved. Recommendations are primarily written as either actions that the Australian Government should consider doing, or as measures that the Office could or intends to undertake. A small number of recommendations involve measures that could be taken by state and territory governments.

Some recommendations involve broad high level principles around the operation of the private sector provisions, for example, recommendations to improve national consistency in privacy regulation, including health privacy regulation, and to ensure that the private sector provisions adequately protect privacy in the face of rapidly developing new technologies.

Recommendations for measures to raise awareness of both consumers and business on a range of topics are found in a number of places in the report.

These particular recommendations could be regarded as forming the ‘lynch pin' for a scheme that is intended to operate in a way that benefits individuals while recognising the right of businesses to achieve their objectives in an efficient way.

Other recommendations aim to increase the control that individuals have over their personal information, particularly in relation to information collected about them indirectly or used or disclosed for other purposes such as direct marketing. These include measures to promote short form privacy notices, and a general opt-out right for direct marketing.

The report makes recommendations about the small business exemption aimed at simplifying its application while suggesting that some sectors that have higher privacy risks should be covered by the private sector provisions.

The report also makes recommendations aimed at improving the transparency and fairness of the Office's complaints process, and to enable it to better identify and address systemic issues.

Some issues raised are complex and need further consideration by the Australian community. The Office identified the application of the private sector provisions to research, in particular medical research, and to new technologies as warranting further debate. The main recommendations on these issues are that they should be considered in the context of a wider review of the Privacy Act.

In response to concerns that organisations need more guidance or that the NPPs may need amending to ensure that they are applied in a commonsense way, recommendations are made on such matters as alternative dispute resolution schemes, access to health records and major national emergences.

The report makes a number of more technical recommendations that aim to increase certainty about the application of the NPPs, which in many cases clarify what is already existing practice.

Throughout the report, but particularly in the recommendations, there has been careful consideration of the balance between protecting individual rights while recognising the collective needs of the community including the business community.

Finally, it became apparent that while the private sector provisions work well, it may be appropriate for the Government to undertake a wider review of privacy for Australians in the 21 ^st century.

The NPPs are based on principles developed in the 1970s and it may be fitting to consider how the operating environment has changed over the last 30 years. For example: Is our definition of personal information still appropriate given technological advances? Do we need different sets of privacy principles covering the private and public sectors? Should the legislation make a distinction between data controllers and data operators? Should the legislation only cover protection of data about living persons? In a changed security environment what are people's expectations about their personal information?

In some of the 85 recommendations there is a reference to this wider review of privacy. Given that it is a recurring theme throughout the report to give more considered thought to ‘bigger picture' issues, a recommendation has been made here in the Overview Section. It is the first recommendation listed below, and is followed by the recommendations as identified in each chapter.

Recommendations:

Recommendation: Wider review of Privacy Act

1. The Australian Government should consider undertaking a wider review of privacy laws in Australia to ensure that in the 21 ^st century the legislation best serves the needs of Australia.

Recommendations: National consistency

The Privacy Act has not achieved its object of establishing a ‘single comprehensive national scheme' for the protection of personal information. As submissions reveal, national consistency is important to business, to charities and to individuals. The lack of national consistency contributes significantly to the costs imposed on business.

2. The Australian Government should consider amending section 3 of the Privacy Act to remove any ambiguity as to the regulatory intent of the private sector provisions.

3. The Australian Government should consider asking the Council of Australian Governments (COAG) to endorse national consistency in all privacy related legislation.

4. The Australian Government should consider setting in place mechanisms to address inconsistencies that have come about, or will come about, as a result of exemptions in the Privacy Act, for example, in the area of workplace surveillance.

5. The Australian Government should consider commissioning a systematic examination of both the IPPs and the NPPs with a view to developing a single set of principles that would apply to both Australian Government agencies and private sector organisations. This would address the issues surrounding Australian Government contractors.

6. The Australian Government should consider changing, by legislative amendment, the name of the Office of the Privacy Commissioner to the Australian Privacy Commission.

7. The Australian Government should consider amending the Privacy Act to provide for a power to make binding codes.

Recommendations: Telecommunications consistency

8. The Australian Government should consider amending the Privacy Act and the Telecommunications Act to clarify what constitutes authorised uses and disclosures under the two Acts, and to ensure that the Privacy Act cannot be used to lower the standard of privacy protection in the Telecommunications Act.

9. The Australian Government should consider making regulations under section 6E of the Privacy Act to ensure that the Privacy Act applies to all small businesses in the telecommunications sector, including Internet Service Providers and Public Number Directory Producers.

10. The Office will discuss with the Australian Communications Authority the development of guidance to clarify the relationship between the private sector provisions of the Privacy Act and Part 13 of the Telecommunications Act.

11. The Office will discuss with the Australian Communications Authority the development of guidance to clarify the relationship between the private sector provisions of the Privacy Act and the Spam Act.

Recommendations: Health consistency

12. The Office urges the National Health Ministers' Council to finalise the National Health Privacy Code. This should include agreement by all jurisdictions on the contents of the code and on its consistent implementation in each jurisdiction.

13. The Australian Government should consider adopting the National Health Privacy Code as a schedule to the Privacy Act. This would recognise the Australian Government's part in the consistent enabling of the Code. Should agreement not be reached by all jurisdictions about implementing the Code, the Australian Government should still consider adopting the code as a schedule to the Act to provide greater consistency of regulation for the handling of health information by Australian Government agencies and the private sector. (See also recommendations 29, 33 and 35.)

Recommendations: Residential tenancy databases

14. The Australian Government should advance as a high priority the work currently being undertaken by the Working Group on Residential Tenancy Databases of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General.

