
'Light Touch' or 'Soft Touch' - Reflections of a Regulator Implementing a New Privacy Regime - Paper



Delivered at National Institute of Governance - Canberra and Committee for Economic Development of Australia - Melbourne

Malcolm Crompton Privacy Commissioner

Introduction(1)

When I became Privacy Commissioner in April 1999, few people could have imagined the dramatic changes in the environment that have taken place by the end of my term. This is symptomatic of the times, and the tough environment, in which many regulators must operate.

The approach that the Office of the Privacy Commissioner has adopted to regulating in this environment was strategic and deliberate. It scanned the environment and then set its course. Having taken this course, it seems appropriate and timely to take stock of whether or not the Office's approach was successful.

The Office's approach to regulating privacy has caused some controversy. For example, has the Office been in the pocket of the big end of town or has it failed to act sufficiently strongly against organisations that breach provisions of the Act? Or has the Office in fact taken too tough a stance, as has been claimed elsewhere?(2)

This can partly be attributed to the mix of the light touch nature of the private sector legislation the Office was given to implement as well as the Office's particular approach to its implementation.

In order to achieve their aims, governments must be able to make decisions and give effect to their decisions. They are held to account for their decisions and actions and hold to account their agencies and other agents.

The last three decades in Australia have seen enormous focus on reform to improve performance and accountability of governments and their instrumentalities, starting with the Whitlam Government. Almost all of this reform has focussed on two sectors: policy formulation and decision making; and service delivery. Service delivery reform has included significantly increased reporting obligations and budget reform, specific reform packages and frameworks for government business enterprises and other service delivery bodies, privatisation, and outsourcing.(3)

With few exceptions, however, these reforms have paid little attention to the performance of a very important 'third sector' in the machinery of government. This third sector is the sector that regulates the activities of others but delivers little itself directly. Considerable analysis of the impact of regulation has been undertaken over the years, including by the Productivity Commission and its predecessors, but very little of the impact of the regulators. Yet this sector may even have equal or greater impact on daily lives than the other two sectors, in either social or economic terms. Arguably, exceptions to the lack of reform in this third sector are the administrative law reforms (Administrative Appeals Tribunal Act 1975, Ombudsman Act 1976, Administrative Decisions (Judicial Review) Act 1977 and Freedom of Information Act 1982). The imminent report on the review into the corporate governance of Commonwealth statutory authorities and office holders, being undertaken by John Uhrig AC,(4) may also impact on the performance of regulators. This is not to say that specific regulatory bodies have not been subjected to reform at various times (for example a number of the transport regulatory bodies or the Financial System Inquiry chaired by Stan Wallis). However, as a sector, public management reform has largely passed it by.

The purpose of this paper is to reflect on a possible framework for measuring the performance of a regulator, then assess the last five years of the Office of the Privacy Commissioner against it.

However this cannot be done without some understanding of the particular environment in which the Office found itself and the strategic path the Office chose to take in response to this environment. The paper gives examples of events and situations that have arisen during the last five years to discuss the Office's performance against the framework. Finally, having considered these measures and how the Office performed against them, the paper briefly discusses how the future might look for a privacy regulator seeking to promote a culture that respects privacy.

What is a regulator?

A preliminary question when considering these issues is: what exactly is a regulator? The dictionary says that to regulate is to control, govern, or direct by rule or regulations, to subject to guidance or restrictions. These suggest that regulators would very often have rules or laws as background to their powers and functions which they use as a basis to guide, control, direct, or restrict behaviour. Using this as a guide, one might say that courts and tribunals are not regulators because they are arbiters rather than controllers or guiders. However, many regulators have powers that do, or have in the past, come very close to judicial powers. The Administrative Appeals Tribunal might be seen as something in between. On the other hand, we have people in the Department of Finance and Administration using a range of budgeting and other tools to control or restrict spending and other behaviour. Are these regulators?

Rather than dwell too much on this question, all that is necessary is to note that it is a non-trivial question, and one that might be a worthy subject of more study. Such study would need to take into account what seem to be some common features that generally apply to regulators in Australia. From the statutes that establish regulators in Australia, these usually include:

  • some level of statutory independence from government, for example, by providing that the regulator can only be dismissed in a very narrow range of circumstances and by limiting the extent to which the government can direct the activities of the regulator;
  • standard powers to conduct investigations, for example the power to demand evidence under oath, hold hearings, enter premises and seize documents, publish a report; 
  • indemnity, full or partial, from legal action against decisions taken, reports written or comments made; 
  • powers to arbitrate or make decisions, although because of the Brandy High Court decision,(5) at the Federal level at least, these cannot be binding.

In many instances, though, the source of funding is not independent, for example being set in annual government budgets or collected via industry levies at rates set by government. The US Federal Reserve is a notable exception because its source of funding is independent of Government.

Well known regulators established by the Australian Government include:

Environmental scan

No regulator operates in a vacuum. Its ability to act and what those actions are will always be influenced by the environment in which it operates. A key argument in this paper is that it is not possible to measure the effectiveness of a regulator unless the range of environmental factors that can affect its operations is taken into account. This has been referred to as the 'authorising environment',(6) which includes both the formal sources of authority such as laws which establish the powers of regulators, and informal sources of authority, which are a wider set of influences which shape the regulator's capacity to exercise power. This is not to say that the regulator cannot influence this environment, and it may even be an important role for the regulator to do so.(7) However, there are some environmental factors over which a regulator may have very little control. Set out below are some of the factors which influence the capacity of a regulator to exercise power.

The law

Regulator powers

One key factor is the law with which the regulator works. Some regulators have very prescriptive laws, infringement of which can bring heavy criminal penalties. The law may have very extensive powers of investigation, search and seizure, auditing and monitoring. These days, there is a definite trend away from this approach to changing behaviour, especially if it impacts upon businesses.(8) This is partly a response to the difficulty of regulating behaviour in a varied, rapidly changing economic and technological environment. Prescriptive law can also lead to a focus on form over substance rather than achievement of the law's actual objectives. It also reflects a desire to limit red tape applying to businesses.

The private sector provisions(9) of the Privacy Act 1988 are very much a creature of this trend. The legislation was heralded by the former Attorney-General as implementing 'the government's commitment to promote a light touch, co-regulatory approach to privacy protection'.(10) This light touch approach has manifested itself in the form of a principles based, rather than a prescriptive approach, to changing behaviour for the private sector at large. The core of this approach is set out in the National Privacy Principles in the Privacy Act combined with the provision for privacy codes to replace these principles if they are 'at least the equivalent'. It also meant that the Privacy Commissioner was given, in relation to most aspects of the private sector, no monitoring or audit powers, and limited powers of enforcement, even compared with earlier areas of coverage of the Act, including Australian Government agencies and the credit sector. Enforcement of the new private sector privacy provisions comes basically via a complaint based system with a power to conciliate or make a determination to resolve the complaint (including compensation but no power to impose fines) that can be enforced by taking the case to court if necessary.

Although there may be good reasons for a less prescriptive approach, this kind of legislative regime leaves regulators with substantial uncertainty and ambiguity as they go about implementing and enforcing the law, especially in the early phases. In the case of privacy, where the right to privacy is neither unlimited nor absolute,(11) this ambiguity is further increased and it means that privacy regulators must go about their role

'knowing that to a greater or lesser degree what constitutes public value or 'good performance' in privacy protection is a contested notion. They must be conscious that there is not necessarily widespread understanding or agreement about ultimate goals and the appropriate scope of the regulator's authority.'(12)

Extent of independence provided for

A regulator may have a greater or lesser degree of independence depending on the provisions in its establishing law. A regulator will have a wider scope to act independently and without fear where its governing law has provisions that restrict the conditions under which the regulator can be removed and limit the extent to which external parties can direct its activities.

The Privacy Commissioner has a considerable level of independence, including:

  • Protection from civil actions and against being sued etc, as set out in Part 5 of the Privacy Act;
  • Very limited circumstances when a Minister or the Government can issue a direction to the Commissioner (eg to report to the Minister on certain investigations, audits etc under s.30,31 and 32 of the Act);
  • Appointment for a fixed term of up to 7 years; strict limitations on when appointment can be terminated; remuneration fixed by the Remuneration Tribunal etc, as set out in Part 4, Division 1 of the Act (without performance pay or other incentives that might be used to attempt to persuade).

Developments in the legal framework across borders in Australia

For many years, there has been a trend of increasing cooperation between the Federal, State and Territory jurisdictions in many areas of public administration, ranging from the informal to the formal, including formal referral of powers (usually 'to' the Federal level rather than 'from'). This can sometimes be a very slow process. The gradual reform of corporations law from the 1970s through varying cooperative schemes until the current Australian Securities and Investments Commission was formed is one of the classic examples of such change.

One area where this trend has become particularly apparent in recent years is in law enforcement, including in areas that support it. This has developed in a number of guises. CrimTrac, for example, is a body where much of the cross-border operating arrangements are established by an Inter-Governmental Agreement signed by all Australian police ministers.(13) The Australian Crime Commission, on the other hand, is established under the Australian Crime Commission Act 2002. The evidence to date suggests that more attention has sometimes been given to the establishment of these bodies and associated working arrangements than to ensuring that corresponding transparency and accountability arrangements are in place. A reasonable test of the latter might be that they are at least equivalent to the transparency and accountability obligations that would operate if such arrangements were contained within one jurisdiction. The recent Cross-Border Investigative Powers for Law Enforcement Report(14) prepared by the Joint Working Group on National Investigation Powers of the Standing Committee of Attorneys-General and Australasian Police Ministers Council appears to have similar weaknesses, indicating that, unchecked, the trend could continue. This trend poses major challenges for all regulators operating in this environment.

In the case of privacy, this weakness has recently been recognised. It was first brought to light in the report of the Independent Review of Part 1D of the Crimes Act 1914 - Forensic Procedures.(15) That report raised major accountability and regulatory issues for privacy regulators whose legislation constrains their jurisdictional areas of operation to a particular State's or Territory's agencies. As a consequence of this report, the Standing Committee of Attorneys-General has asked Australia's Federal and State Ombudsmen and Privacy Commissioners to report to them on how to redress the balance.

There are a number of other initiatives, for example relating to increasing the integrity of identity documents, which involve both public and private sector organisations and which will pose similar problems for achieving redress, transparency and accountability when things go wrong.

Resources Available

How the regulator is resourced is a significant environmental influence. In most instances, as noted earlier, resources are provided by the budget, which is driven by the law and public policy. However, regulators also must be aware that additional resources can be obtained in a number of ways. They may or may not come with 'strings attached' and may be brought under direct control or be available through indirect influence in a number of ways. For example, it may be possible to gain additional resources via a research grants body or for undertaking additional work in a particular area. Alternatively, it could include selling a component of its activities to outside sources, joining in partnership with other organisations to carry out activities, or persuading other organisations to use their own resources to carry out activities that promote the regulator's objectives.

Very importantly, though, the extent to which the regulator can act ethically and manage any potential conflicts of interest will have an impact on whether, and in what contexts, it can draw upon these external resources. For any regulator, integrity has to be a make or break consideration under all circumstances if credibility as an independent body is to be maintained.

Government expectations

As was the case with the introduction of the new private sector provisions of the Privacy Act, Government can be explicit about its expectations of the way the regulator will discharge its functions. This can be legitimately expressed, for example, in actual provisions of the legislation, in supporting documentation such as the Explanatory Memorandum and Second Reading Speeches, or elsewhere. These expectations obviously impact on the environment of a regulator. They affect the strength of the law that the regulator must work with, and they strongly influence the level of financial support the regulator can attract. Especially where the regulator is working with a law that has ambiguity in the method of implementation and enforcement, government expectations also inevitably affect the extent to which the regulator is expected to operate at the more controversial ends of the spectrum of options, or whether it must adopt the more middle range of the options for implementation and enforcement.

Clearly, a regulator, at one level, can choose to adopt any of the range of options that its governing legislation will allow it to. However, a regulator seeking to be effective according to the measures outlined here may need to consider whether a regulator that has unduly alienated key stakeholders, including government, is likely to be able to continue to influence its 'authorising environment' and achieve any realistic changes to the behaviour sought to be regulated.

In the case of implementing the new private sector privacy legislation, which has a great deal of ambiguity in the way it could be implemented and enforced, the Office made the strategic decision that it would take the course of providing a 'clear and balanced' approach to implementing and enforcing the new private sector provisions. The Office did this in the strong belief that this would be the most effective option. Its approach to compliance is consistent with this philosophy and was spelt out before the private sector privacy provisions came into effect, in Information Sheet 13-2001, The Privacy Commissioner's Approach to Promoting Compliance with the Privacy Act.(16)

Public expectations, including as expressed through media

Public expectations can and should also have an impact on the activities of a regulator. Despite the fact that regulation in a particular area is aimed at protecting or promoting the rights or welfare of the community, a regulator cannot necessarily assume that acting in a particular way to enforce the law rigorously will necessarily get public support. A further complication is that research shows that there can be considerable difference between what members of the public claim to be their attitudes and the way they actually behave.(17)

In the case of privacy, which is very contextual and individualistic, this is a particular issue. What appears to be a breach of privacy for one particular individual may be regarded as an essential activity for another individual. Inflexibly enforcing the law could result in privacy being seen as simply making life bureaucratically difficult, or even unsafe, for some people and could bring the law into disrepute. In this context, the degree of public support can be strongly influenced by the media. At the time the private sector privacy law in Australia came into effect, it was clear that the media in New Zealand had a significantly negative attitude to private sector privacy law in that country.(18) As a result, the privacy law was constantly being blamed for a whole range of adverse events that were in fact a result of other failures, including a failure of common sense and buck passing.

Local events, particularly those that capture extreme public attention, can have a major impact on the degree of public support for the regulator's activities. Even where the regulator had considered that it was implementing best practice, it can find that expectations turn, as in the case of the NSW Health Care Complaints Commissioner, which was using 'no blame' techniques to improve practice only to be strongly criticised for not having paid particular attention to naming those to blame.(19) This is also a constant dilemma in the work of bodies such as the Australian Council for Safety and Quality in Health Care.

Global environment

Global events and environments can also have a substantial impact on whether a regulator can or cannot act in particular ways or take up particular policy positions.

In the case of privacy, the stand out event was clearly 11 September 2001. In the aftermath of this event the balance between what was regarded as necessary to protect security and what was regarded as an acceptable trade off in terms of loss of privacy suddenly and dramatically shifted. Legislation was introduced, and passed, that even in the months before the event would have been regarded as beyond the pale in terms of privacy invasion. The Office quite properly had to respect the shift in perceptions about the appropriate balance that was caused by this tragedy. The Office was also duty bound to ensure that all sides of the argument were aired, consistent with its approach of projecting a clear and balanced voice in all circumstances, for example, in submissions on such legislation. This includes calling for a long term perspective and wherever possible seeking 'sunset' clauses to measures that compromise civil liberties in a way that may not be necessary when an emergency has passed.

