Review Issues Paper
The Office of the Privacy Commissioner has prepared this paper to assist individuals and organisations to prepare submissions to the review of the private sector provisions of the Privacy Act 1988 (Cth) (the Privacy Act). The Office can make this Issues Paper available in a range of formats on request. It is available on the Office's web site at http://www.privacy.gov.au/law/reform/review/
Receipt of terms of reference 13 August 2004
Due date for submissions 22 December 2004
Final Report 31 March 2005
General information: Hotline Ph: 1300 363 992 TTY: 1800 620 241
Administrative matters: Chris Jefferis Ph: 02 9284 9800
Other matters: Robin McKenzie Ph: 02 9284 9800 Fax: 02 9284 9666
Postal address for submissions: GPO Box 5218, Sydney NSW 2001
There is no specified format for a submission. Submissions may range from a letter addressing one issue to a systematic analysis of the operation of the private sector provisions of the Privacy Act. Submissions will also be accepted in a range of styles of presentation and in electronic or hard copy form. Similarly, oral and audio submissions will be accepted, including using TTY.
Submissions received in electronic format will become publicly available documents and will be posted on the web site of the Office of the Privacy Commissioner unless submitters indicate to the Office they do not want their submission posted on the Office web site. Mark your submission as 'CONFIDENTIAL' if you do not want it posted on the website. The web site and the final report will list the names of all those who made submissions. If you have marked your submission as confidential, but still want your name listed as having made a submission, make this clear on the submission. Otherwise, all that will appear in the list next to the submission number will be the word 'confidential'.
The suggested topics in the issues paper are presented only as a guide. Participants should not feel the need to address all the topics or be restricted to the issues which the topics raise.
Participants are encouraged to provide data, examples, case studies, or other evidence to support the arguments presented in their submission.
REVIEW OF THE PRIVATE SECTOR PROVISIONS OF THE PRIVACY ACT 1988
I, PHILIP RUDDOCK, Attorney-General of Australia, under section 27(1)(f) of the Privacy Act 1988, request that the Privacy Commissioner review the operation of the private sector provisions contained in the Privacy Amendment (Private Sector) Act 2000 and report on that review not later than 31 March 2005.
In undertaking the review, I ask that the Privacy Commissioner consider the degree to which the private sector provisions meet their objects, being:
- to establish a single comprehensive national scheme providing, through codes adopted by private sector organisations and National Privacy Principles, for the appropriate collection, holding, use, correction, disclosure and transfer of personal information by those organisations; and
- to do so in a way that:
- meets international concerns and Australia's international obligations relating to privacy;
- recognises individuals' interests in protecting their privacy; and
- recognises important human rights and social interests that compete with privacy, including the general desirability of a free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently.
Recognising that certain aspects of the private sector provisions are currently, or have recently substantively been, the subject of separate review, the Privacy Commissioner exclude review of:
- genetic information;
- employee records;
- children's privacy; and
- electoral roll information, and the related exemption for political acts and practices.
Dated: 12 August 2004 Philip Ruddock Attorney-General
The Privacy Act was enacted in 1988. It provides for the Office of the Privacy Commissioner and a Privacy Commissioner and lists 11 principles governing the collection, use, storage, access to, maintenance and disclosure of an individual's personal information. These Information Privacy Principles (IPPs) apply to personal information held by Australian Government agencies. Since 1994, the IPPs have also applied to Australian Capital Territory (ACT) agencies.
Tax file numbers and credit reporting
The Privacy Act also provides for the Commissioner to issue tax file number guidelines and to investigate acts or practices of tax file number recipients that breach these guidelines.
In 1990 the Privacy Act was amended to regulate the handling of credit reports and other credit worthiness information about individuals held by credit reporting agencies and credit providers.1
In February 1998, following extensive consultation, the then Privacy Commissioner issued the National Principles for the Fair Handling of Personal Information (the National Principles), compliance with which was voluntary.
This was partly in response to a directive on information privacy adopted in October 1995 by the European Parliament and the Council of the European Union (EU) which included a provision that personal data could not be transferred from an EU country to a non-EU country unless there was an adequate level of information privacy.
Privacy Amendment (Private Sector) Act 2000
In late 1998 the government announced its intention to legislate to support and strengthen privacy protection in the private sector. After widespread consultation the Privacy Amendment (Private Sector) Act 2000 was passed in December 2000 with a commencement date of 21 December 2001. It aimed to establish a single comprehensive national scheme governing the collection, holding, use, correction, disclosure and transfer of personal information by private sector organisations. It did so by means of the National Privacy Principles (NPPs) and provisions allowing organisations to adopt approved privacy codes.
The approach adopted by the legislation was co-regulation. This refers to a legislative framework within which self regulatory codes of practice can be given official recognition.2 The aim of the legislation was 'to encourage private sector organisations and industries which handle personal information to develop privacy codes of practice'.3 In the absence of a code, the NPPs would apply. This co-regulation aimed to ensure consistency and standardisation of personal information handling.4
Balancing rights and obligations
The legislation acknowledges that privacy is not an absolute right and that an individual's right to protect his or her privacy must be balanced against a range of other community and business interests. These include the general desirability of a free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently. The legislation seeks to achieve the appropriate balance by providing for, among other things, a number of exemptions from the legislative requirements, including most small businesses.
Key drivers for private sector provisions
The Explanatory Memorandum for the private sector provisions outlined concerns raised in consultations on the absence of privacy protection that self-regulation had not resolved. It said
'These concerns include
Another driver was the International Covenant on Civil and Political Rights (ICCPR), that Australia had ratified. This provides that individuals shall not be subjected to arbitrary or unlawful interference with their privacy and that they have the right to the protection of the law against such interference or attacks.6
Recent amendments to the legislation
Recent amendments to the legislation7 make it clear that the protection provided by NPP 9, which regulates transborder data flows, applies equally to the personal information of individuals who are Australian and those who are not. They remove the nationality and residency limitations on the power of the Privacy Commissioner to investigate complaints relating to the correction of personal information. They also give businesses and industries more flexibility in developing privacy codes by allowing the codes to cover otherwise exempt acts and practices where the authors of the code wish to do so.
The private sector provisions of the Privacy Act give individuals greater control over the way personal information about them is handled by private sector organisations than they would otherwise have. They regulate the way many private sector organisations collect, use, keep secure and disclose personal information.
Who is covered?
The provisions apply to organisations, including corporations and unincorporated associations, with an annual turnover of more than $3 million.
They also apply, regardless of annual turnover, to all private sector health service providers, to organisations that buy and sell information without the individual's consent, and contracted Commonwealth service providers in relation to their contractual activities.8 Specified acts and practices of organisations are exempt from the operation of the Privacy Act. These include in general terms acts or practices:
- done by an individual other than in the course of the individual's business, for example, in the course of his or her personal, family or household affairs9
- that are related to an employee record and directly related to the employment relationship10
- done in the course of journalism by a media organisation that is publicly committed to observing published privacy standards11 and
- done by a politician or political organisation, and their contractors, subcontractors and volunteers, in relation to electoral matters.12
What obligations are imposed?
In general terms, a private sector organisation covered by the Act must not do anything that breaches an approved code binding on it. If not bound by an approved code, it must not do anything that breaches an NPP.
National Privacy Principles
The NPPs govern the collection, use and disclosure, security, quality and access to and correction of personal information. They include principles applicable to the use and disclosure of personal information for specific purposes, including:
- direct marketing
- in the case of health information, research or statistical compilation or analysis relevant to public health or public safety
- protection of health and safety and
- law enforcement.
The general principle that a person should have access to information organisations hold about them includes exceptions, such as exceptions based on health and safety, law enforcement and national security. Special provisions apply to sensitive information, including information about an individual's racial or ethnic origin, membership of political or professional or trade associations, religious beliefs and so on.13
The Act provides for the approval of privacy codes by the Commissioner. To be approved a code must:
- set out obligations that, overall, are at least the equivalent of all the obligations set out in the NPPs
- specify which organisations are bound by the code
- bind only organisations that consent to be bound and
- if the code includes procedures for dealing with complaints, the procedures must meet specified standards.
An individual may complain to the Commissioner about an interference with his or her privacy, unless an approved code applies and the code has its own code adjudicator. The Commissioner is required to investigate complaints, unless it is appropriate to exercise one of the discretions not to investigate, including for example, if the individual has not first complained to the organisation in question. If the complaint is upheld, the Commissioner may make a determination that the organisation should not repeat the conduct complained about.
The Review of the Privacy Act was foreshadowed by the former Attorney-General Mr Daryl Williams AM QC MP in his second reading speech for the Privacy Amendment (Private Sector) Act 2000. The Commissioner was asked to review the operation of the private sector provisions of the Act by the Attorney-General the Hon Philip Ruddock MP on 13 August 2004.
The Office will conduct the review within the terms of reference outlined by the Attorney-General. They are included at the beginning of this issues paper (at page 3) and provide for an assessment of the operation of the private sector provisions and a consideration of the extent to which the private sector provisions meet their objects.
These objects include creating a single comprehensive national scheme for the appropriate handling of individuals' personal information by organisations, in a way that:
- meets international concerns and obligations relating to privacy
- recognises individuals' interests in protecting privacy and
- recognises important human rights and social interests that compete with privacy, including the general desirability of the free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently.
The terms of reference exclude aspects of the private sector provisions from the review including
- genetic information
- employee records
- children's privacy and
- electoral roll information and the related exemption of political organisations from the Privacy Act.
The terms of reference state that these areas are currently, or have recently been subject to processes of review.
The terms also mean that Part IIIA of the Privacy Act, which deals with credit reporting, is not to be reviewed. However the credit reporting provisions (along with other parts of the Privacy Act) could be relevant to the review in circumstances where it is considered that they have an impact on the operation of the private sector provisions.
There are a number of review processes operating in the current environment that touch on privacy in some way. For example, initiatives to develop a national health code (Australian Health Ministers' Advisory Council (AHMAC) process) and the review of privacy protection for employee records are also underway at the moment. In developing its final report, the Office will take into account, where appropriate, the work being done in these areas.
To help inform the review work, including submissions to the review, the Office conducted research into community attitudes towards privacy in April 2004. This complements research it conducted in July 2001 into attitudes towards privacy in the spheres of government, business and the community. This research can be found on the Office's website at http://www.privacy.gov.au/materials#R. The results of the 2004 research are summarised at Appendix 1 and the full report is to be found on the Office's web site at http://www.privacy.gov.au/aboutprivacy/attitudes/.
The terms of reference ask the Privacy Commissioner to consider the degree to which the private sector provisions meet their objects. The Office will use this framework for assessing the provisions. This involves considering the following issues.
- Do the provisions provide a comprehensive, national, consistent set of standards for privacy? Do they fit seamlessly into the Privacy Act? Do they relate effectively with other federal privacy provisions, the privacy laws of the States and Territories and other relevant federal law?