15. The Australian Government should consider, depending on the outcome of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General, making the Privacy Act apply to all residential tenancy databases. This could be done by using the existing power under section 6E to prescribe them by regulation, or by amending the consent provisions (section 6D(7) and section 6D(8)) that apply to the small business exemption. (See recommendation 53.)

16. If the Privacy Act is amended to provide for a power to make a binding code, (see recommendation 7), and depending on the outcome of the Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General, the Privacy Commissioner could make a binding code that applies to tenancy databases.

Recommendation: EU ‘adequacy' and APEC

17. There is no evidence of a broad business push for ‘adequacy'. Given the increasing globalisation of information, however, there may be long term benefits for Australia in achieving EU ‘adequacy'. Certainly the globalisation of information makes the implementation of frameworks such as APEC important. The Australian Government should continue to work with the European Union on the ‘adequacy' of the Privacy Act and to continue work within APEC to implement the APEC Privacy Framework.

Recommendation: NPP 9

18. The Office will provide further guidance to assist organisations comply with NPP 9 by issuing an information sheet outlining the issues that should be addressed as part of a contractual agreement and how to more easily assess whether a privacy regime is substantially similar.

Recommendations: Control over personal information

19. The Australian Government should consider amending NPP 5.1 to provide for short form privacy notices. This could also clarify the obligations on organisations to provide notice, and to clarify the links between NPP1.3 and NPP 5.1.

20. The Office will encourage the development of short form privacy notices. It will also play a more active role in assisting businesses develop their notices by developing template notices for different sectors, in consultation with them, and by issuing example of both satisfactory and unsatisfactory notices

21. The Office will develop guidance to the effect that privacy notices should be dated.

22. The Office will develop guidance on bundled consent, noting the possible tension between the desirability of short form privacy notices and the desirability of lessening the incidence of bundled consent.

Recommendations: Direct marketing

23. The Australian Government should consider amending the Privacy Act to provide that consumers have a general right to opt-out of direct marketing approaches at any time. Organisations should be required to comply with the request within a specified time after receiving the request.

24. The Australian Government should consider amending the Privacy Act to require organisations to take reasonable steps, on request, to advise an individual where it acquired the individual's personal information.

25. The Australian Government should consider exploring options for establishing a national ‘Do Not Contact' register.

Recommendations: Consumer education

26. The Australian Government should consider specifically funding the Office to undertake a systematic and comprehensive education program to raise community awareness of privacy rights and obligations.

27. The Office will continue to collect demographic information about complainants. It will seek to identify and then remove any barriers that prevent sectors of the community from knowing about and exercising their privacy rights.

Recommendations: Access generally

28. The Australian Government should consider amending NPP 6 to provide that when an individual's personal information is corrected in response to a request from the individual, the organisation should be obliged to notify third parties, where practicable, that they have received the inaccurate information.

29. The Australian Government should consider adopting the Australian Health Ministers' Advisory Council (AHMAC) Code as a schedule to the Privacy Act (see recommendation 13). This will address the issue of intermediaries, and the issue of fees for access. (See also recommendations 13, 33 and 35.)

30. The Office will develop further guidance on the operation of NPP 6.1 on ‘serious threat to life or health', explaining that a serious threat to a therapeutic relationship could be a serious threat to a person's health. This will go some way towards addressing what appears to be a too narrow interpretation of NPP 6.1(b) by some practitioners.

31. The Office will develop guidance on fees for access to personal information.

32. The Office will develop guidance on the meaning of NPP 6.5 which requires than an individual ‘establish' that information is not accurate before the organisation need to take reasonable steps to correct it.

Recommendations: Transfer of health records

33. The Australian Government should consider adopting the Australian Health Ministers' Advisory Council (AHMAC) code as a schedule to the Privacy Act. This will address the issue of the transfer of health records to another health service provider. (See also recommendations 13, 29 and 35.)

34. The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 11 in the AHMAC Code.

Recommendations: Health service ceases to operate

35. The Australian Government should consider adopting the AHMAC code as a schedule to the Privacy Act. This will address the issue of access to health records when a health service ceases to operate. (See also recommendations 13, 29 and 33.)

36. The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 10 in the AHMAC Code.

Recommendations: Complaints handling and compliance

Approach to compliance

37. The Office will maintain its current approach to compliance including the focus on attempting to conciliate complaints in the first instance as set out in Information Sheet 13. However, the Office will consider whether it might be appropriate in some circumstances to use its other powers earlier, such as the determination making power.

38. The Office will consider options for providing more feedback on systemic issues either in advice or guidance or in some form of regular update to stakeholders.

39. The Office will consider promoting privacy audits by private sector organisations, including by providing information on the value of auditing as evidence of compliance in the event of complaints and by developing and providing privacy audit training for organisations.

Review rights for complaint decisions

40. The Australian Government should consider amending the Privacy Act to give complainants and respondents a right to have the merits of complaints decisions made by the Privacy Commissioner reviewed.

Fair and transparent complaint processes and resolution

41. The Australian Government should consider amending National Privacy Principle 1.3 to require organisations to tell individuals how they can complain to the organisation; and that, if the complaint is not resolved, they can also complain to the Privacy Commissioner or (where relevant) the code adjudicator.

42. The Office will review its complaints handling processes and will consider the circumstances in which it might be appropriate to make greater use of the Commissioner's power to make determinations under section 52 of the Privacy Act.

43. The Office will also consider measures to increase the transparency of its complaints processes and complaint outcomes.