These developments have also led to significant initiatives to improve international cross border data flows of personal information seeking to combat terrorism. This coincides with the increasing evidence of a growing problem with 'cyber-crime', including claims that some of it is used to finance terrorism. Responses have been bilateral and unilateral. The most notable unilateral initiative has been that of the USA in wanting to obtain a lot more information about incoming air passengers, to retain that data for very long periods, and to use it and disclose it for seemingly unlimited purposes, including sharing it among government agencies. The international reaction has been strong, but has ended up in considerable concessions being made.(20) Australia has also legislated to facilitate the international exchange of personal information between customs and other law enforcement bodies.(21)

On the other hand, there is no doubt that the Office's ability to be heard in relation to direct marketing and use of people's publicly available information has been considerably strengthened by the huge public response in the USA to the Federal Trade Commission's 'do not call register'.(22)

The move by the FTC to set up a do not call register has changed perceptions about what the community will tolerate. In the first 6 months of operation, over 55 million phone numbers have been registered with the do not call service, covering about a half of the adult population.(23) This demonstrates an enormous pent up demand for more government activity in this area. Although it is not altogether clear that telemarketing has reached so far beyond community tolerance in Australia, it has, I think, created an environment in which calls for stronger measures are likely to get a better hearing. It has opened the way for policy arguments for measures that give consumers greater control over their publicly available information, such as that in various telephone number directories, and greater transparency about what is done with it. The Australian Communications Authority has announced that it will be issuing a telecommunications industry standard that would clearly set out what customer information in the Integrated Public Number Database (IPND) can be used for and would ensure proper and authorised use of the data in the future. This reflects the ACA's conclusion that "consumer information [was] being used for purposes which the ACA believes are beyond the scope of current authorised uses and the expectations consumers have about how their personal information will be used".(24)

The fluctuating environment for the privacy regulator can also be seen in the rise and fall of the 'dot.com' industry. Early in my five year term, the dot.com industry was in full flight and very gung ho. It was causing major privacy concerns, leading the FTC to begin to call for privacy legislation in the USA.(25) In Australia, this concern was a factor in the government's move to introduce private sector privacy legislation.(26) However, even by the time the legislation came into effect in December 2001, the immediate threat to privacy from this source appeared at least in the public's eye to be much less in the face of the dot.com crash and a severely chastened industry. There was therefore much less support for the Office to respond so dramatically in this area.

Market forces

Market forces can have a considerable impact on the extent to which those regulated are willing or able to comply with the law. Where businesses feel that there is a competitive edge to be gained in complying with the law, or a real competitive business risk (for example, to branding) if they do not comply, they are more likely to make an effort to comply, and comply well, with a law. On the other hand, where competition is not a factor in a business's operations, particularly when combined with a low risk of the law being enforced against them, there is little incentive for a business to make any effort to comply conscientiously with the law.

In the case of privacy, a good example of where there is no interest at all in compliance per se is businesses involved in spam. Poor branding image is not a concern. The only issue for these businesses is whether the act of spamming pays. Technological barriers have had some effect but not a lot. Failure to comply with the law has also had minimal impact on their operations - to date the risk of being caught has been very low. But can the combination of improved technology, stronger enforcement of stronger laws, public education and more direct economic measures combine to beat this scourge of the internet? Only if it actually reduces the payback ratio.(27)

Extent of technological change

Rapid technological change has had an impact on most areas of regulation, from the impact of converging communications and broadcasting technologies on media laws to the control of consumer access to pharmaceuticals via online merchants to the advent of online auction houses (eBay) and booksellers (Amazon).

Privacy issues are no more immune to these developments. In the last five years, technological developments have transformed the privacy environment. In 1999 spam was barely on the radar as a problem except for the e-literate cognoscenti. As just noted, it has now become such a scourge from both privacy and other points of view that it has warranted bringing a whole range of strong legal, technological and market forces to bear on it. Mobile phone technology including SMS messaging, capturing of pictures with a mobile phone then instantly sharing them globally, and the many devices which now report an individual's location, including mobile phones, Global Positioning Systems and G-NAF, were not yet in widespread use in Australia.

Now we are worried about individuals taking photos in changing rooms, people being marketed products when they approach a relevant outlet, and parents being able to track down their errant teenagers at the drop of a hat. RFID chips were not on the horizon, yet now manufacturers and developers of the chips are wearing the consequences of widespread outcry at the possibility that information about individuals' buying and other habits could be minutely collected and studied.(28) The expanded use of biometric technology was in its infancy. Now it is to be used routinely for many purposes, including for checking people entering and leaving the country in many nations of the world.(29) Gene technology and the very privacy of an individual's complete genetic makeup and disposition potentially are at risk from such details being put widely on display.(30) Significant further capacity has developed to collect and manage data sets as well as to analyse or 'data mine' such information. The movement of court records into the electronic and online environment is a significant example which has given rise to the dilemma of seeking to create greater transparency in court processes at the same time as managing the new privacy issues such greater accessibility creates.(31)

Allan Fels has similarly pointed out how the 'default' protection and 'practical obscurity' of clunky paper based systems is no longer universally present and how the new default position is becoming widespread sharing of private information, with protection only occurring if we elect to obtain it.

'Judgements about what constitutes appropriate regulatory intervention will very clearly shift over time as the technological environment shifts. Constant technological change means that 'best practice' for privacy regulators must change too. What is an effective approach this month, may well be redundant due to technological changes only one month later.' (32)

Finally and very significantly, these technological developments have meant that the movement of personal information is no longer limited by national boundaries, notwithstanding some brave attempts to do so, such as the so-called 'Great Firewall of China' that is aimed at restricting domestic access in that country to foreign websites. The increasingly 'porous' nature of national borders to personal information adds considerably to the difficulty in providing an enforceable, legislative basis for protecting privacy, as illustrated by the spam example discussed earlier.

In short, developments in technology may well be the most significant of all the environmental factors impacting on effective regulation of the data protection of personal information, a fundamental aspect of privacy. Was Scott McNealy right in early 1999 when he said that "you have zero privacy anyway -- get over it"?(33)

What are the marks of a good regulator?

As noted at the beginning of the paper, the performance of the regulator has not entered the mainstream of public management reform work in the same way as it has for the other sectors, policy/decision making and service delivery. Outside of academia(34), it would seem that not a lot of work has been done in Australia on how to measure whether or not a regulator has done a good job. The Productivity Commission is a notable exception.(35) However, the focus is often on the nature of the legal structures and the economic incentives they create as opposed to whether, within the bounds of the law and surrounding environment, the regulator itself has performed well or badly.

At the moment it appears that regulators are often measured by the political expediencies of the times, for example, by the amount of unwelcome noise received from key stakeholders. This noise may or may not have anything to do with the effectiveness and efficiency of the regulator. At a conference on privacy recently it was suggested that being a privacy commissioner is better done in the later stages of one's career. This is probably so in the case of many other regulators, who nearly always find themselves between a rock and a hard place in carrying out their duties. It would seem useful in this environment to have some kind of agreed measures about what makes an ethical, effective and efficient regulator, as a buffer to these uncertain forces.

Failure to meet these kinds of tests has been brought home particularly to privacy regulators over the last year. The Privacy Commissioner of Canada was forced to resign in disgrace over unethical behaviour.(36) The processes leading up to his resignation and the associated audits and inquiries are still having an enormous adverse impact on the ability of his successor to introduce private sector privacy legislation there.

At the highest level, in terms of 'what' a regulator might be aiming to achieve, it is often some notion of acting in the 'public interest'(37) or delivering 'public value' in the terms of the Fels paper.(38)

Just as important, though, is 'how' a regulator delivers. It must be ethical, effective and efficient, in that order of priority. This is by no means a new concept, nor exclusive to regulators. For example, similar concepts are clearly also at the top of the minds of those currently concerned with corporate governance. The goal that James Hardie Corporation sets for itself in its Annual Report 2003 captures these ideas well, where it states that:

"We believe that the primary focus of good corporate governance should be clearly fixed upon the achievement of outstanding performance in an ethical manner where high quality outcomes are achieved and where integrity is clearly evident."

In discussing 'what is good regulation' (as opposed to 'a good regulator'), the Chairman of the Productivity Commission puts it this way:

Finally, it [regulation] needs to be administered by accountable bodies in a fair and consistent manner. Governance arrangements for regulators are clearly a big topic in their own right and currently under review at the Commonwealth level. Apart from the nature of reporting responsibilities (to a Minister or the Parliament) and the scope for judicial or administrative review, important features of good governance include clear statutory guidance, transparency of both process and judgement, and public accessibility.(39)

However, this statement of principle is not developed much further.

This part of the paper outlines the start of a framework to fill out how a regulator's performance might be tested for the extent to which it is ethical, effective and efficient. In outlining these measures, it should be noted that they should not be treated as a check list that each regulator must tick off to be given full marks. No regulator will be able to star on all of these, all of the time. Rather, they can be seen as matters that regulators and those assessing their performance will need to balance against each other in a holistic way. For example, a regulator might need to consider how to exercise independence, but in a way that will enable it to continue to engage with stakeholders effectively while still maintaining integrity. In summary, it seems to be a matter of how well a regulator manages to keep the 'balls' (or measures) in the air (at varying heights) without dropping them all at once.

It is also worth reiterating that even with these measures, the beauty of the regulator will remain, to some extent, in the eye of the beholder and seen through the particular lens of interests that preoccupy that beholder.

Some measures are objective, for example, speed of response, some are subjective, for example, whether people consider their lives have improved. Regulators and those assessing their performance will therefore need to adopt a range of tools to evaluate their performance against the measures outlined below.

Finally, the difficulty of separating performance from the nature of the task as set in law and bounded by the real world environment should not be under-estimated. Clear thinking on the impact of the regulator separately from the impact of the regulation is essential.

Economic impact

The activities of a regulator always have the potential to have an impact on economic activity and economic outcomes. While much of the economic impact may be inherent in the law itself (ie the regulation), it is still important to see if it is possible to measure the additional impact, either way, of the performance of the regulator. It would certainly seem to be appropriate for a regulator to be aware of this potential and to take into account the macroeconomic and microeconomic effects of its activities and decisions.

The regulator should be aware that it may have an impact on the size of the economy (allocative impact) and it may also have an impact on the distribution of economic resources. The impacts may be direct or indirect, positive or negative, and intentional or unintentional. As noted earlier, assessing these impacts is therefore by no means a straightforward matter. For example, enforcement activity taken by a consumer protection regulator may have the direct impact of reducing the size of the economy by shutting out the more innovative who are also fly-by-night, poor quality operators or running scams. This is an intentional and desirable economic impact. An indirect consequence, however, could be that consumers enter into more transactions as a result because they are now confident that they can do so without being ripped off, thus contributing to economic growth.

A regulator helps to avoid the unintended consequences of its decisions by paying attention to the practical impact of its decisions. Decisions that do not take into account the way a particular sector or constituency works, and whether it is going to be able to implement the decision within the constraints under which it operates, are likely to have adverse economic consequences without necessarily achieving the goal sought.

Measures of economic impact

Measures of a good regulator when evaluating economic impacts could be:

  • Regulator has had a positive impact on the economy (either allocative or distributive);
  • If the regulator has had a negative impact on the economy this is an intended consequence and is outweighed by either positive indirect economic outcomes, or positive social outcomes;
  • The regulator has a process for assessing and evaluating economic impacts;
  • Economic impacts are fairly distributed across the economic sectors;
  • Economic efficiency costs, caused by organisations or individuals having to meet bureaucratic requirements are minimised;
  • Decisions the regulator makes are practical, workable and able to be implemented by the constituency;
  • Regulator sought to harness market forces rather than oppose them, either by finding explicit pricing models that provide incentives to appropriate behaviour, or by helping businesses and others see the business case behind complying with the regulation or even going beyond that.(40)

This paper does not develop this area much further in light of the considerable body of work on the economic impact of regulation, other than noting once again the need to separate the impact of the regulator from the impact of the regulation.

Benchmarking against regulators with similar functions in Australia or elsewhere may be a good source of comparison for measuring a regulator's performance on these measures.

Social outcomes

Social outcomes are equally important. It is very hard to generalise given the range of objectives that different regulators are set. However, a few generalisations can be made. In particular, maximum impact is always desirable, so that even though a lot of the regulatory activity may be conducted on a case by case basis, the regulator should be looking for ways in which the rest of the community can learn (either what the desired behaviour is, or that inappropriate behaviour will eventually be stopped and is not worthwhile).

In particular, creation of a culture that respects the aims of the regulation will be far more effective than a culture limited to compliance with the law only to the extent that it can be, and is, enforced. This applies both to the individual citizen [whose own actions will always be a first defence] and to the individual organisation.

Measures of social impact

Measures of a good regulator when evaluating social impacts could be:

  • Regulator has a process for evaluating the social impacts of its activities;
  • As a result of the regulator's activities, most people consider their lives have changed for the better;
  • People are better able to exercise their rights in the relevant area;
  • People are willing and able to protect their interests on their own behalf;
  • People are more confident in the way they interact in the relevant area and less likely to be duped;
  • If there are unintended negative social impacts, the extent to which these are outweighed by other benefits such as economic benefits;
  • Social impacts are fairly distributed across the community;
  • The activities of the regulator broadly reflect public opinion;
  • Media have an informed and balanced approach to the area being regulated;
  • Those regulated have changed their behaviour to comply with regulatory requirements;
  • Those regulated see the benefits of changing their behaviour and would continue to do so regardless of the regulatory oversight (in the sense that the regulation should 'contain the seeds of its own destruction')(41).

Pursuing these kinds of social outcomes will usually require a range of educational and promotional initiatives, engagement in policy debates and engagement with the media. The ease with which a regulator can pursue the social outcomes expected of it may depend to some extent on the legislation under which it is operating and the expectations this creates. However, these are all very important primary tools of the regulator. Indeed, they may be the most important means of achieving regulatory goals. Arguably, therefore, they should be pursued whether or not there is direct power in the regulator's statute.(42)

In the absence of more direct measures of social impact, measures of output of such educational and promotional material may provide some indication of the level of effort being pursued by the regulator to achieve social goals.

Again, benchmarking against similar regulators in Australia or elsewhere may be a good way to test regulator performance according to these measures. Community surveys may be another.

Public accountability for resources

Like most organisations, regulators very rarely have unlimited resources at their disposal. By and large, resources made available to regulators are set by government, so they will never be able to do all the kinds of activities that might be desirable for a regulator to carry out to achieve optimal outcomes in the area regulated. It is therefore unreasonable to measure the performance of a regulator on the basis of whether it has carried out all the activities that a regulator should do, without also considering the quantum of resources it has had at its disposal.