- Do the provisions operate in a way that assists Australian businesses to operate internationally? Are they adequate to ensure Australia fulfils its international obligations relating to privacy?
- Are individuals confident that their interests in protecting their privacy are recognised and that personal information that is collected, used, stored and disclosed by organisations is adequately protected? Are individuals aware of, and able to exercise, their rights?
- Do the provisions strike an appropriate balance between privacy and competing human rights and social interests, including free speech, medical research, national security, law enforcement and property rights? Is there a free flow of information? Is business aware of its obligations and able to comply with them while still achieving its objectives efficiently?
In introducing the private sector provisions of the Privacy Act, the Government intended to establish a single comprehensive national scheme for the protection of personal information by the private sector, by providing a '…national, consistent and clear set of standards to encourage and support good privacy practices'.16 However, the Government also made it clear that the intent was for any state and territory laws to continue to operate, so long as they were not directly inconsistent with the NPPs.17
This section discusses the developments in privacy regulation since this time, and also in other regulation that has an impact on privacy, and, in the light of these developments, raises the issue of whether this vision for the new scheme has been realised.
This section also looks at how the private sector provisions fit into the existing provisions of the Privacy Act, and whether the private sector provisions interact well with these existing provisions.
Finally, this section looks at developments in technology and asks whether the private sector provisions have kept pace with the challenges to privacy that these developments raise.
State and Territory privacy regulation
The Australian Capital Territory, New South Wales, Victoria and the Northern Territory have privacy legislation that covers all or part of their own public sectors.18 Tasmania may also soon have such legislation. Other jurisdictions have administrative arrangements which seek to establish appropriate information handling practices. For example, Queensland has established two standards for privacy regulation in its public sector on an administrative basis.19 Each scheme is slightly different and so are the principles on which they are based.
In the area of privacy in the private sector, two States (in addition to the ACT which in 2001 already had law covering health service providers in the private sector) have enacted law which purports to regulate the handling of personal information both in their public sectors, and the private sector. Victoria has enacted the Health Records Act 2001 and in NSW, the Health Records Information Privacy Act 2002 came into force on 1 September 2004.20 These Acts contain similar, though not identical principles to the NPPs. For example, the Victorian legislation has provisions regarding access to 'old' personal health information which have no equivalent in the NPPs.21
The ongoing commitment of Health Ministers, through the Australian Health Ministers' Advisory Council (AHMAC), to work toward a proposed National Health Privacy Code may offer one way of achieving national consistency for the handling of personal health information.22 Issues to be resolved include what is to be the final form of the code, how it will be implemented across jurisdictions and what complaint handling arrangements will exist (including remedies for individuals).
Other regulation with an impact on privacy
The Privacy Act operates alongside a number of other regulatory mechanisms. These mechanisms include Commonwealth legislation, State and Territory legislation, self-regulatory schemes with a legislative basis, and other self-regulatory schemes. In addition, many industries and sectors aim to adhere to generally accepted guidelines, principles, codes or other common standards, including Australian or international standards.
Regulatory mechanisms which include personal data protection obligations on organisations that may interact with the private sector provisions of the Privacy Act include the following.
Commonwealth statutory regulation
- Part 13 of the Telecommunications Act 1997 provides for the confidentiality of personal information and the contents of communications, including restrictions on how telecommunications carriers and carriage service providers may use and disclose certain personal information. Further, Part 6 of the Telecommunications Act 1997 provides for industry to develop voluntary industry codes, and for the Australian Communications Authority (ACA) to develop mandatory industry standards, which may deal with privacy.23
- The Telecommunications (Interception) Act 1979 has two key purposes. Its primary object is to protect the privacy of individuals who use the Australian telecommunications system by making it an offence to intercept communications. The second purpose of the Interception Act is to specify the circumstances in which it is lawful for interception to take place.
- The Spam Act 2003 (Spam Act) sets up a scheme for regulating commercial email and other types of commercial electronic messages. Under the Spam Act, unsolicited commercial electronic messages must not be sent, and there are restrictions on the use of address-harvesting software.
- Section 52 of the Trade Practices Act 1974 provides that a corporation shall not, in trade or commerce, engage in conduct that is misleading or deceptive or is likely to mislead or deceive. This provision may inform the understanding of the particular NPPs, for example NPP 1.3, NPP 1.5, NPP 5.1, NPP 5.2, and NPP 6.7.
- Section 12DA of the Australian Securities and Investments Commission Act 2001 provides that a person must not, in trade or commerce, engage in conduct in relation to financial services that is misleading or deceptive or is likely to mislead or deceive. This may also have an impact on the way financial services providers provide information in compliance with NPPs 1.3, 1.5, 5.1, 5.2 and 6.7.
- Other legislation that protects particular collections of personal information includes, for example
- The Corporations Act 2001 in relation to company shareholder registers24
- The Commonwealth Electoral Act 1918 in relation to electoral roll information25 and
- The Corporations Act 2001 in relation to disclosure obligations as they relate to the provision of financial product advice to retail clients.26
- The Australian Communications Authority (ACA) monitors the performance of telecommunications carriers and carriage service providers.
- The Telecommunications Industry Ombudsman (TIO) has jurisdiction to investigate complaints about a range of telecommunications issues, including printed and electronic White Pages, privacy and breaches of the Customer Service Guarantee and industry Codes of Practice.27
- The Australian Broadcasting Authority (ABA) may investigate complaints alleging a breach of broadcasting industry codes of practice. Several codes of practice include provisions expressly intended to protect individual privacy.28
- The primary responsibility of the Australian Competition and Consumer Commission (ACCC) is to ensure that individuals and businesses comply with the Commonwealth competition, fair trading and consumer protection laws.
- Australian Securities and Investments Commission (ASIC) enforces and regulates company and financial services laws to protect consumers, investors and creditors.
Industry self-regulatory codes
Examples of these include
- The Australian Communications Industry Forum (ACIF) develops a number of industry codes and guidelines for the telecommunications industry, some of which deal with matters that relate to the handling of personal information.
- Following the passage of the Spam Act, up to three industry self-regulatory codes relating to e-marketing activities are under development in relation to commercial messages. These codes may be submitted to the ACA for registration under Part 13 of the Telecommunications Act 1979 (Cth).
Common law obligations
Some common law obligations overlap with privacy obligations in the Privacy Act. These include:
- legal obligations of confidence (e.g. patient/doctor confidentiality and the banker's duty of confidence) and
- legal professional privilege.
Legislation regulating surveillance activities
The Privacy Act does not specifically mention surveillance as a method of collection. However, generally the NPPs will apply to surveillance where it is conducted by an organisation to which the Privacy Act applies, and where the personal information obtained during the surveillance is collected in a record.
There may be many instances of surveillance activity in our society which do not necessarily fit these criteria and so would not be covered by the private sector provisions of the Privacy Act. For instance, surveillance could be undertaken by an individual, who is not acting as, or on behalf of, an organisation. In addition, the surveillance may occur in 'real time' with no collection of personal information in a record (as may be the case with surveillance conducted via closed circuit television cameras for example).
Many of the States and Territories have enacted legislation which covers some aspects of surveillance, and which may apply to individuals or surveillance conducted without the collection of personal information in a record. In particular, a number of State Acts address issues involving the recording of telephone conversations, including:
- Listening Devices Act 1972 (SA)
- Listening Devices Act 1984 (NSW)
- Invasion of Privacy Act 1991 (QLD)
- Listening Devices Act 1991 (Tas)
- Listening Devices Act 1992 (ACT)
- Surveillance Devices Act 1998 (WA)
- Surveillance Devices Act 1999 (Vic)
- Surveillance Devices Act 2000 (NT)
Some of these Acts also incorporate provisions which apply restrictions to video surveillance.
The Workplace Video Surveillance Act 1998 (NSW) regulates covert workplace video surveillance by individuals and organisations in NSW.29 Generally, this type of surveillance is unlikely to be covered by the NPPs because of the employee records exemption.30
Regulation of Tenancy Databases
The NPPs apply to the activities of tenancy databases, for example, in relation to the accuracy of the information they hold and the requirement to give individuals access to their information. It may be, however, that more specific regulation is needed in this area.
For example, following amendments in April 2004, the Residential Tenancies Act 1994 (QLD) now contains guidelines for the use of tenancy databases by Queensland real estate agents. These guidelines incorporate listing criteria and dispute resolution processes. Further, the recent Property, Stock and Business Agents Amendment (Tenant Databases) Regulation 2004 (NSW) specifies rules of conduct for real estate agents in the use of tenancy databases. These new rules include limitations on the reasons for listing, and a requirement to notify individuals if they are listed. The joint Standing Committee of Attorneys-General/Ministerial Council on Consumer Affairs Working Party is looking at this issue.
There is clearly a wide range of regulation in the Commonwealth and States and Territories that either directly relates to privacy or, while not directly relating to privacy, overlaps with privacy related activities. This means that an organisation seeking to comply with privacy requirements must be aware of a wide range of legislation, regulators and in some cases, possibly conflicting requirements. It also potentially creates confusion for individuals who find that their privacy has been infringed.
Possible topics for submissions
It was intended that the NPPs would operate alongside the pre-existing provisions of the Act, such as the Information Privacy Principles (IPPs) regulating public sector agencies, and the provisions regulating credit reporting (largely contained in Part IIIA of the Act).
Interaction with the IPPs
The NPPs are similar to the IPPs and serve the same purpose of regulating the handling of 'personal information'. The definition of 'personal information' is common to the IPPs and NPPs and reflects the overall focus of the Privacy Act as applying to information privacy (rather than, for example, other notions of privacy, such as bodily privacy).
There are, however, some differences between the NPPs and IPPs. For instance, the NPPs include specific provisions concerning the transfer of data overseas which the IPPs do not have (see NPP 9). The private sector provisions also provide a higher degree of protection to defined types of 'sensitive personal information', including health information.
In some instances, an organisation could be covered by the IPPs and NPPs. This can arise in relation to Commonwealth contracting. The new private sector provisions (see section 95B) impose obligations on Commonwealth agencies, when entering into contracts to provide services to or on behalf of the agency, to include provisions to ensure that the contractor does not breach the Information Privacy Principles (IPPs) of the Privacy Act. Some of the NPPs also apply to the contractor if the IPPs do not have an equivalent provision (eg NPPs 7-10) and if there are areas that the NPPs cover that are not in the contract and are not inconsistent with the contract. The contract is the primary source of obligation for the contractor. Depending on the clauses of the contract, if a contractor with a Commonwealth agency breaches any of these principles, or section 16F (which relates to direct marketing), it is a breach of privacy under section 13 of the Privacy Act. This is so, even if the contractor is a small business operator that would otherwise be exempt from the Privacy Act. For more detail about how these provisions operate, see Information Sheet 14-2001 Privacy Obligations for Commonwealth Contracts and other information at http://www.privacy.gov.au/government/contractors/
Some of the IPPs that Agencies are required to provide for in their contracts do not translate well into the private sector, for example, IPP 5 which provides for agencies to tell the Commissioner annually about the kinds of records containing personal information they keep. It is not always clear whether a contractor falls within the definition of contracted service provider in section 6. For example, it may be difficult to determine if a private sector organisation receiving funding to provide a service to third parties is a contracted service provider. Also, a State or Territory authority providing services to a Commonwealth agency is not covered by these provisions.