Additional powers

44. The Australian Government should consider amending the Privacy Act to:
    

    • expand the remedies available following a determination under section 52 to include giving the Privacy Commissioner power to require a respondent to take steps to prevent future harm arising from systemic issues

    • provide for enforceable remedies following own motion investigations where the Commissioner finds a breach of the NPPs

    • provide a power for the development of binding codes and/or binding guidelines in cases where there is a strong public interest, where more detailed guidance is warranted or complaints reveal recurrent breaches (see recommendation 7).

Resourcing implications and complaint handling

45. The Australian Government should consider the strong calls by a wide range of stakeholders for the Office to be adequately resourced to meet its complaint handling functions.

46. The Australian Government should consider amending the Privacy Act to give the Commissioner a further discretion not to investigate complaints where the harm to individuals is minimal and there is no public interest in pursuing the matter.

Recommendation: Approved privacy codes

47. The Office will review the Code Development Guidelines dealing with the processes relating to code approval with a view to simplifying them.

Recommendations: Business awareness

48. The Australian Government should consider the benefits of greater business and community awareness of privacy and specifically fund the Office to undertake a systematic and comprehensive education program to raise business awareness.

49. The Office will review existing information sheets and develop information sheets on key issues identified in submissions.

50. The Office will develop strategies for communication with stakeholders, including establishing a privacy contact officer network for private sector organisations.

Recommendations: Small business exemption

51. The Australian Government should consider retaining but modifying the small business exemption by amending the Privacy Act so that the definition of small business is to be expressed in terms of the ABS definition, currently 20 employees or fewer, rather than annual turnover.

52. The Attorney-General should consider using the power to prescribe under section 6(E) of the Privacy Act, the tenancy databases and telecommunications sectors including Internet Service Providers and Public Number Directory Producers as businesses to be covered by the Act. (See recommendations 9 and 15.)

53. The Australian Government should consider amending the Privacy Act to remove the consent provisions (sections 6D(7) and 6D(8)).

Recommendations: Private sector contracting

54. The Australian Government should consider amending NPP 4 to impose an obligation on an organisation to ensure personal information it discloses to a contractor is protected.

55. The Australian Government should consider, in the context of the wider review of the Privacy Act, (see recommendation 1) whether there should be a distinction between data controllers and data operators.

56. The Office will amend the Guidelines to the National Privacy Principles to clarify that businesses that give personal information to contractors for the purpose of performing a function on their behalf should impose contractual obligations on the contractor to take reasonable steps to protect the information.

Recommendation: Due diligence

57. The Australian Government should consider amending the NPPs to take into account the practice of due diligence.

Recommendations: Media exemption

58. The Australian Government should consider amending the Privacy Act so that:

• the Australian Broadcasting Authority (ABA) and media bodies must consult with the Privacy Commissioner when developing codes that deal with privacy and

• the term ‘in the course of journalism' is defined and the term ‘media organisation' is clarified.

59. The Office will, in conjunction with the ABA , provide greater guidance to media organisations as to appropriate levels of privacy protection, especially in relation to health issues, and make organisations aware that the media exemption is not a blanket exemption.

Recommendations: Research

60. As part of a broader inquiry into the Privacy Act (see recommendation 1), the Australian Government should consider:
    

    • how to achieve greater consistency in regulating research activities under the Privacy Act

    • whether regulatory reform is needed to address the issue of de-identification in the context of research and the handling of health information

    • where the balance lies between the public interest in comprehensive research that provides overall benefits to the community, and the public interest in protecting individuals' privacy (including individuals having choices about the use of their information for such research purposes)

    • whether there is a need to amend NPP 2 to permit the use and disclosure of personal information for research that does not involve health information

    • undertaking further research and education work with the broader community to ensure that the balance between research and privacy accords with what the community expects and understands.

61. The Office will issue guidance in relation to NPP 2 to clarify that organisations can disclose health information for the management, funding and monitoring of a health service.

62. The Office will work with the National Health and Medical Research Council to simplify the reporting process for human research ethics committees under the section 95A guidelines.

Recommendations: Decision-making where capacity is impaired

63. The Australian Government should consider, in order to ensure that the Privacy Act does not prevent individuals with a decision-making disability from receiving a range of utilities and other services, amending NPP 2 to permit the disclosure of non-health information to a class of persons the same, or similar, to that described in NPP 2.5, where an organisation considers the disclosure to be necessary for the management of the person's affairs in a way that their financial or other interests are secured or safeguarded.

It would be appropriate to consider developing such an amendment in consultation with the Australian Guardianship and Administration Committee.

64. The Office will, in recognition that disclosures of health information under NPP 2 are appropriately permitted in law but may not occur in practice, develop further and more practical guidance.

Recommendation: Law enforcement

65. The Office will work with the law enforcement community, private sector bodies and community representatives to develop more practical guidance to assist private sector organisations to better understand their obligations under the Privacy Act in the context of law enforcement activities.

Recommendation: Private investigations

66. The Australian Government, through the Attorney-General, should consider requesting that the Standing Committee of Attorneys General (SCAG) consider the issues raised by the Australian Institute of Privacy Detectives as they are broader than the Privacy Act.

Recommendations: Alternative dispute resolution schemes

67. The Australian Government, in recognising the important role played by Alternative Dispute Resolution (ADR) schemes, and in an attempt to formalise advice already given by the Office, should consider:
    

    • amending NPP 2 to enable use and disclosure of personal information to ADR schemes in the course of handling disputes

    • amending NPP 10 to enable collection of sensitive information where it is necessary for the investigation and resolution of claims under an ADR scheme

    • defining the term ‘Alternative Dispute Resolution Scheme' for these purposes in the Act.