However, while the base level of resources is set externally, regulators may have at least some capacity to source additional resources from elsewhere. In doing so regulators must act ethically and should be fully aware of the potential conflicts of interest and other pitfalls that can arise out of this kind of strategy. These, however, are not insuperable, and this paper will discuss below the strategies the Office adopted to address these.

In the final analysis, though, like most government agencies, a regulator is accountable for how the resources available have been allocated, ensuring that they have been used efficiently and ensuring wide public understanding of the implications of the level of resources allocated to it. If it discharges these accountabilities well, it should not otherwise be held accountable for the level of resources allocated to it - that is an accountability of the government.

Measures for accountability of resources

Measures used to assess accountability for the use of resources are therefore unsurprising and could include:

  • Regulator has a strategic plan that prioritises and focuses its activities;
  • The plan and the rationale behind the plan is widely known;
  • Regulator has adhered to this plan;
  • Regulator can account for how it has allocated and spent its resources against its plan;
  • Regulator has evaluated its plan;
  • Regulator has met all the usual obligations of financial management spelt out in the Financial Management and Accountability Act and the Audit Act;
  • Regulator has evidence that the resources are being used efficiently;
  • Regulator has explored means of increasing the pool of resources available to it;
  • Regulator has policies and procedures in place to ensure that the process for raising and using such additional resources is transparent, ethical and far above any implications that this source of funds could compromise its independence;
  • Regulator has made sure that all interested parties, including the government, the media and the public are aware of the implications of budget allocations.

Probably the only difference for regulators, compared with many other agencies (especially budget funded agencies), is the degree of emphasis on demonstrating that their independence has not been compromised in raising and allocating resources.

Independence, fairness, transparency and accountability in decision making

It is very important that a regulator acts fairly and in the public interest. It is the ultimate, make or break test of the performance of the regulator and is why tests of 'ethical' performance by the regulator precede tests of 'effectiveness' and 'efficiency'.

There are a number of aspects to ensuring and measuring performance in this area. Acting in a transparent, principled and consistent way is key.

Policy decision making

Transparency in policy making involves having an open process for development which includes participation by stakeholders in developing the decision making policy if the regulator has discretionary powers, providing information about the reasoning behind the development of policy and then widely distributing the policy and the rationale behind it. Tests such as these apply to the Privacy Commissioner, for example, in regard to the processes to be followed for approving codes that replace the National Privacy Principles under s.18BB of the Privacy Act, or Public Interest Determinations under Part VI of the Act that exempt a particular act or practice from meeting the requirements of one or more privacy principles.

Fairness in policy making includes listening to all the relevant stakeholders and then carefully reaching decisions on the basis of accepted criteria which consider all aspects that go into determining the public interest.

Similar considerations apply to circumstances where a regulator develops guidelines and information materials that may have an impact on the way its constituency operates, particularly in cases where the law is principle based rather than prescriptive.

Measures for independence, fairness, transparency and accountability in policy decision making

Measures for determining a regulator's performance in independent, fair, transparent and accountable decision making could include:

  • Regulator has recognised and publicly respected processes to enable public participation in policy development processes;
  • Participation in such processes takes into account those groups less easy to reach in public consultation processes;
  • Decisions are made based on the full range of criteria that go towards determining the public interest;(43)
  • Decisions have broad acceptance among key stakeholders;
  • The regulator has processes for making its policy and other decisions widely known and easily available, if necessary for years on end.

Approach to law enforcement

If it is a goal for regulators to ensure that those regulated comply with the law, or change their behaviour, then regulators should also make decisions in ways that facilitate understanding and learning. An important key to this is for the regulator to make decisions in a predictable and consistent way. It is only if those regulated know where they stand that they will be able to, and be prepared to, spend significant time and resources to actually change behaviour. Those regulated are much less likely to act if they cannot be reasonably sure that what they do will be compliant with the law, or adequately addresses the risk of non-compliance.

Measures for independence, fairness and accountability in approach to law enforcement:

  • Regulator has a well publicised and understood policy on how it will go about implementing and enforcing the law;
  • Regulator adheres to this policy;
  • Regulator has evidence on the levels of non-compliance;
  • Regulator has evidence of the effect of the policy on understanding and learning in the wider community;
  • Regulator does not change the policy unless the change is planned and well thought out, and then the reasons for the change and the new policy are well publicised.

Complaints handling

In the case of a complaints handling mechanism, it should be possible for the community and complainants to be aware of the process the regulator follows, and the regulator should follow the rules of natural justice. It should make efforts to publish the outcome of, and reasoning behind, the cases it handles and keep and publish statistics about these things. Publishing case notes for some or all cases decided, for example, is an important way of achieving transparency when cases are not aired through the court process.

Where a complaints handling mechanism is based on Alternative Dispute Resolution (ADR) techniques, maintaining fairness and transparency while meeting the objectives of an ADR approach is more complex. A balance has to be struck between ensuring resolutions are as transparent as possible and fall within an acceptable outcome range on the one hand, and encouraging the parties to reach a mutually acceptable settlement without being too bogged down in technical details about precedent and other comparisons on the other. This is an argument for being discreet and publishing only extracts of a limited number of de-identified cases.

Measures for independence, fairness, transparency and accountability in complaints handling

A lot of thought has been given over the years to ensuring that a complaints handling body meets criteria such as these. This work has been summarised into the 1997 Benchmarks for Industry-Based Customer Dispute Resolution Schemes.(44)

Measures for determining a regulator's performance in independent, fair, transparent and accountable complaints handling processes could include:

  • Regulator ensures that the community, and in particular complainants, can easily find out about the process it follows when handling complaints;
  • Regulator has effective processes to ensure that it handles complaints in an impartial fashion;
  • Regulator adopts best practice standards in dispute resolution when operating as an alternative dispute resolution body;
  • Regulator administers complaint handling role in accordance with the administrative law framework and in particular complies with the rules of natural justice when handling complaints;
  • Regulator has processes to deal with any power imbalances between the parties when investigating and conciliating complaints;
  • Regulator is as open as possible about the outcomes of the complaints it handles and the reasoning behind the decisions it makes about resolving complaints;
  • Regulator regularly benchmarks complaint outcomes, including compensation agreed between the parties or specified in a formal decision of the regulator, against those of similar complaints handlers;
  • Regulator has mechanisms for monitoring its complaints case loads and processes for independence, fairness, efficiency, consistency with other equivalent complaints handlers, and for trends in complaints that might indicate privacy issues that might be addressed at a systemic level;
  • Regulator selects staff with relevant skills and experience and provides training and support for its staff.

Active engagement in policy formation

On one view, it might be said that the regulator should simply enforce the law that governs the area it is regulating and that it is the role of other bodies to develop the policy that underpins the law and the way it is implemented. However, particularly in areas where the law underpinning the regulation is principle based, light touch, or best practice based, this view is hard to sustain. Few other bodies are going to have the detailed day to day knowledge of the area to be regulated to make workable decisions in this area. In fact it could be argued that the regulator is best placed to engage in policy debate about the area regulated, and that doing so is a key way that a regulator can be effective.(45) In doing so it is important that such engagement is undertaken with a clear and balanced voice that is not unduly influenced by any particular stakeholder perspective.

Measures of active engagement with policy debate

Measures of active engagement with policy debate could include:

  • Regulator engages with the media and with government policy development as issues arise;
  • Regulator has successfully influenced policy outcomes;
  • Regulator views are regularly sought by key stakeholders and regulator is seen as expert in regulated area.

Ensure clear respect for the law by all parties

A law that is seen to have little impact or is not acted upon is not going to be held in respect. This may present problems for some regulators, as it has been observed that:

'. . . it is common for legislators to pass 'symbolic' laws. In reaction to developments in society, emerging pressure points and influence from lobby groups, parliaments do sometimes pass laws to ensure that they are seen to be 'getting something done'. It is surprisingly common how often they are subsequently prepared to allow these laws to be sidelined and not vigorously enforced. The influence of lobby groups or budget constraints are major factors here. Politicians feel more comfortable if these laws are not enforced too strongly.(46)

It could be argued that the best way to ensure that respect for the law is maintained is to enforce the law rigorously and publicly.(47) However, this may not necessarily maintain respect for the law and may have unintended consequences that impact on other aspects of a regulator's performance. There may be other ways to ensure respect for the law. This may mean ensuring that the law is influential without actually going out and publicly punishing everyone who flouts the law.

Measures of respect for the law:

  • The law is held in respect by the community, for example as found by survey;
  • Media sentiment does not imply disrespect;
  • Audits, sample surveys and other evaluation techniques indicate general compliance with the law;
  • The law is not falling into disrepute because it is being applied mindlessly, especially when there is regulator discretion in its application (avoiding 'the law is an ass' criticisms).

Service provision

Where regulators provide services, be they complaints handling, a phone inquiry line or otherwise, it remains essential that the regulator provide efficient, responsive and transparent services.

Measures of efficient and good service provision:

  • Regulator has a Service Charter(48) which covers various service level response measures;
  • Regulator has ways of measuring effectiveness of service provision and customer satisfaction with this;
  • Regulator complies with the Service Charter, including by publishing performance results regularly;
  • Service is accessible to disadvantaged groups;
  • Regulator reviews services on a regular basis and revises approach as a result.

Milestones and initiatives 1999-2004

Strategic plan - set approach to regulation

When I started my term as Privacy Commissioner in 1999, one of the first major activities the Office undertook was to develop a new strategic plan. This was essential to ensuring that the Office successfully carried out the major task ahead of implementing new private sector legislation. The Office developed its first strategic plan with key environmental factors in mind. As outlined above, at the time, these were:

  • proposed legislation that was likely to leave considerable ambiguity about what is actually required to protect privacy and how to approach enforcement;
  • government expectations about how the new private sector legislation was to be implemented and enforced;
  • the relatively small size of the Office with new national responsibilities;
  • a complex picture of public expectations;
  • a rapidly changing technological environment.

The Strategic Plan 2000(49) had a number of key features that responded to these factors.

Creating a culture that respects privacy

The Strategic Plan 2000 set the Office a clear purpose: to promote an Australian culture that respects privacy. This reflected an Office ambition to achieve an outcome that encompasses but goes beyond enforcement of the law. This was consistent with the range of functions set out in s.27 of the Privacy Act which, in summary, include input to policy making and public education in addition to its compliance functions. It aimed to achieve change to people's lives by changing the whole culture in which organisations and individuals operate. A community that has a culture that respects privacy is a community that understands and accepts the values that underpin privacy and can apply them flexibly to the situation, rather than one that formulaically applies the privacy law regardless of the circumstances. This is very important given that privacy is very much defined by the context. Such a community will adhere to such values whether or not there is a regulator around to enforce the law. The latter is particularly valuable in the case of an Office that has limited resources. In any case, there was a clear expectation on the part of the Government that the new private sector privacy scheme should be light touch and implemented in a way that reflects this.(50) Taking steps to create understanding of the value of privacy of itself involves, wherever possible, taking a carrot rather than a more heavy handed stick approach to achieving change in the privacy area.

In this way, this approach also sets out to harness market forces to the maximum extent rather than oppose them. A community that expects and demands its services be provided in a way that respects privacy will react positively to organisations that meet this demand. As I stated in the introduction to the plan:

'My Office is keen to work with others to develop privacy platforms and solutions that give the Australian community confidence in their use of new technologies.'

Partners in developing and promoting privacy solutions

The strategic plan reflected the clear expectation that the private sector scheme should be 'light touch' rather than heavy handed regulation by aiming to ensure that the Office would be known as 'partners in developing and promoting privacy solutions'. It indicated the Office's intention to work with business and other stakeholders to get privacy right rather than punishing organisations when they get it wrong. By referring to solutions, it also reflected the very contextual and dynamic nature of privacy, the complex factors involved in implementing privacy and the need to think creatively and practically about how best to implement privacy in the particular circumstances. What is right in one circumstance will not necessarily be right in other circumstances. It also signalled the Office's intention to take a participatory approach to developing policy.

This aspect of the strategic plan also reflected the resources likely to be available to the Office to implement the scheme. In the end, it received approximately $1.4 million in additional annual funding, on top of its existing budget of $2.1 million, to implement the new private sector regime nationally. It was therefore essential that the Office target its resources very carefully and adopt strategies that might widen the pool of resources by seeking partners in carrying out its work. The strategic plan also reflected this partnership approach by seeking as an operational focus to 'develop a network of partners and information to ensure that privacy solutions are delivered in all parts of the community'. In addition, one of its key focuses was to develop a network of influence across the community, including by establishing 'a network of people and organisations ready to support implementation of privacy solutions'.(51) Using all these strategies the Office sought to achieve maximum influence and outcomes from its limited resources.

A clear and balanced voice on privacy principles

Given the principles based nature of the proposed regulation, there was a real risk that businesses and other organisations would be left with a great deal of uncertainty about what they should do to implement privacy and how to ensure that they comply with the principles. The strategic plan acknowledged this risk by setting a goal of providing a clear voice on the principles. This signalled the Office's intention to present a considered and unambiguous view when providing guidance. In seeking to have a balanced voice, the strategic plan was acknowledging the fact that the right to privacy is not an absolute right. The Office undertook to develop positions that respect personal privacy while taking reasonable account of broader community interests that may conflict with privacy principles.

A comprehensive understanding of current community perceptions of privacy

The Office was aware that it would not be possible to create a culture that respected privacy if it did not have a baseline understanding of what current community perceptions of privacy were. This was likely to be complex. As a result, the strategic plan includes as a key result area a need to have a comprehensive understanding of current community perceptions of privacy.(52)

Risk-management framework

In seeking to focus its efforts within its limited resources the Office also sought to adopt a 'risk management framework'. Using this framework was intended to harness the Office's skills and experience (and those of the Office's counterparts overseas) to identify the areas in Australian society that generate the most pressing privacy issues and to allocate the Office's resources to where they could do the most good.

Private sector privacy provisions came into effect

New law

On 21 December 2001 the private sector provisions of the Privacy Act came into effect. Key features of the legislation were:

  • Extending coverage of the Privacy Act to many private sector organisations beyond credit reporting;
  • National Privacy Principles (NPPs);
  • A staged application of the legislation, first to larger businesses and all private sector health services, and a year later to those small high privacy risk businesses that the Act applied to;
  • Exemptions for other small businesses, political parties, acts and practices of media organisations and for employment related activities;
  • Strengthening of the direction that the Commissioner have: '. . . due regard for the protection of important human rights and social interests that compete with privacy, including the general desirability of a free flow of information (through the media and otherwise) and the recognition of the right of government and business to achieve their objectives in an efficient way;'(53)
  • Limited powers of enforcement: a complaints based system, the possibility of own motion investigations with no audit power and the power to require compensation but not fines;
  • Determinations to be enforced in the Federal Court;
  • Provisions for a unique kind of co-regulation in which industry organisations or whole industrial sectors can develop their own codes which the Commissioner can approve if, overall, they are at least equivalent to the NPPs;
  • Provisions for organisations to opt-in if they choose to do so;
  • New provisions governing Commonwealth Agency outsourcing.