Interaction with credit reporting provisions
The NPPs also operate in conjunction with the credit reporting provisions of the Privacy Act. These provisions, largely contained in Part IIIA, impose specific obligations on 'credit providers' and 'credit reporting agencies' in relation to their handling of consumer credit information. These 'credit providers' and 'credit reporting agencies' will also generally be 'organisations' for the purposes of the private sector provisions. In some instances, it may be unclear how various provisions of the NPPs and Part IIIA interact. Relevantly, section 16A(3) of the Act states that the NPPs operate in addition to Part IIIA, and do not derogate from them.
Possible topics for submissions
The NPPs were intended to be technology neutral to ensure that they would remain relevant despite technological change.31
Since they were developed there have been some dramatic changes in technology that have had a considerable impact on the ways that personal information can be collected, tracked, connected and disclosed. For example, new mobile phone technology, and Radio Frequency Identification (RFID) technologies could become means of tracking the movements of individuals or subjecting them to covert surveillance. Other new technologies such as Electronic Number Mapping (ENUM) and Voice Over Internet Protocol (VOIP) are also leading to much greater connectivity. This enables a much greater number of organisations to have access to information about telephone numbers, including mobile phone numbers and related information. This may be unprotected by telecommunications legislation that has regulated telephone numbers in a more conventional environment. Much of this technology is available to, and used by, individuals as well as organisations.
Technology has also made it much easier to connect information, such as a telephone number, with an individual's name or other contact information such as a postal or email address. Also, people can be more easily contacted, for example, by email, without the need for a name.
Such developments may raise a number of issues about the operation of the private sector provisions. For example, developments in new technology may mean that the current focus on identification as the basis for privacy protection is no longer adequate. It may be that privacy provisions should focus additionally on whether information creates an ability to contact a person, by whatever means whether their name is known or not. The accessibility of these new technologies may mean that individuals acting in their personal capacity may also be capable of invading individual privacy in ways that warrant further consideration.
In addition some telecommunications technology may be falling outside the ambit of existing telecommunications legislation and may therefore be left to be regulated by the private sector provisions of the Privacy Act, which may not be as privacy protective as the telecommunications specific legislation.
Possible topics for submissions
It was an object of the new private sector provisions to ensure that Australia is in a position to meet international obligations and concerns, and that Australia is not disadvantaged in the global information market. The provisions aimed to provide adequate privacy safeguards to facilitate further trade with the EU. In the absence of the new provisions, the Explanatory Memorandum stated 'there are serious questions surrounding the ability of Australia to meet the requirements for continued trade with EU members under the European Union Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data'.32
This section considers the private sector provisions from the international perspective. It discusses international developments since they came into effect, raises issues about whether the provisions have achieved their object of meeting international obligations and concerns, and whether they have facilitated international trade, particularly in the global information market.
Since the private sector provisions came into effect, the Australian Government has been in discussions with the European Commission (EC) about whether they can be regarded as adequate for the purposes of the European Directive. The Privacy Amendment Act 2004 (Cth) aims to clarify and increase the protections available to non-citizens. For example, the amendments clarify that the extra-territorial application of NPP 9 (which governs transborder data flows) covers the personal information of non-citizens, as well as Australian citizens and permanent residents. The amendments allow the Office to investigate complaints from non-Australians in relation to access to, and correction of, their personal information. The 2004 amendments also enable organisations in Australia to sign up to a code that includes regulation of areas currently exempted from the private sector provisions, including, for example, small business and acts and practices in relation to employee records.
The operation of NPP 9 is a crucial aspect of the global operation of the private sector provisions. NPP 9 outlines the circumstances in which an organisation can transfer personal information it holds to other countries. This principle is based on the restrictions on international transfers of personal information set out in the European Union Directive 95/46.
In the simplest terms, NPP 9 prevents an organisation from disclosing personal information to someone in a foreign country that is not subject to a comparable information privacy scheme, except where it has the individual's consent or some other circumstances apply including where
- the transfer is for the benefit of the individual and the organisation can show grounds for a belief that if it were practicable to obtain consent the individual would be likely to give it or
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party.
NPP 9 does not prevent transfers of personal information outside Australia by an organisation to another part of the same organisation, or to the individual concerned. Section 5B provides for the Privacy Act to operate extra-territorially in these circumstances.
A company transferring personal information overseas to a related company must comply with NPP 9.
It is not clear to what extent organisations are trading freely with Europe or are having their commercial activities impeded by the private sector provisions in their current form. It is also not clear how easy or otherwise organisations are finding it to work with the provisions of NPP 9 when transferring information, or the extent to which they are complying with it.
Possible topics for submissions
One object of the private sector provisions is to establish a privacy scheme for the handling of personal information that recognises individuals' interests in protecting their privacy. The provisions recognise those interests in a number of ways including by:
- requiring organisations, where reasonable, to give an individual information about their information handling practices so he or she can make a decision about whether or not to give their personal information
- requiring organisations to get an individual's consent to collect or disclose in certain circumstances
- giving individuals the right to access information a business holds about them
- enabling individuals to complain to the Office if a business does not comply with the NPPs.
The provisions aimed to ensure that 'Australians can be confident that information held about them by private sector organisations will be stored, used and disclosed in a fair and appropriate way'.33
This section looks at whether individuals are aware of their privacy rights, confident that their rights are protected and are exercising those rights.
The private sector provisions also aim to ensure that individuals' interests are balanced against other competing human rights and social interests. The issue of whether the private sector provisions have achieved their objects in a way that balances these interests appropriately is considered in the next section.
Individuals cannot best exercise their rights if they are not aware that they have them. Accordingly the Office has sought to give individuals as much information about privacy rights as possible through mediums such as the Office's information hotline, its web site (which includes all its publications as well as answers to Frequently Asked Questions), media comments, media releases, speeches, case notes, an online complaint checker, multi-lingual web pages, guidelines, information sheets, brochures and the annual report.
Many individuals would also have received information about privacy from a number of organisations after the private sector provisions came into effect in the form of NPP 1.3 notices and privacy policies.
There is some evidence that awareness of privacy law has increased since the private sector provisions came into effect in 2001. For example, calls to the hotline and written inquiries have more than doubled, and complaints have increased sixfold.34
Research the Office undertook in 2001 and 2004 indicates a considerable increase in awareness of the existence of federal privacy laws since 2001 (60% in 2004, 43% in 2001). However, there appears to be only a small increase in knowledge in the community about privacy rights, and levels of knowledge remain low, with only one in four individuals surveyed claiming to know an adequate amount or more.
Results show that 53% of individuals know that government agencies are covered by privacy law; 56% of individuals know that banks, insurance companies and other financial institutions are covered by privacy law, while 47% know there are some restrictions on charities, private schools, private hospitals and other non-government organisations.
In circumstances where enforcement of an Act relies largely on complaints from individuals, ensuring an awareness of privacy rights amongst the community is a central component of protecting individuals' privacy interests. Awareness also helps individuals to be privacy wise in their interactions with private sector organisations. From the Office's research it appears that there may still be considerably more work to be done to improve the level of individual awareness both about the law, and about how to take action to ensure their rights are respected. It also appears that the information provision requirements of the private sector provisions, such as those provided for in NPP 1 and NPP 5, have not been fully effective in raising awareness of privacy rights.
Some recent global initiatives to develop a layered notice approach to privacy notices are relevant to this issue.35
Possible topics for submissions
Confidence that privacy is protected facilitates open and fluid engagements between the community and organisations. This was an underpinning rationale for the new private sector provisions particularly in relation to electronic commerce.
The community's confidence that their rights are protected is likely to be limited by their awareness of these rights. As discussed in the previous section, there is evidence that the community's awareness of their privacy rights is not comprehensive.
In line with this, the results from the Office's 2004 community attitudes survey convey mixed messages about the community's confidence that their rights are protected.
There is some evidence from this research that individuals have differing levels of trust in organisations in regard to their protection of personal information. Health service providers have the highest levels of trust (89%), followed by financial organisations (66%), government organisations (64%), charities (54%), retailers (39%), market research organisations (35%), real estate (26%) and mail order companies (19%).
Individuals' trust is lowest of all in internet companies (9%). Internet companies were intended to benefit particularly from the introduction of the private sector provisions.36 Trust in internet companies appears to remain unchanged since 2001. Six in ten respondents to the Office's 2004 survey have more concerns about the security of their personal details than usual when using the internet, and this level of concern has risen since the 2001 study.37
It is possible that a lack of awareness about privacy rights has prevented people from developing a clear and concrete sense of confidence that their privacy rights are protected. Members of the community appear to have conflicting perceptions about the extent to which their privacy is protected, particularly in the online environment. There may be a need for more awareness raising activity to improve this confidence. On the other hand, there may be other matters relating to the private sector provisions themselves that may be the reason why they have not achieved their goal of increasing confidence, particularly in the online environment.
Possible topics for submissions
The NPPs protect privacy by setting obligations for organisations, including telling individuals that information is being collected, and by giving individuals privacy rights, including the right to seek access to personal information held about them and correct it if it is wrong. Individuals may complain to the Privacy Commissioner if they think there may have been an interference with their privacy and they have not been able to resolve the issue with the organisation.38
Indications of whether individuals are able to exercise their rights include the extent to which they ask organisations to give them access (see issue for discussion below) and the level of complaints to the Commissioner.
Interactions with Office
The following statistics give a brief overview of the extent of complaints and enquiries to the Privacy Commissioner.39
Enquiries to Hotline
Complaints under section 36
The figures above include all complaints and enquiries to the Office. Office experience since 21 December 2001 is that NPP issues make up about 60% of the total numbers. In 2001 and early 2002 most calls to the hotline were from organisations about whether and how they would need to comply with the new obligations. Now, the great majority of calls are from individuals concerned about their privacy. An analysis of complaints closed in 2003-2004 shows that 75% were closed within 1 month, 94% within 3 months and 99% within 6 months.
Who is interacting
Although it does not collect detailed demographic information, the Office receives complaints from individuals from a wide range of backgrounds. It has provided translation/interpreter assistance when requested. It has also recently translated the complaint information pages on its website into 11 languages other than English at www.privacy.gov.au. However, it seems likely that people from a non-English speaking background or of Aboriginal or Torres Strait Islander descent are under-represented. The Office plans to collect demographic information about complainants over the next three months and will then report on this.