Recommendations: Large scale emergencies

68. Privacy laws should take a common sense approach. There needs to be an appropriate balance between the desirability of having a flow of information and protecting individual's right to privacy. In developing an exception to disclosure for cases of national emergencies, consideration should be given to the seriousness of the privacy breach versus that of protecting privacy.

In large scale emergencies, the consequences of disclosure should be compared to the consequences of non-disclosure. Consideration also needs to be given to the potential identity fraud that may occur during such a time, especially if disclosure is allowed to the media.

The Australian Government should consider:

• amending NPP 2 to enable disclosure of personal information in times of national emergency to a ‘person responsible'

• extending the NPP 2.5 definition of ‘person responsible' to include a person nominated by the family to act on behalf of the family

• amending the Privacy Act to enable the Privacy Commissioner to make a Temporary Public Interest Determination without requiring an application from an organisation

• defining ‘National Emergency' as ‘incidents' determined by the Minister under section 23YUF of the Crimes Act 1914.

Recommendations: New technologies

69. The Australian Government should consider, in the context of a wider review of the Privacy Act (see recommendation 1) reviewing the National Privacy Principles and the definition of personal information to assess whether they remain relevant in the light of technological developments since the OECD principles were developed. This should ensure that the private sector provisions remain technologically neutral and relevant to protect data privacy in the main contexts in which information about people is currently collected, used and disclosed.

70. The Australian Government should consider initiating discussions through appropriate international forums about how to deal with major international jurisdictional issues arising from global reach of new technologies such as Voice over Internet Protocol (VoIP).

71. The Australian Government should consider developing specific enabling legislation to underpin any national electronic health records system. The legislation should be consistent with the National Health Privacy Code, but also include enhancing protections for matters such as the voluntariness of the system and limitations upon the uses of people's health records.

72. The Office will issue further guidance, consistent with the current law, on what is personal information which takes into account the fact that in the current environment it is more difficult to assume that any information about people cannot be connected.

73. The Office could use, if necessary, any new powers to develop binding codes (see recommendation 7) to deal with technologically specific situations.

Recommendation: NPP 1.3(d)

74. The Australian Government should consider amending NPP 1.3(d) to make clear that an organisation collecting personal information from an individual must take reasonable steps to notify them of likely disclosures generally, including to public sector agencies of the Australian Government, state or local governments, other bodies and private individuals.

Recommendation: Reasonable steps for NPP 1.3 and 1.5

75. The Australian Government should consider amending NPP 1.3 and NPP 1.5 to make clear that there are situations in which the reasonable steps an organisation might take to provide notice to an individual may equate to no steps.

Recommendation: NPP 1.5 – ‘Someone'

76. The Australian Government should consider amending NPP 1.5 to remove the term ‘someone', and to make clear that an organisation has an obligation to take reasonable steps to provide notice to an individual when collecting their personal information indirectly, from any source.

Recommendations: Primary purpose and health information

77. The Office will work with the health sector to develop further guidance about the operation of NPP 2 as it specifically relates to the issue of primary and secondary purpose in health care.

78. The Office will provide clearer guidance on the operation of NPP 2 to give more effective and practical assistance to demonstrate how the principle operates. This will take into account the range of relationships between health services and individuals, particularly where individuals agree to a holistic approach to the delivery of a health service.

Recommendation: NPP 3 – Data quality

79. The Office will provide further guidance to organisations about their obligations under NPP 3, particularly to ensure they take a proportional approach to complying with the principle. This will include guidance about organisations taking into account whether or not there are good privacy reasons for seeking to update an individual's personal information.

Recommendation: NPP 7 - Identifiers

80. The Australian Government should consider using the existing regulation-making mechanism under NPP 7 to address circumstances such as those identified by Centrelink regarding concessional entitlements.

Recommendations: NPP 10 – Public Interest Determinations

81. The Australian Government should consider amending NPP 10 to include an exception that mirrors the operation of Public Interest Determinations 9 and 9A.

82. The Australian Government should consider undertaking consultation on limited exceptions or variations to the collection of family, social and medical history information, particularly with regard to genetic information and the collection practices of the insurance industry.

Recommendations: NPP 10.2(b)

83. The Australian Government should consider amending NPP 10.2 to permit the collection of health information (under NPP 10.2(b)(i)) ‘as authorised by law' in addition to ‘as required by law'.

84. The Australian Government should consider amending NPP 10.2(b) (ii) to clarify the nature of the binding rules intended to be covered by this provision, particularly with regard to the substantive content of such rules.

Recommendations: Deceased persons

85. If the National Health Privacy Code is adopted into the Privacy Act (see recommendation 13), then protection for health information under these provisions would extend to deceased persons. Also, the Australian Government's response to the Australian Law Reform Commission and the Australian Health Ethics Committee's inquiry into the protection of human genetic information in Australia may have implications for the Privacy Act. In addition, the Australian Government should consider as part of a wider review (recommendation 1) whether the jurisdiction of the Privacy Act should be extended to cover the personal information of deceased persons.

---

1 Background

1.1 This Inquiry

Background to the review

The Review of the Privacy Act was foreshadowed by the former Attorney-General the Hon Daryl Williams AM QC MP in his second reading speech for the Privacy Amendment (Private Sector) Act 2000. The Commissioner was asked to review the operation of the private sector provisions of the Act by the Attorney-General, the Hon Philip Ruddock MP, on 13 August 2004.

Terms of Reference

The Office conducted the review within the terms of reference outlined by the Attorney-General. They are included in full at Appendix 1 of this report. They provide for an assessment of the operation of the private sector provisions and a consideration of the extent to which the private sector provisions meet their objects. These objects include creating a single comprehensive national scheme for the appropriate handling of an individual's personal information by organisations, in a way that:

• meets international concerns and obligations relating to privacy

• recognises individuals' interests in protecting privacy and

• recognises important human rights and social interests that compete with privacy, including the general desirability of the free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently.