This generated a need for extensive guidance on how the new provisions were to work and who they would and would not apply to.

Baseline community research

Between February and June 2001, using qualitative and quantitative research, the Office investigated the current understanding, behaviours and attitudes of individuals, businesses and federal government agencies in Australia towards privacy, and sought to identify emerging trends. This research has helped the Office to take a highly focussed approach to issues and communications management to ensure all Australians and organisations are aware of their new privacy rights and responsibilities. This research will also be able to be used as a benchmark against which to compare future research results and to inform policy making and service provision.

A reference committee consisting of key stakeholders, sponsors and members of the Office was established to provide broad guidance for the project. The committee provided feedback and broad direction and was given the opportunity to guide the research tools and examine both the interim reports and the final reports.

For the community research, the methodology included six focus groups and a national CATI survey (Computer Assisted Telephone Interview) of more than 1500 Australian adults; fourteen in-depth interviews and five hundred and sixty telephone interviews for the business research; and four focus groups and eighty five self-completion questionnaires for the government research.

For the Privacy and Business and Privacy and Government components of the project, the Office sought sponsorship from both the private and the public sector in the form of partnership agreements. Assistance with resources was provided by four major contributors (Privacy Partners): Pricewaterhouse Coopers, the Australian Information Industry Association, Freehills and Centrelink, and a lower level Privacy Project Sponsor, the Australian Taxation Office. Support from these organisations meant that the Office was able to take a far more thorough look at the attitudes and behaviours of those organisations responsible for meeting the requirements of the Privacy Act. The partnerships were developed against a strict set of published criteria, the Office Partnerships Policy.(54)

The results of all the surveys are available on the Research page of the Office website.(55) The results of the Privacy and the Community Survey reflected a strong desire among the community to gain control over how their personal information was used. However, there remained a fairly low level of understanding about privacy and the existence of our Office, including how one could go about protecting privacy.

The Privacy and Business Survey results indicated that businesses were generally very receptive to the introduction of the new private sector laws, appreciating that the new legislation would deliver benefits to both business and their customers. However, at the time of the survey very few organisations appeared to be well enough prepared for the commencement of the legislation in December 2001. These findings indicated that further education and promotional activities directed towards the private sector were required. In the Privacy and Government Survey, Privacy Contact Officers (PCOs) generally rated their 'knowledge and understanding of the Privacy Act' as good. In contrast, most operational managers said that their privacy knowledge 'could be better'. Not all PCOs in the groups, and relatively few of the operational managers, were aware of the changes to the Privacy Act that were about to come into effect in December 2001, bringing the private sector within the ambit of the Act and the Office. Other surveys suggested similar conclusions.(56)

More complaints than expected

The additional funding of $1.4 million received by the Office for the additional workload expected from the extension of the Privacy Act's jurisdiction to the private sector was decided before the legislation was finalised. The estimates were not revised in light of the Act as subsequently passed. For example, they do not reflect the greater complexity of the Act as passed. Much more significantly, the estimates fell well short of the actual volume of work created through complaints and enquiries.

The additional funding provided for the private sector provisions, when allocated against the Commissioner's functions under the new provisions, provided only enough resources to handle an increase in complaints of 120 per annum. In fact the Office received a huge increase in complaints, which has now stabilised at around 100 complaints per month. In the 2002-2003 financial year the Office received 1,090 complaints, and extrapolating the current financial year's intake gives 1,181 complaints.

This huge, nearly six-fold increase in complaints has been the dominating influence on the Office in its ability to perform over the last two and a half years.

Related activity in terms of phone and written inquiries also increased significantly more than the funding provided for, increasing some 2½-fold and 3½-fold respectively.(57)

As the scale of the new levels of complaints and inquiries became clear during 2002, the Office took decisive action to prevent the backlog of complaints continuing to grow. In particular, resources were moved from the Policy/advising Section in the Office into the Compliance Section. Despite this reallocation of resources, as at the beginning of March 2004 the Office had some 450 complaints to investigate. Moreover, nearly half of these are waiting to be actively investigated and may have to wait for up to a year for the investigation to begin. Without a further injection of funds this situation has the potential to bring the legislation and the Government's policy objectives into disrepute.

The reallocation of resources has obviously reduced significantly the capacity of the Office to provide advice and assistance to organisations implementing the new legislation. The call for this advice vastly exceeds the Office's ability to meet it.

Review of private sector provisions

In his second reading speech the then Attorney-General, the Honourable Daryl Williams MP, noted the 'unique' approach taken in the new legislation and said:

' . . . I believe that it would be extremely useful to have a report on the operations of the legislation in due course to ensure that it is achieving all our goals. I will ask the Privacy Commissioner to conduct a formal review of the operation of the legislation and of all the exemptions, in consultation with key stakeholders after it has been in operation for two years.'(58)

In the light of this proposed review, the Office worked to lay the groundwork for it. It was keen to know not only how well the legislation was working, but also how effective its strategies for implementing the private sector provisions had been. It wanted to know whether it had achieved the outcomes sought, and what impact the new privacy provisions and the method of regulation had had on those outcomes. The surveys conducted in 2001 provide part of the baseline data for such a review, along with the complaints and inquiries statistics.

As at March 2004, the review had not commenced. The new Attorney-General, the Honourable Philip Ruddock MP, has advised that he will take up the terms of reference for such a review with the incoming Privacy Commissioner, once that appointment has been made.

25th International conference of Commissioners

The Office convened the 25th International Conference of Data Protection and Privacy Commissioners at the Sydney Convention and Exhibition Centre, Darling Harbour in Sydney from 10-12 September 2003.(59) This was the first time that the Office had hosted the conference for over a decade. The conference is held annually, usually in the Northern Hemisphere. Over 400 people attended the conference.

Hosting the conference is not a direct contributor to the strategic objectives and obligations set down for the Office in either its establishing law or its strategic plan, but at the very minimum it is a 'good neighbour' obligation in the international privacy community. More to the point, such gatherings have the potential to contribute indirectly, over the longer term to these objectives by:

  • enhancing domestic awareness of privacy issues;
  • developing cooperative responses to the potentially debilitating impact on the effectiveness of domestic privacy regulation from the increasingly free flow of personal information across borders;
  • exchanging views on emerging technologies and practices.

The Office set out to maximise the benefits of the Conference domestically as well as internationally through the following strategies:

  • setting the theme of the Conference around "Practical Privacy for People, Government and Business", to complement recent conferences which had favoured a closer focus on the principles of privacy and theoretical development of the topic;
  • encouraging a very successful series of satellite events ranging from a film festival to meetings with specific technology focuses such as biometrics etc;(60)
  • sponsoring a conference resolution aimed specifically at improving notice to consumers about organisational privacy policies, to help strengthen the ability of consumers to make better informed privacy decisions;(61)
  • through this and other resolutions,(62) assisting commissioners to become a much stronger collective voice in the years to come in developing appropriate regulatory responses to globalisation, in much the same way that other global groupings of regulators have already done (two notable examples being the Basle Committee on Banking Supervision and the International Consumer Protection and Enforcement Network, www.icpen.org);
  • promoting the Conference in the popular media;
  • ensuring the Conference paid for itself through sponsorships, conference fees etc.

By these measures, the conference was extremely successful with the exception of the media profile, which was disappointing. However, given the indirect nature of its contribution to the measures espoused in this paper, the conference is not further assessed here other than to note that it required a top management focus in the second year of operation of the private sector privacy legislation. As such, it had the potential to impact upon the quality of response to domestic responsibilities.

How did the Office do against the measures?

The Office is expecting to rely considerably on the proposed review of the private sector provisions of the Privacy Act to assess the effectiveness of the Office as a regulator.

Had the Office the money and the time, it would have instituted a greater range of research strategies to gain a much richer insight into the necessary information, including business surveys. At this stage, the most it can do is carry out another community attitudes survey, which is a continuation of a survey the Office carried out in 2001 just before the new private sector provisions came into effect.(63) This should enable at least some comparison of community attitudes to, and awareness of, privacy and the Office, and to assess whether or not there has been a shift in the ability of people to act to protect their own interests in this area.

Taking this, and other matters, into account, the assessment presented here is necessarily limited in a number of ways. For example, it is too early in the operation of the private sector provisions of the Privacy Act to get reliable results on many of the measures outlined here. It also suffers from the most obvious bias, that of a regulator 'marking his own homework'. Nevertheless, it would seem worthwhile to make a start.

Office performance against measures of economic impact

Measuring economic impacts is not an area of expertise for the Office. For this reason too, this paper is not able to provide detailed, evidence based, or technical information about its performance in this area. However, there are some limited observations that could usefully be made about the Office's performance against some of these measures.

The regulator has a process for assessing and evaluating economic impacts

The Office does not have a process for assessing and evaluating its economic impacts. It does have some base line information about impact on businesses through the 2001 Privacy and Business Survey Baseline Community Research described earlier. The survey included questions on what impact businesses thought the new privacy law was having on the way they do business. The Office could build on this in future years by gaining comparative data. It is expecting that this might be done as part of the proposed two year review of the private sector provisions of the Privacy Act when it takes place.(64)

Economic efficiency costs caused by organisations or individuals having to meet bureaucratic requirements are minimised

Some wild claims have been made by some economic sectors about, for example, the job losses that would occur as a result of a particular interpretation of the private sector privacy law. Some of these have had very little analytical backing. Even if there had been some analytical support, they provided no more justification for letting existing practices continue than similar claims would justify the continuing spam explosion, or the avoidance of economic losses to the organised crime industry by letting it continue in business. The focus of the regulator has to be to ensure economic losses are minimised if a law requires a change of practice. For example, it should support a less economically costly alternative that still meets the will of the parliament as expressed in the legislation.

Other economic measures
  • Regulator has had a positive impact on the economy (either allocative or distributive);
  • If the regulator has had a negative impact on the economy this is an intended consequence and is outweighed by either positive indirect economic outcomes, or positive social outcomes;
  • Economic impacts are fairly distributed across the economic sectors;
  • Decisions the regulator makes are practical, workable and able to be implemented by the constituency;
  • Regulator sought to harness market forces rather than oppose them, either by finding explicit pricing models that provide incentives to appropriate behaviour, or by helping businesses and others see the business case behind complying with the regulation or even going beyond that.

Although the Office does not have processes to measure its performance against these remaining measures of economic impact, it has nonetheless taken conscious steps aimed at meeting them.

Apart from the many other reasons for considering economic impact, it was an obvious consideration for the Office since one of the underlying rationales for the private sector provisions of the Privacy Act was to remove impediments to e-Commerce resulting from community lack of confidence about the way personal information was handled in the online world. Also, s.29(a) of the Privacy Act requires the Office to take into account the right of business to achieve their objectives in an efficient way.

In any case, in implementing the private sector provisions of the Privacy Act, the Office sought to harness market forces and benefit the economy by engaging in a communications program that sought to bring home the message that good privacy practice is good business. It regularly used the slogan 'good privacy - good business' in its brochures, banners, presentations and other material. It emphasised a number of aspects. On the upside, the Office outlined the opportunity that good privacy presents for building trust and keeping customers, with examples where possible. This was backed up by the Office's community attitudes research that showed the importance that the community places on privacy when interacting with a business.(65) On the business risk downside, it highlighted the damage in the marketplace that poor privacy practice can bring. It backed this up by using two key examples of companies that suffered major share price damage due to failure to implement good privacy practices, one of which was Harts Australasia, a financial service organisation. That company's share price plummeted by some 50% in the time that the Office was investigating an alleged dumping of confidential files in North Sydney and then established had indeed been a breach of privacy.(66) Finally it also warned of the 'sovereign risk' relating to the kind of regulation in place. If business did not respond well to the current 'light touch' legislative regime, it would run the risk that, after the legislation had been reviewed in two years time, it would have strengthened by its own actions all the arguments for a less 'light touch' regulatory regime.

Examples are now constantly emerging of the economic risks of not getting privacy right. A very current example is outlined in a recent article about the banking sector, which indicates that inadequate security and other privacy protective measures are putting internet banking at risk.(67)

The Office also has considerable anecdotal evidence that the measures businesses have had to take to ensure they are compliant with the Privacy Act have resulted in considerable improvements in information management overall, including customer relations management. The Office is aware, for example, that some tens of millions of dollars have been spent on building processes to comply with privacy requirements. However, taking into account the improvements in information and customer relations management, this expenditure is seen by some as being not just capital expenditure but also business building.(68)

Another reason for the private sector amendments to the Privacy Act was to ensure that there would be a nationally consistent approach to privacy. At the time States were seeking to take their own steps to regulate privacy in the private sector, which would have resulted in duplications and inefficiencies for businesses with national operations. The Office has championed the need for a nationally consistent approach in a number of forums, including in the area of health privacy.(69)

The Office has also always sought to place an emphasis on 'practical privacy' in other ways. In developing guidelines and giving policy advice it seeks to arrive at solutions that provide real privacy outcomes, but also take into account industry practice and are workable.

The Office's Guidelines on Privacy in the Private Health Sector,(70) which it prepared in the lead up to the commencement of the new private sector provisions in the Privacy Act, provide a particular example of practical privacy in operation. Implementing the NPPs in the health services sector posed particularly complex and sensitive problems. Health service providers were very concerned to ensure that their provision of health care to individuals was not unduly impeded by cumbersome procedures for getting client consent for every collection, use or disclosure of personal information in which they engaged. They were also concerned that it might increase the length of each consultation. The sector was also already subject to professional obligations of confidentiality which appeared to have general acceptance. The Office worked intensively with stakeholders to reach an approach in its guidelines that was workable for health services providers but at the same time built in the necessary protections where they were likely to be needed. No part of these Guidelines reflects this more than the guidance given on Use and Disclosure(71) which was debated over many months with stakeholders during 2001. Indeed, the resulting general Tip for Compliance on Use and Disclosure is disarmingly simple when it suggests that health service providers should assess:

'Is there alignment between the health service provider's intentions and expectations for the use and disclosure of the information and those of the individual? If uncertain, the health service provider should check with the individual.'