Awareness of Office
Community attitudes research the Office conducted in May 2004 found that only 7% of respondents would report misuse of their personal information by an organisation to the Office of the Privacy Commissioner.41
Approach to complaint handling
The Office's approach to complaint handling is based on the Commissioner's power to investigate and, if appropriate, conciliate complaints.42 The Commissioner may close complaints on the basis of a decision, for example that there is no breach or, following conciliation, that the matter has been adequately dealt with. Alternatively the Commissioner may close complaints by determination. A determination is enforceable through the Federal Court or the Federal Magistrates Court on application by the Commissioner or the complainant. In this circumstance the Court can hear the merits of the case and may make a fresh decision.
To date the Office has focussed on resolving complaints by conciliation between the parties rather than the more formal determination process.43 The aim is to provide timelier, lower cost, satisfactory outcomes for individuals. The Office publishes statistics about complaints and prepares de-identified case notes.
Rights of review
The Privacy Act provides that a person may apply to the Federal Administrative Appeals Tribunal (AAT) for review of the Commissioner's decision
- about whether or not to make a determination that a complainant is or is not entitled to compensation (s 61(1)) and
- to refuse to approve, or revoke an approval of guidelines issued by the NHMRC or other prescribed authority for the purposes of the NPPs (section 95A(7)).
In reviewing the decision the AAT conducts a merits review. This means that the tribunal reconsiders the Commissioner's decision to determine whether it was the 'correct or preferable decision'. Having reconsidered the Commissioner's decision the AAT can either affirm the Commissioner's initial decision, remit matters to the Commissioner for further consideration, or set it aside and make its own decision.
A person who is 'aggrieved' by a decision made or proposed to be made by the Commissioner under the Privacy Act may also be entitled to seek review of that decision by the Federal Court or Federal Magistrates Court under the Administrative Decisions (Judicial Review) Act 1977 (Cth) (ADJR Act). Only 'administrative decisions' made by the Commissioner under the Privacy Act are reviewable under the ADJR Act. An example of an administrative decision made under the Privacy Act able to be reviewed by a court under the ADJR Act is the decision by the Commissioner to close a complaint under one of the provisions of section 41(1)(a)-(f).
Review of a decision by a court under the ADJR Act is limited to reviewing the legality of the decision. Grounds for review under the ADJR Act include a breach of the rules of natural justice or excess of power. Where the court finds an error of law the matter will be remitted back to the Commissioner for reconsideration according to law.
Although the parties to a complaint have the right to have certain administrative decisions of the Commissioner reviewed as outlined above, there is no right for aggrieved complainants or respondents to have the merits of a Commissioner's determination under section 52 reviewed by a court. The only way a case can be heard afresh by a court is if an organisation refuses to comply with a determination against it and the Commissioner or the complainant seeks to enforce the determination in court. As long as an organisation complies with a determination, a complainant that does not agree with a determination cannot seek to have the case heard afresh by a court.
The fact that the Office does not collect demographic information may limit its ability to assess which sections of the community are having trouble exercising their rights and which have had their privacy breached. Lack of awareness of the Office as the complaint handler for privacy breaches is possibly a concern. Those that do complain may find that they have to wait a considerable period before the Office can handle their complaints, due to the volume of complaints since the private sector provisions came into effect. There may be concerns that the complaints process lacks transparency because the confidential nature of conciliation settlements means that the nature of breaches, and the Office's view about the application of the NPPs, is hidden from public scrutiny.44
It may be argued that individuals' ability to exercise their rights is impeded by the Office's focus on conciliation in handling complaints. Individuals may not be in a position to negotiate their interests effectively in this process. Without an understanding of the basis on which cases have been decided or resolved in the past, they may be negotiating in a vacuum. On the other hand, conciliation can be a fast and cost effective way of handling complaints which meets the needs of individuals making complaints. It could be argued that this appears to have worked well for most complainants to the Office.
The fact that there is no right of review of the substance of a Commissioner's determination could be a matter of concern. Respondents have the possibility of having a case heard afresh by refusing to comply with a determination and waiting for the Commissioner to seek to have the case enforced in court. However, this strategy is not available to an aggrieved complainant.
Possible topics for submissions
Law and policy
The NPPs reflect the policy that an individual should generally know what personal information an organisation has about him or her and how it intends to use it. Whether the information is collected from the individual or from a third party, the organisation should 'take reasonable steps' to tell the individual, among other things, the purposes for which the information was collected, to whom the organisation usually discloses such information and the consequences of not providing it. Generally speaking, the organisation cannot use or disclose the information for a purpose other than that for which it was collected (a secondary purpose) unless
- the secondary purpose is related (or directly related if the information is sensitive information) to the primary purpose and the individual would reasonably expect the organisation to use it for such a purpose or
- the individual has consented to the use or disclosure.
The individual has a right to access and, if necessary, correct personal information an organisation holds and the organisation must tell him or her of the right to access the information and its contact details.
The private sector provisions provide for situations where an individual gives information to an organisation directly, for example, by filling out an organisation''s form, or telling a member of staff the information who then writes it down. They also provide for where an organisation collects personal information indirectly.
Personal information is collected indirectly when it is collected not from the individual the information is about, but from another source. This may be another organisation, for example, when
- it buys a list
- has information cleansed against another database
- an individual gives information about a third party to an organisation (eg for life insurance, medical check, during market research)
- a real estate agent discloses information to a tenancy database
- a contractor collects information from an organisation to carry out its contract eg call centre, (possibly under a corporate brand that means the person may not know they are dealing with a contractor)
- or the information may be publicly available, for example, in a newspaper or telephone directory or on a web site.45
When an organisation collects personal information indirectly it may be more difficult to ensure the individual is aware of the matters listed in NPP 1.3, and so in some cases it may be 'reasonable' to make less effort to give people NPP 1.3 information, or even to do nothing at all.
If an individual is not informed of the information an organisation holds, and the use it intends to make of it, it could be argued that he or she has lost the control over personal information that the NPPs intended individuals should generally have as a means of privacy protection. Information provided to one organisation for a specific purpose (compulsorily, in the case of some publicly available information) may be used by another organisation for a completely different purpose without the individual's knowledge, and the collecting organisation would not be in breach of the Privacy Act even if the disclosure to it was unlawful. In the absence of individuals having such knowledge, there may be other ways to provide some protection for individuals' personal information that do not create an undue burden on business.
The NPPs do not specifically require organisations to get an individual's consent to collect personal information. The exception to this is that an organisation must, generally speaking, get an individual's consent to collect sensitive information. An organisation can use and disclose personal information without getting an individual's consent as long as the use or disclosure is for the main purpose of collection, or related (or directly related in the case of sensitive information) to the main purpose of collection and within the individual's reasonable expectations. Generally speaking, the NPPs only require an organisation to get an individual's consent for uses and disclosures of personal information that are for unrelated secondary purposes.46
Bundled consent refers to organisations bundling together consent to a wide range of uses and disclosures of personal information without giving individuals an opportunity to choose which uses and disclosures they agree to and which they do not. The consent is often sought as part of the terms and conditions of a service. This appears to occur in a number of ways:
- Bundling a wide variety of uses and disclosures. This arises when an organisation does not distinguish between giving notice of uses and disclosures for which they do not need consent and seeking consent for other uses and disclosures. It also arises when an organisation seeks consent for multiple uses and disclosures without giving the individual the opportunity to consent to some but not to others.
- Vague statements of how the information will be used or disclosed. This arises when an organisation seeks consent for uses and disclosures using vague statements of how, with the consent of the individual, the information will be used and disclosed, for example, 'we may disclose the information to x, y and z', or 'services may not be provided' if the individual does not agree.
- Denial of services for failure to provide personal information. This arises if an organisation states or implies that it will not provide, or continue to provide, a service unless the individual consents to specified uses and disclosures of personal information.
The privacy protections in the NPPs rely to a considerable extent on individuals knowing what is happening to their personal information and being able to make decisions about whether or not to give an organisation personal information, and whether or not to agree to use or disclosure for particular purposes. Some of the ways that the NPPs are being applied outlined above may mean that in some cases, individuals do not have this control. On the other hand, there may be good business reasons for the NPPs to be applied in this way. There may be ways that privacy protections for individuals can be improved without unduly burdening business.
Possible topics for submissions
When introducing the private sector provisions, the Government recognised that '... Australians consider their personal health information to be particularly sensitive and that they expect that it will be handled fairly and appropriately by those who come into contact with it.' 47 One element of fair and appropriate handling of health information is that the individual retains a right to access information that a health service provider has about them. This right may be difficult to exercise when a health service provider ceases to operate or where the individual elects to change to another provider. Under common law, the provider generally retains ownership of the medical records,48 however, this should not reduce individuals' rights to access their health information.
Health services ceasing to operate
The Office has become aware of a number of cases where individuals have not been able to gain access to their own health information due to their health provider ceasing to operate. This may happen in circumstances where, for example, a practitioner retires, dies or the practice ceases to provide services. In such cases, the individual's right of access under NPP 6 is difficult to guarantee. In some jurisdictions, specific legislative provision is made for 'abandoned' records to be retained by a central body, such as a medical registration board. For example, in Queensland, section 260 of the Medical Practitioners Registration Act 2001 says that the Board may take possession of records it considers abandoned.49 In NSW, the Medical Practice Regulation 2003 imposes some obligations on how medical practitioners should handle health records in the event of a disposal of a practice.50
Such circumstances also raise difficulties for NPP 4, as abandoned records may not be afforded an adequate level of storage and security.
Individuals requesting the transfer of health records
The NPPs do not regulate the transfer of medical records if an individual chooses to change to another health service provider. An individual may exercise general access rights to their health information, though there is no obligation on the provider to transfer this information in full to another provider. Other regulation may, however, require health providers to do certain things. For example, the Victorian Health Records Act 2001 requires that, if an individual asks, a health service provider must provide 'a copy or written summary of the individual's health information' to another health provider.51 Some professional bodies have noted that health providers should accord with good clinical practice and any relevant codes of ethics to ensure that a new practitioner receives adequate information to treat the patient.
Possible topics for submissions
An important element of giving individuals control over their personal information is to give them a right to ask an organisation to see any personal information it holds about them and to correct the information if it is wrong.52
The Office has found that failure to provide access is a commonly received complaint, particularly in the health area.
Possible topics for submissions
The private sector provisions of the Privacy Act implemented what the then Attorney-General called a 'light touch' approach to privacy protection. They established a co-regulatory regime which was intended to be responsive to both business and consumer needs.53 In the case of business, this was achieved by the development of high level principles rather than prescriptive rules and by providing for organisations and industries to develop their own privacy codes. Further, the legislation included a number of exemptions, including for employee records, on the ground they could be better dealt with under the workplace relations legislation,54 and for most small businesses.
