
Submission: Regulatory Taskforce on Reducing the Regulatory Burden on Business (December 2005)



Mr Gary Banks

Chairman

Regulation Taskforce

PO Box 282

BELCONNEN ACT 2616

 

Dear Mr Banks

I refer to the call for submissions by the Regulatory Taskforce on Reducing the Regulatory Burden on Business. I note that the Privacy Act has been included as a regulation that your review is examining.[1]

Recently I undertook a review of the private sector provisions of the Privacy Act 1988. The Review Report is available at http://www.privacy.gov.au/act/review/revreport.pdf. I have provided 10 copies of the Report to your Taskforce under separate cover. The Government has not yet responded to my review report.

The private sector provisions of the Privacy Act became operational on 21 December 2001. On the passage of the legislation the Government committed to review the private sector provisions to assess their effectiveness in safeguarding privacy after two years of operation. The Federal Attorney General gave me terms of reference on 13 August 2004 for the review. The review was completed and submitted on 31 March 2005.

Basically, the terms of reference for the review sought to find out whether the private sector provisions had met their objectives which included:

  • the creation of a nationally consistent scheme for the regulation of privacy;
  • meeting international concerns about Australia’s international obligations regarding privacy;
  • recognising individual interests; and
  • recognising other competing interests (such as business efficiency and the free flow of information).

Specifically excluded from the terms of reference of the review were genetic information, employee records, children’s privacy, electoral roll information and the political acts and practices exemption.

In the course of the review, my Office undertook broad consultation with the community, released an Issues Paper and received 136 submissions from a wide spectrum of stakeholders: business (large and small), business associations, federal, state and territory departments and agencies, and consumer and privacy groups, as well as many individuals.

A Review Steering Committee met four times, and a Review Reference Group, made up of 40 representatives from community, business and government, met three times. We also held 12 consultation forums across all capital cities and commissioned community attitudes research.

With seven months of research, consultation and input from the community, coupled with my Office’s experience over the previous three years, on balance, I found there is no fundamental flaw with the private sector provisions in the Privacy Act. The overall effect is that the National Privacy Principles (NPPs) have worked well and delivered to individuals protection of personal and sensitive information in Australia in those areas covered by the Act.

While finding no fundamental flaws, I did identify areas for improvement. The Report contains 85 recommendations stemming from a balanced and pragmatic examination of the Privacy Act. These recommendations should not be taken as dissatisfaction with the provisions. Rather, they are simply the benefit of three years’ experience, in which it has become apparent that there are ways of improving the existing elements of the regime, and that external influences have affected the efficacy of the legislation.

The recommendations are written as actions the Australian Government should consider doing (with some in concert with states and territories), or as measures the Office could undertake.

The key recommendations are that:

  • It is apparent that while the private sector provisions work well, given the principles are based on the OECD principles written in the late 1970s, it may be appropriate for the Government to undertake a wider review of privacy to ensure that in the 21st century the legislation best serves the needs of Australia.
  • We need to raise the privacy awareness of organisations and individuals. Those recommendations, if implemented, would form the ‘linchpin’ of an improved privacy scheme that would benefit individuals while recognising the right of businesses to achieve their objectives in an efficient way.
  • Consumer control over personal information should be enhanced. I have recommended that the control that individuals have over their personal information be strengthened, particularly in relation to information collected about them indirectly or used or disclosed for other purposes such as direct marketing. Simple steps that could be taken to make this happen include measures to promote clearer and more easily understood privacy notices and a general opt-out right for all direct marketing approaches.
  • While retaining the small business exemption, with an amendment to simplify its application, I have suggested that some small business sectors that handle large volumes of personal information, such as internet service providers and tenancy database operators, should be covered by the private sector provisions.
  • Thirty recommendations in the report relate to my Office; these include improving the transparency of the complaints process and enabling the Office to better identify and address systemic issues.
  • Because of their complexity, the issue of privacy and research, in particular medical research, and privacy and new technologies warrant further debate. The main recommendation on these issues is that they should be considered in the context of a wider review of the Privacy Act.

Overall, I found that the private sector provisions have met their objectives in some areas but not in two: meeting international concerns and the achievement of national consistency of privacy regulation.