Matters not included in the review

The terms of reference exclude aspects of the private sector provisions from the review including:

• genetic information

• employee records

• children's privacy and

• electoral roll information and the related exemption of political organisations from the Privacy Act.

The terms of reference state that these areas are currently, or have recently been subject to processes of review.

The terms also mean that Part IIIA of the Privacy Act, which deals with credit reporting has not been reviewed. However the credit reporting provisions where relevant to the operation of the private sector provisions have been considered.

Other relevant privacy related reviews and processes

There are a number of processes underway that touch on privacy in some way. For example, initiatives to develop a national health code (Australian Health Ministers' Advisory Council (AHMAC) process) and the review of privacy protection for employee records. In developing the recommendations in this report, the Office has taken into account, where appropriate, the work being done in these areas.

Research

To help inform the review work, including submissions to the review, the Office conducted research into community attitudes towards privacy in April 2004. This complements research it conducted in July 2001 into attitudes towards privacy in the spheres of government, business and the community. This Community Attitudes Research can be found on the Office's website. The results of the 2004 research are summarised at Appendix 6 and the full report is to be found on the Office's web site.

Framework for assessing issues

The terms of reference ask the Privacy Commissioner to consider the degree to which the private sector provisions meet their objects. The Office used this framework for assessing the provisions. This involved considering the following issues.

1. Do the provisions provide a comprehensive, national, consistent set of standards for privacy? Do they fit seamlessly into the Privacy Act? Do they relate effectively with other federal privacy provisions, the privacy laws of the States and Territories and other relevant federal law?

2. Do the provisions operate in a way that assists Australian businesses to operate internationally? Are they adequate to ensure Australia fulfils its international obligations relating to privacy?

3. Are individuals confident that their interests in protecting their privacy are recognised and that personal information that is collected, used, stored and disclosed by organisations is adequately protected? Are individuals aware of, and able to exercise, their rights?

4. Do the provisions strike an appropriate balance between privacy and competing human rights and social interests, including free speech, medical research, national security, law enforcement and property rights? Is there a free flow of information? Is business aware of its obligations and able to comply with them while still achieving its objectives efficiently?

Conduct of the review- overview of consultation

The Privacy Commissioner received the terms of reference from the Attorney-General on the 13 August 2004. The review of the private sector provisions was completed by 31 March 2005. The Privacy Commissioner encouraged widespread public participation in the review through a number of measures. The Office:

• made three media releases in August, September and October advertising the review, asking organisations and individuals to give their views about the operation of the private sector provisions and informing the public about key dates in the conduct of the review

• contacted stakeholders listed on the Office's contacts database and network list via e-mail about the review requesting submissions and promoting the public consultation forums. The Office made follow up phone calls to stakeholders preceding their local public consultation forum.

• circulated an e-mail notification about the review through relevant industry and government networks

• gave a number of presentations to industry forums and national conferences

• conducted a number of private meetings with stakeholders at their request regarding the review and the operation of the private sector provisions of the Act.

The Commissioner appointed a steering committee to assist with and advise on the conduct of the review. The Steering Committee members were:

• Charles Britton , Senior Policy Officer, Information Technology and Communications, Australian Consumers' Association

• Peter Coroneos , Chief Executive Officer, Internet Industry Association

• Ian Gilbert , Director of Retail Regulatory Policy, Australian Bankers' Association

• Graeme Innes , Deputy Discrimination Commissioner, Human Rights and Equal Opportunity Commission

• John O'Brien , Senior Lecturer in Industrial Relations and Organisational Behaviour, University of New South Wales

• Joan Sheedy , Assistant Secretary, Information Law Branch, Attorney General's Department.

The Steering Committee met on five separate occasions throughout the process to discuss the conduct of the review.

The Commissioner also reconvened the core consultative group which had been formed by the Attorney-General in 1998 to advise on the development of the private sector provisions. The group, reconvened by the Commissioner and renamed the Review Reference Group, consisted of approximately 40 representatives from consumers groups, industry and government who have been affected by the operation of the Act. Approximately half of the reconvened group were part of the original group that advised on the introduction of the private sector provisions. The Review Reference Group was consulted regarding the conduct of the review, the issues contained in the issues paper, and the options for reform. The list of members is available at Appendix 2.

Issues Paper

To assist stakeholders to make submissions the Commissioner released an issues paper on 27 October 2004.

The issues paper sought to provide a framework for assessing the extent to which the private sector provisions met their objectives as defined in the terms of reference. The issues paper closely followed the terms of reference and sought to help stakeholders assess whether the provisions meet international concerns and Australia 's obligations relating to privacy. It raised issues about whether the legislation provides appropriate protection of individuals' privacy while allowing a balance to be struck with competing human rights and social interests including the desirability of a free flow of information and the right of business to achieve its objectives efficiently.

Consultation Meetings

The Office organised consultation meetings in all of the capital cities during 2004. Meetings were held in:

• Adelaide on 4 November

• Perth on 11 November

• Hobart on 17 November

• Melbourne on 18 November

• Sydney on 22 November

• Darwin on 25 November

• Brisbane on 30 November

• Canberra on 8 December

There were also health forums held in Perth on 11 November, Melbourne on 18 November and Darwin on 25 November. In addition, a telecommunications forum was convened in Melbourne on 19 November 2004.

At each meeting the Commissioner or a representative of the Office led the discussion using a presentation which can be found on the Office's website.

