pdf (77.21 KB)

Submission to the Australian Competition and Consumer Commission by the

Office of the Privacy Commissioner

December 2005

1. Office of the Privacy Commissioner

The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Privacy Act 1988 (the Privacy Act) covers federal and ACT Government agencies, businesses with an annual turnover of more than $3 million, the private health sector, small businesses that trade in personal information and credit providers and credit reporting agencies. The Privacy Commissioner has responsibilities under the Privacy Act and other federal legislation to regulate the way agencies and organisations collect, use, store and disclose individual's personal information.

2. Background

On 25 July 2003, the Australian Competition and Consumer Commission (ACCC) received an application from the Australian Direct Marketing Association (ADMA) for revocation of authorisation A40077 and replacement by substitute authorisation A90876. Authorisation A40077 granted ADMA immunity from legal action for anti-competitive conduct under the Trade Practices Act 1974 in relation to the Direct Marketing Code of Practice (the code). On 13 August 2003, the ACCC granted an interim authorisation in relation to the code which was in force, while the merits of ADMA’s application were considered.

The ACCC has undertaken two public consultation processes in relation to the application, and on 12 October 2005 issued a draft determination. The ACCC invited the Office of the Privacy Commissioner (the Office) to make a submission in relation to its draft determination, and the Office is pleased to do so.

3. Office involvement

As part of its consultation, the ACCC called for public comments on the code in July 2003 and February 2004. The Office provided comments on both occasions.[1]

4. Regulatory context

The Privacy Act provides some minimum legislative rules governing the manner in which agencies and organisations are required to collect, use, store and disclose individuals’ personal information. In addition, some industries or industry groups make efforts to complement this regime through the development of further self-regulatory measures (e.g. industry codes of practice, or guidelines). To the extent that such initiatives offer a commitment to best privacy practice and to standards which improve upon the minimum legislative requirements under the Privacy Act, the Office welcomes such efforts.

5. Content of the code

In considering whether to grant the current application, the Office understands that the role of the ACCC is to make an assessment of any potential public benefits arising from the proposed code, and to weigh these against the code’s potential for anti-competitive effect.

Relevant to the issue of the code’s public benefit are matters such as the extent to which the code accurately and clearly reflects the privacy rights of individuals and possibly expands upon them. In this regard, the Office offers the following comments in relation to the current version of the code. It is hoped that these comments are useful to the ACCC in making a final determination in this matter.

Legislative status of the NPPs

When the code was first authorised in August 1999, the National Privacy Principles (the NPPs) under the Privacy Act, which apply to the information handling practices of many organisations, were not in force. The NPPs came into effect in December 2001, and therefore subsequent drafts of this code have been required to take account of this change in the law.

The Office’s previous two submissions have commented on the extent to which this has been achieved. It was the Office’s overall view on both occasions that the relevant drafts did not make the legislative status and separate enforceability of the NPPs clear, and that there was a risk of confusion between these legally enforceable rights and other aspects of the code.

The Office recognises that the current draft of the code contains some improvements in this regard. For example, the code takes the general approach of covering matters relevant to “consumer data protection” in Section G of the code, which now includes a specific reference to the need for members to comply with the NPPs. The code also cross-refers to this section from time to time, where appropriate. A number of clauses in Section G also assist, to a certain extent, in drawing members’ attention to the obligations that the NPPs impose upon 3^rd party suppliers of personal information (e.g. list suppliers).

However, the previous version of this code (which was issued for public comment in February 2004) contained a full text extract of the NPPs. The current version no longer contains the full text of the NPPs, instead listing only the NPP headings. It is not clear why the full text of the NPPs has been removed, but the Office remains of the view that the full text of the NPPs would be useful and should be reinserted. Its inclusion would help to clarify the obligations imposed by the code, some of which may cover similar ground to the NPPs (see, for example, the notice requirements in clauses D 7-14, which may run the risk of being confused with the notice requirements of NPP 1.3). Further, as one of the aims of the code is to build upon current legal obligations, the inclusion of the full text will help members to be clear of the distinction between their legal obligations and their additional code obligations.

Complaints handling

The Office’s previous submissions on this code noted that no mention was made of the fact that complaints about privacy can be handled by the Privacy Commissioner. It is acknowledged that the code (clause G7) requires that, where the Code Compliance Officer concludes that a particular complaint “does not fall within the jurisdiction of the Code Authority and should be dealt with by a Government Regulatory body”, the complaint should be referred to the appropriate body. Nonetheless, the Office remains of the view that a specific reference to this Office and its privacy complaints-handling function would help to further clarify the full extent of an individual’s rights in relation to privacy complaints-handling.

Record keeping requirements

Clause C58 of the code requires that members keep a record of particular details in relation to complaints received for a minimum of six months after complaints are resolved. To the extent that this clause involves the retention of personal information, the impact of NPP 4.2 (which requires the destruction or deidentification of data after it is no longer needed) should be considered, to ensure that personal information is only kept for as long as it is required for the particular purpose.

Parental consent

In relation to an individual’s capacity to consent to the collection, use and disclosure of their personal information, the Privacy Act relies on a general law test of competence. This may be relevant to any clauses in the code that require parental consent to such practices (for example, clause C51), to the extent that they effect the ability of legally competent minors to make these decisions for themselves.

Source of personal information

The Office welcomes the inclusion in the code of a requirement that code members inform individuals, on request, of the source of the individual’s personal information. This requirement is consistent with this Office’s recommendation (in its report Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (the OPC Review Report)) that “the Australian Government consider amending the Privacy Act to require organisations to take reasonable steps, on request, to advise an individual where it acquired the individual’s personal information”.[2]

Review of code

The OPC Review Report also recommended that the Australian Government consider exploring options for establishing a national ‘Do Not Contact' register.[3] In general, the prohibition of particular unsolicited telephone calls is an important step towards regaining individual control in what is viewed by many as an intrusive practice.

The Office notes that submissions have been sought by the Department of Communications, Information Technology and the Arts (DCITA) in relation to its Introduction of a Do Not Call Register: Possible Australian Model Discussion Paper,[4]which explores a number of possible models for the introduction of a national ‘Do Not Call’ register. The exploration of options in this regard is a move that this Office strongly supports.

Should such a Do Not Call register successfully be implemented on a national level, it would significantly affect the landscape covered by the current ADMA code, and would most likely be more comprehensive and far-reaching than the current membership-based code. In consideration of this possibility, the Office recommends that any authorisation of this code be reviewed in 2 years.

6. Summary

In summary, the Office recommends that:

• the full text of the NPPs be reinserted into the code;
• a specific reference to the Office and its privacy complaints-handling function be included;
• the impact of NPP 4.2 be considered in relation to any clauses which require personal information to be retained for specific periods of time;
• consideration be given to the impact of the Privacy Act’s reliance on a general law test of competence, in situations where the code specifically requires parental consent; and
• any authorisation of the code be reviewed in 2 years, given the possible introduction of a national Do Not Call register.