In addition, the inclusion of a specific provision for direct marketing aimed to acknowledge the commercial practice of direct marketing while also recognising that individuals may be unwilling recipients of direct marketing activity. A part of the light touch approach was to rely on complaints as the main enforcement mechanism for the provisions.
The legislation was also recognised as being of benefit to business, for example, by encouraging consumers to engage in electronic commerce and by raising consumer confidence in business generally.
This section looks at these provisions and the approach the Office took to compliance and raises the issue of whether these provisions and the Office''s approach strike the right balance between business and consumer needs. It also looks at whether the provisions have been successful in minimising the compliance burden on business, including small business.
Issues relating to the impact of the private sector provisions on business are also to be found in the section ''A single, comprehensive nationally consistent scheme'' (see p 13) and ''International issues and obligations'' (see p 22).
The NPPs are high level, non-prescriptive principles, aimed at giving business the flexibility to adapt them to its own particular circumstances and at being technology neutral. On the other hand, this could be said to have made it more difficult for business to be aware of its obligations and how to implement them in practice.
A survey of business attitudes towards, and knowledge of, the private sector provisions that the Office carried out in June 2001 indicated that Australian business had 'demonstrated a positive attitude to its impending responsibilities. However, this is matched by a low level of understanding of what exactly those responsibilities are'.55 To address this, the Office's compliance strategy has included an emphasis on providing advice, assistance and information to help business understand its responsibilities. The Office's hotline, website, publications, speeches, information sheets and brochures have been key mediums through which the Office has sought to provide advice and raise awareness of privacy obligations with business. This has included providing special material targeted at small business (http://www.privacy.gov.au/business/small/).
It has also included case notes setting out some examples of how the Office deals with complaints in particular circumstances.
There have been very few court cases clarifying how the NPPs apply in specific circumstances.56
Anecdotal evidence and the increasing presence of privacy policies on web pages and in business correspondence indicate that the Office has had a measure of success in raising business awareness of their obligations. However, the Office is also aware through the media of a number of 'privacy furphies', or myths, about privacy which illustrate that there may be a substantial level of misunderstanding about privacy obligations present in some parts of the private sector or among front line staff. The Office's Frequently Asked Questions are a response to awareness of a number of these.57
The private sector provisions of the Privacy Act are principle based regulations. Accordingly, they are less amenable to specific direction on how to comply with them. One issue for the review could be whether the benefits of having high level principles in terms of flexibility and technological neutrality offset problems for some business caused by the lack of prescriptive direction about how to adhere practically to the principles. On the other hand, the guidelines the Office prepared on the operation of the NPPs may have been sufficient for most businesses.
Interpretations of laws and regulations by the courts often generate a body of practical information about how to adhere to regulation, plugging the gap between principles and practice. Precedents and cases give concrete examples of good practice and bad practice. However, the Office has not had the need to make many determinations and there have been few judicial decisions made on the private sector provisions. This may be an issue of particular importance to legal organisations who as a result of this have little case law to inform organisations about their obligations and the suitability of their practices. On the other hand, it could indicate that the NPPs are working well.
An issue that may need to be considered is the Office's role in promoting awareness. Ways of bridging this gap between principles and practice may need to be looked at, including ways of giving organisations the expertise to self audit.
Possible topics for submissions
Compliance with the legislation certainly involves costs for organisations. There were the initial costs of revamping systems and of training staff. There are the ongoing costs of complying with obligations to inform individuals from whom personal information has been collected and of seeking consent for use and disclosure of the information for secondary purposes. Providing access to information, or deciding not to, and correcting it, or giving reasons why not, may also involve cost.
The downside of a light touch approach is that there may be a lack of certainty, another kind of cost. For very small businesses subject to the legislation the relative costs may be significant. Some businesses, for example, health businesses in Victoria and New South Wales, must also comply with overlapping, and possibly conflicting, State legislation. Particular problems arise when businesses are bought and sold. It may be difficult to determine how the NPPs apply to the disclosure of personal information in the course of due diligence. Depending on the nature of the business being sold, due diligence may involve disclosure of personal information about key employees or even sensitive information, for example, health information, about employees or clients.
Possible topics for submissions
Law provides for industry and organisation codes
A key feature of the private sector provisions of the Privacy Act is the ability of organisations and industries to develop their own codes. In his second reading speech, the then Attorney-General stated that the aim of the legislation was 'to encourage private sector organisations and industries . . . to develop privacy codes of practice.'58 In order to approve a privacy code, the Privacy Commissioner must be satisfied, among other things, that the code incorporates all the NPPs or sets out obligations that, 'overall are at least the equivalent' of all the NPPs.59 This has been interpreted to mean that the code must include each obligation and must be consistent with the NPPs.
Although at the time the legislation was implemented there was an expectation that codes would play a major role in the new privacy scheme, there have been very few applications for code approval and only three codes have been approved. There are a number of possible reasons for this, including
- the length of time and cost to develop a code
- the interpretation of 'overall . . . equivalent' that has been adopted
- administering a code has costs
- an adequate complaints handling scheme is difficult to establish and maintain
- general satisfaction with the NPPs and
- the proliferation of industry codes (dealing with issues other than privacy), with which organisations have to comply, developed by industry bodies.60
On the other hand, there are reasons why an industry or organisation might want an approved privacy code. Approval may have the effect of branding an industry or organisation, or distinguishing it from a similar, perhaps less reputable, industry. As new industries develop on the back of new technology, approval of a code may give them credence it might otherwise take years to achieve. An industry may need to be bound by an approved code to meet European Union (EU) adequacy requirements, necessary if it wants to trade with EU countries.
The approval process has been criticised as lacking in transparency. Having approved a code, the Commissioner does not publish reasons for doing so. It could be argued that he or she approves the code because it satisfies the provisions of the Privacy Act and that is sufficient.
Furthermore, given how long the process has taken to date, it may be a long time after the consultation that the code is finally approved. As a result, a question may arise as to whether or not the consultation was adequate.
Possible topics for submissions
A 'small business operator' is exempt from the operation of the private sector provisions of the Privacy Act. A small business is one that does not have an annual turnover of more than $3 million and is not related to a business that has such a turnover. Some small businesses, however, must comply with the provisions. These are small businesses that
- provide health services to people and hold health information about them
- trade in personal information, for example, by buying or selling names and addresses for inclusion on a data base
- are contracted to provide a service to the Commonwealth.
However, not every small business that trades in personal information must comply. If an organisation whose turnover is $3 million or less sells personal information with the person's consent it may do so without bringing itself under the Privacy Act. The law also allows for the Government to prescribe small business operators, or acts or practices of small business operators, bringing them within the operation of the Act. Finally, a small business may voluntarily opt in to be covered by the provisions. Currently 127 small businesses have opted in to coverage.
Reason for small business exemption
There are two main rationales for the small business exemption. First, it is based on the premise that not all small private sector organisations pose the same risk to privacy and that many small businesses do not have significant holdings of personal information.61 On this basis it was considered that there is no real need for small business to be covered and to do so would not justify the costs involved. Secondly, it reflects the premise that the right to privacy is not an absolute right and must be balanced against the need to avoid imposing unnecessary costs on small business.62
Does the small business exemption exempt only those businesses that do not pose a privacy risk?
Personal information bought and sold by organisations for inclusion on a data base should be protected by the Privacy Act. In some cases however it may not be protected where a small business is collecting it, because the person whose information it is gives his or her consent. Some argue, however, that the consent may not be real in some cases, for example, where refusing consent would result in real inconvenience or lack of access to housing or other basic services. Small businesses may hold significant personal information including sensitive information, for example, internet service providers.
Do consumers have enough information to have confidence in businesses they deal with?
One of the main justifications of the private sector provisions was to give consumers confidence in Australian business practices.63 It was believed that Australian consumers would be reluctant to participate in electronic commerce unless they were confident the personal information they supplied was protected. It may be possible that the small business exemption undermines this object. For example, the exemption is complex and many people would find it hard to determine whether or not a particular business is a small business and, if so, whether or not the legislation applies. Secondly, many internet based businesses are not large and the $3 million cut off point may well put them outside the operation of the Privacy Act.
Does the exemption avoid unnecessary costs on business?
Another justification for the small business exemption is the need to avoid unnecessary costs on small business.64 Some costs arise for a small business that is a respondent to a complaint in that it must first establish it is a small business before the complaint can be dismissed on the basis of the exemption. An exempt business may miss out on the potential benefits privacy legislation brings such as increased consumer confidence, especially in relation to online trading. Also, the small business exemption is complex. This makes it hard for small businesses to work out whether the Privacy Act applies to them or not. This could mean that to avoid risk, small businesses are complying even where the Privacy Act may not apply to them.
Possible topics for submissions
The private sector provisions of the Privacy Act provide for the collection, use and disclosure of personal information for direct marketing in some circumstances.
An organisation may collect personal information from an individual for the primary purpose of direct marketing and use and disclose it (including selling it) for that purpose. It may acquire personal information from another organisation for the primary purpose of direct marketing and use and disclose it for that purpose.65
If an organisation has collected information for a purpose that is not direct marketing, and wishes to use or disclose it for direct marketing purposes, it can do so without the individual's consent if the direct marketing is related to the purpose for which the information was collected in the first place (and directly related in the case of sensitive information) and the person from whom it was collected would reasonably expect the organisation that collected it to use or disclose it for direct marketing.66
An organisation can only use personal information for direct marketing that is unrelated to the primary purpose or not within the reasonable expectations of the individual, if
- the person from whom the information was collected has consented to the use or disclosure of the information for direct marketing or
- (if the information is not sensitive information) it is impracticable to get consent before using the information
- the direct marketing organisation gives the individual the opportunity to opt out of receiving material (at no cost)
- the individual has not already asked the organisation not to send material
- in every communication the organisation draws the individual's attention to the fact that he or she may opt out of receiving further material; and
- each communication includes the relevant contact details of the organisation (including electronic contact details if the material was sent by electronic means).67
This provision does not apply to disclosure to another organisation for the unrelated and unexpected purpose of direct marketing. In this case, the organisation would need the individual's consent.
The direct marketing provisions of the Privacy Act are intended to strike a balance between the business interests of organisations involved in direct marketing and the privacy interests of consumers affected by the activity. The legislation acknowledges the commercial practice of direct marketing and the related activity of acquiring personal information about individuals to enable organisations to market their products effectively and efficiently. It also recognises the privacy interests of individuals who may find themselves the unwilling recipients of direct marketing material.