Other very complex areas where the Office has sought and achieved practical outcomes are privacy and publicly available personal information,(72) medical indemnity insurance, property valuation, due diligence and buying and selling businesses,(73) and guidance on what are reasonable steps for making individuals aware of collection of personal information under NPPs 1.3 and 1.5.(74) These were all situations in which failure to take a practical approach would have brought many businesses either to a grinding halt or buried them and their consumers under a hail of paper or cumbersome processes that could have been economically disastrous and enraged consumers at the same time. There are, however, limits to the extent to which taking a practical approach can resolve differences. There were some circumstances in which industry practice butted heads with the principles but the Office did not consider that a Public Interest Determination to relax the principles was justified.(75) In such circumstances, the only possible approach is for these issues to be considered as part of the proposed two year review of the Privacy Act. Some of these issues included those relating to private investigators and mental health.

Office performance against measures of social impact

As with the economic outcomes, it is too early to gauge many of the possible social impacts of the Office's activities as regulator of privacy in the private sector. Nevertheless, there are some indicators.

Regulator has a process for evaluating the social impacts of its activities

Through both its first and second strategic plans, the Office has a number of systems in place that it could use to evaluate the social impacts of the new private sector legislation and of the Office's activities as regulator of these provisions.

As noted earlier, between February and June 2001, using qualitative and quantitative research, the Office investigated the current understanding, behaviours and attitudes of individuals, businesses and federal government agencies in Australia towards privacy, and sought to identify emerging trends. This research can be used as a benchmark against which to compare future research results and to inform policy making and service provision. In particular, it will be able to inform the two year review on a number of the measures nominated in this paper, including the following:

  • As a result of the regulator's activities, most people consider their lives have changed for the better
  • People are more confident in the way they interact in the relevant area and less likely to be duped

People are better able to exercise their rights in the relevant area

Clearly, the private sector provisions themselves have given people more rights in this area than they had before. For example, they now have the right to ask organisations to see what personal information they hold about them, and correct it if it is wrong. They also now have an avenue for complaint that they did not have before. However, the performance of the Office on this measure is less than optimal because of the long wait that complainants experience before the Office can act on their complaints. The reasons for this long complaints queue include the fact that the Office received more complaints than expected, as described earlier.

People are willing and able to protect their interests on their own behalf

The Office has clear evidence that considerable numbers of people are willing and able to approach this Office to protect their own interests on their own behalf. As noted earlier under the heading More complaints than expected, numbers of people making complaints to the Office have gone from some 200 per year in 2000-2001 to a likely (on current trend) six-fold increase of 1,200 per year in this financial year. Hotline inquiries have nearly trebled from around 8,000 per year to over 20,000 per year, and written inquiries have also nearly trebled from around 900 to around 2,200 per year.

In addition, the 2001 Privacy and the Community Survey has set the ground work for future comparative data on this measure, by including a number of questions that focus on aspects such as the extent to which people protect themselves on the internet.(76)

If there are unintended negative social impacts, the extent to which these are outweighed by other benefits such as economic benefits

There were a number of occasions during the Office's implementation of the new private sector provisions when claims were made about the negative social impacts of the legislation and the Office's activities.

One common claim was that concerns about privacy are impeding couples who wish to get access to each other's bank accounts. This is not an unintended consequence of the legislation; rather, it is very much an intended consequence of the requirements of the NPPs that consent be given to such arrangements (eg NPP 2.1(b)). In fact, it is more likely that this move by the banks, to obtain better evidence and records of consents for shared access to an account, reflects the fact that the Act had sent the financial institutions a wake up call. They needed to tighten practices that they should have tightened anyway, especially in an era of increasing concern about identity fraud.

Another, more difficult problem has been identified in the mental health area. Some service providers are concerned that the Privacy Act is preventing them from providing adequate care to people with a mental illness, for example entitling patients to access their medical record at a time when it might impede further treatment. The Office has sought to work with the sector to find practical ways, within the scope of the NPPs as they currently stand, to alleviate this concern. However, ultimately it is a matter that may need to be considered as part of the proposed two year review.

Social impacts are fairly distributed across the community

In the course of implementing the private sector provisions it became clear that the Office's activities could have differential impacts on parts of the community. For example, during its consultation on an information sheet on privacy and publicly available personal information(77) concerns were raised that reducing access to publicly available information might restrict the ability of charities to raise funds and hence result in less support being available for work with the disadvantaged sectors of the community. This is a matter that other law makers have taken into account in developing privacy policy. For example, in the US, the Do Not Call register(78) provisions do not apply to charities. In any event, the Office was not, in fact, proposing to reduce access to such information in the way feared.

The activities of the regulator broadly reflect public opinion

One of the reasons behind the 2001 survey work was to gain a better understanding of public attitudes on a range of privacy issues. The Office used the information gained in a number of ways to inform its policy positions. For example, the Office stated publicly on a number of occasions that there was a need to review the use of public register information and in particular the Electoral Roll.(79) This reflected responses to a survey question on the use of Electoral Roll information which showed that 70% of those surveyed thought that the Electoral Roll should not be used for marketing purposes. The fact that the community was roughly divided(80) on the question of whether telephone directory information should be accessed for marketing purposes was also fed into the Office's policy development thinking.

Media have an informed and balanced approach to the area being regulated

The Office has adopted a number of strategies to keep the media informed about the Office's approach to privacy and is open and transparent in its operations with the media. The Office regularly reports on calls, complaints and issues raised with the Staff.(81) The Office runs a listserv for the media which has more than 1,500 members and which it uses to keep members informed of the latest developments and initiatives regarding the Office.(82)

The Office's approach has always been to work with the media to help them understand privacy and to develop more accurate and interesting stories about privacy. The Office's view has been that communicating with the community through the media is vital if the Office is to succeed in promoting an Australian culture that respects privacy.

The Office has a policy of responding, as far as possible, promptly to all media requests for interviews. It monitors press coverage in the privacy area and takes steps if it considers that media coverage is unbalanced or not informed. For example, the Office has developed responses to 'privacy furphies' and published them to its media networks and on the Office website. It has also developed frequently asked questions.(83) The Office has also, from time to time, written articles for media outlets about privacy issues in the areas of security, technology and media.

Those regulated have changed their behaviour to comply with regulatory requirements

Those regulated see the benefits of changing their behaviour and would continue to do so regardless of the regulatory oversight (in the sense that the regulation should 'contain the seeds of its own destruction')

There is considerable evidence that many organisations have at least taken steps to be seen to be complying with the Privacy Act. Most people would be aware that at about the time the legislation came into effect at the end of 2001, they received a deluge of privacy notices with their bills and other documents. They would also be aware of an increasing number of occasions, particularly in the health sector, where they are required to sign a consent form relating to the handling of their personal information. Those using the internet started to see a button saying 'Privacy' on many more website home pages. They would also be aware of increasing occasions where businesses use privacy as a reason for not disclosing information in certain circumstances. Unfortunately, it appears that these excuses are not soundly based and have the potential to undermine the reputation of the Privacy Act. Scrutiny of the media suggests that privacy is increasingly a topic for discussion and consideration in business matters, both from a business opportunity point of view and from a compliance point of view. Most professional organisations appear now to be aware of privacy as a business issue, and judging by the varied requests for the Office to give presentations these are wide ranging, and include organisations operating in industries where one would not necessarily expect privacy to be top of mind.

It is not yet clear how deeply privacy considerations are embedded into business practice nor how deeply privacy is embedded into the spirit of private organisations. It is not yet clear that businesses have sufficiently embraced the idea that good privacy is good business to change their behaviour fundamentally to align with the spirit rather than just the letter of the law. An early demonstration of this was the kind of privacy notices that many companies, particularly in the financial sector, were issuing. This became known within the Office, and then publicly, as the 'bundled consent' approach. There are a number of features of this approach, but in essence it involved organisations aiming, in one document, to gain all the consents they needed in order to continue the information handling practices they had always carried on. In most cases, the consumer was faced with the choice of either consenting to all the practices in one hit, or not at all. In others, consenting was a condition of receiving the service. The Office regards this as a bellwether issue as consent is one of the underpinning protections of the privacy regime. It is clearly an issue that should be closely examined during the proposed two year review.

On the other hand, other organisations, some quite small, have taken the spirit of privacy deeply into their thinking and have sought very detailed advice from the Office about how to implement privacy. Well over 100 businesses(84) have sought to opt-in to being covered by the Privacy Act. There are signs also that some of the larger organisations are also taking a broader interest in privacy. This has been demonstrated by interest shown by some business in adopting means of better communicating privacy information such as the 'condensed notice' approach endorsed by Privacy Commissioners at the 25th International Conference of Data Protection and Privacy Commissioners in Sydney in September 2003.(85)

The Office has received anecdotal advice from some quarters that deeper implementation of privacy is unlikely until such time as the Office adopts a stronger and more public approach to enforcing the law. They say that business has now reached a level of comfort with the law, and is satisfied that it has the appropriate levels of risk management in place. Although this advice has often come from quarters that may have a business interest in other businesses being concerned about privacy compliance and needing expert assistance to achieve compliance, this is comment that is worthy of consideration and note. It should certainly be a matter for consideration in the proposed two year review of the legislation. It may be that while the low profile partnership strategy the Office has adopted has been effective in implementing privacy to this point, it is now time to adopt a different strategy to achieve greater levels of behaviour change. It may be the case that, even apart from the regulatory risk, the market down-sides of non-compliance will not be fully recognised and acted upon by business unless the Office adopts a stronger and more public approach to non-compliance. Some sting may be necessary even to promote cultures!

Public accountability for resources

  • Regulator has a strategic plan that prioritises and focuses its activities
  • The plan and the rationale behind the plan is widely known
  • Regulator has adhered to this plan
  • Regulator can account for how it has allocated and spent its resources against its plan
  • Regulator has evaluated its plan

As outlined earlier under the heading Strategic plan - set approach to regulation, the Office developed a strategic plan in 2000. It has also subsequently developed a second strategic plan. The Strategic Plan 2000, which spelled out the rationale behind it, was published in an attractive format, launched at a very well attended function, posted on the Office's website, and distributed in hard copy with more than 10,000 kits distributed at the various functions at which the Office was represented. The Office developed detailed project plans for each of the Key Result Areas and progress against the plan was fine tuned and monitored. By the time of the 2002 Annual Report, the Office was able to report continued adherence to the strategic plan and that it had largely delivered the Key Result Areas.(86)

The Office has not otherwise formally evaluated the Strategic Plan 2000. However, in the course of developing its second strategic plan (Strategic Plan 2003), the Office did consider the appropriateness and effectiveness of the earlier plan. Evaluating the Strategic Plan 2000 could appropriately form part of the proposed two year review of the Privacy Act.

The Strategic Plan 2003(87) was launched at a quieter level, but again a system for monitoring progress against Key Result Areas is in place.

  • Regulator has met all the usual obligations of financial management spelt out in the Financial Management and Accountability Act 1997, the Audit Act

The Office has met its obligations in this area. Since it was commenced as a separate agency under the Privacy Amendment (Office of the Privacy Commissioner) Act 2000 on 1 July 2000, the Office has received unqualified audit reports and operates very closely within its allocated budget.

  • Regulator has evidence that the resources are being used efficiently

The Office has undertaken activities particularly in the complaints area to establish whether its complaints process could be improved. The Office commissioned a small external review of complaint handling within the Office.(88) The purpose of this exercise was to identify areas for possible improvement, in accordance with best practice principles, with a view to ensuring that the Office was well situated to deal with the additional obligations of the Privacy Amendment (Private Sector) Act 2000.

The review focused on understanding and assessing processes and procedures for handling complaints from receipt to finalisation.

Key principles of complaint handling systems were derived from the 1999 complaint handling benchmark project undertaken by the Human Rights and Equal Opportunities Commission (HREOC), assessment of overseas complaint handling processes, Australian complaint handling standards (AS4269)(89) and benchmarks for Industry-Based Customer Dispute Resolution Schemes (1997)(90). These sources indicate that an efficient and effective complaint handling service can be described as one which is accessible, fair, responsive, accountable and result focused.

The external review produced 31 recommendations. In line with the key principles, the recommendations focused on producing clear, purposeful and accountable complaint handling procedures which provide fair outcomes. The review made recommendations on complaint assessment, investigation and complaint resolution procedures, and a number of general comments. These recommendations focused on clarifying the procedures in each of these areas for compliance workers, complainants and respondents, and on developing a prioritisation system in complaint assessments to identify urgent cases and matters which can be resolved quickly. A number of recommendations focused on developing more detailed timeframes in the complaint handling system to ensure adequate progression of cases.

The Office implemented almost all of the recommendations of the review. Many of these recommendations informed the design of an electronic Complaint Management System (CMS), which the Office now uses as a central administrative aid to manage complaints.

  • Regulator has explored means of increasing the pool of resources available to it
  • Regulator has policies and procedures in place to ensure that the process for raising and using such additional resources is transparent, ethical and far above any implications that this source of funds could compromise its independence

Increasing the pool of resources available has formed part of the Office's thinking from early in the term of the Commissioner, as evidenced by the partnership and networking approaches outlined in the Strategic Plan 2000.

As described earlier under the heading Baseline Community Research, in 2001 the Office took partnerships one step further to support joint ventures and joint funding arrangements. The Office paid particular attention to doing all that it could to avoid even perceptions of conflict of interest or loss of independence or integrity. The published partnership policy(91) took into account a number of factors including parameters set by the Australian National Audit Office and the NSW Independent Committee Against Corruption. The policy established a risk assessment framework and a process for assessing and managing partnership opportunities.

The Policy was first applied when finding partners and a sponsor for the Privacy and Business and Privacy and Government components of the 2001 survey research. The Office also received sponsorship from Centrelink, HREOC, Attorney General's Department, AAMI and PricewaterhouseCoopers Legal to host the 25th International Conference of Data Protection and Privacy Commissioners in September 2003 in Sydney.

The Office has a number of arrangements other than direct monetary sponsorship which serve to increase the Office's pool of resources. These include:

Privacy Connections: Networking for Privacy Solutions The Office has worked to develop a well established network of people and organisations ready to support implementation of privacy solutions. The Privacy Connections Network, launched in April 2000, now has over 1,700 members.(92) In months leading up to and following December 2001, and the introduction of the National Privacy Principles, the Office assisted organisations with their preparations and implementation of procedures to comply with the NPPs through provision of information, seminars and networking opportunities to members. More recently it has used the network to circulate draft publications for comment.

Privacy Contact Officer Network The Office facilitates a network of Privacy Contact Officers (PCOs) drawn from each federal and ACT government agency.(93) The network is designed to ensure that agencies have a central point of contact for privacy issues within that agency. The Office provides a secretariat role to the network assisting with arranging meetings, distribution of information, development of resource material and keeping a centralised record of PCOs.