It is the second issue that I want to particularly draw to the attention of the Taskforce. This issue was also a primary concern of the Senate Committee which recently undertook an inquiry into the Privacy Act and it has also called for greater consistency of privacy regulation.[2]

National Consistency

Ironically, national consistency was a central driver in the drafting of the private sector provisions in the first place. Prior to the implementation of the NPPs for the private sector there was a voluntary set of principles for the fair handling of personal information. However, these principles were not implemented comprehensively.

Against a background of the European Union indicating that Australian businesses would be hampered in dealing with European businesses as Australia did not have privacy protections in the private sector, and as Victoria had indicated it was going to introduce legislation, business and consumers told the Federal Government they did not want piecemeal legislation, rather nationally consistent legislation in the private sector was preferred.

Ultimately this led to the passage of legislation federally with the centrepiece being the NPPs in order to establish a national, consistent and clear set of standards for the regulation of privacy in the private sector.

In the review, many submissions drew attention to the problem of national inconsistency. Indeed, of the 136 submissions, almost half (60) addressed this issue. Submissions were overwhelmingly in support of the goal of achieving a nationally consistent system.

National inconsistency operates on three different levels.

Inconsistencies within the Act

Firstly, the inconsistencies within the Privacy Act stem from minor differences between the Information Privacy Principles or IPPs which apply to public sector agencies and the NPPs which regulate the private sector. While these two sets of principles are very similar there are some differences that can prove complicated.

For example, unlike the IPPs, the NPPs include specific provisions about the transfer of data overseas, and the NPPs provide more protection to defined types of ‘sensitive information’, which includes health information. In some cases, an organisation might be subject to both the NPPs and the IPPs. An Australian government contractor, for instance, may be bound to comply with the NPPs, but also be bound by contract to comply with the IPPs. Also, some government enterprises are for the purposes of the Privacy Act both an ‘agency’ (for their non-commercial activities) and an ‘organisation’ (in relation to their commercial activities).

Inconsistencies with other Commonwealth legislation

Secondly, there are inconsistencies between the Privacy Act and other Commonwealth legislation such as the Telecommunications Act and the Spam Act. This causes confusion for telecommunications companies which are covered both by the Telecommunications Act and the Privacy Act as these two pieces of legislation have different rules regarding the disclosure of customer information. Similarly, the Spam Act requires the stricter ‘opt-in’ function for direct marketing while the Privacy Act only requires direct marketers to have an ‘opt-out’ function.

Inconsistencies with state and territory legislation

Finally, there are the inconsistencies that have arisen between the Privacy Act and state and territory legislation. There is a need to clarify the relationship between state and federal activities and the way that different jurisdictions interact and function as a whole.

Submissions to the review gave examples of inconsistencies and overlaps between state and federal privacy law. One noted the problems faced by welfare organisations when administering programs that are government funded. In these cases, the welfare organisations may have to comply with the NPPs, the IPPs, department procedural requirements and state or territory law. This issue is further complicated by the fact that the organisation may need to collect health information as well, which is subject to state or territory health records legislation.

Tenancy databases are another example of inconsistency between federal, state and territory legislation. At the moment, the Privacy Act does not fully regulate the operation of tenancy databases. As a consequence, some states – NSW and Queensland – have developed their own legislation to regulate the operation of these databases with the ACT also considering implementing legislation. A few submissions such as that of The Real Estate Institute of Australia identified what they felt was a patchwork of legislation emerging in this field.

However, far and away the most complicated area of inconsistency is in the area of health. At present, the regulation of health information across Australia consists of a set of overlapping and sometimes inconsistent federal, state and territory legislation. At the Commonwealth level, the handling of health information is regulated in the private sector and the Australian Government public sector through the Privacy Act by the NPPs, the IPPs and Public Interest Determinations. Some states and territories have developed privacy legislation for their public sector, and Victoria and NSW enacted laws to regulate the handling of health information in the private sector too.

Of course, the shared intent is to regulate the handling of this sensitive information and to ensure its protection. However, this multiplicity of laws and provisions, many of which are very similar but not quite the same, has resulted in confusion and undue complexity, and of course increased compliance cost which ultimately is passed on to consumers.