The consultation forums were attended by a wide range of participants from diverse industry sectors including the finance sector, direct marketing, credit reporting, debt collection, law firms, law societies, telecommunications, retail, real estate, fundraising and the health sector including, doctors, researchers and pharmacists, and the community sector including consumer and public interest advocates, community legal and tenancy advice centres and union representatives.

Issues raised in theses forums have been incorporated throughout this report.

Written Submissions

The Commissioner encouraged stakeholders to make written submissions to aid the Review. In all the Review received 136 written submissions (see Appendix 3) ranging in length and style from individuals, organisations, industry bodies, advocacy groups and government agencies. Of these, 20 submissions requested to remain confidential. These submissions can be found on the Office's website.

Structure of report

The structure of this Report reflects the Terms of Reference received from the Attorney-General.

Chapter 1 gives background to the inquiry and an overview of the private sector provisions of the Privacy Act.

Chapter 2 examines the degree to which the private sector provisions establish national consistency in the way private sector organisations collect, hold, use, correct, disclose and transfer personal information.

Chapter 3 considers how adequately the private sector provisions meet international concerns and Australia 's international obligations relating to privacy.

Chapter 4 considers the effectiveness of the private sector provisions in protecting individuals' rights to privacy.

Chapter 5 considers the effectiveness of the private sector provisions in enforcing individual rights to privacy.

Chapter 6 considers how effectively the private sector provisions balance an individual's right to privacy with other competing social interests such as business efficiency and the desirability of a free flow of information.

Chapter 7 considers other social interests that compete with privacy and whether the private sector provisions have achieved the appropriate balance.

Chapter 8 looks at developments in new technologies.

Chapter 9 looks at whether any NPPs not addressed elsewhere in the report may need to be amended to create greater certainty in their interpretation.

Chapter 10 covers other issues that arise in relation to the private sector provisions.

1.2 Private Sector Provisions of the Privacy Act

History of Commonwealth Privacy Legislation

Commonwealth agencies

The Privacy Act was enacted in 1988. It provides for the Office of the Privacy Commissioner and a Privacy Commissioner and lists 11 principles governing the collection, use, storage, access to, maintenance and disclosure of an individual's personal information. These Information Privacy Principles (IPPs) apply to personal information held by Australian Government agencies. Since 1994, the IPPs have also applied to Australian Capital Territory (ACT) agencies.

Tax file numbers and credit reporting

The Privacy Act also provides for the Commissioner to issue tax file number guidelines and to investigate acts or practices of tax file number recipients that breach these guidelines.

In 1990, the Privacy Act was amended to regulate the handling of credit reports and other credit worthiness information about individuals held by credit reporting agencies and credit providers 5.

Private sector

Voluntary principles

In February 1998, following extensive consultation, the Privacy Commissioner issued the National Principles for the Fair Handling of Personal Information (the National Principles), compliance with which was voluntary. This was partly in response to a directive on information privacy adopted in October 1995 by the European Parliament and the Council of the European Union (EU) which included a provision that personal data could not be transferred from an EU country to a non-EU country unless there was an adequate level of information privacy.

Privacy Amendment (Private Sector) Act 2000

In late 1998, the Government announced its intention to legislate to support and strengthen privacy protection in the private sector. After widespread consultation the Privacy Amendment (Private Sector) Act 2000 was passed in December 2000 with a commencement date of 21 December 2001. It aimed to establish a single comprehensive national scheme governing the collection, holding, use, correction, disclosure and transfer of personal information by private sector organisations. It did so by means of the National Privacy Principles (NPPs) and provisions allowing organisations to adopt approved privacy codes.

Co-regulation

The approach adopted by the legislation was one of co-regulation. This refers to a legislative framework within which self regulatory codes of practice can be given official recognition 6. The aim of the legislation was ‘to encourage private sector organisations and industries which handle personal information to develop privacy codes of practice' 7. In the absence of a code, the NPPs would apply. This co-regulation aimed to ensure consistency and standardisation of personal information handling 8.

Balancing rights and obligations

The legislation acknowledges that privacy is not an absolute right and that an individual's right to protect his or her privacy must be balanced against a range of other community and business interests. These include the general desirability of a free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently. The legislation seeks to achieve the appropriate balance by providing for, among other things, a number of exemptions from the legislative requirements, including most small businesses.

Key drivers for private sector provisions

The Explanatory Memorandum for the private sector provisions outlined concerns raised in consultations on the absence of privacy protection that self-regulation had not resolved. It said:

‘These concerns include

• the potential for barriers to international trade for business

• the lack of protection afforded to the consumer

• the effects on the take-up of electronic commerce resulting from lack of protection to consumers

• the lack of comprehensive coverage of business

• the possibility that some States and Territories will impose stricter controls, which may result in inconsistencies between jurisdictions' 9.

Another factor underpinning the legislation was the International Covenant on Civil and Political Rights (ICCPR) that Australia had ratified. This provides that individuals shall not be subjected to arbitrary or unlawful interference with their privacy and that they have the right to the protection of the law against such interference or attacks 10.

2004 amendments to the legislation

Amendments to the legislation in April 2004 11 make it clear that the protection provided by NPP 9, which regulates transborder data flows, applies equally to the personal information of individuals who are Australian and those who are not. They remove the nationality and residency limitations on the power of the Privacy Commissioner to investigate complaints relating to the correction of personal information. They also give businesses and industries more flexibility in developing privacy codes by allowing the codes to cover otherwise exempt acts and practices where the authors of the code wish to do so.

What do the Private Sector Provisions cover?

Purpose

The private sector provisions of the Privacy Act give individuals control over the way personal information about them is handled by private sector organisations. They regulate the way many private sector organisations collect, use, keep secure and disclose personal information. They also give individuals a right to know what information an organisation holds about them and a right to correct it if it is wrong.