Health Leaders Forum In 2001-2002, the Office established an informal Health Leaders Forum, with membership comprising acknowledged leaders in the health sector. The forum has provided very useful advice to the Commissioner on a range of issues including the Guidelines to Privacy in the Private Health Sector, the Public Interest Determinations on Family Histories,(94) privacy and genetics, transfer of information between medical practices and in debating issues such as the draft code being developed by the Australian Health Ministers Advisory Committee. The forum has also helped all its members exchange views on educational and other resource material for complying with the Privacy Act.

Privacy Agencies of New Zealand and Australia The Privacy Agencies of New Zealand and Australia group (PANZA) continues to provide a focus for international discussion and development on privacy issues.

Through PANZA the office has been involved in a number of international forums on privacy.

Federal Privacy Handbook The Office has a cooperative arrangement with CCH Publishers to develop, maintain and distribute the Federal Privacy Handbook. CCH covers all the costs of publishing and distributing the handbook and the Office provides the Intellectual Property. The Handbook is a comprehensive loose-leaf guide to federal privacy law and practice, and is generally updated twice a year by the Office.

Memoranda of Understanding The Office has key MOUs with HREOC, Attorney General's Department, Australian Competition and Consumer Commission, ACT Government, Department of Health and Ageing, Centrelink and Australian Customs Service. Each serves a different purpose. Those with Health, Customs, Centrelink and the ACT Government make additional funding available to the Office on an agreed workplan basis. The MOU with HREOC is a financial and human resources common services agreement. The others document agreed strategies to implement more effective working relationships.

Joint Publications The Office developed Information Sheet 16-2002: Application of Key NPPs to Due Diligence and Completion when Buying and Selling a Business in collaboration with the Law Council of Australia.(95) The information sheet aims to ensure that the privacy of individuals is protected during due diligence and completion of a sale of a business, while at the same time enabling the commercially sensitive process to go ahead in a timely and efficient manner.

The Office is presently developing a joint publication with the Australian Institute of Company Directors called "Privacy and Board Directors: What You Don't Know Can Hurt You". This publication aims to provide an easy guide to help company Directors implement efficient and responsible privacy procedures that will add value to their organisations and contribute to the creation of an Australian culture which respects privacy.

The Office has significantly advised on the preparation of other publications funded by other organisations for example, the publications produced by the Royal College of General Practitioners and the Australian Medical Association, which were funded by the Department of Health and Ageing, and a publication prepared by the Mental Health Coalition (forthcoming).

The Office might be said to have pushed the boundaries in this area. However, at the same time it was acutely aware of the risks associated with this approach. The Office considers that it has been able to push these boundaries successfully without compromising its integrity. An indication of the integrity of the Office's approach in widening its pool of resources could be said to be that the Office has received no adverse comment on its sponsorships and partnerships from any sector.

Resources developed by other organisations Many organisations developed their own materials including the Pharmacy Guild and Pharmaceutical Society, the Royal Australian College of General Practitioners, the Australian Medical Association, the Australian Direct Marketing Association, the Market Research Society of Australia, the Internet Industry Association, the Australian Information Industry Association, the Real Estate Institute and the Association for Independent Schools.

Where possible, the Office provided informal input to the preparation of these documents. The result of this effort was specialised advice to particular industries or professions which was beyond the Office's ability to provide directly. This approach often had the added advantage of providing these sectors with advice that they saw as more credible than that from a 'newcomer regulator'.

  • Regulator has made sure that all interested parties, including the government, the media and the public, are aware of the implications of budget allocations

From the point at which it became aware that the complaints load was placing major strains on its resources, the Office has consistently and publicly made stakeholders aware of the implications for the Office, in direct advice to the Attorney-General's Department, the Attorney-General, parliamentary committees and the media. It made clear what the issues were, what the Office's priorities were, how it was shifting resources to ensure it at least dealt with the areas of priority, and what the impacts of such shifts were.

Independence, fairness, transparency and accountability in decision making

Policy decision making
  • Regulator has recognised and publicly respected processes to enable public participation in policy development processes
  • Participation in such processes takes into account those groups less easy to reach in public consultation processes
  • Decisions made based on the full range of criteria that go towards determining the public interest
  • Decisions have broad acceptance among key stakeholders
  • The regulator has processes for making its policy and other decisions widely known and easily available, if necessary for years on end

This area has been a major priority for the Office. It took extensive action to ensure that it met these measures. This effort has had a number of spin offs. It ensured that private sector organisations became aware of, engaged with, and took ownership of, the privacy issues and the privacy solutions developed and raised the profile of the Office.

The Office's key activities in this area occurred during the development of three major sets of guidelines, and accompanying information sheets aimed at assisting business generally and in separate work, the health sector.(96) The Office saw these as playing a fundamental role in implementing the Private Sector provisions of the Privacy Act. Even more important was the consultative process in their development. This increased the level of ownership, improved the quality of the product and because they were controversial, significantly raised levels of awareness in the business community.

The resulting publications were the Guidelines to the National Privacy Principles, the Guidelines on the Privacy in the Private Health Sector, the Code Development Guidelines and an initial instalment of 15 Information Sheets. The Office produced them all in the 12 months between the time the legislation was passed and the time it came into effect for most business and all private sector health service providers. For each of these documents the Office developed and implemented detailed consultation plans. In each case it involved:

  • Developing a detailed picture and mailing lists of the stakeholders in the private sector;
  • Making contact with these and encouraging them to join the Office's Privacy Connections Network;
  • Forming consultative groups which included key stakeholders, including consumer, business and government representatives, and representatives of special interest groups that are less easy to make contact with;
  • Preparing draft documents in consultation with these groups;
  • Circulating widely the draft documents, including by post, by email and by posting on the Office's website, and allowing a two month period to respond;
  • Conducting national workshops to raise awareness about the guidelines and receive comments and questions;
  • Targeting special interest groups that may be more difficult to reach and holding meetings or providing material to ensure the Office received input on issues of particular importance to them;
  • Recording submissions on a database set up to enable analysis on a number of dimensions;
  • Revising the drafts on the basis of submissions and further consultation with the consultative groups;
  • A further, but more limited, round of consultation;
  • Final revisions in consultation with key stakeholders;
  • Publication and wide distribution before the Privacy Act came into effect on 21 December 2001.

This was a very robust process and provoked a huge stakeholder response. The Office received 171 submissions on the Guidelines to the National Privacy Principles and 102 written submissions and 29 oral submissions on the Guidelines on Privacy in the Private Health Sector. They received considerable public attention in the media. The process was a real testing of the waters. The Office was aware that the drafts of the guidelines on which it was publicly consulting were relatively unrefined, and included quite preliminary but detailed thinking. In the timeframe it had, however, it considered that it was better to get the thinking out for comment and engage stakeholders early in the process rather than taking longer to produce a more refined product which left little time for stakeholder engagement. In the event, the draft guidelines, although controversial, had the major benefit of galvanising stakeholders into attention and action. In this sense, the deliberately taken, considered risk in publishing the drafts early in the process ended up being more successful than anticipated. The input received was hugely constructive and enabled the Office to establish productive relationships with more consumer and industry organisations than would otherwise have been possible.

The final versions of the guidelines took account of the extensive input from all stakeholders. They reflected a delicate balance between all the factors that go into determining the public interest including an assessment of the social and economic costs and benefits of the approach, and what the Office saw as an appropriate balance between consumer interests, commercial interests, and broad Australian social values as partly informed by the survey work the Office had undertaken.

Overall, the Office's assessment of this process is that it achieved considerable respect for the outcome despite some suggestion from some privacy advocates that the final version of the guidelines was considerably weaker than the earlier version and that the Office had been hijacked by the big end of town.

The Office has widely publicised and distributed the final versions of the guidelines. They were published in an attractive hard copy format and mailed to all those who participated in the consultation process and more widely. More importantly, the Guidelines were posted on the Office's website and in the financial year 2001 - 2002 there were more than 107,000 downloads of the Guidelines to the National Privacy Principles and more than 27,000 downloads of the Guidelines on Privacy in Private Health Sector.(97)

The Office has adopted a similar process for the development of many of its information sheets, for the development of other guidelines (eg on Public Key Infrastructure),(98) and for deciding Public Interest Determinations under Part VI of the Privacy Act and approving codes to replace the NPPs under Part IIIAA of the Act.

Approach to law enforcement
  • Regulator has a well publicised and understood policy on how it will go about implementing and enforcing the law
  • Regulator adheres to this policy
  • Regulator has evidence on the levels of non-compliance
  • Regulator has evidence of the effect of the policy on understanding and learning in the wider community
  • Regulator does not change the policy unless it is planned and well thought out and then the reasons for the change and the new policy are well publicised

The most significant statement by the Office on its policy on implementing and enforcing the law is Information Sheet 13-2001 "The Privacy Commissioner's Approach to Promoting Compliance with the Privacy Act", issued in December 2001.(99) This publication sought to set out explicitly the approach which the Office takes to promoting compliance with the requirements of the Privacy Act and the mechanisms the Act provides to accomplish this objective.

The Office has taken the approach that, at least in the early stages of the implementation of the changes to the Privacy Act, compliance will be achieved most often by helping organisations to comply rather than seeking out and punishing the few organisations that do not. The large majority of Australian organisations in the private sector wish to comply with their legal obligations. The Office's emphasis has been on providing advice, assistance and information. This has been our first and preferred approach at all times. Nevertheless, when breaches of the Act are identified they have been actively pursued.

Some journalists and privacy advocates have taken issue with this method calling for a more confrontational strategy, which more readily enforces harsher penalties. However, the Office has adhered rigidly to its stated approach. Its position has been that the "Advice and Assistance" approach will not be changed without proper evaluation. The two year review of the Privacy Act would seem to be an appropriate forum to address this issue.

Complaints handling
  • Regulator ensures that the community, and in particular complainants, can easily find out about the process the Office follows when handling complaints
  • Regulator has effective processes to ensure that the Office handles complaints in an impartial fashion
  • When operating as an alternative dispute resolution body adopts best practice standards in dispute resolution
  • Regulator administers complaint handling role in accordance with the administrative law framework and in particular complies with the rules of natural justice when handling complaints
  • Regulator has processes to deal with any power imbalances between the parties when investigating and conciliating complaints
  • Regulator is as open as possible about the outcomes of the complaints it handles and the reasoning behind the decisions it makes about resolving complaints
  • Regulator regularly benchmarks complaint outcomes, including compensation agreed between the parties or specified in a formal decision of the regulator, against those of similar complaints handlers
  • Regulator has mechanisms for monitoring its complaints case loads and processes for independence, fairness, efficiency, consistency with other equivalent complaints handlers, and for trends in complaints that might indicate privacy issues that might be addressed at a systemic level
  • Regulator selects staff with relevant skills and experience and provides training and support for its staff

As a result of the Strategic Plan 2000, the review of the complaints process conducted by Tracey Raymond and the need to become more efficient in the face of very constrained resources, the Office has taken a wide range of actions to meet the measures outlined here. These initiatives were outlined earlier under the heading Regulator has evidence that the resources are being used efficiently.

The Office has revamped and updated the page on its website that provides information about the Office's complaints process. The Office also has an internal complaints manual, which it is updating and refining as its processes become more efficient. This contributes toward the Office having a consistent approach to complaint handling and decision making, and also helps to ensure that it complies with administrative law requirements including the rules of natural justice.

As part of implementing Key Result Area 4 of the Strategic Plan 2000, the Office embarked on a major overhaul of the information handling system for complaints. This was a major improvement and benefited the Office in a number of respects. It gave the Office much more information about its complaints load, for example, how long complainants have to wait before having their complaints dealt with and how this is changing over time. It also enabled the Office to implement a triage process which identifies serious and urgent cases and fast tracks them to the head of the queue. The Office considers that, overall, its processes have much improved.

The information system also gives the Office a much better picture of the outcomes arrived at for each complaint and what issues are arising. This allows the Office to assess whether issues that are arising are systemic and whether there is a need for more information in a particular area to prevent the issues arising.

It also allows the Office to identify cases that might usefully be reported on to the public. The Office resolves nearly all its cases using alternative dispute resolution processes. It very rarely makes a determination in which the Commissioner imposes a resolution, and it has only been to court once. This has had major implications for the ability for those in the public arena to understand the basis on which cases are resolved. It means that there is little precedent that would enable legal and other advisors to give definitive advice to businesses about the law in a particular circumstance. The Office has been criticised(100) for failing to provide sufficient information in this area and as a result has begun to publish Case Notes on key cases that the Office has handled.(101) This has helped to provide greater transparency in the process but there is probably still considerably more work to be done in this area, including possibly providing more statistics and other information on the overall outcomes achieved for all cases.

Active engagement in policy formation

  • Regulator engages with the media and with government policy development as issues arise
  • Regulator has successfully influenced policy outcomes
  • Regulator's views are regularly sought by key stakeholders and the regulator is seen as expert in the regulated area

As seen above, the Office actively engages with the media on privacy policy issues. It has also actively engaged with government policy as the need has arisen. There are many examples to be seen on the Office's publications website, in the form of the number of submissions the Office has made to parliamentary inquiries, including into the private sector privacy provisions and interdepartmental working groups.

The Office has focused its efforts in one particular area over the last year or two as a result of the development of the Strategic Plan 2003. In this process, it recognised Identity Management as an area of special significance to privacy, both as a means of improving and facilitating individual control of personal information and conversely, to compromise it horribly. These are similar considerations to those behind the Australia Card debate of the 1980s, affected hugely by 15 years of further developments in technology and the more recent efforts to counter terrorism. One consequence has been that the Office has actively sought to become involved in a number of identity management initiatives, both in the area of health information and more widely.

It has also stated its opinions in relation to RFID chip development, intellectual property information management systems and many other issues.

The Office regularly receives requests for presentations and participation in conferences, seminars and workshops, and for policy advice. However, these are two of the areas where the Office has had to downsize consciously since 2001 as a result of the resource constraints.

Ensure clear respect for the law by all parties

  • The law is held in respect by the community, for example as found by survey
  • Media sentiment does not imply disrespect
  • Audits, sample surveys and other evaluation techniques indicate general compliance with the law
  • The law is not falling into disrepute because it is being applied mindlessly, especially when there is regulator discretion in its application (avoiding 'the law is an ass' criticisms)

It could be said that the Office is receiving mixed messages on the question of respect for the law and the regulator. As outlined above under the heading Approach to law enforcement, the Office has taken a more partnership-based and helpful approach to enforcement of the Privacy Act where this was sufficient to gain compliance, rather than subjecting all infringers to public scrutiny. A less remarked element of the policy, though, is a clear statement that there will be an 'iron fist in the velvet glove' if necessary. Information Sheet 13-2001 points out that if the cooperative approach does not work in a given instance, the Office will not resile from taking stronger steps to enforce the law. Given the environment in which the Office has been operating, it is not clear that the Office would have been more effective had it taken a more aggressive course. It is possible that had it done so, it might have raised its profile, only to be ignored by key stakeholders from there on. On the basis of the stated policy, had a suitable case come along, there is no doubt that the Office would have taken strong and public action. Indeed, the lack of such cases has been something of a surprise.