An example of this complexity was given by the Department of Health and Ageing in its submission about the effect of several layers of privacy regulation. In giving advice to ACT pathologists who were changing their forms in a way that gave rise to privacy implications, the Department had to refer to the Privacy Act (both the NPPs and the IPPs), the Health Records (Privacy and Access) Act 1997 (ACT) and other ACT legislation applying to pathologists operating as a private sector organisation.

Another organisation, operating a medication service via a call centre, said it had to read different statements to obtain consent depending on the location of the individual (and the law that applies in that jurisdiction). Insurance companies also cited differing laws that applied to the same piece of information differently.

The overlapping laws generate additional compliance costs for health service providers.

Recommendations of the Review

I made six recommendations about national consistency in the broad, and nine recommendations about consistency in telecommunications, health and residential tenancy databases.

The key general recommendations about national consistency are about trying to ensure national consistency in the protection of personal information for the benefit of individuals and business compliance.

It is not clear whether Section 3 of the Privacy Act covers the field for the protection of personal information in the private sector. I have suggested that the Government clarify the intention of the provision.

I also recommended that all governments should endorse national consistency as a goal in all privacy related legislation, and I recommended that this be done through the Council of Australian Governments.

After all, the principles for the protection of the personal information of all Australians are an issue that has not been and should not be divisive. It is my view that there should be no differences in the application of these principles across our country. The principles supporting protection of personal information (or our privacy) should not be parochial or location based.

The third general recommendation relates to the Australian Government putting in place mechanisms to address inconsistencies that have come about, or will come about, as a result of exemptions in the Privacy Act, for example in the area of workplace surveillance.

We were told in the review that the exemptions provided gaps in protection that states and territories felt a need to fill with their own legislation. Thus, in this way, the exemptions may be undermining the national consistency of privacy regulation. One example of this situation is in the area of workplace surveillance. Currently the Privacy Act does not cover employee records, which has seen states implement or consider implementing legislation in this area. NSW now has workplace surveillance laws and Victoria is contemplating such laws, although the current proposed models are different to what is in place in NSW.

Achieving national consistency is crucial if the Privacy Act is to achieve all of its objectives. Two of the objectives of the private sector provisions – to recognise individual interests and to recognise other competing interests such as business efficiency – are inextricably linked to the achievement of a nationally consistent scheme. If there is further fragmentation, any future review of the legislation may find it hard to conclude that these two objectives are being met.

It is through national consistency of privacy legislation that business compliance burdens are minimised. A nationally consistent scheme also increases the ability of individuals to enforce their privacy rights without confusion as to what laws apply and where to go for help.

I draw attention to the many submissions I received from businesses and business organisations about the private sector provisions. These submissions are listed in Appendix 3 of my report and are also available on our website (http://www.privacy.gov.au/act/review/reviewsub.html). While many of these submissions have made useful comments, I draw your attention in particular to:

13. Real Estate Institute of Australia
20. Microsoft Australia
22. Australian Chamber of Commerce and Industry
26. Virgin Mobile (Australia) Pty Ltd
34. Promina Group Limited
35. Suncorp-Metway Limited
40. ANZ
48. Compvice Pty Ltd
59. Insurance Council of Australia Limited
60. Coles Myer Limited
63. Australian Finance Conference
67. Australian Direct Marketing Association
70. Australian Bankers’ Association
71. Acxiom Australia
80. Australian Private Hospitals Association
83. Commerce Queensland
84. Sensis
86. Baycorp Advantage
89. Investment and Financial Services Association Limited
92. Business SA
93. The Pharmacy Guild of Australia
98. Optus
106. Housing Industry Association
109. Australia Post
110. Telstra Corporation Limited
111. Australian Retailers Association
112. Vodafone Australia Limited
113. Victorian Automobile Chamber of Commerce
114. Australian Collectors Association, Institute of Mercantile Agents, Australian Institute of Credit Management
131. Mortgage Industry Association of Australia

The impact on business is discussed mainly in Chapter 6 of my report, and the complaint handling process from a business perspective is discussed in Chapter 5.

I would be pleased to discuss with the Taskforce any aspects arising from my Review of the private sector provisions and any issues raised with the Taskforce in the conduct of its review.

Yours sincerely

Signed

Karen Curtis

Privacy Commissioner

29 November 2005



[1] Regulation Taskforce, Circulation No. 1, 25 October 2005, p. 3.

[2] Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988, June 2005.