The provisions provide some protection for individuals whose personal information is collected for one purpose (the primary purpose) and then used for direct marketing purposes (a secondary purpose) without their consent. They do not provide the same protection for information collected for the primary purpose of direct marketing, whether collected directly from the individual or from a third party. Organisations are not required to give an individual the chance to opt out on each communication in these circumstances. This may be a gap particularly where an organisation collects information from a third party for the primary purpose of direct marketing, for example, when it buys a list. In these circumstances, the individual may not necessarily know the organisation has collected his or her information, (for example, if taking a limited or no step to tell an individual is reasonable for the purposes of NPP 1.5) and may not have had the chance to agree or not as to whether the information should be used or disclosed for direct marketing. On the other hand, some individuals may know and agree. This would be the case, for example, if the organisation that originally collected the personal information from the individual has made it clear that it would disclose the information for these purposes to this kind of organisation and the individual was given the chance to agree at that point.
Even where an organisation collects the information directly from an individual it may not be entirely clear to an individual for what purpose information is being collected. His or her understanding of the purpose may be quite different from that of the organisation collecting the information. For example, in the case of an entry to a competition, the organisation may consider that collecting personal information is for the main purpose of marketing other material to an individual. On the other hand, the individual may think that the main purpose is to enable them to receive a prize if they win. Any information about the purpose in any case, could be buried in very small print which the individual is unlikely to read. Certainly an individual is unlikely to draw a distinction between a primary and secondary purpose and to understand the consequences of the distinction.
Possible topics for submissions
There are a number of ways in which the private sector provisions sought to implement a light touch approach to the enforcement of privacy obligations. For example, the provisions rely on complaints from individuals as the main way of having individual rights enforced. The Commissioner does not have an audit power in relation to the private sector, although he or she has a power to conduct own motion investigations68 on becoming aware of a possible breach and can audit an organisation if invited by the organisation to do so. The Commissioner cannot fine an organisation that breaches privacy provisions (although he or she can award compensation). He or she cannot enforce any directions he or she might seek to give in relation to the findings of an own motion investigation.
Office approach to compliance
In the spirit of the provisions, the Office also took a particular approach to compliance. This was reflected partially in the Office's strategic plan of the time, which set a clear purpose of promoting an Australian culture that respects privacy. This was consistent with the range of functions set out in section 27 of the Privacy Act which, in summary, includes input to policy making and public education in addition to its compliance functions. This approach is based on the conclusion that the most efficient way to regulate privacy is to embed a respect for privacy into an organisation's culture (which includes encouraging an awareness of rights and a sense of the value of privacy) so that recourse to the regulator's enforcement powers is often unnecessary. It also recognised that privacy is context dependent and that a community which is informed about the values that underpin privacy can apply them more flexibly to the situation, preventing privacy problems from arising, rather than just relying on 'end of pipe' legalistic solutions.
In line with this, the Office's approach to compliance has emphasised providing advice, assistance and information to organisations.69
In general, the Office has taken an educative approach to private sector complaint handling and own motion investigations; it has aimed to work with individuals and organisations to resolve issues and improve practice. To date there has been limited or no use of the more formal enforcement powers - complaint determinations or injunctions - or of public 'naming' and 'shaming'. This is in part because the Office has generally been able to resolve issues cooperatively. There are clearly privacy practices of concern, for example in relation to risk management databases, health records and internet security. In these cases the Office is continuing to work with the organisations or industry sectors to address issues. One effect of the law and the Office approach has been that enforcement may be less publicly visible in the privacy sphere than in some other regulatory schemes.
However, the Office has committed itself to actively pursuing breaches of the Privacy Act and taking care to ensure that breaches are remedied and complainants' concerns are addressed, including through compensation where that is necessary.
The Office has identified complaint handling as a priority in the context of increasing complaints stemming from the introduction of the private sector provisions. The Office diverted resources from other areas of responsibility including auditing of Commonwealth agencies, towards complaint handling on the rationale that increasing complaint backlogs had the potential to undermine the operation of the Act.
Extent of complying with obligations
The level and nature of enquiries and complaints to the Office give some indication of the level of compliance with the NPPs.
The Commissioner's annual reports contain detailed information about the nature of enquiries and complaints received by the Office. The reports are available at http://www.privacy.gov.au/materials. A few key statistics relevant to compliance with the NPPs are noted below.
There have been some consistent trends in aspects of the NPPs and industry sectors that most often appear in complaints. In particular, complaints about the NPPs have tended to cluster around the following industry sectors: finance and investment (17%); health service providers (14%); telecommunications (9%); insurance (6%); and landlords and real estate agents (6%).
Calls to the privacy Hotline are most frequently about possible improper use and disclosure of personal information. Concerns about collection practices and access to personal information, including charges for access, are also common. These concerns are mirrored in the nature of complaints to the Office. In 2003 - 2004, 44% of private sector complaints were about use and disclosure, 15% were about collection and 14% were about access.
While disclosure of personal information was the most frequently complained about act or practice, access was the most frequent issue where a breach of the NPPs was found. Thirty three percent of breaches found were in relation to requests for access to personal information; close to half the respondents were in the health sector. Disclosure of personal information was the next most common breach (19%). Data quality (12%) and data security (10%) issues occurred with similar frequency in relation to complaints received and complaints where breaches were found.
The Office's experience in working with the private sector, both in providing advice and when organisations have been respondents to complaints, has been generally positive. Most organisations appear to have familiarised themselves with the NPPs, developed privacy policies and privacy notices on forms, and taken other steps. Anecdotally, the widespread appearance of privacy notices was the most concrete sign that a new privacy regime had commenced. It may be, however, that a concern for privacy has not yet been built more deeply into compliance thinking. For example, it is not clear whether most organisations
- consider privacy when developing products or systems
- consider and review how personal information is protected
- track how personal information is being used and disclosed or
- have in place complaint handling systems.
Another issue is whether the unexpected increase in the number of complaints, and the resulting delay before the Office can handle some of them, has a significant impact on complainants and organisations; for example, the organisation may have considered the matter closed because it has not heard from the Office, the paper trail becomes older and more difficult to retrieve, or poor practices continue for longer.
The Act provides quite strong powers to investigate complaints and to provide enforceable remedies through the Courts. However, the remedies for formal determination under section 52 focus on redress of loss or damage, including injury to feelings or humiliation, to the individual concerned. The Commissioner cannot impose punitive measures and can only address systemic issues that gave rise to a privacy complaint if it would be reasonable to redress loss or damage suffered by the complainant.70 This is in contrast to complaints settled by agreement between the parties, or on the basis of a decision by the Commissioner that the matter has been 'adequately dealt with', which often includes agreement to implement systemic remedies such as staff training or systems or procedural change. One way of addressing this might be to give the Commissioner additional powers, for example, to ask organisations to commit to an undertaking that would be enforceable in the courts, or to issue a standard or binding code.71
In addition to investigating complaints, the Privacy Act provides for the Commissioner to investigate possible interferences with privacy without a complaint, that is on his or her 'own motion', if desirable. However, there is no enforcement mechanism for own motion investigations into the practices of private sector organisations.72 If the Commissioner finds a breach, he or she can only seek to persuade the organisation to change its practices. The Commissioner or any other person may seek an injunction to stop actions, or to require actions, in relation to possible breaches of privacy.73 In addition, while organisations may invite the Commissioner to conduct an audit of their activities, the Commissioner has no power to proactively audit organisations' compliance with the NPPs.
Possible topics for submissions
Many private sector organisations use contractors to carry out some of their functions or activities that involve the handling of personal information. They may be handing personal information over to contractors that are exempt from coverage of the Privacy Act because they are small business operators.
Sometimes the information given to contractors is sensitive information, such as health information. Unlike the IPPs, there is no clear obligation in the NPPs which would require organisations to ensure that their contractors only use the personal information given to them for the purposes for which it is given and keep it secure. Some organisations, although they are using contractors for core services, such as telephone contact with customers, or to provide transaction cards, seek to have such contractors identify themselves to customers as operating under the corporate brand. The Privacy Act does not make any specific provision for contractors to be regarded as acting as agents for the organisation they are providing services for.74 Therefore when an organisation gives personal information to a contractor, the contractor is, generally speaking, regarded as a separate entity, and so the organisation is 'disclosing' information to the contractor, and the contractor is 'collecting' the personal information.
Because the Privacy Act does not provide specifically for the circumstances where an organisation discloses information to a contractor that is exempt from coverage of the Privacy Act, an individual's personal information may lose the protection of the Privacy Act. Because the exempt business would in most circumstances be regarded as a separate entity, the contracting organisation would not be in breach of the Privacy Act if its contractor mishandled the personal information. Where personal information is sensitive information, the contractor needs the consent of each individual to collect the individual's personal information from the contracting organisation. There may be concerns that the Privacy Act would require a contractor operating under a corporate branding to identify itself, under NPP 1.3, as being a separate organisation, or would require such a contractor to get the consent of the individual to disclose sensitive information to the contracting organisation on whose behalf it has collected the information.
Possible topics for submissions
The private sector provisions of the Privacy Act reflect the premise that privacy is not an absolute right and must be balanced against other important social interests that compete with privacy. The objects clause spells this out. It states that a national privacy scheme was to be established in a way that 'recognises important human rights and social interests that compete with privacy, including the general desirability of a free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently.' The Privacy Act also requires the Commissioner to have regard to these competing rights and social interests in the performance of his or her functions and the exercise of his or her powers under the Act (section 29).
One of the competing social interests identified in the Privacy Act is the free flow of information. One of the ways the legislation promotes the free flow of information is to exempt the acts and practices of media organisations in the course of journalism from the application of the provisions.75 This exemption applies where such media organisation is publicly committed to observe published standards that deal with privacy in the context of the activities of a media organisation.
The wording of the exemption is very broad and undefined. The exemption is very unspecific about the level of the standards to which a media organisation must commit itself. There is no requirement in the exemption that there be a means of enforcing any such standards. The definition of media organisation is very broad and includes activities involving the dissemination of 'information'. Taken at face value, this could include the activities of a wide range of organisations that publish personal information on the internet in a context that could have a major impact on the lives of individuals. However, to qualify for the exemption the activity must be 'in the course of journalism' and this may narrow the exemption's breadth. So far, the meanings of 'media organisation' and 'in the course of journalism' are untested in the courts. On the other hand, the Office has received very few inquiries or complaints involving media organisations or journalistic activities and it may be that the exemption as currently formulated strikes the right balance between privacy interests and the free flow of information.
Possible topics for submissions
Other human rights and social interests recognised in the legislation include the promotion of medical research and the effective planning and delivery of health services. To this end, the legislation provides that where information is collected for research purposes, it must be collected with consent or, if this is not practicable, in accordance with strict safeguards. Researchers must take reasonable steps to de-identify personal information before the results of research can be disclosed.76 Other measures include provisions permitting health service providers to disclose health information about an individual to a responsible person where the individual is incapable of communicating, or unable to communicate consent (NPP 2.4). These provisions balance a more strict approach to the handling of sensitive information (including health information), provided for in other parts of the NPPs. This includes providing that, with some social interest exceptions, an organisation must not collect sensitive information (including health information) unless the individual has consented.