One interpretation is that the Office's policy has been very successful. Another is that the lack of the need to prosecute reflects clever risk management by many businesses without necessarily reflecting good privacy practice: ignoring the requirements of the legislation until a breach occurs, then acting promptly when asked to do so, to avoid any opprobrium. Certainly, in every case where a business had a complaint lodged about it, the business acted quickly and cooperatively to amend its practices. Yet another interpretation is that under the current laws and with the level of effort, it has not been possible to bring such cases to light. However, the Office was committed to complying with its approach to law enforcement, and was not prepared to deviate from it without proper process.

The question of whether the current policy has been effective in ensuring clear respect for the law by all parties is one of the most important that should be addressed by the two year review. For this reason alone, a two year review that is restricted simply to an inspection of the wording of the Act without also assessing the performance of the regulator may be missing the most important points of all.

On the question of public education, the Office has stated that it has unfinished business there. This is particularly so given that an active consumer is a key part of creating a culture that respects privacy, and without one, the approach remains flawed to some extent. Resource levels have been a major constraint here, with 'free' education, for example partnerships with the media and the Office's website, almost the only activity it has been possible to engage in. The one exception is an advertorial activity the Office carried out in mid-2002, which placed privacy advertisements in many newspapers around the country. While the advertorial would have placed privacy issues in front of some 6.7 million Australians, it is not clear that it was highly effective. It was a very low cost strategy, in order to fit within Office resources compared with, say, television or radio campaigns, and the Office probably got no more than that for which it paid.

Service provision

  • Regulator has a Service Charter which covers various service level response measures
  • Regulator has ways of measuring effectiveness of service provision and customer satisfaction with this
  • Regulator complies with the Service Charter, including by publishing performance results regularly
  • Service is accessible to disadvantaged groups
  • Regulator reviews services on a regular basis and revises approach as a result

The Office has a lot more work to do against these measures. The Office does not have a service charter, and this is not an oversight. The Office made a conscious decision that other activities should receive a higher priority and that it was pointless setting aspirational targets that were unlikely to be met in the light of the pressures on its resources from complaints and inquiries, as already described. This is not to say, however, that a charter is not important, or that it should not be done. The Office needs to do more work on all the other measures as well.

Nevertheless, the best possible performance in service provision has been a consideration in its activities, and it always seeks to ensure that those with disabilities, for example, are able to access the service.

In particular, as noted under the heading More complaints than expected, the Office has kept increasingly detailed statistics on a number of aspects of its activities, including statistics for the last three years on telephone inquiries, written inquiries, complaints, own motion investigations, audits, numbers of organisations that have opted into coverage of the Privacy Act, number of code approvals, policy advices, media interviews, website hits, numbers on our privacy connections network and privacy media email group, conference website and conference outputs. It publishes statistics about its complaint and inquiry numbers and the topics complained about on the website on a regular basis.(102)

One service area that has not been described so far relates to the processes for approving codes under Part IIIAA of the private sector provisions of the Act. Here, in the Code Development Guidelines, the Office undertook to approve codes within two months of receiving an application.(103) The Office has not received very many code applications, and it has never managed to meet this time frame. There are a number of reasons for this. The main one is that the codes as initially received, generally speaking, came nowhere near the standard necessary for them to be approved. For example, they had often been drafted by non-lawyers who had little understanding of what might be needed to draft a document that would have the force of law when it replaced the NPPs as the standard. If the Office had chosen to reject such applications out of hand with no further action on its part, it could probably have met the two month deadline. However, it chose to try to work with the applicants to achieve this standard, and was successful in a number of cases, but only after a considerably longer period than two months. It would be fair to say that no one anticipated the complexity involved in developing an industry code that meets the requirements set out in the Privacy Act, in particular the complexity in assessing whether a proposed code is 'at least the equivalent of all the obligations' set out in the NPPs, as required of the Commissioner under s.18BB(2).

Glimpse of the future

If the last 5 years have been marked by rapid change, particularly in the area of technology, then the next 5 years are likely to be exponentially so. We are entering a period where technology has the potential to change our lives fundamentally in ways we could never have imagined. As Susan Greenfield, a recent commentator on the impact of technology on people, writes:

'Soon computers will be invisible and ubiquitous - if not actually inside our bodies and brains, then sprinkled throughout our clothes, in our spectacles and watches, and converting the most unlikely inanimate objects into 'smart' interactive gadgets.

The real problem is not what is technically feasible but the extent to which what is technologically feasible can change our values. The gadgets of applied technology are the direct consequences of the big scientific breakthroughs of the previous century, and promise any day now to influence with unprecedented intimacy, the previously independent, isolated inner world of the human mind.' (104)

Given the nature of this change, one of the greatest values at risk will most definitely be privacy. Generally speaking, society has waited for the technology to come along, and then dealt with the consequences as they arise. This has to a great extent been the approach to the developments in gene technology. Given the rapid pace of technological change, and what now appears to be its major transformative potential, including for the nature of our humanity, we cannot afford to continue to take a passive role in such development. Once the technology is with us and operating, it may be reaching the point where it is too late to turn back the clock. Susan Greenfield considers that perhaps both Technophiles and Technophobes would agree that

'. . . we must be proactive and set the agenda for what we want and need from such rapid technical advances; only then shall we, our children and our grandchildren come to have the best possible life.'(105)

In this context I believe it becomes more important than ever for us to focus on creating a culture that respects privacy. Only by taking this approach can we ensure that privacy is in the minds of ideas people and technicians from the moment that an idea or a technological development is a twinkle in the eye. It must be present in the thinking behind every phase thereafter as well.

A key strategy for the future should therefore be to build frameworks for people to use when they are developing initiatives and encourage them to use them.

Need to see the bigger picture

There are huge issues about our private lives at stake. Just how big is very hard to estimate. For example, the Office has recently been commenting from a privacy perspective on a whole raft of government initiatives, in health and other areas of government operations, that are aimed at improving identity management and providing services in an online environment. On its own, each of these initiatives may seem somewhat harmless, and few of the proponents have been willing to see how all their individual proposals add together. We have seen our role as one of the few agencies able to step back and look at the big picture of how all these initiatives might be linked together, and to assess what privacy impacts such linking might have. A great difficulty has been to convince people to think into the future and concede that there is a real possibility that this linking might occur. Even harder has been to paint, in meaningful terms, what such a privacy future might look like if it does occur.

In this respect, comprehensive research that recently commenced in Canada could comprise some of the most important work being done on privacy and technology at the moment. Titled "On the Identity Trail: Understanding the Importance and Impact of Anonymity and Authentication in a Networked Society", over the next four years, this undertaking will receive almost Canadian $3 million in funding from the Social Sciences and Humanities Research Council of Canada, along with more than Canadian $1 million from corporate and non-governmental partners.

The leader of the project, Ian Kerr, who holds the Canada Research Chair in Ethics, Law, and Technology in the University of Ottawa's Faculty of Law, points out that "networks such as the World Wide Web are only the most visible aspect of the technology that threatens privacy". Recognising the deep social significance of shifting architectures, Kerr has assembled a multi-disciplinary team of 23 researchers who represent the academic, public, private, and not-for-profit sectors, including philosophers, ethicists, feminists, cognitive scientists, lawyers, cryptographers, engineers, policy analysts, government policy makers, privacy experts, and business leaders.(106)

Range of strategies needed

More than ever, it will be critical that we focus on a raft of strategies to achieve the goals we are set as regulators. In the face of the forces outlined in this paper, sticking to an approach of simply enforcing black letter law will not be an adequate response.

We need to adopt a range of strategies including:

  • a strong focus on harnessing and working with market forces (good privacy is good business, using pricing to control behaviour, etc.);
  • talking up privacy and drawing out the implications of social, political and technological developments, spreading the word via the media;
  • 'building privacy in, not building privacy on', both in technology (making sure that, wherever possible, we adopt Privacy Enhancing Technologies (PETs), not Privacy Invading Technologies (PITs)) and in policy development;
  • and when the market fails, moving in with the law.

There is also a need for all potentially privacy invasive initiatives to build key elements into their processes.

Immediate pressing issues

For Australia, the review of the Privacy Act should be an important feature of the next few years. It will tell the Office if it has steered the right course, and whether it should change tack to ensure that it is effective in the next phase of implementing the new private sector provisions. Just as important will be the need for clear leadership in the face of moves that could lead to an ever more finely divided patchwork of privacy legislation, in the health sector and others.

Probably more important than both, though, will be close engagement with the global community, reflecting increasing ease and take-up of transactions that involve cross border flows of personal information both by business and by individuals.

Regardless, an ethical, effective, efficient privacy regulator will be essential. This in turn calls for measures to test for, and ensure, that the privacy regulator, just as much as any other regulator, is doing the job well.