Who is covered?

The provisions apply to organisations, including corporations and unincorporated associations, with an annual turnover of more than $3 million.

hey also apply, regardless of annual turnover, to all private sector health service providers, to organisations that buy and sell information without the individual's consent, and contracted Commonwealth service providers in relation to their contractual activities 12. Specified acts and practices of organisations are exempt from the operation of the Privacy Act. These include in general terms acts or practices:

• done by an individual other than in the course of the individual's business, for example, in the course of his or her personal, family or household affairs 13

• that are related to an employee record and directly related to the employment relationship 14

• done in the course of journalism by a media organisation that is publicly committed to observing published privacy standards 15 and

• done by a politician or political organisation, and their contractors, subcontractors and volunteers, in relation to electoral matters 16.

What obligations are imposed?

In general terms, a private sector organisation covered by the Act must not do anything that breaches an approved code binding on it. If not bound by an approved code, it must not do anything that breaches an NPP.

National Privacy Principles

The NPPs govern the collection, use and disclosure, security, quality and access to and correction of personal information. They include principles applicable to the use and disclosure of personal information for specific purposes, including:

• direct marketing

• in the case of health information, research or statistical compilation or analysis relevant to public health or public safety

• protection of health and safety and

• law enforcement.

The general principle that a person should have access to information organisations hold about them includes exceptions, such as exceptions based on health and safety, law enforcement and national security. Special provisions apply to sensitive information, including information about an individual's racial or ethnic origin, membership of political or professional or trade associations, religious beliefs and so on. Generally speaking, a higher level of protection is afforded sensitive information than personal information.

Advice and guidance

The Office plays an active role in raising awareness about individuals' privacy rights and in addressing providing advice to business about its obligations. It provides information by way of its information hotline and its web site. The web site contains all the Office's publications, answers to Frequently Asked Questions, media comments, media releases, speeches, case notes, an online complaint checker, multi-lingual web pages, guidelines, information sheets, brochures and the annual report. Members of the Office also make speeches and presentations at a range of events.

Approved Codes

The Act provides for the approval of privacy codes by the Commissioner. To be approved a code must:

• set out obligations that, overall, are at least the equivalent of all the obligations set out in the NPPs

• specify which organisations are bound by the code

• bind only organisations that consent to be bound and

• if the code includes procedures for dealing with complaints, the procedures must meet specified standards.

In addition, members of the public must have been given adequate opportunity to comment on a draft of the code 17. The Commissioner must keep a register of approved privacy codes 18.

Complaints

An individual may complain to the Commissioner about an interference with his or her privacy, unless an approved code applies and the code has its own code adjudicator. The Commissioner is required to investigate complaints, unless it is appropriate to exercise one of the discretions not to investigate, including for example, if the individual has not first complained to the organisation in question. If the complaint is upheld, the Commissioner may make a determination that the organisation should not repeat the conduct complained about.

---

2 National Consistency

2.1 National consistency overall

National consistency was goal of legislation

In introducing the private sector provisions of the Privacy Act, the then Attorney-General, the Hon Daryl Williams AM QC MP, noted that although some Australian businesses had already established privacy codes of practice this was not being done consistently. By contrast, the private sector amendments provide ‘a national, consistent and clear set of standards to encourage and support good privacy practices'. It was the Government's intention:

‘to establish a single national comprehensive scheme for the protection of personal information by the private sector. However, state and territory laws would continue to operate to the extent that they are not directly inconsistent with the terms of the bill' 19.

Issues

The issues paper suggested a number of topics for submissions related to national consistency. It asked:

• whether national consistency was important and whether or not it was being achieved

• about areas of overlap, including overlap between the private sector provisions and other laws or regulatory schemes and jurisdictional overlap

• about lack of clarity as a possible issue and

• about areas that are unregulated or under-regulated by the private sector provisions or other laws, and areas that are over-regulated.

The issues paper also suggested a number of topics for submission focussed on the Privacy Act itself. It asked about:

• issues arising from differences between the NPPs and IPPs

• the workability of the Australian Government contractor provisions, especially for contractors that would otherwise be exempt as a small business, and whether they could be improved

• the interaction between the private sector provisions and the other provisions of the Act, and between the NPPs and Part IIIA of the Act and

• how the identified issues could be addressed.

Finally, the issues paper addressed the issue of new developments in technology. This is addressed in Chapter 8.

Other law impacting on privacy

Other provisions of the Privacy Act

Public and private sector provisions integrated

The private sector provisions were enacted as an amendment to the existing Privacy Act 1988. It was intended that the NPPs would operate alongside the pre-existing provisions of the Act, including the IPPs, which apply to public sector agencies, and the provisions regulating credit reporting (largely contained in Part IIIA of the Act). Although the NPPs are similar to the IPPs, there are differences. Unlike the IPPs, the NPPs include specific provisions about the transfer of data overseas (NPP 9), and the NPPs provide more protection to defined types of ‘sensitive personal information', including health information. The NPPs and the IPPs are included at Appendices 4 and 5 respectively.

Interaction of private sector provisions with other provisions

There are circumstances when an organisation might be subject to both the NPPs and the IPPs. An Australian Government contractor, for example, may be bound to comply with the NPPs, and will also be bound by contract to comply with the IPPs. Some government enterprises are, for the purposes of the Privacy Act, both an ‘agency' (in relation to their non-commercial activities) and an ‘organisation' (in relation to their commercial activities). Similarly, credit providers and credit reporting agencies will generally be an ‘organisation' for the purposes of the private sector provisions and will be bound by the NPPs as well as the provisions of Part IIIA of the Act which impose specific obligations on them.