It is important that privacy provisions operate without inappropriately impacting on the delivery of health services to individuals, or inappropriately placing barriers in the way of health research that is clearly in the interests of individuals and society generally. It is important that people caring for those who are unable to make decisions for themselves, including those with mental illness, have access to the information they need to carry out appropriate care. On the other hand, it is important, even where an individual's ability to give consent is impaired, that personal information about them is not disclosed more extensively than necessary, and that such individuals have as much control as they are capable of exercising. There may be concerns that the access provisions of the NPPs (for example, NPP 6) do not provide an appropriate balance between privacy and the welfare of individuals with a mental illness or psychiatric disability.
Possible topics for submissions
Issues have been raised with the Office over the last three years about the importance of the private sector provisions working with a number of other social interests not yet raised in this issues paper including:
- the need to ensure that people with disabilities and people with impaired decision making ability and their carers are able to interact as seamlessly as appropriate and possible with private sector organisations including banks
- the need to have effective law enforcement procedures
- the need to maintain national security
- the right of Aboriginal and Torres Strait Islanders, and people from diverse cultural backgrounds to have their values taken into account
- the need to ensure that children at risk are properly protected and that information flows relating to this are not inappropriately impeded
- copyright and other intellectual property concerns.
Possible topics for submissions
This issues paper has highlighted some areas about the NPPs on which submitters may wish to comment. However, there may be other issues in relation to the NPPs that deserve attention. The NPPs regulate the flow of personal information into, within and out of organisations.
- Collection - NPPs 1 and 10 regulate organisations'' activities when they collect personal information. NPP 1 sets out the manner in which organisations must collect information including the information they must give individuals. NPP 8 requires organisations to allow individuals to interact anonymously if it is lawful and practicable. NPP 10 requires that organisations (with some exceptions) only collect sensitive information with consent.
- Use and disclosure - NPP 2 regulates the way organisations use and disclose personal information once it is collected and places limits on extent to which organisations can use and disclose information for purposes other than the main purpose for which it was collected. NPP 9 specifies the circumstances in which an organisation can transfer information overseas. NPP 7 prevents (with some exceptions) organisations from adopting, using or disclosing Commonwealth Government identifiers such as the Medicare number and passport number.
- Information handling - NPPs 3 - 6 regulate other aspects of the way organisations handle personal information, including requiring organisations to keep personal information accurate, up-to-date and secure. Organisations must have a policy for the way they handle personal information and be able to tell a person about it if they ask. In addition, they must (with some exceptions) tell a person what information they hold about them if they ask, and correct the information if it is wrong.
The NPPs can be found at http://www.privacy.gov.au/materials/types/infosheets/view/6583
Possible topics for submissions
When considering the operations of the private sector provisions there may be a number of factors that could affect the effectiveness of the provisions in meeting their objects. Provisions may or may not be effective depending on:
- the way the provisions have been drafted - whether they are clear and easy to understand and implement
- the way the Office has implemented the provisions and the way it enforces them
- the advice provided by the Office particularly in the guidelines, FAQs and information sheets
- the value people attribute to privacy; whether people care about it enough to seek to enforce it, or whether there are barriers to their acting
- the value businesses attribute to privacy; whether or not they see it as good for business and
- the effect of social and technological change, in particular, the speed of change, and the changed security environment.
In discussing an area on which you wish to comment, it would be valuable if you could also indicate whether any of these or other factors have contributed to the issue.
Participants should not feel limited to the issues raised here. This issues paper is intended as a stimulus to submissions only. Any other issues relevant to the terms of reference that this issues paper may have omitted are welcome.
Access
Access involves an organisation giving an individual information about themselves held by the organisation. Giving access may include allowing an individual to inspect personal information or giving a copy of it to them.
Asia Pacific Economic Cooperation (APEC)
APEC was established in 1989 and is the primary vehicle for promoting open trade and practical economic cooperation.
Australian Communications Authority (ACA)
The Commonwealth regulatory authority for telecommunications and radio communications, established under the Australian Communications Authority Act 1997.
Australian Communications Industry Forum (ACIF)
Industry forum established in May 1997 as a communications industry self-regulatory body. The ACIF is responsible for developing standards, codes of practice and service specifications.
Australian Competition and Consumer Commission (ACCC)
The Commonwealth regulatory body with responsibilities derived from the Trade Practices Act 1974, including regulation of competition in the communications industry.
Australian Health Ministers Advisory Council (AHMAC)
AHMAC considers matters relating to the coordination of health services across the nation.
Australian Securities and Investments Commission (ASIC)
ASIC enforces and regulates company and financial services laws to protect consumers, investors and creditors.
Bodily privacy
Bodily privacy means the protection of the physical self against invasive procedures.
Contracted Commonwealth service provider
A contracted Commonwealth service provider is an organisation that is a party to a contract, or a subcontractor to such a contract, to provide services to the Commonwealth or to a Commonwealth agency (section 6).
Co-regulation
Co-regulation usually refers to the situation where industry develops and administers its own codes of regulation and government provides legislative backing to enable the code to be enforced.
Disclosure
In general terms, an organisation discloses personal information when it releases information to others outside the organisation. It does not include giving individuals information about themselves (this is 'access', see above).
Electronic Number Mapping (ENUM)
ENUM is a communications protocol that links the public switched telephone network (PSTN) with the Internet by translating telephone numbers into a format that can be used by the Internet.
Employee records exemption
The acts and practices of employers that are related to an employee record and directly related to the employment relationship are exempt from coverage of the Privacy Act. (See section 6 for the definition of an employee record and section 7B(3) for the exemption).
European Commission (EC)
The Commission is the politically independent institution that represents and upholds the interests of the European Union as a whole. It is a central institution within the EU and it proposes legislation, policies and programmes of action and it is responsible for implementing the decisions of Parliament and the Council.
International Covenant on Civil and Political Rights (ICCPR)
The International Covenant on Civil and Political Rights is a United Nations treaty based on the Universal Declaration of Human Rights. It is monitored by the Human Rights Committee, a group of 18 experts who meet three times a year to consider periodic reports submitted by member States on their compliance with the treaty. The International Covenant on Civil and Political Rights currently has 149 States party to it.
Office of the Privacy Commissioner (the Office)
The Office of the Privacy Commissioner is an independent Office which has responsibilities under the federal Privacy Act 1988 (Cth).
Organisation
The NPPs apply to businesses and bodies that fall within the definition of 'organisation' in section 6C of the Privacy Act. Section 6C says that 'organisation' means: an individual; or a body corporate; or a partnership; or any other unincorporated association; or a trust; that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory.
Personal information
Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion (section 6).
Proposed National Health Privacy Code
At the request of Health Ministers, the National Health Privacy Working Group was set up in 2000 to oversee the development of a national framework for health privacy.
The proposed National Health Privacy Code (dated August 2003) is the result of this framework that aims to:
- safeguard the health privacy and dignity of all individuals
- achieve national consistency in health privacy protection - across jurisdictions and between the public and private sectors and
- take into account changes in the way personal health information is handled as a result of technological change.
Radio Frequency Identification (RFID)
Radio Frequency Identification (RFID) tags use wireless technology to transmit product serial numbers from tags to a scanner, without human intervention. It is regarded as a likely successor to barcode inventory tracking systems.
Self-regulation
Self-regulation is generally characterised by industry formulating rules and codes of conduct, with industry solely responsible for enforcement. In some cases, governments may also be involved in a limited way, for example by providing advisory information.
Sensitive information
Sensitive information is a subset of personal information. It means information or an opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record, or health information about an individual (section 6).
Small Business Operator
A small business is defined in section 6D of the Privacy Act as a business with an annual turnover of $3 million or less. Small business operators are exempt from the Privacy Act. Not all small businesses are small business operators. For example, some small businesses, such as health service providers, Commonwealth contractors in relation to their contractual activities, and small businesses that trade in personal information (with some exceptions), are covered by the Privacy Act.
Telecommunications Industry Ombudsman (TIO)
The Telecommunications Industry Ombudsman is an independent alternative dispute resolution scheme for small business and residential consumers in Australia who have a complaint about their telephone or Internet service.
Tenancy database
A tenancy database holds personal information relating to alleged defaults and defaults on tenancy agreements, including failures to pay rent or damage to property.
Use
In general terms, use of personal information refers to the handling of personal information within an organisation, including 'the inclusion of information in a publication'.
Voice Over Internet Protocol (VOIP)
Voice over Internet Protocol is another way of saying IP telephony. It involves the transmission of telephone calls over a data network such as the Internet. In other words, VOIP can send voice, fax and other information over the Internet rather than through the public switched telephone network (PSTN).
This survey was conducted by Roy Morgan Research in May 2004. The objectives of the research were to:
- Identify current privacy behaviour
- Identify community expectations about privacy
- Identify perceptions and beliefs about appropriate levels of privacy
- Gauge levels of knowledge about privacy
- Gauge levels of knowledge about privacy laws and the OFPC
- Find any shifts in these perceptions to get information about the impact of the Office's activities or the Privacy Act
- The number of respondents who say they have adequate knowledge of their privacy rights has increased from 18% in 2001 to 26% in 2004.
- But levels are still low - only one in four people surveyed claimed adequate knowledge of privacy rights. 38% of people know very little or nothing about their privacy rights, although this figure has decreased from 52% in 2001.
- In the 2001 study, 52% of the younger respondents (18-24) claimed to know very little about their rights. By 2004, this had reduced to 36%, which is not significantly different from the rest of the population aged 18 and over.
- 53% of respondents knew that government agencies are covered by privacy law though 26% of people thought that they were not and 21% of respondents did not know.
- 56% of people knew that banks, insurance companies and other financial institutions are covered by privacy law (while 29% thought not and 14% did not know)
- 47% of respondents knew that there are some restrictions on charities, private schools, private hospitals and other NGOs (while 32% thought not and 21% did not know)
- Males have a higher level of knowledge about the coverage of government departments by the Privacy Act.
- Respondents with more education were more likely to have a higher level of knowledge about the coverage of the Privacy Act.
This research indicates that there is still a great deal of misunderstanding about privacy laws amongst half the population.
- There has been little change in awareness of the Federal Privacy Commissioner between 2001 (36%) and 2004 (34%).
- Males have a higher awareness (40%) than females (28%).
- The lowest levels of awareness are among 18 - 24 year olds (26%)
- BUT only 7% of respondents would report the misuse of information to the Federal or a State Privacy Commissioner. 19% of respondents said they would report it to the ombudsman, 15% would report it to the organisation involved, 13% would report it to the police, 10% would report it to the local consumer affairs office, and 8% of respondents said that they would report it to their local or state MP.
- However, there has been a steady increase in awareness of the Federal Privacy Commissioner as a place to report misuse of personal information: 2% of respondents said they would report it to the Office in 1994, rising to 5% in 2001 and 7% in 2004.