Endnotes

  1. I would like to thank Robin McKenzie for her considerable input to the preparation of this paper.
  2. "Privacy Guidelines for the Private Sector", Media Release by the former Attorney-General, 24 August 2001, available online at: www.ag.gov.au/www/attorneygeneralHome.nsf/Web+Pages/05A191AF2966866FCA256B57000FDF0F
  3. See for example: Report of the Royal Commission on Australian Government Administration. Australian Government Publishing Service (AGPS), Canberra, 1976; Review of Commonwealth Administration: Report. AGPS, Canberra, January 1983; Statutory Authorities and Government Business Enterprises: A Policy Discussion Paper Concerning the Efficiency and Accountability of Commonwealth Statutory Authorities and Government Business Enterprises. AGPS, Canberra, June 1986; Policy Guidelines for Commonwealth Statutory Authorities and Government Business Enterprises: A Policy Information Paper issued by the Minister for Finance, Senator the Hon. Peter Walsh. AGPS, Canberra, October 1987; Building a Better Public Service, A joint publication of the Management Advisory Board and its Management Improvement Advisory Committee No 12. AGPS, Canberra, June 1993. National Commission of Audit: Report to Government. AGPS, Canberra, June 1996.
  4. "Review into the corporate governance of Commonwealth statutory authorities and office holders", Media Release by the Prime Minister, 14 November 2002, available online at: www.pm.gov.au/news/speeches/2002/media_release1991.htm
  5. Brandy v Human Rights & Equal Opportunity Commission & Ors, available online at: www.austlii.edu.au/au/cases/cth/HCA/1995/10.html
  6. See for example Professor Allan Fels "The Role of the Privacy Regulator in an Era of Transparency" paper delivered at the 25th International Conference of Data Protection and Privacy Commissioners, Sydney, 10 September 2003, p 5 which refers to the framework that Mark Moore of Harvard University developed. Available online at: www.privacyconference2003.org/program.asp#psa
  7. Ibid p 6.
  8. See for example, Industry Self-Regulation in Consumer Markets, Report prepared by the Taskforce on Industry Self-regulation, Canberra, August 2000, available online at: www.selfregulation.gov.au/publications/TaskForceOnIndustrySelf-Regulation/FinalReport/isr_part1.asp#P67_637. The following recent proposals and standards are other examples of a similar preference for 'best practice': Report of the HIH Royal Commission (www.hihroyalcom.gov.au/finalreport/index.htm); and Principles of Good Corporate Governance and Best Practice Recommendations, The ASX Corporate Governance Council, Sydney, March 2003 (www.asx.com.au/about/CorporateGovernance_AA2.shtm).
  9. Privacy Amendment (Private Sector) Act 2000, available online at: http://scaleplus.law.gov.au/html/pasteact/0/157/0/PA002190.htm
  10. As described by the Attorney-General at the conclusion of debate on the Privacy Amendment (Private Sector) Bill 2000, Hansard for the House of Representatives, 8 November 2000, available online at: http://parlinfoweb.aph.gov.au/piweb/view_document.aspx?ID=494017&TABLE=HANSARDR
  11. See for example the matters to which the Commissioner must have regard in exercising powers as set out in s.29 of the Privacy Act, available online at: http://scaleplus.law.gov.au/html/pasteact/0/157/0/PA001080.htm
  12. See for example Professor Allan Fels "The Role of the Privacy Regulator in an Era of Transparency" paper delivered at the 25th International Conference of Data Protection and Privacy Commissioners; Sydney, 10 September 2004, p 3, at www.privacyconference2003.org/program.asp#psa
  13. The CrimTrac Inter-Governmental Agreement is available from the CrimTrac website at: www.crimtrac.gov.au/aboutus.htm
  14. Leaders Summit on Terrorism and Multijurisdictional Crime Cross-Border Investigative Powers for Law Enforcement Report, November 2003, available online at: www.ag.gov.au/www/agdHome.nsf/AllDocs/RWP5EB0987799F1D124CA256DE40014B32C
  15. Report of the Independent Review of Part 1D of the Crimes Act 1914 - Forensic Procedures, Canberra, March 2003, available online at: www.ag.gov.au/www/criminaljusticeHome.nsf/Web+Pages/F974FEAA49CD7F32CA256D2500090F58
  16. Available online at: www.privacy.gov.au/materials/types/infosheets/view/6545
  17. A recent survey conducted by the National University of Singapore's Information & Communications Management Program of attitudes in Sydney, Singapore, New York and Seoul includes inconsistencies of response that clearly indicate such differences. An initial report was presented at APEC's eCommerce Steering Group meeting in Santiago in February, expected to be published soon at www.export.gov/apececommerce.
  18. See a number of the commentaries available on the Media page of the website of the Office of the Privacy Commissioner of New Zealand, at: www.privacy.org.nz/smediaf.html
  19. This story has been followed by The Sydney Morning Herald in a special online Hospitals Scandal page at: www.smh.com.au/specials/hospitals/index.html, but see in particular "After a lifetime in health care, an eye for failings of the system", SMH, 12 December 2003 which is available online at: www.smh.com.au/articles/2003/12/11/1071125596347.html
  20. At the forefront of this reaction has been the reaction of the European Union. A summary of official positions is available online at: www.europa.eu.int/comm/internal_market/privacy/adequacy_en.htm#countries
  21. See for example the Office submission to the Senate Legal and Constitutional Legislation Committee on the Security Legislation Amendment (Terrorism) Bill 2002 and Related Bills (April 2002). Available online at: www.privacy.gov.au/materials/types/download/8828/6623
  22. Basic information about the US National Do Not Call Register is online at: www.ftc.gov/bcp/conline/edcams/donotcall/index.html. The Register itself is at www.donotcall.gov.
  23. "Compliance with Do Not Call Registry Exceptional", US FTC Media Release, 13 February 2004, available at: www.ftc.gov/opa/2004/02/dncstats0204.htm
  24. "ACA moves to protect telecommunications customer information", Media Release No. 49 by the Australian Communications Authority, 13 November 2003, available online at: www.aca.gov.au/aca_home/media_releases/media_enquiries/2003/03-49.htm
  25. Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress, Washington DC, May 2000; available online at: www.ftc.gov/os/2000/05/index.htm#22
  26. "However, the rapid developments in information technology, data networking and electronic commerce raise some correspondingly difficult economic and legal problems relating to taxation, security, privacy and jurisdictional issues", as stated in the Introduction to the Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000, available online at: http://parlinfoweb.aph.gov.au/piweb/view_document.aspx?ID=601&TABLE=OLDEMS
  27. "Make 'em pay", The Economist, 12 Feb 2004, discusses the economics of spam and options for dealing with it; available online only as a paid premium content story at: www.economist.com/displaystory.cfm?story_id=S%27%298%3C%2FPQ3%2A%23P%22L%0A
  28. Tag, You're It: Privacy Implications of Radio Frequency Identification (RFID) Technology, Information and Privacy Commissioner, Ontario Canada, February 2004 canvasses the issues very well. Available at: www.ipc.on.ca/scripts/index_.asp?action=31&P_ID=15007&N_ID=1&PT_ID=11351&U_ID=0
  29. "Prepare to be scanned", The Economist, 4 December 2003; available online at: www.economist.com/displaystory.cfm?story_id=2246191
  30. Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC 96), report of the joint inquiry into the protection of human genetic information by the Australian Law Reform Commission (ALRC) and the Australian Health Ethics Committee (AHEC) has been acclaimed as a 'world-leading' report on genetic privacy issues. Available online at: www.alrc.gov.au/inquiries/title/alrc96/index.htm
  31. Public Records on the Internet: The Privacy Dilemma, Privacy Rights Clearing House, April 2002. Available at: www.privacyrights.org/ar/onlinepubrecs.htm
  32. Fels page 5
  33. "Sun on Privacy: 'Get Over It'", Wired News, 26 January 1999. Available online at: www.wired.com/news/politics/0,1283,17538,00.html
  34. See the Regulatory Institutions Network as one example, at www.regnet.anu.edu.au
  35. "The good, the bad and the ugly: economic perspectives on regulation in Australia", a speech by the Chairman of the Productivity Commission given in October 2003, provides an excellent description of current Productivity Commission thinking in this area. Available online at: www.pc.gov.au/research/speeches/cs20031002/index.html
  36. Report on the Office of the Privacy Commissioner of Canada, Office of the Auditor-General of Canada, Ottawa, September 2003, available online at: www.oag-bvg.gc.ca/domino/reports.nsf/html/20030930ce.html
  37. The Canadian Government's External Advisory Committee on Smart Regulation has very recently released a paper Assessing the Public Interest in the 21st Century: A Framework, January 2004: Leslie A Pal and Judith Maxwell. Available online at: www.smartregulation.gc.ca/en/06/01/su-10.asp or www.cprn.org/en/doc.cfm?doc=508
  38. Fels page 3.
  39. "The good, the bad and the ugly: economic perspectives on regulation in Australia", a speech by the Chairman of the Productivity Commission given in October 2003, page 16. Available online at: www.pc.gov.au/research/speeches/cs20031002/index.html
  40. This point is given particular emphasis in the Productivity Commission paper, as noted on page 17.
  41. As noted on page 16 of the Productivity Commission paper.
  42. See for example Allan Fels page 6.
  43. The Canadian Government's External Advisory Committee on Smart Regulation has very recently released a paper Assessing the Public Interest in the 21st Century: A Framework, January 2004: Leslie A Pal and Judith Maxwell. Available online at: www.smartregulation.gc.ca/en/06/01/su-10.asp or www.cprn.org/en/doc.cfm?doc=508
  44. Benchmarks for Industry-Based Customer Dispute Resolution Schemes, released by the Minister for Customs and Consumer Affairs, 1997 and available online at: www.selfregulation.gov.au/publications/BenchmarksForIndustry-BasedCustomerDisputeResolutionSchemes/index.asp
  45. Allan Fels in his paper says that it is not sufficient for a regulator to simply enforce the law - especially where there is significant uncertainty about it. In these circumstances, he considers that a regulator delivers 'public value' by actively engaging with the 'authorizing environment'. In saying this he emphasises the importance of actively engaging in policy formation. He argues that the regulator is ideally placed to advise on the rapidly changing environment, the complexity of the issues and to communicate and educate the public about this; page 7.
  46. Fels page 11 and 12.
  47. See eg Fels p 11 and 12
  48. The Australian Public Service Commissioner has responsibility for Service Charters see: www.apsc.gov.au/charters/index.html.
  49. The Strategic Plan 2000 is available online at: www.privacy.gov.au/materials/types/plans/view/6463
  50. See for example: "Opening Address, Privacy and Security in the Information Age Conference", by the former Attorney-General, Melbourne Exhibition Centre, 9:00 am, 16 August 2001, available online at: www.ag.gov.au/www/attorneygeneralHome.nsf/Web+Pages/3867FD438A836DEDCA256B5A000344A6; "Privacy and the Private Sector: A co-regulatory approach", speech by the former Attorney-General to a Freehills Privacy Seminar, Canberra, 25 October 2000, available online at: www.ag.gov.au/www/attorneygeneralHome.nsf/Web+Pages/F8920AA9B485B9A0CA256B5D00767DB0; "Privacy Guidelines for the Private Sector", Media Release by the former Attorney-General, 24 August 2001, available online at: www.ag.gov.au/www/attorneygeneralHome.nsf/Web+Pages/05A191AF2966866FCA256B57000FDF0F
  51. See Office of the Privacy Commissioner, Strategic Plan 2000, Key Result Area 1, available online at: www.privacy.gov.au/materials/types/plans/view/6463#key
  52. See Office of the Privacy Commissioner, Strategic Plan 2000, Key Result Area 2.
  53. Privacy Act 1988 (Cth) s.29(a).
  54. "Corporate Partnership and Sponsorship Policy", 2001, available online at: www.privacy.giv.au/research/index.html#7
  55. "Research into privacy attitudes in Australia", Office website page online at: www.privacy.gov.au/aboutprivacy/attitudes/#1
  56. See for example: Internet Privacy Survey, conducted by Freehills, published in February 2000, available online at: www.freehills.com/CA256AD900137BAA/All/E8393BC6ABDF7FD0CA256D9C001611A0; Privacy Survey 2000, conducted by PricewaterhouseCoopers, published in January 2001, available online at: www.pwcglobal.com/Extweb/pwcpublications.nsf/docid/FE1C1CDFED493084852569D000166410; The Risk Report, Issue 111, 24 May 2001, available online at: www.cpd.com.au/cpdnews/rr/archive/RR111.htm
  57. The Office regularly publishes summary complaints and inquiry statistics on the Office website at: www.privacy.gov.au/complaints/statistics/
  58. See Privacy Amendment (Private Sector) Bill 2000: Attorney-General's Second Reading, 12 April 2000, available online at: http://parlinfoweb.aph.gov.au/piweb/view_document.aspx?ID=580761&TABLE=HANSARDR
  59. The conference website, www.privacyconference2003.org, sets out the conference program, all available papers and all known resolutions adopted by this and previous conferences.
  60. Satellite events were promoted on the Conference website at: www.privacyconference2003.org/revents.asp
  61. The notices resolution including a resource page of background material has been established on the conference website at: www.privacyconference2003.org/resolution.asp.
  62. Available online at: www.privacyconference2003.org/commissioners.asp
  63. All recent surveys conducted by the Office are available online at: www.privacy.gov.au/aboutprivacy/attitudes/
  64. The majority of respondents said they thought the new privacy laws would have an impact on the way their business was currently conducted. See topic 4.17 in the Office of the Privacy Commissioner, Privacy and Business, July 2001 p 75, available online at: www.privacy.gov.au/materials/types/research/view/6613#4.17
  65. For example, 42% of respondents said they had refused to deal with an organisation because of concerns over the use and protection of their personal information; see topic 4.2 of Privacy and the Community, July 2001, page 7 and available online at: www.privacy.gov.au/materials/types/research/view/6614#4.2
  66. Katrina Nicholas "Harts numbers take a turn for the worse", Australian Financial Review, 3 September 2001
  67. "Warning on using PCs for banking", The Courier-Mail, 9 March 2004, available online at: www.couriermail.news.com.au/common/story_page/0,5936,8908697%255E3122,00.html
  68. OFPC survey Privacy and Business - responses to Topic 4.18 of the Survey, p 78, indicated that 73% of business respondents viewed the changes to the Federal Privacy legislation as positive; available online at: www.privacy.gov.au/materials/types/research/view/6613#4.18
  69. See for example "Privacy in Australia", a paper delivered to a National Privacy Conference, organised by the Department of Human Services Victoria Melbourne, 26 November 2001, available online at: www.privacy.gov.au/materials/types/download/9150/6776
  70. Available online at: www.privacy.gov.au/materials/types/guidelines/view/6517
  71. Guidelines on Privacy in the Private Health Sector, guideline on use and disclosure available online at: www.privacy.gov.au/materials/types/guidelines/view/6517#b2
  72. Information Sheet 17-2003 "Privacy and Personal Information that is Publicly Available", available online at: www.privacy.gov.au/materials/types/infosheets/view/6549
  73. Information Sheet 16-2002 "Application of Key NPPs to Due Diligence and Completion when Buying and Selling a Business", available online at: www.privacy.gov.au/materials/types/infosheets/view/6548
  74. Information Sheet 18-2003 "Taking reasonable steps to make individuals aware that personal information about them is being collected", available online at: www.privacy.gov.au/materials/types/infosheets/view/6550
  75. The way the Act allows for such Public Interest Determinations and the details of extant Determinations is available online at: www.privacy.gov.au/law/act/pid/
  76. A series of Topics covering the internet were included in the 2001 Privacy and the Community Survey, starting at Topic 4.31, p 42 and available online at: www.privacy.gov.au/materials/types/research/view/6614#4.31
  77. Information Sheet 17-2003 "Privacy and Personal Information that is Publicly Available", available online at: www.privacy.gov.au/materials/types/infosheets/view/6549
  78. www.donotcall.gov
  79. For example, in its November 2000 submission to the Inquiry into the integrity of the Electoral Roll by the parliamentary Joint Standing Committee on Electoral Matters, the Office in Recommendation 5 recommended "That consideration be given, possibly through a broad public inquiry, to reviewing and updating the privacy protection of information held in public registers".
  80. 42% agree with use, 46% disagree. See topic 4.30 of Privacy and the Community, July 2001, page 41, available online at: www.privacy.gov.au/materials/types/research/view/6614#4.30
  81. Available online at: www.privacy.gov.au/complaints/statistics/
  82. Online enrolment is available from the following link on the Office website: www.privacy.gov.au/news/subscribe/
  83. Five pages of FAQs are linked from the Frequently Asked Questions page of the Office website: www.privacy.gov.au/faq/
  84. Under s.6EA of the Privacy Act, the Commissioner must publish a register of organisations that have opted into coverage by the Privacy Act. This register is available on the Office website at: www.privacy.gov.au/faq/
  85. The resolution and supporting research are available on the Conference website at: www.privacyconference2003.org/resolution.asp
  86. Annual Report 2002, Chapter 6, p 89, available online at: www.privacy.gov.au/materials/types/download/8589/6444
  87. The Strategic Plan 2003 is available online at: www.privacy.gov.au/materials/types/plans/view/5892
  88. Tracy Raymond carried out the review. She is a Senior Investigation/Conciliation Officer and Principal Training and Policy Officer with HREOC. Tracey is a Churchill Fellowship recipient with an academic background in social work and law. She has extensive experience in conducting administrative investigations and has been responsible for the development and on-going facilitation of HREOC's Statutory investigation Training Course.
  89. Available for purchase online from Standards Australia at: www.standards.com.au/catalogue/script/Details.asp?DocN=stds000012657
  90. Benchmarks for Industry-Based Customer Dispute Resolution Schemes, released by the Minister for Customs and Consumer Affairs, 1997 and available online at: www.selfregulation.gov.au/publications/BenchmarksForIndustry-BasedCustomerDisputeResolutionSchemes/index.asp
  91. "Corporate Partnership and Sponsorship Policy", 2001, available online at: www.privacy.giv.au/research/index.html#7
  92. Enrolment is available on the Office website at: www.privacy.gov.au/business/privacyconnections
  93. Privacy Contact Officers have their own page on the Office website at: www.privacy.gov.au/government/pco
  94. Public Interest Determinations 9 and 9A (Family Medical History Determinations - December 2002) are available online at: www.privacy.gov.au/materials/types/determinations?sortby=55
  95. Information Sheet 16-2002: Application of Key NPPs to Due Diligence and Completion when Buying and Selling a Business, is available online at: www.privacy.gov.au/materials/types/infosheets/view/6548
  96. The Private Sector - Business pages on the Office website are accessible from: www.privacy.gov.au/business/; the Health pages on the Office website are accessible from: www.privacy.gov.au/business/health
  97. Office of the Privacy Commissioner, Operation of the Privacy Act Annual Report: 1 July 2001 - 30 June 2002, p 35 and p 40
  98. A full list of guidelines, binding and non-binding, issued by the Office is available online at: www.privacy.gov.au/law/apply/guidance/
  99. Information Sheet 13-2001 "The Privacy Commissioner's Approach to Promoting Compliance with the Privacy Act", issued in December 2001, available online at: www.privacy.gov.au/materials/types/infosheets/view/6545
  100. Graeme Greenleaf has set out his concerns in a number of forums, including in a paper delivered to the 25th International Conference of Data Protection and Privacy Commissioners, available online at: www.privacyconference2003.org/program.asp#ps6
  101. Complaint Case Notes and Complaint Determinations, available on the Office website at: www.privacy.gov.au/law/apply/determinations/
  102. Complaints and enquiries statistics, available on the Office website at: www.privacy.gov.au/complaints/statistics/
  103. See the section 6.2, Timeframes, in the Code Development Guidelines, available online at: www.privacy.gov.au/materials/types/guidelines/view/6482#6.2
  104. Susan Greenfield, Tomorrow's People: How 21st - century technology is changing the way we think and feel, Allen Lane - Penguin Books 2003 p 7.
  105. Ibid p 9.
  106. "Canadian privacy project underway", News Release by the University of Ottawa, December 2003, available at: www.media.uottawa.ca/2003/031208-2-e.html

March 2004 Office of the Privacy Commissioner