Other Commonwealth legislation

Overview

A number of pieces of Commonwealth legislation impose obligations on organisations that may have an impact on how those organisations comply with their obligations under the Privacy Act. This legislation is administered by various Australian Government agencies.

Misleading and deceptive conduct

Section 52 of the Trade Practices Act 1974 , administered by the Australian Competition and Consumer Commission (ACCC), provides that a corporation shall not, in trade or commerce, engage in conduct that is misleading or deceptive, or is likely to mislead or deceive. This may influence the way in which an organisation complies with NPP obligations such as making people aware it has collected their personal information, openness and giving reasons for denying access or refusing to correct personal information. A similar provision in the Australian Securities and Investments Commission Act 2001 (ASIC Act), administered by the Australian Securities and Investments Commission (ASIC), section 12D, applies to financial services.

Telecommunications

The Telecommunications Act 1997 , administered by the Australian Communications Authority (ACA), includes provisions relating to privacy. The Telecommunications (Interception) Act 1979 makes it an offence to intercept communications and specifies the circumstances in which interception may lawfully take place. The Spam Act 2003 establishes a scheme for regulating commercial email and other types of commercial electronic messages. This is discussed in more detail later in this chapter at 2.3.

Other

Other relevant Commonwealth legislation includes the Corporations Act 2001 , which limits use or disclosure of information on company shareholder registers (section 177), and the Commonwealth Electoral Act 1918 , which regulates access to, and use and disclosure of, electoral roll information. The Australian Broadcasting Authority (ABA) may investigate complaints alleging a breach of broadcasting industry codes, some of which include provisions intended to protect individual privacy, or practice 20.

State and territory legislation

New South Wales , Victoria , the Australian Capital Territory and the Northern Territory have privacy legislation that covers all or part of their own public sectors. In Tasmania , similar legislation commences on 1 July 2005. Other jurisdictions have administrative arrangements which seek to establish appropriate information handling practices. Queensland has established two standards for privacy regulation in its public sector on an administrative basis. In South Australia , an administrative instruction applies to government agencies and a Code of Fair Information Practice, based on the NPPs, applies to all personal information handled by the Department of Human Services and its agencies. The Western Australian public sector does not currently have a legislative privacy regime.

Each jurisdiction's scheme is slightly different and so are the principles on which they are based. In addition, New South Wales and Victoria have health privacy legislation that regulates the handling of personal information in their public sectors and the private sector. They contain similar, though not identical, principles to the NPPs. The Australian Capital Territory has legislation, that predated the NPPs, covering health service providers in the public and private sector. The Australian Health Ministers' Advisory Council (AHMAC) is currently working towards a National Health Privacy Code, which may be one way of achieving national consistency for the handling of personal health information.

Other law

Other obligations overlap with responsibilities imposed on organisations by the Privacy Act. They include:

• legal obligations of confidence (for example, patient/doctor confidentiality and the banker's duty of confidence) and

• legal professional privilege.

Self regulatory mechanisms

A number of industry organisations developed their own codes.

Telecommunications. The Australian Communications Industry Forum (ACIF) has developed a number of industry codes and guidelines, some of which deal with matters relating to the handling of personal information.

Direct Marketing. The Australian Direct Marketing Association (ADMA) has developed a model code, which includes the NPPs and a reference to the NPP Guidelines. It enforces the code against its members.

E-marketing. Following passage of the Spam Act, the Australian eMarketing Code of Practice was registered under Part 6 of the Telecommunications Act.

Submissions favour national consistency

Submissions overwhelmingly support the goal of national consistency. Business generally, and the finance and retail industries in particular, think that national consistency is important.

Members of the Australian Finance Conference (63) support the Government's object of achieving a single comprehensive scheme for handling personal information and it continues to remain important for them. It remains relevant and important to the Australian Bankers' Association (70). It is ‘essential' for the financial planning industry says the Financial Planning Association (85). In the view of the Australian Association of Permanent Building Societies (91), it is ‘imperative' for there to be a single nationally consistent scheme.

The charity sector agrees. Fundraising Institute Australia Ltd (52) argues that national consistency is important in ensuring compliance and reports that its members advise that consistency would improve their capacity to undertake their work as fundraisers.

Consumers also agree. The Consumers' Federation of Australia (65), for example, says national consistency is essential for privacy protection for consumers in Australia . The Australian Consumers' Association (15):

‘endorses the goal of a single, comprehensive, nationally consistent scheme for privacy protection in Australia . Such consistency makes the task of compliance by industry easier and cheaper. It facilitates education.'

On the other hand, in stakeholder forums, consumer groups made the point that they do not want national consistency at the cost of reducing privacy protection to the lowest common denominator.

The health sector, including the private hospital sector, professional organisations and public sector bodies like the Health Services Commissioner, Victoria (27), say there should be nationally consistent health standards. The Royal District Nursing Service (78) says national consistency is ‘vital'.

Objective has not been achieved

Despite the almost universal support for consistency, the objective has not been achieved in the view of very many submissions. Business and consumers agree that the objective has not been met. The Australian Consumers' Association (15), the National Health and Medical Research Council (32), Promina (34), the Consumers' Federation of Australia (65) and the Australian Health Insurance Association Ltd (76), for example, all agree the objective has not been achieved.

The Australian Chamber of Commerce and Industry (22) says there is a general trend towards ‘fragmentation', which has ‘adverse consequences in terms of magnified compliance burdens, administrative duplication and overlap between the separate regimes'.

Submissions from business and consumer organisations describe an emergence of a ‘patchwork' of federal and state and territory legislation, driven by, according to the Consumers Fe