These figures indicate that even if respondents know about the Office, they do not know what the Office's role is.
Levels of trust have increased in some organisations between 2001 and 2004 including:
- Health service providers
- Financial organisations
- Market research companies
- Government organisations
- Real estate agents
BUT not internet sales companies.
Overall, health service providers are the most trusted organisations, followed by financial organisations, government organisations, charities, retailers, market research organisations and real estate agents, with internet organisations last.
There has been little change in mean levels of trustworthiness between 2001 and 2004.
- A high proportion of people (approximately 90-95%) still regard the following as invasions of privacy:
  - a business getting hold of personal information
  - a business monitoring internet activity without permission
  - a business using personal information for an alternative purpose
  - a business asking for irrelevant personal information
- But asking for ID is not regarded by most as an invasion of privacy.
- 38% of respondents reported that there had been an increase in the incidence of being asked for ID, while the majority (56%) claimed it was about the same and 4% claimed there was a decrease.
The studies in 2001 and 2004 show reluctance to provide similar kinds of personal information including:
- Financial information - bank account and income information is by far the most sensitive, and the information people are most reluctant to disclose
- Contact details - especially phone number
- Health information
Reasons for reluctance include an increase in concern about crime and a desire to avoid being sent unsolicited material.
Compared with the 2001 survey the 2004 research indicated mixed results about awareness of privacy issues. Respondents in 2004 were more likely to leave information off forms, but less likely to refuse to deal with an organisation.
The number of people who totally disagreed with use of the Electoral Roll for marketing has increased by 7 percentage points, from 70% to 77%.
The number of people who totally disagree with use of the White Pages has stayed the same (46%). The number of people who agree has increased from 42% to 44%.
- If and when the information will be passed on
- What information will be kept.
Unique identifier for ID purposes and to access government services on the internet
- 53% of people were in favour of a unique identifier for these purposes, though 41% of people were against the idea
- Males favoured the idea of a government identifier more than females
- Respondents on higher incomes were more in favour of a government identifier than respondents on lower incomes.
Circumstances under which government departments should be able to share information
- The majority of respondents agree that government departments should be able to share information, but only in some circumstances
- Only 9% of people said that departments should be able to share information under any circumstances, while 24% of people said not under any circumstances.
- Males (11%) were more likely to agree to sharing under any circumstances than females (8%)
- People on lower incomes were more likely to say that government departments should not share information under any circumstances (27%)
- People over 50 (13%) were more likely to agree to sharing under any circumstances than younger people (4%).
The purposes for which government departments should be able to share information that were most often cited were (in order of frequency):
- Prevent crime
- Update information
- Improve efficiency (cited least often).
Attitudes towards doctors discussing medical details with other health professionals without consent if they thought that it would assist treatment
- Slight increase in people being comfortable with doctors discussing health information with other doctors if it would help the health outcome, from 53% in 2001 to 60% in 2004
- Males are more likely to be comfortable with this than females
- Older people are more likely to be comfortable with this than younger people
- Respondents with less education were more likely to assent to this than people with higher education.
Attitudes towards a health number to enable the government to better track the use of Health Services
- 57% of respondents agreed to a health number to track services including 28% who strongly agreed.
- 36% of people disagree with this idea while 4% are undecided.
- Males, young people and older people are more likely to agree.
Slightly more people agree with the idea of a health number (57%) than a government number (53%).
Inclusion in health database
- 64% of people think inclusion should be voluntary compared to 66% in 2001
- 32% of people think that inclusion should be a matter of course (compared to 28% in 2001)
- Males (35%) and older people (37%) were more likely to think inclusion should be a matter of course
Permission for use of de-identified health information for Research
- 64% of people think that permission should be sought
- 33% of respondents think that permission is not necessary
- Females (68%) were more likely to think that permission should be sought than males (59%)
- 18-24 year olds were the most likely to think permission should be sought (71%)
- People with less education were more likely to think that permission should be sought.
Respondent views were polarised on the issue of employers reading work emails
- One quarter (23%) of respondents think employers should be able to read work emails
- One third (34%) think employers should not have this right.
Males (26%) were more likely to agree with employers reading work emails than females (19%), and respondents over 35 years of age (25%) were more likely to agree with this than 18-34 year olds (16%).
Views on employers using surveillance equipment and monitoring devices that track what employees type are similar with roughly one quarter agreeing with the use of these surveillance techniques and one third disagreeing.
There was more concern about the monitoring of telephone conversations by employers
- Only 5% of people thought it was acceptable for employers to do this whenever they choose, though 35% of people agreed with it for quality of service purposes.
- 59% of respondents said that employee drug tests should only be conducted when necessary to ensure safety.
65% of respondents use the internet once a week or more (up from 51% in 2001).
The level of concern about the security of personal information when dealing over the internet has risen from 57% in 2001 to 62% in 2004.
More people are reading privacy policies in 2004 (67%) than in 2001 (55%).
- People who said they had an adequate amount of privacy knowledge are more likely to read privacy policies.
Other findings from the survey about online behaviour include that:
- 3 in 10 give false information online. Younger people are more likely to do this than older people.
- 80% of people regularly update antivirus software
- 49% use a firewall
- 48% have at some stage rejected cookies
- 47% use a spam filter
- 38% use temporary email accounts
- 28% use software to protect their anonymity.
Legislation and related documents
Privacy Act 1988 (accessible at http://scaleplus.law.gov.au/html/pasteact/0/157/top.htm)
Part IIIA of the Privacy Act (credit reporting provisions) (accessible at http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s18c.html)
Private sector provisions of the Privacy Act (accessible at http://www.privacy.gov.au/law/act/)
National Privacy Principles http://www.privacy.gov.au/materials/types/infosheets/view/6583
Second reading speech (accessible at
Explanatory Memorandum (accessible at http://scaleplus.law.gov.au
Guidelines to the National Privacy Principles (September 2001) (accessible at http://www.privacy.gov.au/materials/types/guidelines/view/6582)
Guidelines on Privacy Code Development (September 2001) (accessible at http://www.privacy.gov.au/materials/types/guidelines/view/6482)
A Guide for Directors. Privacy and Boards: What You Don't Know Can Hurt You (May 2004) (accessible at http://www.privacy.gov.au/materials)
Register of approved privacy codes (accessible at http://www.privacy.gov.au/business/codes/#1)
Information Sheet 11 2001 -- Privacy codes (accessible at http://www.privacy.gov.au/materials/types/infosheets/view/6543)
Information Sheet 13 2001 - The Federal Privacy Commissioner''s approach to promoting compliance with the Privacy Act (accessible at http://www.privacy.gov.au/materials/types/infosheets/view/6545)
Information Sheet 14 2001 -- Privacy obligations for Commonwealth contracts (accessible at http://www.privacy.gov.au/materials/types/infosheets/view/6546)
Information Sheet 16 2002 -- Application of key NPPs to due diligence and completion when buying and selling a business (accessible at http://www.privacy.gov.au/materials/types/infosheets/view/6546
Information Sheet 17 2003 -- Privacy and personal information that is publicly available (accessible at http://www.privacy.gov.au/materials/types/infosheets/view/6549)
Information sheet 18 2003 -- Taking reasonable steps to make individuals aware that personal information about them is being collected (accessible at http://www.privacy.gov.au/materials/types/infosheets/view/6550)
A complete list of information sheets can be found at http://www.privacy.gov.au/materials/types/infosheets?sortby=32
A snapshot of the Privacy Act for small business (December 2002) (accessible at http://www.privacy.gov.au/materials/types/brochures/view/6052)
A privacy checklist for small business (December 2002) (accessible at http://www.privacy.gov.au/materials/types/brochures/view/6053)
A guide to privacy for small business (December 2002) (accessible at http://www.privacy.gov.au/materials/types/brochures/view/6051)
My Health, My Privacy, My Choice - A consumer's guide to health and privacy information (November 2002) (accessible at http://www.privacy.gov.au/materials)
Health Information and the Privacy Act 1988 - A Short Guide for the Private Health Sector (January 2002) (accessible at http://www.privacy.gov.au/materials/types/brochures/view/6522)
Some Privacy Issues for Pharmacists (December 2001) (accessible at http://www.privacy.gov.au/materials/types/brochures/view/6519)
Some Privacy Issues for Doctors (December 2001) (accessible at http://www.privacy.gov.au/materials/types/brochures/view/6518)
Guidelines on Privacy in the Private Health Sector (November 2002) (accessible at http://www.privacy.gov.au/law/other/medical/#1)
Medical research - Section 95 of the Privacy Act 1988 (accessible at http://www.privacy.gov.au/law/other/medical/#2)
Medical Research - Section 95A of the Privacy Act 1988 (accessible at http://www.privacy.gov.au/law/other/medical/)
Attitude surveys - Office of the Privacy Commissioner
Community attitudes towards privacy 2004 (June 2004) (accessible at http://www.privacy.gov.au/aboutprivacy/attitudes/)
Business attitudes towards privacy in Australia (July 2001) (accessible at http://privacy.gov.au/materials/types/research/view/6613)
Community attitudes towards privacy in Australia (July 2001) (accessible at http://privacy.gov.au/materials/types/research/view/6614)
Government attitudes towards privacy in Australia (July 2001) (accessible at http://privacy.gov.au/materials/types/research/view/6619)
Health Records Information Privacy Act 2002 (NSW) (accessible at http://www.health.nsw.gov.au/csd/llsb/HealthRecordsPrivacy/index.html)
Health Records Act 2001 (Vic) (accessible at http://www.austlii.edu.au/au/legis/vic/consol_act/hra2001144/)
Health Records (Privacy and Access) Act 1997 (ACT) (accessible at http://www.austlii.edu.au/au/legis/act/consol_act/hraaa1997291/
Information Privacy Act 2000 (Vic) (accessible at http://www.austlii.edu.au/au/legis/vic/consol_act/ipa2000231/
Information Act 2002 (NT) (accessible at http://notes.nt.gov.au/dcm/legislat/legislat.nsf/d989974724db65b1482561cf0017cbd2/306b17e5e75d2ff069256e99001ba1fb)
- Privacy and Personal Information Protection Act 1998 (NSW), Information Privacy Act 2000 (Vic), Health Records (Privacy and Access) Act 1997 (ACT), Information Act 2002 (NT).
- http://esvc000636.wic004u.server-web.com/resolution.asp and 2004 conference in Poland: http://26konferencja.giodo.gov.pl/data/resources/AbramsM_pres.pdf
- http://www.privacy.gov.au/materials includes these and other statistics about complaints and enquiries.
- Information Sheet 17 2003 - Privacy and Personal Information that is Publicly Available at http://www.privacy.gov.au/materials
- Seven Network (Operations) Limited v Media Entertainment and Arts Alliance FCA 637; and Kadian v Richards NSWSC 382 (22 June 2004)